Even 10 years on, Edward Snowden's disclosures of U.S. government surveillance programs continue to make an impact on law and policy debates, particularly those involving privacy. His actions changed the coordinates of discussions not only about the balance between national security and privacy but about whistleblowing, journalism, trust in government and freedom of information. While the disclosures may have provided some answers, they generated at least as many new questions. Indeed, the picture today remains as complicated as ever.
The historical moment of the Snowden disclosures
The Snowden revelations happened at a unique point in time for privacy and data protection law. Just a year earlier, the European Commission proposed the EU General Data Protection Regulation, which was in the midst of significant debate and reforms and several years away from adoption. At the time, the EU-U.S. Safe Harbor Framework was still up and running. Of course, Maximilian Schrems was just weeks away from lodging his complaint with the Irish Data Protection Commission that would pave the way for the Court of Justice of the European Union to render it invalid a couple of years later.
Did Snowden's revelations achieve what he sought to, assuming his goal was to reform to U.S. surveillance laws? In other words, did the Snowden disclosures bring about significant reform to U.S. government surveillance programs?
Even with 10 years' worth of hindsight and perspective, this remains a difficult question. An important first step in trying to answer it, though, is to return to the U.S. government's initial response to the leaks.
Legal reforms following the Snowden leaks
Following the disclosures, President Barack Obama took several executive actions. One of the most important was to task the five-member Privacy and Civil Liberties Oversight Board with reviewing and making recommendations regarding the bulk telephone record collection program, known as Section 215 of the Patriot Act, and the program that allows surveillance of non-U.S. citizens, Section 702 of the Foreign Intelligence Surveillance Act. In 2014, PCLOB issued its reports on Section 215 and Section 702, which included a series of recommendations for the reform of both.
While Section 215 expired in 2020 due to its sunset clause, the PCLOB is now developing a new report on Section 702, due later this year, to inform current public and congressional debate over its reauthorization.
Did the USA Freedom Act "fix" the Patriot Act?
Perhaps the most important legal reform following the Snowden disclosures was the passage of the USA Freedom Act, which ended the telephone metadata collection program in Section 215. Recall, it included information about who phone users call, when they call and for how long. There were several other important reforms the USA Freedom Act brought about. For example, it declassified Foreign Intelligence Surveillance Court opinions containing significant legal interpretations or required summaries if declassification was not possible. It also added new transparency requirements, allowing companies to publicly report information about the number of FISA orders they receive. In addition, it created a five-person amicus panel of part-time, outside attorneys before the FISA Court to represent the public's interest in cases involving novel or important legal issues.
There is at least partial agreement that the USA Freedom Act righted some of the wrongs of the Patriot Act. At the time it was proposed, the American Civil Liberties Union, which was supportive of the bill, said that while it "does not fix every problem with the government’s surveillance authorities and programs, it is an important first step." After it was signed by President Obama, Sen. Ron Wyden, D-Ore., who has long been a proponent of U.S. surveillance reform, called the USA Freedom Act "only the beginning" of what Congress needs to do.
Current surveillance reform efforts
Today, the National Security Agency continues to use its authority under FISA Section 702 to collect both the content and metadata of communication of non-Americans located outside the U.S. Notably, this still results in incidental collection of Americans' emails and phone calls, which has been called "a feature of Section 702 and not a bug." First added to FISA in 2008 and renewed for six years in 2018, Section 702 is set to expire at the end of December if Congress does not reauthorize it by then.
There continue to be discussions about reforming, or even repealing, FISA within Congress. FISA reform has long been a priority for many Democrats and more recently became one for some Republicans, particularly in the wake of alleged illegal spying by the FBI directed at former President Donald Trump's 2016 campaign. Such claims were rebutted in the Justice Department inspector general's report on the Trump-Russia investigation.
In this vein, a House Judiciary subcommittee held a hearing in late April on the "weaponization" of FISA against Americans. The chair of the PCLOB, Sharon Bradford Franklin, gave testimony before the subcommittee, explaining how to address the risks to privacy and civil liberties created by Section 702 without undermining the program's effectiveness. As reauthorization moves forward, these recommendations from PCLOB will likely come into play. By one count, all 22 of the recommendations issued by the board between 2014-2018 had been implemented in whole or in part.
