
Privacy Perspectives | Don’t Strike Down the Safe Harbor Based on Inaccurate Views About U.S. Intelligence Law


Important legal decisions should be based on an accurate understanding of the law and facts. Unfortunately, that is not the case for the Advocate General’s (AG’s) recent Opinion finding the Safe Harbor agreement between the U.S. and the EU unlawful. As the U.S. Mission to the EU has also noted, the Opinion suffers from particular inaccuracies concerning the law and practice of U.S. foreign intelligence law, notably the PRISM program. It relies on these incorrect facts about PRISM to reach its conclusion, removing the factual basis for its overall findings.

My comments here focus on the Opinion’s incorrect description of U.S. intelligence law and practice. In my experience as a scholar and practitioner in the field, the U.S. has far more extensive legal rules, oversight and other checks and balances on intelligence agencies than is generally true in E.U. member states.

The AG’s opinion reflects the frustration and anger of many Europeans and Americans who learned about practices of the U.S. and European intelligence agencies from documents leaked by Edward Snowden beginning in June, 2013. The scope and nature of the intelligence surveillance far exceeded what most people previously understood. As a long-time legal scholar on these issues, and participant in previous rounds of policy debates, I have shared the view that important new legal checks and balances have been needed on intelligence activities. I also have sympathy and respect for the goals of European data protection law, having written a book on the subject as well as participating in the negotiation of the Safe Harbor itself.

One response to the public concern was that President Obama created an independent Review Group on Intelligence and Communications Technology, to advise him on how to respond to concerns about intelligence agency activities. In my role as one of the five members, I know that we were briefed at the most classified levels, were provided all of the information and briefings we requested, and issued our 300-page report in December, 2013. The administration informed us that it has adopted at least 70 percent of our 46 recommendations; in addition, all of the major provisions of the USA Freedom Act, passed by Congress in 2015, were derived from Review Group recommendations.

None of these legal and administrative changes is reflected in the AG’s Opinion.

This lapse is particularly troubling because the Opinion based its analysis on the following statement: “In order to ensure effective judicial review of that type of decision, the assessment of its validity must therefore in my view be carried out by reference to the current factual and legal context.” (emphasis added) Unfortunately, the Opinion reached its conclusions with no reference to changes since 2013, and based on a demonstrably incorrect reading of the applicable law.

The central factual inaccuracies of the Opinion concern the PRISM program. It is worthwhile examining this issue in some depth, due to its status as the key factual basis for the AG’s views.

The Opinion bases itself on the Snowden revelations: “According to those revelations, the NSA established a programme called ‘PRISM’ under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the Internet and technology field, such as Facebook USA.” Later, the Opinion states as fact: “Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.” The Opinion says the access covers “in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued.” It adds that, for information transferred by a company such as Facebook to the U.S., there is “mass, indiscriminate surveillance.”

As has been widely reported and based on my work on the Review Group, the PRISM program is governed by Section 702 of the law enacted in 2008 to amend the Foreign Intelligence Surveillance Act. The Review Group, in its Appendix B, set forth privacy protections applicable to Europeans and other non-U.S. persons under the law. Together these show the enormous gap between the statements in the Opinion and U.S. law and practice:

(1) Targeting must be for a valid foreign intelligence purpose in response to National Intelligence Priorities;

(2) Targeting must be under a Foreign Intelligence Surveillance Court (FISC) approved Section 702 Certification and targeted at a person overseas;

(3) All targeting is governed by FISC-approved targeting procedures;

(4) Specific communications identifiers (such as a phone number or email address) are used to limit collections only to communications to, from, or about a valid foreign intelligence target;

(5) Queries into collected data must be designed to return valid foreign intelligence and overly broad queries are prohibited and supervised by the FISC;

(6) Disseminations to external entities, including select foreign partners (such as E.U. member states), are made for valid foreign intelligence purposes; and

(7) Raw data is destroyed after two years or five years, depending on the collection source.

