David Krivanek: Your recent article on the introduction by Danish authorities of a new intelligence bill, initially giving extraordinary rights to their intelligence agencies to spy on Danish and non-Danish citizens, had to be pulled as we were about to publish. Suddenly, it seemed, the government would remove the most controversial elements of the law. What happened?
Jacob Mchangama: The proposal met with significant criticism from both politicians and civil society including the usually very cautious association of judges. Moreover, the Danish prime minister’s justification for the proposal was factually incorrect. The PM gave the impression that the Danish Defence Intelligence Service would have to cease surveillance activities targeted at foreigners once Danish citizens become involved, when in fact the DDIS is authorized to continue such surveillance as long as it is not targeting Danish citizens. This fatally undermined the government’s credibility on the issue.
DK: This last minute change came as a result of civil society mobilization that the Danish government did not expect. How did that happen, and what was your organisation's role in that process? Controversial intelligence bills have been passed in many countries–what made Denmark different?
JM: With Associate professor Anders Henriksen from University of Copenhagen, Justitia published a short policy analysis concluding that the Danish proposal would include significantly fewer legal safeguards than those applicable to the NSA when targeting US citizens abroad (a requirement of FISA court approval was introduced in 2008). That became a frontpage news story in Danish newspaper Politiken and was picked up by most media both print and electronic. We then also came up with specific proposals on how a requirement of prior court approval could work in practice, with a lower threshold of suspicion than required at the domestic level, but limited to issues of national security and with a number of safeguards excluding for instance, journalists, aid workers, and people travelling abroad on business, vacation, family trips... Finally, we worked to get the message across to politicians and other civil society organizations as well as associations of judges and lawyers.
DK: Tell us more about your organisation–how did it start? What kind of people are involved? How do you work with politicians, with the media, with lawyers, with technology experts (e.g. on encryption)? What are your plans for future campaigning?
JM: Justitia is a brand new politically and ideologically independent think tank focusing on human rights and the rule of law. We began our work in September and have a staff of 3 full time employees as well as 6 interns/assistants. Our main “product” consists of policy analysis that is legal in nature. We strive not only to show problematic aspects of a law or practice but also to propose workable and targeted solutions that can be used and implemented by relevant decision makers. So far we have focused a lot on freedom of expression and surveillance but we also hope to be able to do more on access to justice and other relevant areas. We work with a number of independent experts in academia and elsewhere and also try to build coalitions with businesses, NGOs etc. on relevant topics including data retention.
DK: Take the net neutrality debate in the US–it’s rare isn’t it that any victory in this field can be considered as definitive given the resources and influence over policy-makers those in favour of either net regulation or unbridled intelligence activities wield. Do you see the same prospect of the issue coming back on the table in Denmark, this time with a better campaign by the security establishment–or even being taken behind closed doors next time?
JM: Certainly. While we scored a success with the above-mentioned proposal as well as with securing an amendment prohibiting the Danish Center for Cyber Security from using its access to IT infrastructure to conduct surveillance of users, the Danish government has just introduced a bill allowing for the use of PNR. The Danish national police have also demanded that the Danish data retention scheme be expanded from covering (chiefly) retention of phone data to also include web traffic. So there is a lot of demand on new and additional layers of surveillance from Danish authorities.
DK: While our new digitaLiberties series has put us in touch with a number of activists, lawyers, tech people and politicians concerned with the ways things are going, there is little expectation of citizens' ability to do much about the introduction of laws that expand the already very permissive legal space in which intelligence agencies operate. Examples include the recent French Intelligence Bill, which went through despite quite amazing civil society mobilization, or DRIP legislation in the UK, which went from announcement to enactment in eight days as the Guardian points out. Is this too defeatist? How do we overcome this?
JM: I do think it’s difficult, but it’s not necessarily a new issue. Any time technology advances authorities will want to exploit them. That was also the case with the emergence of telegraphy. It is very difficult to imagine a situation where a readily available technology allows authorities to obtain information on citizens almost effortlessly, being ignored by such authorities. I think fundamentally we need to be able to agree on some guiding and fundamental principles on where the line should be drawn, i.e. should we allow bulk data retention or should we only allow more targeted schemes?
DK: In a recent Reddit AMA by Snowden, Poitras and Greenwald, they are trying to condense the problems of unbridled surveillance into simple messages, to counter the usual “you're too alarmist, we're not trying to create a Big Brother state” argument for large-scale surveillance. Do you like this approach? Would it work for Denmark? More broadly, how would you go about addressing the infamous "I've got nothing to hide" argument?
