While other nations should not localise servers as that may balkanise the Internet, the U.S. has to do more to show that it is not infringing on the rights of global citizens
Much has happened in the last six months, in different parts of the world, after the global surveillance programme of the United States National Security Agency (NSA) was revealed by Edward Snowden, a former NSA contractor. In the U.S., there was a lot of noise made by privacy and liberty groups — such as American Civil Liberties Union, Center for Democracy and Technology, and Electronic Frontier Foundation among others — and some Senators and Congressmen. Even U.S. President Barack Obama raised some questions on the propriety of such a massive surveillance programme. He set up a committee under the chairmanship of Richard Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the U.S., to review the programme for recommendations to scale it down so as to be less intrusive in the lives of Americans and others. Within three months, the committee submitted its report to President Obama — on December 12, 2013 to be precise.
In the months leading up to the submission of this report, there were strong reactions from the European Union, especially Germany and France. Angela Merkel’s personal mobile phone was kept under surveillance by the NSA. She was put on a par with the Brazilian President Dilma Rousseff, whose phone gave away several governance and economic secrets to the Americans. The EU leaders condemned the NSA; the American ambassadors in various European cities were summoned and asked to explain their government’s actions. Threats were held out that the safe harbour extended to the U.S. for EU data flows would be withdrawn. Although the Brazilian President sent a strong signal by cancelling her visit to the White House, she was sought to be pacified through the offer of ICANN CEO Fadi Chehadé for holding a conference in April, 2014, in Brazil to consider or establish a new governance framework for ICANN, which currently governs the Internet under the exclusive control of the U.S. government.
In the meantime, Brazil and Germany had moved a resolution in the UN for nations to agree on privacy protection for citizens in cyberspace, which was passed by the General Assembly on December 18, 2013, as ‘Right to Privacy in the Digital Age’. It was sponsored by more than 50 countries, including India, and approved unanimously by the 193 members. The resolution upholds the right to privacy for everyone when billions of innocent individuals around the world have been victims of the sweeping mass surveillance conducted by the U.S. and the United Kingdom from their domestic soil. It reaffirms the human rights core principle that individuals cannot be denied human rights simply because they live in a country different from the one that is placing them under surveillance.
The resolution calls upon states to end violations of privacy by ensuring that national legislation complies with obligations under international human rights law, and “to review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law.”
The Clarke Committee in its report, titled “Liberty and Security in a Changing World”, observes that advances in ICT continue along with increased globalisation of trade, investment and information flows, as also the national security threats. Information collection by intelligence cannot distinguish between ‘domestic’ and ‘foreign’, leading to violation of the privacy of American citizens and foreigners. Even strategic relationships with allies get into difficulties because of pursuing “multiple and competing goals at home and abroad”. These goals include: protecting the nation against threats to national security, foreign policy interests, the right to privacy, democracy, civil liberties, the rule of law promoting prosperity, security, and openness in a networked world. But the recommendations do not suggest that bulk data of U.S. persons or non-U.S. persons should not be collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA). While it does make some recommendations on ‘probable cause’ for U.S. citizens to be shown to the Foreign Intelligence Surveillance Court (FISC), there is no such concession for non-U.S. persons.
It is interesting that the committee acknowledges, albeit indirectly, that the U.S. government is undermining encryption standards, and subverting or weakening commercial encryption software, by advising the government not to do so. Likewise, it recommends that surveillance of foreign leaders should be done after due consideration of possible reactions by concerned countries, if it ever becomes public. The committee does not recommend that bulk data collection, in the form of meta-data of phone calls, under Section 215, be stopped. Instead it should be held by a private entity, and made available to the NSA after a judicial order by the FISC. There are several other recommendations, some of which will cause discomfort in the intelligence community. No wonder, in the congressional hearings, both the NSA and the Director, National Intelligence, have strongly urged that the surveillance programme should be allowed to continue in its present form, since it is essential for its counterterrorism operations.
The committee reiterates the position of the U.S. government on the Internet for global agreements, namely freedom of expression, Internet governance through multi-stakeholderism, use of the mutual legal assistance treaty process for gaining access to electronic communications, not engage in espionage to steal trade secrets through surveillance, not to sabotage financial systems. In a clear message to the Brazilian President, it recommends that countries should not try to locate servers in their territories, or prevent data trans-border data flows. While other nations should not localise servers as that may balkanise the Internet, the U.S. has to do more to show that it is not infringing on the rights of global citizens or undermining the sovereignty of nations.
Will the U.S. review its laws, procedures and practices regarding the mass surveillance of communications, their interception and collection of personal data to uphold the right to privacy by ensuring the full and effective implementation of its obligations under international human rights law, as per the UN resolution, to which it was a party?
(The writer is CEO, Data Security Council of India. The views expressed are personal.)