2013-11-03

 

By The European Parliament.



This Briefing note aims at providing the LIBE Committee with background and contextual information on PRISM/FISA/NSA activities and US surveillance programmes and their impact on EU citizens’ fundamental rights, including privacy and data protection.

On June 5th the Washington Post and The Guardian published a secret order made under s.215 of the PATRIOT Act requiring the Verizon telephone company to give the NSA details of all US domestic and international phone calls, and “on an ongoing basis”. On June 6th the two newspapers revealed the existence of an NSA programme codenamed PRISM that accessed data from leading brands of US Internet companies.

By the end of the day a statement from Adm. Clapper (Director of NSA) officially acknowledged the PRISM programme and that it relied on powers under the FISA Amendments Act (FAA) 2008 s.702 (aka §1881a). On June 9th Edward Snowden voluntarily disclosed his identity and a film interview with him was released. In the European Parliament resolution of 4 July 2013 on the US National Security Agency surveillance programme, MEPs expressed serious concern over PRISM and other surveillance programmes and strongly condemned spying on EU official representatives and called on the US authorities to provide them with full information on these allegations without further delay.

Inquiries by the Commission, the Art.29 Working Party, and a few Member State Parliaments are also in progress.

The problem of transnational mass surveillance and democracy

Snowden’s revelations about PRISM show that cyber mass-surveillance at the transnational level induces systemic breaches of fundamental rights. These breaches lead us to question the scale of transnational mass surveillance and its implications for our democracies.

“Our government in its very nature, and our open society in all its instinct, under the Constitution and the Bill of Rights automatically outlaws intelligence organizations of the kind that have developed in police states”
(Allen Dulles, 1963)

“There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgement on that, it’s the nature of our society”
(Eric Schmidt, Executive chairman of Google, 2013)

These two quotations are separated in time by 50 years. They differ in the answers but address the same central question: how far can democratic societies continue to exist in their very nature, if intelligence activities include massive surveillance of populations? For Eric Schmidt and according to most of the media reports in the world, the nature of society has changed.

Technologies of telecommunication, including mobile phones, Internet, satellites and more generally all data which can be digitalised and integrated into platforms, have made it possible to gather an unprecedented amount of data, to keep it, to organise it, and to search it. If the technologies exist, then they have to be used: “it is not possible to go against the flow”. Therefore it is not a surprise to discover that programmes run by intelligence services use these techniques at their maximum possibilities and in secrecy.

The assumption is that if everyone else with these technical capabilities uses them, then we should too. If not, it would be naivety or even worse: a defeat endangering the national security of a country by letting another country benefit from the possibilities opened by these technologies.

However, should we have to live with this extension of espionage to massive surveillance of populations and accept it as “a fact”? Fortunately, totalitarian regimes have more or less disappeared before the full development of these capacities. Today, in democratic regimes, when these technologies are used, they are limited on purpose and are mainly centred on antiterrorism collaboration, in order to prevent attempted attacks.

According to Intelligence Services worldwide, these technologies are not endangering civil liberties; they are the best way to protect the citizen from global terrorism. Intelligence services screen suspicious behaviours and exchange of information occurs at the international level. Only “real suspects” are, in principle, under surveillance. From this perspective, far from being a “shame”, the revelations of programmes like PRISM could be seen as a proof of a good level of collaboration, which has eventually to be enhanced in the future against numerous forms of violence.

Faced with this “recital” given by the most important authorities of the different intelligence services and the antiterrorism agencies in the US, in the UK, in France, and at the EU level, it is critical to discuss the supposedly new nature of our societies. The impact of technological transformations in democratic societies, how to use these technologies as resources for both information exchange and competition over information (a key element of a globalised world), what are the rights of the different governments in processing them: these are the core questions.

As stated by Allen Dulles above, justifications given by intelligence services work in favour of a police state and against the very nature of an open society living in democratic regimes. Proponents of an open society insist that, against the previous trend, technologies ought not to drive human actions; they have to be used in reasonable ways and under the Rule of Law. The mass scaling has to be contained. Constitutional provisions have to be applied, and the presumption of innocence is applicable for all human beings (not only citizens).

If suspicions exist, they have to be related to certain forms of crime, and not marginal behaviours or life styles. Hence, what is at stake here is not the mechanisms by which antiterrorism laws and activities have to be regulated at the transatlantic level, even if it is a subset of the question. It is not even the question of espionage activities between different governments. It is the question of the nature, the scale, and the depth of surveillance that can be tolerated in and between democracies.

