Resistant to scrutiny: the NSA headquarters in Maryland. Amonbelial / Wikimedia. Creative Commons.

What have the US and UK done in the past year to rein in mass surveillance? For the millions of global internet users, the answer is: not much. Despite worldwide outrage and debate, US talk of safeguards and reform has brought half-measures at best. The UK government has refused to answer the most basic questions about its intelligence gathering practices—and, in an astounding act of hubris, rushed through a law last week which extends surveillance powers.
The actions of the US and UK stand in stark contrast to a groundbreaking and forceful report released last week by the UN high commissioner for human rights, Navi Pillay, about privacy in the digital age. Many of her findings directly challenge US and UK arguments defending secret, mass surveillance.
Pillay found that mass surveillance was “emerging as a dangerous habit rather than an exceptional measure”. She said unchecked snooping could harm a range of human rights, including freedom of expression and association. The onus was on governments, she said, to demonstrate that their practices were necessary and proportionate. In other words, spying on everyone because you can doesn’t mean you should.
Pillay’s report followed sustained action from privacy advocates and a group of countries, led by Germany and Brazil, to press the US and UK to stop mass surveillance and safeguard the privacy of people around the world. Germany and Brazil, along with Austria, Liechtenstein, Mexico, Norway, and Switzerland, had led the drafting of the December 2013 UN General Assembly resolution calling for the high commissioner’s report—a resolution which the US and UK pushed, somewhat successfully, to water down.
Germany and Brazil’s continued leadership is crucial for keeping digital privacy on the UN human-rights agenda and driving real reform at the national level. The report will only strengthen their hand if they pursue a UN resolution on privacy later in 2014. Privacy advocates also need to scrutinise the practices of individual governments for conformity with the high commissioner’s recommendations. This is vital, not only in the face of US and UK inaction but also because many other countries are expanding their own electronic-surveillance capabilities. Unless mass surveillance becomes a global outlier, rather than the norm, privacy will disappear in the digital age.
A human-rights scorecard
Pillay’s report provides the clearest and most authoritative account to date of what the right to privacy requires—and an implicit rebuke of the US and UK’s deeply flawed defences. Privacy advocates and governments should use it as a scorecard for assessing protection of the right to privacy in all countries, starting with the US and UK.
Surveillance must be proportionate and necessary for a legitimate aim
The report applies the basic standards of international human rights law, which apply to interference with the right to privacy as with other rights: any intrusion must be necessary and proportionate to a legitimate aim, such as protecting national security or a similarly compelling state interest.
The revelations of the past year raise serious, unanswered questions about the necessity and proportionality of the US and UK surveillance practices. According to documents released by the former US National Security Agency contractor Edward Snowden, the US and UK have been intercepting the information of potentially millions of people, the vast majority of whom have no connection to terrorism or wrongdoing, as data flow along transatlantic fibre-optic cables.
In a recent analysis of a sample of intercepted communications, the Washington Post found that 90% of accounts swept up in NSA surveillance were not intended targets. Notably, US law allows the collection without a warrant of foreign communications which merely “relate to the foreign affairs of the US”—an extremely broad category. A recent opinion by the former internet-freedom director in the State Department, John Napier Tye, points out that US surveillance occurring outside its territory is subject to even fewer restrictions on the scale of collection, supporting concerns that US practices are excessively broad.
The US and UK governments contend that to find a needle in a haystack security agencies must collect the haystack. This approach seems in direct conflict with the principle of proportionality articulated by the high commissioner.
The US has taken almost no steps to curtail the scale and scope of information which the NSA can acquire about non-US persons outside the country. In January, in response to global outrage, the president, Barack Obama, announced new limitations on retention and use of information gathered through surveillance but did little to limit what could be gathered to begin with. The UK has refused to answer questions about the scale of its data-collection practices but what has been disclosed confirms what many had feared: not only is snooping happening on a mass scale but existing laws do little to protect privacy rights.
The onus is on governments to show their surveillance practices are not disproportionate—and so far the US and UK have failed.
Governments must respect everyone’s right to privacy
The high commissioner made clear that countries should respect the right to privacy, regardless of the nationality or location of those affected.
The US however denies it has any human-rights obligations to internet users beyond its borders, despite calls as recently as March from the UN Human Rights Committee to respect the privacy rights of all, at home and abroad. While it has adopted some safeguards for non-US persons as a matter of policy, these don’t go far enough to limit the scale of information collected abroad.
The UK Regulation of Investigatory Powers Act 2000 (RIPA) allows for government surveillance on broad grounds, with no independent scrutiny, and provides scant safeguards for people outside the country. In the new law hastily passed last week the UK actually extended the reach of its interception powers under RIPA to foreign internet and telecommunications companies which service UK customers. The changes meanwhile do nothing to address the lack of safeguards for people outside the UK.
Shifts in digital communications have made it especially easy for the US and UK to conduct broad, systematic surveillance of people beyond their borders. One internet company can hold the data of hundreds of millions of people worldwide and its home government may attempt to assert legal control over those data. The internet’s infrastructure often results in email being routed through several, unrelated countries—particularly the US—before it reaches the recipient.
If all governments followed the US and UK approach, they would have limited ability to protect the privacy of their own citizens against extraterritorial snooping by other countries. There would be nothing left of the right to privacy online.
