More than two years ago, following the Snowden disclosures, the German parliament instituted a committee to, among other things, investigate the role of the NSA's mass surveillance programs as well as its cooperation with German agencies. During last week’s hearing, five experts from the USA were invited to present their opinions and assertions to the committee. There was considerable agreement on many topics. Most interesting of all, however, were the remarks by the technical expert Chris Soghoian, chief technologist at the ACLU (the American Civil Liberties Union). He advocated embracing a technological response to the threat of surveillance.
The other panellists were Timothy H. Edgar, from the Watson Institute, who also worked as the first director of privacy and civil liberties for the White House National Security Staff; Ashley Gorski, staff attorney at the ACLU; Morton H. Halperin, senior adviser to the Open Society Foundation; and Amie Stepanovich, U.S. policy manager at Access Now.
The Legal Framework Is Inappropriate for Our Time
The very first question, asked by the chairman Patrick Sensburg (CDU), was addressed to Morton Halperin and Amie Stepanovich: „What is your motivation for having taken the trip to Berlin?“ Both respondents stressed their hope for future international agreements and that this committee might facilitate this process. Stepanovich pointed specifically to the „implementation guide for the international principles on the application of human rights to communications surveillance“ published by Access Now. Halperin noted that the USA is only one of many countries surveilling vast amounts of internet traffic. Hence, whoever seriously wants to secure privacy on the internet has to address this issue in a multi-state forum. Stepanovich urged Germany to take the lead in this process, while this committee might help spur the national discussion.
On the campaign trail, Obama once said he wanted allies who „listen to each other“. That now has a different context. Timothy Edgar said he was „shocked“ by the breadth of NSA surveillance when he first learned of it during his work for the White House National Security Staff. However, he was also surprised how seriously the intelligence agencies took their legal frameworks. For him, the major problem was not a disregard of legal limits, but rather that these limits were inappropriate for modern times.
The Choice Between Technical or Legal Protection
Most countries demand that their surveillance agencies treat their own citizens differently to foreigners in terms of privacy. For this purpose, filters are employed. Those used by the NSA or their German counterpart, the BND, work by identifying country codes from phone numbers or domain names, such as „.gov“ or „.de“. However, when someone tries to stay anonymous by using a VPN service or by buying a new SIM card abroad, the filters become absolutely ineffective. Such a choice between technical or legal protection should not exist, Soghoian explained.
The Greens' parliamentarian Konstantin von Notz later returned to this point. If there are two intelligence agencies and they share data with each other, is not everyone a foreigner somewhere? Is the legal protection in one’s home country in any way effective? Even though Timothy Edgar answered that this practice of „reverse targeting“ is clearly illegal, Mr. Soghoian brought up another point: Germans use US services like Gmail, Facebook or Instagram on a daily basis. But he himself does not use German products. So, „yes we are all foreigners to all other countries, but some of us are more often foreigners.“ That we are even taking such objections seriously, i.e. recognising the privacy needs of foreigners, is what Morton Halperin considers the most important change in recent years.
No Working System of Checks and Balances
But when asked whether progress has also been made in the legal arena, not just in the discussions, none of the experts were able to give a positive answer. Even though some minor steps like the Presidential Policy Directive 28, regulating how US agencies may conduct signals intelligence, or the EU-US privacy shield were named during the hearing, all in all the experts agreed in calling the rate of progress minimal. Ashley Gorski even declared the absence of a working system of checks and balances.
The same frustration was expressed when talking about selectors, the inputs for the surveillance systems which filter internet traffic. They can be anything from an email address to an IMEI number, a phone number or a country code. Edgar asserted that actors like the State Department can simply hand such selectors to the relevant agencies, without a robust system that checks their legitimacy. The German foreign intelligence service BND is currently employing thousands and thousands of selectors handed down by the NSA. For months the committee has been trying to understand their use. However, the German government has blocked any real access, presumably because of the loss of face, were the selectors to become public knowledge.
It’s Not Privacy Versus Security, but Security Versus Security
Nevertheless, Christopher Soghoian noted that the real scandal was not that government agencies were spying on their people, but that technology was so poorly secured that it could be exploited. Historically, encryption and security have had a very low priority for big internet companies like Google. Snowden turned the discussion upside-down: his disclosures radicalised the very people who design the software the NSA had privately exploited. Therefore, the most important post-Snowden changes were not made in government hallways but in the technological community, according to Soghoian.
But even if the USA were to introduce new, robust legislation, other countries with similar efforts to screen the internet, like Russia, China, the UK or Israel, would not be affected by it. Hence, Soghoian promoted one point of view over and over again: to embrace cyber security over law enforcement concerns. This, of course, led to a conversation we can observe in many countries worldwide: if we make services secure and encrypted, how will law enforcement agencies be able to perform their legal duties? Amie Stepanovich urged the committee to frame this discussion not as privacy versus security but as security versus security. Technology can fail, and if it is made penetrable for domestic law enforcement, it is also made penetrable for others.
Encryption as a Competitive Advantage
Christopher Soghoian does not expect the agencies to go blind in the event of widespread encryption. It would simply become more difficult and thus costlier to access information. Effectively, encryption raises the cost of surveillance and access; it does not render it impossible. State actors would be forced to concentrate on personalised instead of mass surveillance.
End-to-end encryption, for example, denies access to the content, even for the service provider. Such technology, as Soghoian explained, does not favour one government over another. He observed that more and more companies take the view that the liability of complying with local law enforcement outweighs the opportunity to monetise the content of data. While some like Yahoo were „shamed into using encryption technologies“, other companies like WhatsApp and Apple apparently see a competitive advantage in distributing encryption. Still, companies like Google take a different approach because they only encrypt the traffic between the customer and their own servers. The content is available to Google at any moment, and could therefore be demanded by state actors.
Germany Also Has Blood on Its Hands
Just as he started the session, the chair, Mr. Sensburg, ended it. He wanted to know which areas his commission could look into in the future. Mr. Soghoian gave a clear answer: He would look at German companies like the Gamma Group or Trovicor. These are manufacturers of surveillance technology which export their goods to all regions of the world. The committee could review customer lists and contracts and thereby help shine a light on their activities. When it comes to the suppression of civil rights, Germany also has „blood on its hands“.
At the end of the day, the hearing did not produce any breaking news. Nevertheless, it put on record the evaluation of esteemed experts. For the observer, the findings could be summarised as follows: the past reforms have been inadequate, and a multi-national approach would be the only way forward if we want to protect privacy. Since that is unlikely to happen, we should invest efforts and resources into making our technologies better at shielding themselves from surveillance.