Snowden’s revelations highlight numerous breaches of fundamental rights. This affects in priority all the persons whose data have been extracted via surveillance of communications, digital cables or cloud computing technologies, as soon as they are under a category of suspicion, or of some interest for foreign intelligence purposes. However, all these persons are not protected in the same way, especially if they are not US citizens.

The EU citizen is therefore particularly fragile in this configuration connecting US intelligence services, private companies that provide services at the global level and the ownership they can exercise over their data. It is clear that if EU citizens do not have the same level of protections as the US citizens, because of the practices of the US intelligence services and the lack of effective protections, they will become the first victims of these systems.

Freedom of thought, opinion, expression and of the press are cardinal values that have to be preserved. Any citizen of the EU has the right to have a private life, i.e., a life which is not fully under the surveillance of any state apparatus. The investigative eyes of any government have to be strongly reminded of distinctions between private and public activities, between what is a crime and what is simply a different life-style.

By gathering massive data on life-styles in order to elaborate patterns and profiles concerning political attitudes and economic choices, PRISM seems to have allowed an unprecedented scale and depth in intelligence gathering, which goes beyond counter terrorism and beyond espionage activities carried out by liberal regimes in the past. This may lead towards an illegal form of Total Information Awareness where data of millions of people are subject to collection and manipulation by the NSA.

This note wants to assess this question of the craft of intelligence and its necessary limits in democracy and between them. As we will see, through the documents delivered by Snowden, the scale of the PRISM programme is global; its depth reaches the digital data of large groups of populations and breaches the fundamental rights of large groups of populations, especially EU citizens. The EU institutions have therefore the right and duty to examine this emergence of cyber mass-surveillance and how it affects the fundamental rights of the EU citizen abroad and at home.

Privacy governance: EU/US competing models

A careful analysis of US privacy laws compared to the EU Data Protection framework shows that the former allows few practical options for the individual to live their lives with self-determination over their personal data. However a core effect of Data Protection law is that if data is copied from one computer to another, then providing the right legal conditions for transfer exist, the individual cannot object on the grounds that their privacy risk increases through every such proliferation of “their” data. This holds true if the data is copied onto a thousand machines in one organization, or spread onward to a thousand organisations, or to a different legal regime in a Third Country.

The individual cannot stop this once they lose possession of their data, whereas for example if the data was “intellectual property”, then a license to reproduce the data would be necessary by permission. We are all the authors of our lives, and it seems increasingly anomalous that Internet companies lay claim to property rights in the patterns of data minutely recording our thoughts and behaviour, yet ask the people who produce this data to sacrifice their autonomy and take privacy on trust.

The EU Data Protection framework in theory is categorically better than the US for privacy, but in practice it is hard to find any real-world Internet services that implement DP principles by design, conveniently and securely. Privacy governance around the world has evolved around two competing models. Europe made some rights of individuals inalienable and assigned responsibilities to Data Controller organizations, whereas in the United States companies inserted waivers of rights into Terms and Conditions contracts allowing exploitation of data in exhaustive ways (known as the “Notice-and-Choice” principle).

The PRISM crisis arose directly from the emerging dominance over the last decade of “free” services operated from remote warehouses full of computer servers, by companies predominantly based in US jurisdiction, that has become known as Cloud computing. To explain this relationship we must explore details of the US framework of national security law.

Scope and structure

It is striking that since the first reports of “warrantless wiretapping” in the last decade, and until quite recently in the PRISM-related revelations, European media have covered US surveillance controversies as if these were purely parochial arguments about US civil liberties, apparently oblivious that the surveillance activity was directed at the rest of the world.

This note aims to document this under-appreciated aspect. It will show that the scope of surveillance conducted under a change in the FISA law in 2008 extended beyond interception of communications to include any data in public cloud computing as well. This has very strong implications for the EU’s continued sovereignty over data and the protection of its citizens’ rights. The aim here is to provide a guide to how surveillance of Internet communications by the US government developed, and how this affects the human right to privacy, integrating historical, technical, and policy analysis from the perspective of the individual EU citizen.