In addition to the Review Group, the five-member, independent Privacy and Civil Liberties Oversight Board (PCLOB) issued a 191-page report on Section 702 in July, 2014. The PCLOB has precisely the attributes of independence and investigatory powers that European privacy officials have long emphasized; indeed, in contrast to the essentially non-existent powers of European Data Protection Authorities in intelligence matters, the PCLOB has the ability to conduct investigations based on classified briefings about the nation’s anti-terrorist surveillance activities. The PCLOB’s general findings are inconsistent with the factual statements in the Opinion: “Overall, the Board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence. The program has operated under a statute that was publicly debated, and the text of the statute outlines the basic structure of the program. Operation of the Section 702 program has been subject to judicial oversight and extensive internal supervision, and the Board has found no evidence of intentional abuse.”

In short, based on investigation by an independent agency, the program has been necessary, effective and governed by law.

The independent Review Group and PCLOB reports refute the factual basis for the AG’s Opinion. Instead of the alleged “unrestricted access to bulk data,” the PCLOB found that the “program does not operate by collecting communications in bulk.” Instead of applying to “all means of electronic communications,” the program applies only to “specific communications identifiers” where the communication is to, from or about a valid foreign intelligence target. Instead of applying “without any differentiation, limitation or exception according to the objective of general interest pursued,” the program applies only to persons and queries for defined foreign intelligence purposes.

The U.S. government’s reforms and review have continued since the Review Group and PCLOB reports. We have witnessed a broader range of changes relevant to EU citizens than most have realized. Early in 2015, the PCLOB issued an assessment of how its recommendations have been implemented, finding: “The administration has accepted virtually all recommendations in the Board’s 702 report.” As one example relevant to the AG’s concern about indiscriminate surveillance unrelated to a legitimate purpose, the PCLOB recommended and the administration has accepted new definitional and oversight procedures about the purpose of each surveillance request. The new procedures create stricter definition and documentation of the purpose of each request, subject to two levels of approval within the NSA as well as independent judicial review by the FISC.

The Section 702 discussion here illustrates the dense web of rules and oversight that exists for information collection by U.S. intelligence agencies seeking data held in the U.S. Transfer of data to the U.S. therefore does not remove legal protections against intelligence activities compared to data held in the E.U.

5 Comments

  • John Kropf • Oct 5, 2015
    Well said and there is no better authority to set the record straight. I suppose, however, if you want to reach a certain policy result even the facts can be ignored. More fundamentally, I wonder if the ECJ will fail to see that data protection issues have to apply principles of international law when it interacts with other legal systems. A fundamental principle of international law is that every sovereign state is bound to respect the independence of every other sovereign state, and the courts will not sit in judgment of another government's acts done within its own territory.
  • Joerg Steinhaus • Oct 6, 2015
    The ECJ decision is a political one. It is based on a European understanding of basic rights which differs from the ideas on the other side of the Atlantic. To discuss these different points of view is important for a new and common agreement on the processing of personal data. And it is the result of the Snowden revelations to do so. Therefore, the ECJ decision is based on right assumptions and a great signal that mass surveillance is against our, hopefully: common, values. Now we should look forward how to handle the emerging challenges of international data transfers.
  • Steve Sanford • Oct 6, 2015
    "The PCLOB’s general findings are inconsistent with the factual statements in the Opinion: “Overall, the Board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence."
    Please cite at least ONE example to back up this statement. Can you say that the Boston bombings were prevented?
    Can you say that any violent act or act of internal spying by a state federal employee or contractor (such as Snowden) was caught?
    Can we cite any occurrence of any act being stopped or mitigated?
  • Neil Riemann • Oct 6, 2015
    Thanks for the illuminating analysis and many good points. But it is an unfortunate consequence of our government's longstanding and affirmative effort to deceive the public about its practices in this area that foreign courts are unexcited about extending us the benefit of the doubt and uninterested in engaging in the fine analysis of US intelligence practices. This is particularly true because people tend to believe that if they are deceived once, the deception might be ongoing.
  • Shava Nerad • Oct 11, 2015
    Perhaps the court was not explicit in entering the evidence between 2013 and 2015, but it is out there.  The FISC has protested how the NSA has ignored their guidance.  Google publishes quarterly (delayed) reports as to the thousands of National Security Letters it is served and required to fulfill constantly under the requirements of the USA PATRIOT Act.  
    
