The stream of revelations about US communications-intercept operations deriving from material purloined from the National Security Agency (NSA) by the rogue contractor Edward Snowden has aroused strong emotions in a variety of different constituencies. Civil-society groups concerned with issues of personal freedom and data privacy have expressed alarm about the pervasive nature of NSA bulk data collection. States that have been shown to have collaborated with the NSA in such collection have been embarrassed. And countries that considered themselves to have friendly relations with the United States but which have been the subject of US covert intelligence collection have reacted with varying degrees of outrage – some of it real, but much of it manufactured either for domestic political reasons or in the hope of leveraging some policy advantage from US discomfiture. And the major US technology companies and service providers which have to varying degrees collaborated with the NSA, either voluntarily or in response to judicial warrants, have experienced a decline in trust with uncertain but potentially significant implications for their future business prospects.
Not even the NSA knows for certain how much information Snowden actually stole. It is clear, however, that he could not possibly have read more than a fraction of this material. It is equally clear that he did not understand the significance of much of the material he did read and that the same was true for the newspapers that published it. The resulting confusion and misapprehensions that have taken hold within the media and shaped the public debate about the NSA’s bulk collection activities have not been effectively challenged or rebutted by the US and UK governments for various reasons, chief among which has been a desire not to create a damaging precedent by responding to specific allegations regarding the activities of their intelligence agencies. But many aspects of the activities reported on the basis of Snowden’s leaks are demonstrably erroneous and merit correction or clarification.
The NSA and its allies have been conducting mass surveillance on their own populations
The term ‘mass surveillance’ is a misnomer. Mass surveillance would imply that the states in question had been systematically monitoring the communications of their citizens and taking actions against them on the basis of the information gleaned from this process. In fact, what has happened is that the NSA and its partner agencies have been running huge quantities of communications metadata through computer programmes designed to identify extremely small target sets on the basis of very strict criteria; as Government Communications Headquarters (GCHQ) Director Iain Lobban put it in his public testimony to the UK Intelligence and Security Committee (ISC): searching the haystack for fragments of needles. Some errors have been registered – a judgment by the US Foreign Intelligence Surveillance Act (FISA) Court made public by the US government revealed that, since 2011, some 56,000 emails of US citizens and residents had been improperly read. As a proportion of the total email traffic fed through NSA computers, this number is vanishingly small. The NSA had logged and reported these errors – and the very fact that the FISA Court judgment identified the errors suggests that the checks and balances built into the US oversight system are working correctly. Moreover, there is no evidence to suggest anyone in the US has suffered any injustice or discrimination as a result of their emails having been read.
The NSA and its allies have been violating the data-privacy rights of foreign nationals not protected by US law
There is a growing international consensus towards the proposition that, as was affirmed by the UN Human Rights Council in 2012, the rights to privacy enshrined in the 1966 Covenant on Civil and Political Rights apply in cyberspace. But there is no global consensus on what constitutes personal data in cyberspace. EU data-privacy legislation, for instance, treats IP addresses as part of personal data, whereas the US Supreme Court has ruled that they are not. The US is operating on its own interpretation of the law, as it is entitled to do, citing the imperative of national security. From a more practical perspective, the NSA has no interest in the private communications of ordinary citizens and lacks both the motivation and the resources to monitor them on a systematic or intensive basis. There comes a stage in any monitoring process where machines can no longer do the job and humans have to take over. The staffs of both the NSA and GCHQ would have to be many times larger than they in fact are in order to monitor such large volumes of traffic, much less take follow-up action. Moreover, it is now clear that much of the non-US data searched by the NSA was in fact provided by the intelligence services of the countries concerned, with the authorisation of their governments, as part of a programme of collaboration on counter-terrorism.
NSA surveillance programmes, including espionage undertaken against allies, violate international law
The programmes certainly violate the domestic laws of those countries that have been the subject of espionage. But, in international law, the position is rather different. International lawyers hold a wide spectrum of opinion on the legality of espionage but the absence of settled opinion is in itself a good indicator that, to all intents and purposes, no meaningful international law exists in this area. International law is broadly permissive, so what is not expressly prohibited is normally deemed to be legal. And there is nothing in existing international law that expressly proscribes espionage. The 1961 Vienna Convention on Diplomatic Relations asserts that the persons, premises and documents of diplomatic agents and their staff should be immune from search and that the receiving state has the obligation to permit free communication between diplomatic agents and the sending state. But it does not expressly prohibit the covert interception of such communications, something which has been widely practised since embassies first existed (and international law is not just what is set down on paper but also what is enshrined in practice). Moreover, the Vienna Convention only applies to diplomatic missions and, arguably, foreign ministries – places where worthwhile secrets are increasingly unlikely to be found. Listening to German Chancellor Angela Merkel’s mobile-telephone calls – if indeed the US did so – might be judged to be politically unwise and was certainly illegal under German law. But, under international law, her telephone conversations would appear to be fair game.
Snowden was one of 850,000 US federal employees or contractors cleared to access all of this data. How could Washington expect to protect it?
Snowden, despite having systems-administrator rights that offered the kind of broad-spectrum access which was unavailable to other employees, did not have ex officio access to all the information he stole. Much of it was acquired by stealthily borrowing the passwords of other NSA systems administrators – something which should certainly never have been allowed to go on unchecked. Just because people have a certain level of security clearance does not mean they automatically have access to all the data classified to that level. In practice, most will have no way of knowing that much of it exists. That said, it is clear that the NSA’s protective security was not fit for purpose in dealing with the phenomenon of the ‘insider threat’, something that has long been recognised as a major security challenge, and systems will have to be revised to take account of this. But the implicit argumentation of the newspapers involved in publishing the Snowden data – in effect, that it was so promiscuously distributed that the NSA deserved to have its secrets exposed – does not stand up and appears particularly self-serving.