The Note will therefore cover the following:

- (I) An account of US foreign surveillance history and current known state

- (II) An overview of the main legal controversies both in US terms, and the effects and consequences for EU citizens’ rights

- (III) Strategic options for the European Parliament and recommendations

1. HISTORICAL BACKGROUND OF US SURVEILLANCE

KEY FINDINGS

A historical account of various US surveillance programmes (precursors to Echelon, PRISM, etc.) and US legislation in the field of surveillance (FISA and FAA) shows that the US has continuously disregarded the fundamental rights of non-US citizens.

In particular, the scope of FAA coupled with expressly ‘political’ definitions of what constitutes ‘foreign intelligence information’ creates a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US, which eludes effective control by current and proposed EU Data Protection regulation.

A historical account of US surveillance programmes provides the context for their interpretation as the latest phase of a system of US exceptionalism, with origins in World War II. These programmes constitute the greatest contemporary challenge to data protection, because they incorporated arbitrary discriminatory standards of treatment strictly according to nationality and geopolitical alliances, which are secret and incompatible with the rule of law under EU structures.

1.1. World War II and the origins of the UKUSA treaties

In the 1970s there were the first disclosures of the extent of Allied success in WWII cryptanalysis. The world discovered the secret history of Bletchley Park (aka Station X), Churchill’s signals intelligence headquarters. The story of post-war secret intelligence partnerships at the international level is intertwined with the personal trajectory of Alan Turing, a great mathematician and co-founder of computer science, who was critical to the effort to design automated machines which could feasibly solve ciphers generated by machine, such as Enigma (used for many Nazi Germany communications).

Alan Turing travelled to the US in 1942 to supervise US Navy mass-production of the decryption machines (called ‘bombes’) for the Atlantic war, and to review work on a new scrambler telephone at Bell Laboratories to be used for communications between Heads of Government. Unfortunately Turing was not equipped with any letters of authority, so he was detained by US immigration as suspicious until rescued by UK officials in New York.

What was initially supposed to be a two-week trip turned into months, as no precedent existed to grant even a foreign ally security clearance to the laboratories he was supposed to visit. There followed several months of fraught UK diplomacy and turf wars between the US Navy and Army, since the latter had no “need-to-know” about Ultra (the name given to intelligence produced from decryption at Bletchley). The UK wanted as few people as possible in on the secret, and the disharmony thus experienced inside the US military security hierarchies became known as “the Turing Affair”.

These were the origins of the post-war secret intelligence partnership between the US and UK as “first” parties, Canada/Australia/New Zealand as second parties, and other nations with lesser access as third parties. The treaty is named UKUSA, and we know the details above about its genesis because in 2010 the US National Security Agency declassified the unredacted text of UKUSA treaties up until the 1950s with related correspondence (the current text is secret). Source: UKUSA Agreement Release 1940-1956, Early Papers Concerning US-UK Agreement – 1940–1944, NSA/CSS.

GCHQ did not declassify much in comparison, although the occasion was billed as a joint exercise. The purpose of the UKUSA treaties was to establish defined areas of technical cooperation and avoid conflicts. However, no general “no spy” clause appears in the versions published up until the 1950s, only expressions of amity comparable to public treaties. It is not known whether any comprehensive secret “no spy” agreement exists today between the UK and US, and neither has ever given legislative or executive comment on the matter.

1.2. ECHELON: the UKUSA communications surveillance nexus

From the founding of the US National Security Agency (NSA) in 1952 throughout the Cold War, both the UK and US vastly expanded their signal intelligence capacities, collecting from undersea cables at landing points, satellites intercepting terrestrial microwave relays, and arrays of antennae usually sited in military bases and embassies. The evolution and nature of these capabilities were documented from open source research in two reports to the European institutions culminating in the Parliament’s inquiry into ECHELON in 2000.

ECHELON was in fact a codeword for one particular surveillance system, but became in common usage a synecdoche for the entire UKUSA communications surveillance nexus. The last meeting of the EP inquiry committee was on September 10, 2001. The Committee recommended to the European Parliament that citizens of EU member states use cryptography in their communications to protect their privacy, because economic espionage with ECHELON had obviously been conducted by the US intelligence agencies.

1.3. 1975-1978: Watergate and the Church Committee

After the US was convulsed by the Watergate scandal culminating in the resignation of Richard Nixon, Senator Frank Church led a Congressional committee of inquiry into abuses of power by law-enforcement and intelligence agencies which had conducted illegal domestic wire-tapping of political and civic leaders under presidential authority, and contrary to the Fourth Amendment of the US constitution which protects privacy against unreasonable searches without a particular warrant, issued on “probable cause” (meaning evidence of a 50% likelihood of criminality).

