Yesterday, the relatively new National Security Agency Civil Liberties and Privacy Office released its second report, examining the privacy protections utilized for surveillance under Executive Order 12333. A Freedom of Information Act request by the ACLU recently revealed that 12333 is one of the most used surveillance authorities, yet the 17-page report didn’t contain much information that wasn’t already on the record. And what it did contain is nearly useless, as surveillance expert Marcy Wheeler has already pointed out, because it is limited to “targeted” cases, and therefore doesn’t pertain to bulk collection – surveillance where the U.S. government collects everything.
However, there is a second, larger hole in the report. You see, 12333 is the authority that U.S. federal agencies cite to justify surveillance that is neither prohibited under the Constitution nor regulated under existing federal law. As such, most 12333 surveillance takes place outside the United States, with intelligence agencies collecting vast amounts of personal information from people who reside elsewhere in the world. However, in an omission that by itself speaks volumes, the NSA’s report does not cover non-U.S. persons:
The report focuses only on U.S. person protections. PPD-28 states that intelligence community elements shall establish policies and procedures that apply various principles for safeguarding personal information collected from signals intelligence activities equally to the personal information of all persons, regardless of nationality, to the maximum extent feasible consistent with national security. NSA is in the process of developing implementation instructions consistent with PPD-28.
TL;DR: The NSA wants to give people in the U.S. more information so that they can engage in a dialogue about how to incorporate additional protections. But when it comes to those outside the U.S., the agency is silent: No additional information on what protections are in place now (hint: there are few to none) and no word on what the future will look like. Those who have been following this issue for a while will note that the U.S. Privacy and Civil Liberties Oversight Board also punted recently on examining the rights of non-U.S. persons in its report on Section 702 of the FISA Amendments Act. The failure of the United States to examine or report on its surveillance of more than 95% of the world’s population sends one clear message: We don’t care about the rest of you.
Collateral Damage
The global population has become collateral damage in the race to collect surveillance data. However, this wasn’t always the case. Traditional limitations on surveillance – limitations that spring from its reliance on human observation – meant that operations were largely targeted toward an individual or a group. The internet, and electronic communications in general, has changed that. Now, on a scale never before seen, surveillance has become automated, meaning that individual communications of an entire country can be swept up in a government’s dragnet with a single underwater fiber tap.
In those communications, the U.S. finds a wealth of data. 12333 specifically authorizes surveillance of “foreign intelligence,” or “information relating to the capabilities, intentions and activities of foreign powers, organizations or persons.” Essentially, this definition encompasses every communication of non-U.S. persons. But in the way that people in the U.S. would never accept the collection, analysis, and retention of their own phone calls or emails, they do not raise much of an eyebrow when the collection is the most private conversations of “them.”
People outside the U.S. have families. They have wives and boyfriends and children, they have fears, dreams, mortgages, car payments, bosses they hate, and illnesses they battle. Most people outside the U.S., just like most people in the U.S., will never pose a risk to anyone’s national security; they will do their best to live their lives and be happy. So why is it acceptable that they get treated differently? The short answer is that it is not, and while I could hypothesize at length for the reason for this “us” versus “them” distinction, the most important thing is that there is a distinction. And it is not acceptable.
A global problem
This is not only a U.S. problem. This is not only “American exceptionalism” at play. Some will argue with this. Some will say that the U.S. is the source of all surveillance woes, but those people are wrong. This is a problem of domestic exceptionalism generally: A problem with individuals caring more about themselves than others in the rest of the world, which, sadly, only perpetuates surveillance that impacts everyone. Surveillance is a global problem, and it requires a global solution.
However, the U.S. is a good place to start. First, its military budget (approximately equal to the next nine highest-spending countries on military, combined) is large enough to accommodate the bulkiest of bulk surveillance programs. In addition, the U.S. is home to the largest internet companies in the world, providing easy access to a vast array of user information. Finally, we now have more information about U.S. practices, with thanks to Edward Snowden, in a way we are not as educated on what the rest of the world is doing (though we need to be).
But the U.S. stance as the surveillance heavyweight may not last forever. Countries all over the world are increasing their military spending. Additionally, many are passing laws, like Russia’s data localization law, which would increase local access to information in the possession of foreign companies. Finally, previously untouchable companies are starting to feel the pain in their user numbers. Ello recently joined the social media scene as a potential competitor to Facebook, which has taken yet another public relations hit in the wake of strictly enforcing its real name policy (it has since pledged to revise the policy). While it is unclear what the future for companies like Ello are, one can’t help but acknowledge that the next Google, LinkedIn, or Instagram could be headquartered in China or Turkey.
Looking ahead
As always, admitting we have a problem is the only way to start solving the problem. So waking up to the state of exceptionalism and the need for answers is a good start. Another initial step would be broad government adoption of the International Principles on the Application of Human Rights to Communications Surveillance: thirteen principles, rooted in international law and policy, that serve to inform the public debate on the appropriate limits of government surveillance.
Next, it is time to start a global, multi-stakeholder, public conversation about how surveillance can and should be conducted. I’m not asking for countries to out their super-secret spy tools, only to discuss candidly, though perhaps generally, how effective surveillance operations can be structured to avoid large dragnets and focus instead on individual users who pose genuine threats to security. Bulk surveillance should not be a crutch to compensate for government blindspots. Solutions are needed, but not at the cost of the privacy and individual security of users around the world. And these solutions can’t only look at today’s problems; they must address the problems of the future, and those problems, like the internet itself, are borderless.