On 5 June 2013, Edward Snowden initiated a cascading exposé that would open the eyes of the world to the surreptitious and wholesale surveillance of digital communications by the NSA in the US and GCHQ in the UK.
The revelations laid bare the activities and programmes that have been intercepting and analysing the vast majority of internet and phone communications at a global level for many years, including programmes that obligated the world’s largest technology corporations to provide access to their networks and data centres through the use of secret court orders that not only forced these corporations to hand over data about their users en masse but also prevented them from disclosing anything about these orders.
The Foreign Intelligence Surveillance Court (FISC), which is responsible for the issuing of these orders in the US, has only rejected 12 out of 35,434 applications (0.03 per cent) since it was first established in 1979 and is widely regarded as a rubber stamp with little or no oversight.
The legal underpinnings of US surveillance
There are a number of laws in the US that enable law enforcement to intercept and access our communications.
The Communications Assistance for Law Enforcement Act (CALEA), which was introduced into US law in 1994, forced telecommunications companies to change their networks to enable law enforcement access to intercept communications. In 2004 the Department of Justice (DoJ) petitioned the Federal Communications Commission (FCC) to expand CALEA to include communications taking place over the internet in order to gain access to technologies such as Skype and voice over IP (VoIP), which the FCC agreed to do; this was met with a legal battle mounted by the Electronic Frontier Foundation (EFF), which requested that the court rule against the FCC expansion. Unfortunately EFF lost the battle.
Not only does CALEA require telecommunications companies to provide access to real-time communications on their networks, as a result of the expansion in 2004 all internet traffic has to be accessible as well and all hardware and software switches for these communications must have this capability built in. Furthermore, the DoJ is currently pushing to expand CALEA even further, introducing fines for non-compliant companies and even stronger powers for accessing hardware and software (including master keys for encrypted communications).
The Foreign Intelligence Surveillance Act (FISA), one of main concerns for European citizens, was passed by Congress in 1978 and extended in 2008 to be more relevant to modern technologies such as cloud computing. FISA was also expanded by Section 215 of the Patriot Act in 2001.
The Patriot Act, Section 215 amended FISA in 2001 to expand the definition of business records to any tangible thing – which includes hard disks, databases, files, papers and even computers. Furthermore, the 2008 expansion to Section 702 (Section 1881(a) of FISAAA) allows law enforcement in the US to access any data held by a US company without a warrant (whether or not that data is stored on US soil) on the grounds that non-US citizens are not protected by the Fourth Amendment of the US Constitution. This means any US company that holds information or data relating to or belonging to EU citizens can be forced to hand that data over to the US government for whatever reason they see fit.
The Patriot Act also amended the Stored Communications Act to permit law enforcement to use a warrant to access stored communications. This is the same law currently being used by the DoJ in an attempt to force Microsoft to hand over emails relating to a user in Ireland (where the emails are also stored).
When you mix all of these laws together, you basically end up with a recipe that gives the US government access to any communications or other data stored or in transit in relation to any non-US individual with little to no legal oversight. The data can be collected en masse without any suspicion of criminal activity, with no due process or proportionality measures. In essence, non-US citizens are all viable targets with no rights under US law.
Enter the Safe Harbour Agreement. In 2000, the European Commission (EC) – as a result of Europe’s strict rules on data protection and the exporting of EU data outside of EU borders – introduced an agreement with the US called the Safe Harbour Agreement. You see, it was accepted that privacy laws in the US in relation to EU citizens offered insufficient protections for Europeans’ personal data (insufficient is an understatement – there are no protections whatsoever). This meant that under Directive 95/46/EC (known as the Data Protection Directive) European companies could not lawfully export citizens’ data for processing in the US. With the emergence of digital society being facilitated mainly by giant US technology corporations, this was creating significant friction.
Safe Harbour was supposed to alleviate this friction by requiring US companies to provide contractual assurances that data on EU citizens would be processed and stored in accordance with 95/46/EC, and the Federal Trade Commission (FTC) agreed to oversee and enforce the agreement. However, due to the nature of US surveillance laws it was impossible for US corporations to meet those contractual guarantees and furthermore, they were unable to disclose when they had been forced to breach those contracts due to the non-disclosure elements of the surveillance orders they were forced to comply with.
