The Internet we depend upon will suffer irreversible damage — along with our societies and economies — if we don't
The public discussion of surveillance one year on from the Snowden revelations remains a search for the biggest sinner. New stories 'outing' countries and companies are great for transparency and essential for healthy societies, but they have a side effect that isn't so benign: they create an evergreen source of new justifications for security services to demand more money for a surveillance and counter-surveillance arms race.
While it now seems the US may accept further limits on how its security services can treat their own people, other countries are increasing, not reducing, their capacity to surveil online. None are likely to agree meaningful protection for non-citizens as that is the political equivalent of unilateral disarmament.
We need a paradigm shift away from a world where everyone is 'fair game' for unlimited surveillance by every country except (perhaps) our own.[1] That requires very powerful interests to give up power they have, which won't happen unless they get something they need more in exchange. A look at the landscape should give us some cause for hope:
- Security services must have access to the communications of those who are a real danger, yet that access is rapidly being curtailed by widespread implementation of encryption. Users both commercial and individual are demanding companies secure their data and the services are responding[2]; meanwhile standards bodies are aggressively working to build 'privacy by design' into key elements of the Internet. Both will make it increasingly difficult for security services to get access to data — something they have long feared.[3]
- The private sector and the open source community will outspend, and outcode, even the largest security services to restore users' trust and protect trade secrets. There are simply too many of us and we have vastly greater resources.[4]
- There is a genuine law enforcement need for information — and collaboration — that is a step change from the analogue era. Just as they do for the rest of us, networked technology makes it easier for criminals to collaborate across national boundaries in real-time. Tackling this requires faster access to information across jurisdictions to arrest suspects before they can get away or commit an attack (in the case of terrorism), and to stop criminals 'country hopping' to evade law enforcement. We all have an interest in ensuring legitimate access for these purposes, but if the non-governmental world can't trust law enforcement agencies ("LEAs") because they piggy-back on security services to get data 'in the dark' then LEAs will also end up 'encrypted out' of data they need — and we will all suffer.[5]
- There is a danger to the rules-based trading system the world economy depends upon.[6] All trade agreements contain national security 'opt outs,' or exceptions. Over the last several years security exceptions in many bilateral trade agreements have become wider in scope; countries are proposing even broader exceptions in current negotiations. Post-Snowden, countries are limiting access to their markets[7] using exceptions due to over-aggressive secret services. The world economy depends upon a predictable and rules-based trading system — and trade rules should not be abused as a tool for security services (whether to help or to avoid them) or an excuse for data protectionism. Moreover, the networked economy increasingly is the backbone of the entire economy; measures which distort or impede it will ultimately impact everyone.
- Last, but not least: we all want to feel safe, but we don't want to live in a George Orwell novel. We want our societies to stand for universal human rights, and large majorities don't want to see the perversion of those values, let alone further erosion of our own rights, in secret. We will accept reasonable access by governments to information about us (and it is in our interest to do so), but we want to know what access they have, who can get to what, and how, and to see transparently how many requests and of what kinds have been made of the private sector companies that hold information about us.
How do we combine all these motivations to create change?
Mutual Legal Assistance Treaties ("MLATs") govern how and when countries provide information to one another on their people for law enforcement and other national security purposes. Most are bilateral, pre-Internet and involve slow, cumbersome procedures and out-of-date technologies for data exchange; those that are multilateral are old and/or have significantly underfunded implementation. This hodge-podge also means these agreements tend not to be interoperable with one another, so transnational crime interdiction is made more difficult.[8] Real reform is overdue.[9]
While many MLATs will remain bilateral, there are significant multilateral MLATs too.[10] Given that the Internet is inherently borderless, international conversations that seek to agree, at a minimum, on the elements that MLATs should contain in order to be interoperable, sufficiently transparent, proportionate, and socially acceptable are long overdue. Such conversations would meet the positive incentives tests outlined above while leaving countries with flexibility in implementation, and lead to the give-and-take between stakeholders that can meet the needs of each outlined above. Ideally, existing relevant multilateral arrangements[11] should eventually be amended to incorporate relevant provisions.
