By Ellery Roberts Biddle.
Last week’s revelations about phone and Internet surveillance programs of the US government’s National Security Agency (NSA) sent shock waves throughout the United States and the western media, but also around the globe. While in the US, many privacy-minded lawmakers and even digital rights advocates used the news as an opportunity to demand better protections for Americans’ online privacy, Internet users worldwide were left wondering how to protect their own data, short of closing their Google accounts, packing up their Facebook profiles and heading for the woods.
Documents leaked by Booz Allen employee and NSA contractor Edward Snowden have now confirmed that customer call data from telecommunications companies like Verizon and AT&T was being passed to the NSA through a system where accountability was scarce and secrecy ruled. Reports indicate that the agency applies a vague standard of “foreignness” when determining whether or not a person’s communications would be subject to surveillance under the US Foreign Intelligence Surveillance Act (FISA) and Section 215 of the PATRIOT Act– users who spoke with individuals in other countries, for any reason from hatching terrorist plots to catching up with relatives — could come under watch.
The documents also revealed details about an Internet surveillance program known as PRISM, which allows the NSA and the Federal Bureau of Investigation (FBI) to obtain copious amounts of user and communication data from major Internet companies including Google, Facebook, and Microsoft. While many details of the program remain murky, the news has left international digital rights advocates reeling. Advocacy groups in the UK wrote an open letter to Prime Minister David Cameron, condemning US government surveillance of British citizens and demanding strong protections for digital privacy in the UK. An international coalition of advocates meanwhile is pushing the UN Human Rights Council to convene a special session to discuss the matter and develop recommendations for member states.
While some see the revelations as an opportunity to push for stronger laws at home, others fear that the US, ever-committed to “leading by example,” has set a new, very low standard for online privacy protections worldwide.
“The leaks reveal an abuse of any citizen’s basic rights, no matter which country the citizen is in,” Wafa Ben Hassine, a Tunisian human rights advocate and ACLU member told Global Voices Advocacy. Ben Hassine pointed out that Tunisians are familiar with pervasive surveillance. “The Tunisian government in Ben Ali’s era indulged in spying on the average citizen’s digital communications for decades,” she said, arguing that this moment should be seen as an opportunity for policymakers to develop laws that would “enshrine the values of digital rights.”
Alberto Cerda, a human rights lawyer and international program director of Chilean digital rights group Derechos Digitales said that in Chile, the government has “done its homework” in this area of the law. But this, Cerda pointed out, doesn’t even begin to solve the problem:
> This proves that a local solution won’t do, as the violation of fundamental rights has a global character. What good is it for me to be protected in Chile if it’s actually the US government that’s violating my rights?
His question has likely loomed large for many users since the news hit. Kasia Szymielewicz, director of Polish digital rights group Panoptykon, argued that the NSA’s actions would violate the EU’s data protection policies, which aim to provide stronger protections against private or corporate data collection than are afforded in the US. She told GVA:
> Nobody expected that NSA and FBI have direct access to companies’ servers, which in practice means that data of Polish and European citizens can be used and abused without any legal safeguards. In the light of European data protection standards, even in the scope of law enforcement, this practice simply cannot be accepted.
Some actors see the particulars of the PRISM program as a reason to promote Internet business at the national level. Anja Kovacs, director of the Internet Democracy Project in Delhi, India, said that India’s ISP association sees this as an opportunity to push for requiring multinational companies to establish servers in-country, a move that would give the Indian government greater jurisdiction and control over local users’ data and US government efforts to obtain it.
Kovacs said that the Association has correctly pointed to the “duplicity of US-based companies in denying access to information to the Indian government while making it freely available to the US government,” but cautioned that “the latter point is sometimes framed in highly nationalist terms [as] urging for solutions that would perhaps benefit the Indian state but not necessarily Indian users.” Many advocates in India argue that efforts establish servers in-country are mainly driven by government desires to achieve greater control over online speech.
Ben Hassine also commented on the need for establishing more companies outside the US.
> The NSA leak should provide every country a lesson – including Tunisia – that the key to ensuring online privacy and digital rights is through the development of local platforms and content and making such tools available globally. Our reliance on US-based ‘big tech’ is an elemental part of the problem.
Advocates also speculated on how the NSA revelations might influence national-level policymaking on the issue of privacy itself. Carlos Afonso, an Internet governance expert and director of Brazilian Internet rights group Instituto Nupef, pointed to Brazil’s Data Protection Law, which will be brought before Congress in the near future. Afonso urged that future debates on privacy be transparent and open to all parties affected:
> [The data protection debate] needs to bring guarantees that data protection will be a policy/regulatory field where all the sectors of society are fully engaged, with spaces for the full participation of civil society.
Szymielewicz hoped that the news would trigger greater efforts to ensure data privacy within the European Union, and noted that the “PRISM affair” had already triggered a “serious debate” within EU institutions. But she also cautioned that the news could have precisely the opposite effect in many countries, including her native Poland:
> There is a risk that Polish authorities and security agencies may want to follow the NSA and FBI and demand even broader access to our data for public security purposes, therefore lowering our standard of legal protection.
As new information continues to emerge around this story, lawmakers and digital rights advocates should consider the global implications of these programs and other pervasive digital surveillance efforts by governments around the world. In a digital era, where it is impossible to draw a line separating the communications of “citizens” or “residents” of a particular country and “foreigners”, governments must strive to develop policies that will not only fit this new paradigm, but truly protect the privacy and freedoms of users worldwide.