    The US standards for protecting user data from breaches are that we close the doors after the horse is stolen, which is completely different from the EU -- VISA/MC went out of their way to cover for Target so as to preserve "consumer confidence" rather than censure them for violating their obligation to protect user data privacy and security as obligated by contract.  The CFAA keeps our businesses dependent on a weak standard of evidence, so prosecutors can use really slack technical work to bring in cases, and businesses can use CFAA threats to bargain with gray security researchers for patches.
    
    Angela Merkel's government leaked that her cell phone was tapped by the NSA and that our president told her, basically, to suck it up -- a woman who grew up in East Germany under the Stasi, who told Obama that his high policing was like the Stasi.
    
    These are American cultural and business and governmental phenomena.  To the outside world, they look insane.
    
    Critiques of these institutions should give us pause, but of course, such noise is just something that came out of the foreign press -- like this decision -- and therefore people such as yourself dismiss it.
    
    I believe that we should be, like Europe, treating user privacy as consumer protection, as well as civil liberties.  
    
    Without privacy, civic dissent withers.  COINTELPRO and the birth of the FISC court are great examples of the abuse of high policing in our recent history.  Our nation would have been stillborn without the use of pseudonymous and anonymous publishing by our founders, for example in our Revolutionary War and during the Constitutional Congress.
    
    But today, privacy is under fire from the engines of marketing -- the loudest and most compelling voices in our culture.  Commercial interest in selling the public on the death of privacy is against the best interests of the republic, but there's very little money opposing it.  And as we all know, money is political speech.
    
    I really hope that outside pressure is enough to give us the incentive to actually form up a "Church Committee" with teeth -- something that we will never create out of a Congress under surveillance.
    
    Today, asymmetrical wars are fought with violence (rarely, and more successfully, with nonviolence); symmetrical wars are fought with economics and more subtle tools, including every tool in the obscurantist's quiver.  The spy/surveillance, high policing, chilling effects, propaganda, big lies, pressure to conform through cultural/economic norms.  These tools are available to democracies, if the electorate can be disengaged from oversight and civic literacy.  If the "political class" can be convinced that the electorate must be manipulated, rather than engaged.
    
    We all need to be honest about where we are in this conflict.  On the side of the consumer?  On the side of the electorate?  On the side of government reform?  On the side of American business being better trusted abroad?
    
    Just the sheer idiocy of having the FBI stand before Congress speaking against strong encryption -- the foundation of our modern economy?  Our banks, markets, commodities, e-commerce?  
    
    That the FBI this week admitted that their reporting of police violence against civilians was inaccurately reported, and The Guardian and the Washington Post had better numbers -- and that was "ridiculous" was refreshing.  But that no one, including the newspapers involved, bothered to note that this implied that the reports that the FBI had published using the same flawed methodology for decades were also flawed, implies that we simply republish government statements.  Or people who give government a blank check, such as yourself.
    
    We can't afford this.
    
    We need better long term solutions, and they may not include Adm. John Poindexter's paranoid inheritances in uncompromising contrast with American business interests.  We can not live in a safe world, and we can not live in a world where the American public lives in an isolated oasis without risks.
    
    We have to reasonably introduce our people to the global situation, and diffuse the GWOT bloat before it takes over our government irreducibly.
    
    We need to talk about that openly -- not privately.  We need better dialogue, point by point, looking for solutions.
    
    Shava Nerad
    former executive director, The Tor Project
    retired, speaking for myself