The Church inquiry reported on the question of whether the Fourth Amendment restricts the mass-trawling and collection of international communications, which they discovered had been secretly conducted since the 1940s on telegrams. The inquiry canvassed that inadvertent collection of Americans’ data transmitted internationally was tolerable, if procedures were made for “minimization” of erroneous unwarranted access (and mistakes not used prejudicially against Americans).

This idea was codified into the first Foreign Intelligence Surveillance Act of 1978 (FISA), which regulated the interception of international (and domestic) “foreign intelligence information” from telecommunications carriers. Collection of data by any nation from outside its territory is literally lawless and not restricted by any explicit international agreements.

1.4. The post-9/11 context: extension of intelligence powers

After the terrorist attacks of September 11th 2001, privacy and data protection have been deeply challenged by exceptional measures taken in the name of security and the fight against terrorism. The USA PATRIOT Act of 2001 was enacted by the US Congress on October 26, 2001, and its primary effect was to greatly extend law enforcement agencies’ powers for gathering domestic intelligence inside the US.

The revised Foreign Intelligence Surveillance Amendment Act of 2008 (FAA) created a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US. These aspects and their implications for EU citizens will be analysed in the following section (Section 2). Numerous new surveillance programmes and modalities were further suggested to President Bush by NSA Director Gen. Hayden, without explicit authorization under statute, and approval was nevertheless given.

Those programmes were retroactively deemed lawful in secret memoranda prepared by a relatively junior legal official, under the Authorisation to Use Military Force (AUMF) for the war in Afghanistan and associated War on Terror operations. Amongst these programmes was one codenamed Stellar Wind which involved placing fibre-optic cable “splitters” in major Internet switching centres, and triaging the enormous volumes of traffic in real-time with a small high-performance scanning computer (known as a deep-packet inspection box), which would send data filtered by this means back to the NSA.

An AT&T technical supervisor in the San Francisco office was asked to assist in constructing such a facility (“Room 641A”) and was concerned that this activity manifestly broke US Constitutional protections, because the cable carried domestic as well as international traffic. He took his story with documentation to the New York Times, which did not publish the story for a year, until 2005 after the re-election of President Bush.

Other whistle-blowers from the NSA, CIA and FBI emerged with tales of illegal mass-surveillance via mobile phones, the Internet and satellites, and even revealed that phone calls of Barack Obama (he was then Senator) and Supreme Court judges had been tapped. The controversy was exacerbated because two years before, a former National Security Adviser had proposed a research programme for Total Information Awareness - T.I.A., a massive system of surveillance of all digital data, processed with advanced artificial intelligence algorithms to detect terrorist plots.

Immediate adverse media commentary prompted the US Congress to de-fund research into T.I.A., but rumours persisted that it had been absorbed into an intelligence “black budget”. When the “warrantless wiretapping” allegations surfaced in a series of press reports from The New York Times, The Los Angeles Times, and The Wall Street Journal, the resonance with the supposedly cancelled T.I.A. project intensified the level of public unease.

1.5. Edward Snowden’s revelations and PRISM

On June 5th The Washington Post and The Guardian published a secret order made under s.215 of the PATRIOT Act requiring the Verizon telephone company to give the NSA details of all US domestic and international phone calls, and “on an ongoing basis”. On June 6th the two newspapers revealed the existence of an NSA programme codenamed PRISM, which accessed data from leading brands of US Internet companies. By the end of the day a statement from Adm. Clapper (Director of NSA) officially acknowledged the PRISM programme and that it relied on powers under the FISA Amendment 2008 s.1881a/702.

On June 9th Edward Snowden voluntarily disclosed his identity and a film interview with him was released. The primary publication was in three newspapers: The Guardian, The Washington Post, and Der Spiegel. Four journalists have played a central role in obtaining, analysing and interpreting this material for the public: Barton Gellman, Laura Poitras, Jacob Appelbaum and Glenn Greenwald. They were joined by The Guardian (US edition), the New York Times in conjunction with ProPublica after the UK government insisted on destruction of The Guardian’s copy of the Snowden material in their London offices, under the supervision of GCHQ.