Given this complicated history, the effect of the Snowden disclosures on U.S. surveillance reform remains an unsettled debate. Critics have maintained that the reforms of the USA Freedom Act "didn't go far enough," while others praised the bill for managing "risk for both American civil liberties and national security." In a press conference, President Obama suggested that he, the PCLOB and Congress "would have gotten to the same place" in terms of reform had Snowden not disclosed anything.
While the legal legacy of Snowden's disclosures remains murky, a clearer picture emerges when focusing on the effects of these revelations on U.S. public attitudes about surveillance and privacy, in particular.
Chilling effects: The downstream effect of societal self-censorship
Since the Snowden revelations, numerous studies have addressed questions about how they affected things such as people's online search behaviors, Wikipedia viewing behaviors and, of course, privacy attitudes. Much of this research is based on the so-called chilling effects theory, which is the notion that, in situations of uncertainty, people will engage in more self-censorship or more socially conforming speech or conduct. Chilling effects happen when a regulation is "unclear, uncertain, or overbroad," which then leads people to "refrain from engaging in legally permissible actions" because they are worried about being punished. The consequences of chilling effects can range from self-censorship to "making citizens more cautious, careful, and less willing to seek out and engage with controversial views and ideas," which negatively impacts democratic participation and the exercise of rights and freedoms. It's talked a lot about in First Amendment law but applies to any government action that appears to target expression.
In the context of the Snowden disclosures, the chilling effects theory holds that the U.S. government's surveillance programs — even if people understood them to be directed at combatting crime and terrorism — inhibited lawful behavior online and on telephones. One study, for example, found that the Snowden revelations in June 2013 led to a 5% reduction in Google search terms that were either personally sensitive or government sensitive. Personally sensitive search terms included things like depression, divorce lawyer and erectile dysfunction, while government sensitive search terms included things like dirty bomb, suicide attack and ecoterrorism. Another study by Jon Penney of the Harvard Berkman Center found internet users were less likely to view Wikipedia articles that had privacy-sensitive content, finding a 20% to 30% drop in article view counts when comparing the pre-June 2013 period to the post-June 2013 period.
In the aftermath of the disclosures, the Pew Research Center also conducted surveys on how they affected Americans' privacy perceptions. About 30% of all U.S. adults said they took at least one step to hide or shield their information from the government after learning about the surveillance programs. These behaviors included things like changing privacy settings, using social media less often, avoiding or uninstalling certain apps, speaking more in person rather than online or over the phone, and avoiding the use of certain words in online communication. These behaviors are very similar to those identified in the IAPP Privacy and Consumer Trust Report. In the report, I described these behaviors as "privacy self-defense," borrowing the term from Georgetown University Law Center professor Julie Cohen.
Conclusion
Ten years on from the Snowden revelations, challenges remain — both for governments and the private sector — in terms of earning and securing the public's trust. Due at least in part to the disclosures, but also because of events like the Facebook-Cambridge Analytica incident or any number of other high-profile data breaches, trust in governments and companies regarding privacy and data protection has eroded. Indeed, surveys continue to find about half of Americans do not trust the federal government or social media websites to protect their data, and consumer privacy has become more important globally.
Moreover, the issues raised by the leaks are anything but settled. There continues to be a wide range of views expressed about the right balance between national security, privacy and civil liberties. More importantly, a lot of work remains to address the fears, concerns and distrust that has built up over the years.
Yet, over the past decade, there have been multiple reforms to U.S. surveillance laws and greater attention to the trans-Atlantic relationship around data transfers. Edward Snowden's leaks were also the precursor to the complaints of Maximillian Schrems, which have led the CJEU to invalidate both the EU-U.S. Safe Harbor and the Privacy Shield adequacy decisions. At the same time, chilling effects felt across societies have undoubtedly increased self-censorship around the world.
At the 10-year mark of the Snowden revelations, discussions about the interplay between privacy and surveillance remain as relevant as ever. The disclosures are responsible for one of the biggest historical shifts in the discourse around privacy — tantamount to what the invention of the camera did for privacy and publicity rights in the late 19th and early 20th centuries. Not only did the disclosures directly influence U.S. surveillance law and the trajectory of the GDPR, but they reshaped the privacy attitudes and behaviors of people around the world and had impacts on transatlantic relations that are still being felt to this day.
These realities of the post-Snowden era will likely persist, and they will continue to shape not only our laws, but our very understanding of what it means to have privacy.