As a privacy advocate, I have on many occasions raised this issue with the EC and European Parliament, arguing that the Safe Harbour Agreement should be revoked on the grounds that it does not provide adequate protections against US surveillance orders which fail to meet EU requirements on proportionality and due process. Shortly after the Snowden revelations broke I wrote to José Manuel Barroso, President of the EC, seeking the revocation of Safe Harbour and sent a further letter relating specifically to data stored in Europe by US corporations.
Further support for this argument has emerged recently. In the Schrems vs Facebook case currently being heard in the Court of Justice for the European Union (CJEU), the EC has stated on the record that it “cannot confirm an adequate protection right now” in relation to the Safe Harbour Agreement, to which the Judge responded “Directive requires COM to PROHIBIT transfers (Recital 57)”, a reference to Recital 57 of 95/46/EC which states: “Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited”.
In other words, given that the EC has admitted that it is unable to confirm adequate protection for EU citizens’ data, it is required by the Data Protection Directive to suspend the agreement and all transfer of data to the US. Furthermore, it should be assumed that given the extra-territorial reach of US surveillance laws on US corporations (to access data they hold outside of the US) that the EC should in fact be prohibiting the collection of data relating to EU citizens by any US corporation.
Of course in practice this would be very difficult to do given that we are so reliant on technologies provided by these same corporations in our everyday lives. The impact on business and consumers alike would be catastrophic – it would impact e-commerce, public sector services, transport, banking, communications, entertainment and much more.
So what do we do? How can we ensure that the privacy and data protection rights of European citizens – rights afforded to us under the EU Charter of Fundamental Rights – is protected in a digital world where most digital services are provided by US corporations and the US government show flagrant disregard for those rights?
A dangerous deception
Many US corporations are attempting to mitigate the damage caused by Snowden by opening data centres in Europe. But as I discussed in a recent article, such actions fail to provide any protection for EU citizens and should be seen as nothing more than sleight of hand. Using the European data centres of Amazon, Microsoft or Salesforce still allows the US surveillance machine to access that data through all of the laws described above. Not only are these manoeuvres deceptive, they are also dangerous as they are likely to make people think that their data is safe which will inevitably lead to complacency. Furthermore, this has a direct impact on the European economy as it gives US corporations a competitive advantage over EU companies in the same markets.
The ongoing discussion over Safe Harbour between the EC and the US government does little to alleviate our concerns as it is obvious the US is unwilling to rein in its surveillance machine, mostly because it has faced so little resistance from the EC to motivate it to do so.
The reality is, the US economy needs us more than we need them – if we revoke the Safe Harbour Agreement it will cost the US economy hundreds of billions in revenues over the next 10 years. In theory, we should have the upper hand if only our Commission would stand steadfast on our behalf. However, given the unlikelihood of this happening (the Commission is captured by the US lobby) it would seem the only other option is to call their bluff.
European cloud for European data
What we need to do is invest in European technology, after all most of these US corporations do little to reinforce the EU economy as most of their profits are exported out of the region and the taxes they pay are scandalously inadequate.
If we are to break the chains of our dependence on US digital services, we must first find a substitute for them, which means we need to develop the European digital infrastructure. There are a number of ways we could do this such as grants and funding through programmes like Horizon 2020 and tax incentives. We need a future where the data belonging to and relating to European citizens is managed, processed and stored by European companies in European data centres; a future where companies are obligated by law to use European cloud infrastructure.
To the naysayers who would argue this will cripple the European digital economy, to be frank, you are wrong – in fact it would infuse new life into an economy which is mostly an illusion. Sure, the Googles and Facebooks of this world provide employment opportunities for European citizens but those jobs would be replaced by the European equivalents as a direct benefit of developing our own infrastructure with the added benefit that those corporate profits would be taxed in the region instead of being removed from the economy through royalty schemes developed specifically to avoid paying taxes.
Many would argue that we don’t want to fragment and regionalise the internet; that it should be free and open and ordinarily I would agree. But the reality is that is exactly what we currently have – the internet is already fragmented and regionalised with most of the power resting in the hands of the US and rules imposed by the same. There is no freedom, do not mislead yourself into believing there is – our trade agreements, our infrastructure are developed to give the US even more control with scant regard for the consequences for our rights or our culture.
It is time to lift the shroud and realise that the only way forward, the only way to ensure a free and open internet is to wrestle control back from the US; to break the chains which tether us to US surveillance and to develop a future where our rights, our economy and our data are enriched and protected to the benefit of our citizens.
Alexander Hanff is a globally respected privacy expert with over 20 years experience in the technology industry and is a strong advocate for e-privacy and European data protection rights.