What can be referred to as the ‘PRISM scandal’ revealed a number of surveillance programmes, including:

1.5.1 “Upstream”

The slides published from the Snowden material feature references to “Upstream” collection programmes by the NSA adumbrated by various codewords. Data is copied from both public and private networks to the NSA from international fibre-optic cables at landing points, and from central exchanges which switch Internet traffic between the major carriers, through agreements negotiated with (or legal orders served on) the operating companies (and probably also by intercepting cables on the seabed when necessary).

1.5.2 XKeyscore

The XKeyscore system was described in slides (dated 2008) published by The Guardian on the 31st of July. It is an “exploitation system/analytic framework”, which enables searching a “3 day rolling buffer” of “full take” data stored at 150 global sites on 700 database servers.

The system integrates data collected from US embassy sites, foreign satellite and microwave transmissions (i.e. the system formerly known as ECHELON), and the “upstream” sources above. The system indexes e-mail addresses, file names, IP addresses and port numbers, cookies, webmail and chat usernames and buddylists, phone numbers, and metadata from web browsing sessions (including words typed into search engines and locations visited on Google Maps).

The distinctive advantage of the system is that it enables an analyst to discover “strong selectors” (search parameters which identify or can be used to extract data precisely about a target), and to look for “anomalous events” such as someone “using encryption” or “searching for suspicious stuff”.

The analyst can use the result of these index searches to “simply pull content from the site as required”. This system of unified search allows retrospective trawling through 3 days (as of 2008) of a much greater volume of data than is feasible to copy back to the NSA. The system can also do “Persona Session Collection” which means that an “anomalous event” potentially characteristic of a particular target can be used to trigger automatic collection of associated data, without knowledge of a “strong selector”.

It is also possible to find “all the exploitable machines in country X” by matching the fingerprints of configurations which show up in the data streams captured, with NSA’s database of known software vulnerabilities. The slides also say it is possible to find all Excel spreadsheets “with MAC addresses coming out of Iraq”. Slide 17 is remarkable because it contained the first intimations of systemic compromise of encryption systems (see BULLRUN below).

1.5.3 BULLRUN

BULLRUN is the codename for an NSA programme, running for the last decade, for an “aggressive multi-pronged effort to break into widely used encryption technologies”, revealed in a joint Guardian/New York Times story on September 1st. This programme has caused the greatest shock amongst the Internet technical security community of all the Snowden material so far, and frantic efforts are underway worldwide to assess which systems might be vulnerable, and to upgrade or change keys, ciphers and systems, not least because adversaries in hostile countries will now be trying to discover any backdoor mechanisms previously only known by the NSA.

The programme budget is $250m per annum, and may use some of the following methods: collaboration with vendors of IT security products and software, mathematical cryptanalysis and “side-channel” attacks, forging of public-key certificates, infiltrating and influencing technical bodies towards adopting insecure standards, and likely use of coercive legal orders to compel introduction of “backdoors”.

It is important to stress that no evidence has emerged (yet) that the fundamental cipher algorithms in common use have been broken mathematically; however, over the past few years doubts have grown about vulnerabilities in the complex “protocols” used to set up and ensure compatibility amongst the software in common use.

FISA 702 may require a service provider to “immediately provide the government with all information, facilities, or assistance necessary to accomplish the acquisition” of foreign intelligence information, and thus on its face could compel disclosure of cryptographic keys, including the SSL keys used to secure data-in-transit by major search engines, social networks, webmail portals, and Cloud services in general. It is not yet known whether the power has been used in this way.

Notes:

- On the Excel spreadsheets “with MAC addresses coming out of Iraq” (XKeyscore slides): this seems anomalous because ostensibly Microsoft stopped incorporating the MAC address in the GUID (Global Unique Identifier – a way of generating a unique document index number) with Office 2000, and MAC addresses are not correlated to a particular country (unless somehow the NSA has obtained a comprehensive database or built one somehow specially for Iraq or is able to monitor and collect WiFi signals at long range and/or systematically).

- On slide 17 of the XKeyscore slides: “Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users” – a VPN (Virtual Private Network) is an “encrypted tunnel” between the user’s computer and a VPN provider, so Internet traffic notionally appears to originate from the VPN provider rather than the user, for privacy and security reasons.

- On BULLRUN: the corresponding codename of the similar GCHQ cryptographic penetration programme is EDGEHILL (curiously, both are names of battles from each country’s civil war); it is outside the scope of this Note.

- Joint Guardian/New York Times story: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

To keep reading this great article: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/briefingnote_/briefingnote_en.pdf

 
