12 August 2019

The mass surveillance of communications – between legitimacy and zero privacy

Liviu Ioniţă

A recent title from the Russian press, with a resonance in entertainment, “Oops, we did it again!”, signalled a new instance of NSA data gathering on US citizen phone calls. In the same period, the Canadian press obtained a copy of the Guide on Collecting Information about the Canadian citizen, which belonged to the military intelligence, a material referring to the possibility of information agents to collect and utilize data, including those obtained randomly, about citizens. And also then, in Germany, the Committee for Protecting Journalists urged the Interior Ministry to give up a bill which favours the extension of intelligence services supervision.

Image source: Mediafax

In fact, in all the three situations concern the same thing: fears created by the possibility that intelligence agencies, in their activity to protect national security, might violate the fragile line which separates legitimate actions from interference with the personal life of regular individuals.

It is a debate in which, for some time, a thorough and comprehensive concept is used to justify these operations.

Strategic surveillance

The concept, which especially targets the gathering of SIGINT-type information (SIGnal INTelligence) from civilian communications in order to defend against terrorist threats, reveals its significance if we take into account two milestones: September 11, 2001 and the information leaked by Edward Snowden twelve years later.

SIGINT is a term which refers to the interception means and methods and an analysis of radio communications (including satellite and cell phones) and those made by cable, a method used traditionally to obtain information of interest in the military area.

The development and diversification of communication means led to SIGINT being used outside the fields of the military and defence against foreign threats, but this extended use is not only due to the evolution of technology. Following the September 11, 2001 attacks, which changed the manner in which national security and threats to it are perceived, the concept of strategic surveillance was used most of the time to indicate the fact that SIGINT could target the monitoring of usual communications, and this survival also involves access to internet and the content of telecommunications.

The apparition of September 11 type of threats made intelligence agencies receive large data quantities, which is in fact metadata, later subjected to analysis with the help of so-called selectors, parameters inserted in the process of filtering data, whose relevancy and specificity have influenced the process of accession to private communications. This stoked fears that the natural inclination of secret services to collect as much information as possible, as well as the professionalism of the personnel involved in the process, will have consequences on the process of mass monitoring citizens.

This type of surveillance which has the goal to make large-scale interceptions, a mass surveillance, disproportionate, as well as the quantity of data collected through programs such as PRISM, Xekyscore and Upstream have generated major reactions. Surveillance without a specific target, with the person, organization etc. from which data is collected being set in advance, leads to the collection data quantities very different to those obtained in the case of traditional, secret surveillance methods with a pre-established objective, such as tapping up phone calls.

From the PATRIOT Act and FREEDOM Act to Ending Mass Collection of Americans Phone Records Act

In the US, mass communications surveillance was initiated shortly after September 11, 2001, when there was a fear of potential imminent attacks, and the existent internal judicial and operational counterterrorism framework was considered improper to deal with the threat presented by transnational groups acting in an environment with multiple technological options.

The stated objective of the surveillance program initiated by the United States back then was to offer early warnings on terrorist attacks.

Therefore, in 2001, the US Congress adopted a document over 300-pages long, the USA PATRIOT Act, destined to improve the US authorities’ capacity to detect and deter terrorism. The bill, whose title is an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, would only extend the use of instruments which were already used against drug traffickers and organized crime, according to the US Justice Department. It allowed authorities, including intelligence agencies, to use surveillance and the tapping of phone calls to investigate terrorism-related offences. The respective bill gave new competencies to the Justice Department, NSA and other federal agencies on internal and international surveillance of electronic communications and eliminated judicial barriers which impeded law enforcement bodies, intelligence agencies and defence structures to share information on potential terrorist attacks and coordinate their activities to prevent them.

The PATRIOT Act has generated, however, controversies especially with regards to the so-called section of practical things, which allowed the en gros collection of phone call metadata, as well as books, recordings, documents and other items - tangible things – for the purpose of investigations destined for obtaining security information.

Critics claim that that the metadata (number and time indices on the phone call, and not the conversation itself) can reveal the most intimate details in the life of an individuals, and the long list of tangible things included in the bill could lead to government excesses.

The debate became ampler after Edwards Snowden, a former NSA contractor, revealed the agency’s surveillance programs, with the public made aware of SIGINT’s potential to violate the right to private life and other basic rights.

Once Snowden made this information public, it showed that the US and other states’ laws on using SIGINT and mass surveillance had deficiencies. This led, among others, to the UN General Assembly adopting a resolution on the right to intimacy in the digital era.

In 2014, a research on the protection of basic rights in the context of surveillance, made by the European Union’s Agency for Fundamental Rights, at the request of the European Parliament, showed that only five member states of EU (France, Germany, the Netherlands, Sweden and the United Kingdom) have laws which detail the conditions allowing the use of such a specific type of surveillance, with a pre-established objective and without target, when the individuals or organization whose data is collected is not specified beforehand.

