Some short extracts from Caspar Bowden's evidence in the final session of the day -
Caspar's statement is really worth watching in full. It's only about 22 minutes but it's pretty impressive how much information he can pack into that time. He gets introduced by Dutch MEP Sophie in 't Veld at 17:07:04. Amusingly but emphatically he declines her invitation to introduce or provide a short overview of his report on The US National Security Agency (NSA)surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens' fundamental rights for the Parliament's Policy Department for Citizens' Rights and Constitutional Affairs. Caspar prefers to take a forensic approach, assuming MEPs have read the report (or will do at their leisure at some point) but highlighting some of the detail they may have missed the significance of (or might do when they read it). The scope of the report is limited to the US and the NSA.
There is a widely held view that the collection of data is less important than its use. Caspar disagrees. Now that Edward Snowden's revelations are public we know we are being watched and as a result likely to change our behaviour. It's the Heisenberg principle at a societal scale - you cannot monitor/measure/surveil without influencing those under surveillance. This poisonous mass surveillance it has been going on for perhaps over 10 years and this creates profoundly dangerous destabilizing factors in democracy.
We have never had disclosures on the scale we have seen from Snowden.
[Note In his statement Caspar refers to page numbers of his report in his evidence which are slightly out of sync with the copy I've read and link to on the parliament website. I'll use the numbers from the linked version if I refer to page numbers.]
The first theme in the report he draws attention to is the competing models of privacy governance in the EU and US. This is fundamental and often overlooked. From the long term perspective the underlying principle of EU data protection law is rather odd since it removes the key power to control their personal data from the individual. Once data is submitted to a government or private sector system the individual can no longer object when that data is copied - if it's copied to thousands of machines in that organisation or to a thousand other organisations or other legal regimes. The data protection system assumption is that if the right legal boxes are ticked, the individual must put up and shut up.
Yet every time data is copied from one system to another, privacy risk is increased. It never decreases. With every copy the risk that something bad will happen to that data goes up and the risk that something bad will happen to the person connected to that data likewise increases.
So EU data protection law disables individual control of personal data and the Snowden revelations should make us question this unsound regulatory foundation of privacy protection.
The next section of the report he picks is on the XKeyscore system. From the report:
The XKeyscore system was described in slides 20 (dated 2008 21 ) published by The Guardian on the 31 st of July. It is an “exploitation system/analytic framework”, which enables searching a “3 day rolling buffer” of “full take” data stored at 150 global sites on 700 database servers. The system integrates data collected 22 from US embassy sites, foreign satellite and microwave transmissions (i.e. the system formerly known as ECHELON), and the “upstream” sources above.
The system indexes e - mail addresses, file names, IP addresses and port numbers, cookies, webmail and chat usernames and buddylists, phone numbers, and metadata from web browsing sessions (including words typed into search engines and locations visited on Google Maps). The distinctive advantage of the system is that it enables an analyst to discover “strong selectors” (search parameters which identify or can be used to extract data precisely about a target), and to look for “anomalous events” such as someone “using encryption” or “searching for suspicious stuff”When you stop to think about this immense surveillance power you realise it goes beyond even George Orwell's imagination. Data can be extracted retrospectively in time, so it gives an analyst a time machine. So without any prior suspicion about an individual it is possible to go back and examine behaviour and conduct of anybody in the world, except Americans, to a limited degree. Not only is it a facility for officials to engage in fishing expeditions it is an irresistible (and most likely official) compulsion.
The next point of interest in the report is BULLRUN (page 16), the codename for the NSA programme to break into widely used encryption systems. Not exclusively by mathematical means but also via side channel attacks - electronic emanations from computers through which keys can be reconstructed - and also through co-opting manufacturers of security equipment. BULLRUN has created the most shock amongst the technology security community of all the Snowden leaks. All over the world security experts are trying to guess what is vulnerable and re-key/re-grade those systems. But they are working in the dark.
From Caspar's conversations with journalists and experts who have seen some of the Snowden material it appears unlikely that there will emerge much more specific detail about what exactly is vulnerable and what is not. That leaves us with the problem that a large number of systems we thought were secure may not be so and we don't know how to find out which ones are compromised.
He then moved onto the FISA definition of “foreign intelligence information” which is incredibly broad. The Foreign Intelligence Surveillance Act (FISA) foreign intelligence information, Caspar describes, poetically, as "the core term of art" underlying the NSA PRISM mass electronic surveillance programme. It is first defined in the original FISA in 1978 but the parts of the definition that are pertinent to this discussion have not changed since then.
To get to the definition you have to substitute in 2 levels of definition (from related statutes) in what is a complex formulation. (Just an aside - it is really irritating when regulators do this, leading to the byzantine searching of loosely connected laws, with multiple clauses referring to multiple other clauses, when you just want a clear notion of what the law actually is). From the report:
The FISA definition of “foreign intelligence information” has been amended several times to include specific and explicit categories for e.g. money laundering, terrorism, weapons of mass - destruction, but has always included two limbs which seem almost unlimited in scope. When the terms are unwound it includes:
information with respect to a foreign - based political organization or foreign territory that relates to, and if concerning a United States person is necessary to the conduct of the foreign affairs of the United States. [emphasis added]
This definition is of such generality that from the perspective of a non - American it appears any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activities.That's worth dwelling on and this represents only about a tenth of the full definition of foreign intelligence information. Read it again - any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activity of citizens of EU countries.
We do not know to what extent that definition is applied or exploited because a curious fact is that there has been nothing written about it in 40 years
- no legal commentary
- no published guidance
- no executive orders elaborating on what it means
There is, in the definition, a discrimination by nationality. In the case of US citizens the threshold for surveillance is necessity, a very strict legal line. For non US citizens the requirement is merely "relates", about the weakest legal hurdle you can imagine.
The FISA section 702 power (Procedures for targeting certain persons outside the United States other than United States persons) contains an express discrimination by nationality too, amounting to a double discrimination by nationality favouring US citizens.
There is nothing in EU law remotely like that and human rights experts say this is simply and obviously unlawful under the European Convention on Human Rights.
At this point Caspar refers to the contribution of an earlier speaker in the day relating to section 215 of the US Patriot Act. The reforms of s215 being discussed in the US are not going to help very much with the 'suspicious through lack of US citizenship' problem. The provision to "obtain foreign intelligence information not concerning a US citizen" gives carte blanche to apply section 215 power to foreigners. Even if they fix and restrict the selective collection of information to counter terrorism criteria but conveniently overlook the 'guilty of being a foreigner' provisions, it won't do any good.
I'm going to have to cut the report short at that point but will get back to the rest of this testimony in a later post.