The agencies of the United States and its allies were out of control, acting without political authorisation
Claims by some US and UK politicians that they were unaware of the scope of NSA and GCHQ bulk collection programmes have led to suggestions that these agencies were not keeping their own governments or legislatures adequately informed of the scope of their activities. In fact, there is no basis on which to draw such a conclusion. Within the US, senior figures in the Obama administration, up to and including the president, clearly were aware of the nature and scope of NSA collection activity – which was conducted on the basis of established legislation – although they would not necessarily have been briefed on operations targeted against specific individuals. The situation is less clear-cut in relation to the congressional and Senate oversight committees, but it has been established that the members of these committees were provided with copious documentation on these programmes – much of which appears to have gone unread. In the case of the United Kingdom, it is likely that some members of the cabinet were not made privy to the details of GCHQ collection programmes on the basis that they would not need this knowledge to perform their functions. But those cabinet members who did need to know were appropriately briefed. And Hazel Blears, a former minister in both the Blair and Brown governments and currently a member of the ISC, has confirmed that while the committee was not aware of some of the US code words which have come to light as a result of the Snowden revelations, they were aware of the nature and scope of the bulk collection programmes undertaken by GCHQ.
The legislation under which these bulk collection programmes were undertaken is not fit for purpose in the digital age and requires extensive revision
In both the US and the UK, there is extensive legislation governing the basis on which intelligence agencies can exercise their powers, including the interception of electronic communications. The US has the world’s most developed and comprehensive set of legal arrangements governing such activities, and some of the purloined Snowden documentation published in the media testifies to the efforts made by the NSA to ensure that it did not, for example, violate Fourth Amendment freedoms (guaranteeing protection against unreasonable search). In the US system, the fact that few requests to the FISA Court were turned down has been cited as evidence that such applications were simply a pro forma exercise offering no real protection against abuse. But such requests would have been extensively vetted by NSA legal staff prior to submission, precisely in order to weed out those that were not well founded. In the UK, such activities are governed by the Intelligence Services Act, which defines the purposes for which the country’s intelligence and security agencies can exercise their powers, and the Regulation of Investigatory Powers Act, which regulates covert surveillance operations conducted within the UK. Compliance with the law is monitored by designated commissioners and by the ISC, a parliamentary oversight committee which has been given enhanced powers to hold the intelligence and security agencies to account. In the UK system, warrants authorising categories of activity, including bulk intercept operations, are signed by the secretary of state rather than a judge – but that is what the law provides for. While the scope and modalities of such operations have changed substantially, bulk interception of civilian communications was an established reality when the relevant legislation was enacted – and such laws were crafted to take account of this. The law is always susceptible to alteration in the face of changing circumstances. 
But it is not clear that any new or revised legislation would provide significantly better protections against illegal intrusive surveillance than that already in existence – or would enhance the prospects of such capabilities being deployed effectively and expeditiously against the targets they are designed to cover.
The US and the ‘five eyes’ allies have abused their privileged status and therefore jeopardised the integrity of the Internet
It is true that the US and its allies have sought to exploit the intelligence advantages they enjoy by virtue of the fact that the Internet is largely a creation of the Anglosphere – although, in the counter-terrorism context at least, their activities have been of benefit to many other countries. But as the Snowden revelations have progressed, it has become increasingly evident that many other states have been engaging in their own bulk collection programmes, using the same mix of approaches as the NSA and GCHQ, and constrained only by the limitations of geography, political ambition and budget. The reality is that, in practice, most forms of electronic communications can be accessed by state or non-state actors with sufficient imperative to do so. In the information age, any state with a national telecommunications agency acquires by default a signals-intelligence service with a reach that was previously the preserve of a few major intelligence powers. Encryption is a challenge but, in the case of state actors, this can normally be overcome by requiring service providers to make encryption keys available as a condition of their operating licences. The Internet has already become a domain for contestation between states. Over 30 countries now have both the capabilities and the doctrines to conduct offensive operations in the cyber domain, and at least as many again have the necessary capabilities, if not the doctrines, to do so. Major technology firms and service providers register ever more requests from a growing range of governments for information about capabilities that can only serve the purposes of espionage or sabotage. A degree of Internet Balkanisation has already taken place as states, especially those at the more authoritarian end of the political spectrum, seek to exercise greater control over the information that their citizens can access. 
The Snowden revelations will undoubtedly act as a catalyst for some states to expedite efforts towards indigenisation of capabilities and diversification of network routing to minimise dependence on US systems. But that process began some time ago.
It seems that the revelations will continue for the foreseeable future and that, as they do, further myths and misapprehensions will take hold. For those who regard intelligence services as inherently illegitimate or take the view that the US is the world’s number-one rogue actor, no counter-narrative will ever be convincing. But for those who accept that covert capabilities of some kind are needed to combat the threats posed by an array of state and non-state actors – or who adopt the realist perspective that countries are entitled to use covert capabilities to secure national advantage, provided that this is subject to proper controls – there is scope for a more nuanced debate on how power can be responsibly exercised by governments in the cyber domain. That must start with an understanding of the issues based on facts rather than misapprehensions.
Nigel Inkster is Director of Transnational Threats and Political Risk at the IISS. His article, ‘Conflict Foretold: America and China’, appeared in the latest issue of Survival.