Mere collection has impacts on privacy
US and UK intelligence officials contend there is no harm to privacy if personal information is gathered but not examined. The high commissioner made clear, however, that merely collecting information could interfere with privacy, regardless of whether it was ever viewed or used. Even the possibility that information in communications would be captured interfered with privacy because of the “potential chilling effect on rights”, including those of freedom of expression and association.
The report went further to recognise that metadata—data about communications—can reveal highly sensitive information, especially when digitised on a large scale. Because metadata enjoy less protection than the content of communications under many countries’ laws, including those of the US and UK, stronger safeguards are needed.
Mandatory data retention is neither necessary nor proportionate
The high commissioner confirmed that mandatory data-retention requirements for technology companies are neither necessary nor proportionate.
The European Court of Justice ruled in April that the EU’s blanket data-retention mandate breached the right to privacy, making the UK’s implementing regulations unenforceable. Such mandates require internet and mobile service providers to retain all customers’ communications data for a set period. The court said the EU mandate flouted proportionality by invading everyone’s privacy, regardless of whether they were suspected of any wrongdoing.
Yet the UK’s new emergency regulations preserve the government’s ability to compel telecommunications firms to retain personal data about all users in the country, ignoring the European court’s concerns.
Transparency, oversight and remedy
The high commissioner cited a “disturbing lack of governmental transparency” around surveillance laws, policies and practices, hindering accountability for unlawful snooping. She called for much greater transparency and emphasised that surveillance could not be justified by secret laws or policies which granted authorities too much discretion. The report also called for greater oversight by all branches of government, including the judiciary, as a check against abuse.
Intelligence officials in the US cite multiple layers of oversight in the executive, legislative, and judicial branches to protect against privacy violations. Yet its secretive foreign-intelligence court, by design, plays a very limited role in safeguarding the rights of people outside the US who may be swept up in NSA surveillance. Members of congressional committees set up to oversee national-security surveillance have also admitted to being surprised by some aspects of the programmes Snowden revealed.
In 2008, Human Rights Watch joined Amnesty International and other human-rights and labour organisations to challenge the constitutionality of one NSA programme. HRW was denied standing because it could not prove that it was under surveillance, effectively shielding US national-security surveillance policies from judicial review. The Snowden revelations may now prompt the court to reconsider its conclusion.
In the UK, oversight and accountability mechanisms have also proved inadequate to prevent abuse of surveillance powers. A person who believes one of the intelligence agencies has breached their right to privacy can file a complaint before the Investigatory Powers Tribunal, a judicial body. But if the tribunal does not uphold the claim it does not reveal whether the person’s communications were intercepted—and its decisions cannot be appealed.
The UK’s new surveillance law provides for an independent review of this entire area by May 2015, including issues of oversight, transparency and privacy. But parts of the independent reviewer’s report which the prime minister considered “contrary to the public interest or prejudicial to national security” might be excluded from the version presented to Parliament. While this review may be helpful, it should have been completed before the UK passed the new law—not afterwards.
Responsibilities of technology companies
The high commissioner said that technology companies which complied with government requests for surveillance assistance without adequate safeguards risked complicity in any resulting human-rights abuses. She said internet and telecommunications companies should assess whether their own data-collection and privacy practices could bring human-rights harm to their users, implicitly drawing a connection between company data-collection practices and government access to data which companies hold.
In response to the Snowden revelations, technology companies have begun to reveal information about how governments are asking them to assist with surveillance. But much more scrutiny is needed to ensure that companies minimise the amount of data they collect from users in the first place, as a critical safeguard against government access to personal data.
The high commissioner is expected to discuss the report’s findings during the UN Human Rights Council session in September and to formally present the report at the coming session of the General Assembly.
The report has armed Brazil, Germany and privacy activists worldwide with the ammunition to counter the flawed US and UK defences of mass surveillance. Brazil, Germany and their allies should ensure that any UN resolution they pursue directly incorporates the report’s recommendations and findings in the strongest language possible. They should resist any efforts to weaken the standards the report so soundly articulates and should reinforce the high commissioner’s call to countries to review immediately their national law and practice to ensure full conformity with international human-rights law.
Another resolution, however, is just a first step.
The Snowden revelations focused on the surveillance practices of only a handful of countries. While many governments expressed outrage about snooping by the NSA and its British counterpart, GCHQ, many also may have privately responded with envy. Though few can match the resources of the NSA or the GCHQ, governments worldwide are expanding their own digital-surveillance capabilities.
In just one example, Human Rights Watch documented how the Ethiopian government had acquired mass-surveillance equipment, enjoying thereby nearly unfettered access to intercepted mobile calls. The government has used surveillance, under the pretense of anti-terrorism efforts, to silence political dissent and harass critics.
Digital surveillance is also going to get cheaper and more efficient. Protecting the right to privacy online requires sustained scrutiny of government surveillance practices worldwide.
International human-rights bodies have paid insufficient attention to the impact of surveillance on human rights. The Human Rights Council should create a dedicated special procedure—an independent expert for the right to privacy—to take the report’s recommendations forward. The expert should examine national surveillance programmes, identify best practices to protect privacy and make recommendations for meaningful national reforms.