LONDON – A year has passed since the American former intelligence contractor Edward J. Snowden began revealing the massive scope of Internet surveillance by the US National Security Agency. His disclosures have elicited public outrage and sharp rebukes from close US allies like Germany, upending rosy assumptions about how free and secure the Internet and telecommunications networks really are. Singlehandedly, Snowden has changed how people regard their phones, tablets, and laptops, and sparked a public debate about the protection of personal data. What his revelations have not done is bring about significant reforms.
To be sure, US President Barack Obama, spurred by an alliance between civil-society organizations and the technology industry, has taken some action. In a January speech, and an accompanying presidential policy directive, Obama ordered American spies to recognize that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.”
Some specific advances, unprecedented in the shadowy world of intelligence agencies, have accompanied this rhetorical commitment to privacy. When technology companies sued the government to release details about intelligence requests, the Obama administration compromised, supporting a settlement that allows for more detailed reporting. Under this agreement, companies have the option of publishing figures on data requests by intelligence agencies in ranges of 250 or 1,000, depending on the degree of disaggregation of the types of orders.
Though this represents a step forward, it is far from adequate, with gaping loopholes that prohibit reporting on some of the most notorious NSA programs, such as the dragnet collection of phone records under section 215 of the USA PATRIOT Act. Moreover, Obama has demurred on the most significant recommendations of the independent review group that he appointed. And the “USA FREEDOM Act,” which was meant to stop the mass collection of Americans’ phone records, is being diluted by a set of amendments that would enable the government to continue collecting metadata on millions of individuals, without their consent. This metadata – covering whom we talk to, when, and for how long – can reveal as much about our private lives as the content itself.
Worse, relative to the rest of the world, the US has taken the strongest action since the Snowden revelations began. Of course, Snowden exposed more about the US government’s surveillance activities than any other country. But the documents also included egregious examples of overreach by the Government Communications Headquarters, the United Kingdom’s signals intelligence agency, and information about intelligence sharing in the so-called “Five Eyes” network of the US, the UK, Canada, Australia, and New Zealand. The agreements that govern the pooling and exchange of intelligence among these governments remain closely guarded secrets.
In the UK, public and parliamentary debate on surveillance practices has been minimal, at best. And not only does Canadian law prohibit companies from reporting virtually any information about government requests for data; Prime Minister Stephen Harper has nominated a lawyer who spent his career advising intelligence agencies to serve as an official privacy commissioner, raising the ire of activists.
Some countries have even intensified their surveillance activities. Immediately following the Snowden revelations, the French government snuck into a military appropriations bill the authority to increase government surveillance of the Internet dramatically, including for “commercial” reasons. The European Parliament’s criticism of the mass surveillance practiced by the UK, Sweden, France, and Germany (and potentially soon by the Netherlands) seems not to carry much weight for national governments.
With the 800th anniversary of Magna Carta this month, Snowden’s revelations have also fueled a new movement to create country-specific Internet “bills of rights” establishing the principles of privacy, free speech, and responsible anonymity. In a stirring speech at the United Nations last September, Brazilian President Dilma Rousseff placed her country at the forefront of this movement by promoting Brazil’s historic Marco Civil bill.
But the proposed bill included the requirement that Internet companies keep their servers in Brazil – purportedly to protect information from American intelligence agencies’ prying eyes – while easing access to these data for Brazil’s own law-enforcement and security agencies. Fortunately, Brazil’s legislators kept these provisions out of the final Marco Civil, which was adopted in April.
Alas, other governments are threatening to impose similar forced data-localization requirements. Such rules run not only contrary to the fundamental principles of an open and interconnected Internet infrastructure; they also create new privacy risks. And they do nothing to solve the basic problem of restricting government access to personal data held by private companies.
How companies worldwide respond to Snowden’s revelations will have a profound impact on their users’ rights. So far, some have taken the right approach, pressing for greater transparency, while strengthening encryption on their networks to keep intelligence agencies out.
Companies throughout the information and communication technology sector have started to make transparency reports an industry standard. But more telecommunications companies and hardware manufacturers should join Internet companies and privacy rights advocates to build a broad reform coalition.
A year ago, Snowden alerted the world to governments’ egregious violation of people’s privacy. It is up to the technology industry, civil-society organizations, and the general public to keep governments honest in pursuing much-needed reforms. Only then can the Internet provide the boon to freedom that it has long promised.