The research highlighted the fact that strategic surveillance is difficult to regulate and control due to other legislative shortcomings, such as the not rigorously defining national security or not exactly specifying the mandate of services, which makes it so there is no clear line between the object of activity and their and the law enforcement bodies’ attributions, as well as the secret of the information gathering activity.

These controversies caused the US to enact in 2015 the USA FREEDOM Act (Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring), with the aim to somehow guarantee that there will be no meddling by intelligence agencies into the private lives of citizens. According to the new law, phone companies, and not the NSA, would be the ones to store the calls. The FBI (on part of the NSA) can request the Foreign Intelligence Surveillance Court (FISA) authorization to investigate a certain phone number or another identification element, but only based on a reasonable and articulated suspicion on its association with international terrorism. The data obtained from the telephone company from this process – the phone numbers with which terrorists could have been in contact – can serve as a basis for later investigations.

But the provisions of the PATRIOT Act / FREEDOM Act have continued to generate concerns among civil liberties and rights groups regarding the confidentiality of data and, in March this year, a bill titled Ending Mass Collection of Americans’ Phone Records Act, meant to end the mass collection of phone calls, was filed with the Congress.

The supporters of this legislation claim, however, that metadata collection cannot be harmful as long as it does not entail access to the message. At the same time, the public can access data on the number of government investigations carried out, periodically reported by phone companies, with the entire process being under the control of the Congress, Justice Department and FISA. Moreover, the NSA gave assurances that it ceased its mass surveillance operations.

However, recently, The New York Times and Wall Street Journal published documents from the American Civil Rights Union (ACLU) according to which the NSA has collected a significant quantity of data from US citizens communications in October 2018, only several months after the agency had announced (in June 2018) the suspension of its controversial program because of technical irregularities. The documents obtained by the ACLU suggest that a telecommunications company provided the NSA with recorded data on phone calls, without FISA approval. The debates are ongoing, as the FREEDOM Act is to expire at the end of 2019.

Strategic surveillance in other states with strong democracies

In the same period, the fears that emerging technologies and capacities increase the possibility for private life information to be accessed and used, even accidentally, made Canadian MPs launch an analysis into how the intelligence activity uses such information. The National Security and Intelligence Committee of Parliamentarians (NSICOP), which has a mandate to examine the activity of Canada’s entire intelligence community, will now analyze the Guide on Collecting Information about the Canadian citizen, recently published, as part of a larger report on the manner in which information about Canadians is stored and shared.

What’s currently bothering the critics of the act drafted by the German Interior Ministry – one which extends the competencies of the Bundesnachrichtendienst (BND), the country’s foreign intelligence agency, in the surveillance of journalist communications – follows the direction imposed by the reform of Germany’s intelligence legislation. In 2016, new provisions were enacted in the country regarding the authorization, practice and control of monitoring data collection by the BND from abroad.

German legislation uses the term of strategic surveillance as the type of surveillance which involves the collection, without a target, of an en gros data quantity, and the 2016 reforms made distinctions between the different citizens groups subjected to this surveillance, establishing specific authorization procedures, standards to protect data and provisions referring to data collection from German citizens, public and EU institutions, EU citizens and… the rest of the population.

In fact. the term of strategic surveillance accredited by the Venice Commission to highlight that SIGINT can be used to mass monitor regular communications is based on the concept of strategic restriction used in the German legislation, and on the idea of unintentional information collection through SIGINT, which are later selected with the help of algorithms.

Ensuring security at the loss of protecting civil liberties

Strategic surveillance, gathering SIGINT information from population communications has been performed for years in the name of protecting against terrorist acts. But they interfere with the private life of regular citizens.

Taking into account the process’ classified nature, citizens are obliged to rely on a certain trust in public authorities who, also, are obliged to defend their basic rights. A certain level of responsibility is needed from information services, as well as a clear and coherent legislation in the area, adequate control mechanism and efficient means of appeal.

Efforts have been made and are ongoing. The European Parliament adopted, in October 2015, a resolution regarding measures on the electronic mass surveillance of EU citizens. The United Kingdom publishes an annual report on surveillance programs, destined to inform the public and familiarize it with those activities.

It is not only a mater of civil liberties after all, but also of decency in public communications.

But, no matter how many efforts are made and how unhappy human rights defenders are, a point of no return was probably reached.

In 1999, Scott McNealy, one of the four Stanford University founders of communications technologies companies Sun Microsystems (1982), which would become part of Oracle Corporation, was criticized for his statement: “You have zero privacy anyway. Get over it.” This could probably be easier to understand today. At least the first part.

Translated by Ionut Preda