So how could we move forward? I think we would need three pillars of activity, and good inter-process/pillar communications to ensure each can see how they create an overall sustainable result:
- The Human Rights and Social Justice Dimension: The UN's Human Rights Council is in the midst of discussing data protection and privacy in the context of surveillance. Including in that existing work a discussion on principles that MLATs should embody that would respect universal human rights norms would be logical.
- The Law Enforcement and Public Safety Dimension: A similar discussion jointly run by INTERPOL and the UN Office on Drugs and Crime (UNODC) on the law enforcement needs for MLATs in the Internet age would be highly beneficial; these are the places where law enforcement already meets to collaborate on transnational enforcement and cooperation.[12]
- The Economic Dimension: the WTO could (and should) have a conversation on the trading aspect of national security exceptions. A key — and sensitive — question this would need to address is: Should use of security exceptions in the WTO agreements be a 'free pass' with no objection really possible by other WTO Members when used over-broadly — or should it work like the exceptions for privacy where the measure taken must follow rules of proportionality and countries are subject to the rulings of the Dispute Settlement Understanding? My sense is that real progress on this question would depend upon how the law enforcement discussions proceed, but that doesn't mean a conversation has to wait.
These conversations would have to have multi-stakeholderism built-in. Key elements require good technical advice and the buy-in of the private sector, law enforcement agencies, and civil society. That buy-in won't happen if governments marginalize other constituencies.
Of course there is no guarantee of success. There never is. This is not a recipe for ending all surveillance, or limiting unlawful surveillance; that's never going to happen. What this could do is give all stakeholders the potential to gain something that they really need, and in doing so, to create a paradigm for surveillance that is far better than the one we have now, in every respect.
Ultimately, we all have too much to lose from the path we are on now, and everything to gain by changing course.
[1] I addressed this paradigm problem last November in "We Have a Paradigm for Surveillance That's Broken, Fit Only for the Analogue Past".
[2] For example, Google recently released a 'safer email' transparency report; it shows a very significant increase in the last year in the percentage of email that is encrypted during transit between its email servers and those of others; this makes third party attempts to 'capture' readable email in transit extremely difficult and expensive at a minimum.
[3] US Attorney-General Janet Reno's testimony to the US Congress in July 1999 makes this very clear.
[4] The NSA "Black Budget" for 2013 released in the Snowden cache shows overall spending of US$11 billion per year (a quarter of the total) to "defeat adversarial cryptography and exploit Internet traffic." Meanwhile, security spending in 2013 by the private sector is estimated at US$6.8 billion, expected to increase ten-fold to US$680 billion — nearly the equivalent of the US defence budget — over the next decade.
[5] Moreover, it is widely understood that there is a need for significant reform of the international architecture of crime interdiction and prosecution, of which the data element is only one (albeit critical) element. A layman-friendly overview may be found in "The Global Regime for Transnational Crime," Council on Foreign Relations, 2013.
[6] I have addressed this in part here — more to come in a forthcoming post.
[7] See "China to block IT products that don't pass cybersecurity vetting", Computerworld, 14th May 2014.
[8] In a public call for MLAT reform in January 2014 Microsoft's General Counsel Brad Smith relates a story from his personal experience of how out-of-date these agreements really are.
[9] AccessNow has an excellent online resource dedicated to MLAT reform with a number of excellent recommendations at https://mlat.info.
[10] The most widely implemented being the European Convention on Mutual Assistance in Criminal Matters of 1959, with 50 parties — most, but not all, European.
[11] The United Nations Convention against Transnational Organized Crime and the Protocols Thereto being a ripe target.
[12] UNODC administers the treaty referenced in the immediately-preceding footnote; amongst its objectives is strengthening mutual legal assistance and its Working Group on International Cooperation meets next in October 2014.
Written by Nick Ashton-Hart, Executive Director of the Internet & Digital Ecosystem Alliance (IDEA)