JM: It’s not an approach that Justitia would take. First of all we have to be much more 'legalistic' in our approach. Secondly we acknowledge that there is a real and serious threat from terrorism to many liberal democracies, including Denmark, and that threat necessitates certain trade-offs. Part of the success in changing the Danish proposal, I think, was exactly because the opponents of a warrantless surveillance scheme did not resort to “1984” language, but acknowledged that there are weighty arguments in favour of letting intelligence services conduct targeted surveillance of Danes leaving for Syria suspected of being foreign fighters, on the condition that such a measure must include strong safeguards against abuse.
Danes have a lot of trust in government agencies and officials and we have a very different political history and culture than, say, the US and Germany, where suspicion of surveillance measures taps into the political culture (US) and recent history (Germany). In Denmark a more “alarmist” approach would only mobilize those already on board and would create resentment among the key constituents necessary to obtain more privacy compliant changes.
DK: Yet the global surveillance system put in place by the US after 9/11 has this remarkable 'hub' character, where the NSA receives information on everyone except German citizens from German intelligence agencies, but is able to complete this by receiving info on Germans collected, for example, by the Swedes, the Danes or the British. Since many western agencies (and beyond, e.g. Saudi Arabia) can access or try to get access to the databases built by the Americans, there is absolutely no guarantee that your personal data is safe from any participating government or, indeed and in breach of national laws, of your own. Some experts think that efforts at the international level–at the EU or the UN–are not very useful, since the power to actually legislate on national security matters remains with governments. Amandine Scherrer or Jean Lambert MEP by contrast have argued on openDemocracy that given the transnational scope of the problem and the pro-surveillance consensus in many countries' political classes, we should emphasise mobilisation at the international level. What do you think?
JM: I do think an international approach is necessary, but I also think it will be very difficult to achieve. As we have seen, states jealously guard their secrets and intelligence operations and even close allies are prone to spy on each other. But as we have also seen once the role of big IT companies was revealed and they felt the heat from their customers they put pressure on the US to become more transparent. In Denmark we have also seen the telecom companies be very critical of data retention laws and proposals and I think that targeting these critical players and ensuring that they don’t become unquestioning cogs in a mass surveillance infrastructure is vital.
DK: Do you think it is possible to share the insights of any given national debate? Take the German debate on surveillance–arguably one of the most open following the Snowden revelations. Some of this discussion could be very interesting to other European countries and in the US. But to follow it, you have to be able to identify the national experience (in this case the totalitarian experiences of Nazism or the GDR) which forms the basis for a pro-privacy argument, and you can't always use the same arguments to stir debate. Does this reflect your own experience? Do you see sharing what you have achieved as part of a broader winning strategy?
JM: Of course learning from other countries’ experiences is always a good idea, but again Denmark is very different from Germany. We have never had any real major scandals implicating our intelligence services in wide pread illegal activities (though we have very limited oversight) so Danes tend to be very trusting of our intelligence services. That may also be the case in a number of other countries. One of the things I think is absolutely crucial is to propose credible and workable alternatives that have a chance of being adopted. For instance we are working on getting support for a new two-tier data retention scheme, replacing bulk data retention. Our idea is to authorise police and intelligence services to order telecoms to initiate data retention only regarding persons reasonably assumed to be involved in serious crime or terrorism. Only then should we allow these authorities to access the actual data pursuant to a court order based on reasonable suspicion. And that is a proposal that could also be relevant for other jurisdictions. For the time being, there was some modest interest in the Danish case, but I don’t think the government’s change of heart was widely publicized outside Denmark.
DK: openDemocracy is collecting perspectives from activists, lawyers, politicians, IT and security specialists but also economists (e.g. when you look at the multi-billion public-corporate 'symbiosis' over surveillance)–because it is clear that mass surveillance has a quite unique multi-faceted character, and everyone has some type of expertise that sheds light on one aspect of the challenge. We are exploring responses to Jim Killock's argument, that what this coalition of forces has to do is to raise the costs of mass surveillance–financial and political–for governments. An anti-unbridled surveillance coalition could pull together efforts of techtivists developing and spreading information about the use of tools such as TOR or Tails, lawyers filing lawsuits against intelligence agencies, people demonstrating against excessive practices, and a media raising the public profile of these initiatives. Does this accord with your vision for Denmark?
JM: This is probably more a job for activists than a think tank such as Justitia and it is certainly not an area where we have much expertise or advice to give.
DK: In the absence of such a fightback being offered by the political opposition in most countries, who then might offer a viable alternative, in the form of intelligence legislation that would enable intelligence agencies to do their job–with robust accountability and oversight mechanisms and some fundamental guarantees regarding your digital rights as a citizen? Could this be a job for an international coalition as suggested above?
JM: Certainly. As mentioned above we have what we think is a good alternative to bulk data retention, which we think could be relevant to other countries as well (perhaps even as the basis of a new EU directive). One could also look at best practices from a number of other countries. If one or more countries have good experiences with a less intrusive surveillance scheme on one particular area without having experienced specific threats to national security, that could–depending on the specifics–serve as a blue print for other countries.