Surveillance in the cyber sphere: In an age of terror, should privacy always be negotiable?
Sarah Lohmann
Dr. Sarah Lohmann is Non-Resident Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University. Dr. Lohmann is an Acting Assistant Professor in the Henry M. Jackson School for International Studies and a Visiting Professor at the U.S. Army War College. Her current teaching and research focus is on cyber and energy security and NATO policy, and she is currently a co-lead for a NATO project on “Energy Security in an Era of Hybrid Warfare”. She joins the Jackson School from UW’s Communications Leadership faculty, where she teaches on emerging technology, big data and disinformation. Previously, she served as the Senior Cyber Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University, where she managed projects which aimed to increase agreement between Germany and the United States on improving cybersecurity and creating cybernorms.
Starting in 2010, Dr. Lohmann served as a university instructor at the Universität der Bundeswehr in Munich, where she taught cybersecurity policy, international human rights, and political science. She achieved her doctorate in political science there in 2013, when she became a senior researcher working for the political science department.
Prior to her tenure at the Universität der Bundeswehr, Dr. Lohmann was a press spokeswoman for the U.S. Department of State for human rights as well as for the Bureau of Near Eastern Affairs (MEPI). Before her government service, she was a journalist and Fulbright scholar. She has been published in multiple books, including a handbook on digital transformation, Redesigning Organizations: Concepts for the Connected Society (Springer, 2020), and has written over a thousand articles in international press outlets.
Hours after the Orlando shooting, the world knew where Omar Mateen had taken his cell phone in the days and months before the massacre. To Disney World with his son, to the Pulse Club on multiple occasions alone, and to a Disney Springs shopping and entertainment center the day before the attack. Investigators hope that his cell phone, and the tower data released by his phone company, could provide vital digital clues about his motives. Is the encryption and surveillance debate now passé in the wake of a large scale terror attack?
As the question continues to make its way through US courts, in practice the gloves have already come off. While a House working group on encryption urged against a broad legislative mandate to require law enforcement access to secure communications last week, Secretary of State John Kerry called for allowing lawful access to encrypted data. He also documented the fact that the United States is continuing to use mass surveillance: “…There are any number — in the double digits — in plots that have been interrupted where many lives might have been lost were it not for our ability to take massively gathered — not individual — information and make sense of it. And anonymously gathered, I add,” he said Thursday.[1] In linking the policy of access to encrypted data with mass surveillance, he addressed the heart of the controversy: Do citizens and corporations have the right to protect their data from secret spying by the government, or not?
On the other side of the Atlantic, the highest court in Germany has ruled that a mass surveillance law which allows secret monitoring of Internet activity, phone tapping, and even surveillance of private homes is constitutional when being used to fight terrorism. But there is a caveat, according to the court: Its use has to be proportional to the crime. Just where that proportionality line lies is the crux of the debate in both the US and Europe in an era where citizens without previous known links to an extremist group can commit acts of wanton terror.
The answers on both sides of the Atlantic cannot be answered in a vacuum: The privacy interests of the citizen must be represented at the table where security and intelligence specialists are meeting with private corporation giants like Microsoft, Apple, Linked In and Facebook to map the future of surveillance, and the encryption methods that could prevent cyber spying. This piece examines the four thresh holds that must be reached to ensure that privacy is protected, even as security is strengthened.
Five years ago, the European Court of Human Rights (ECHR) came up with standards that surveillance legislation should keep in order for there to be no violation of an individual’s privacy rights.[2] The standards were not rocket science, but have been difficult for countries to implement, as quick access to data has been paramount for governments who have struggled to respond to an increasing spate of terrorist attacks and extremist violence in Europe and the United States.
Why Privacy Matters for National Security
Why should intelligence and security agencies on both sides of the Atlantic care about such thresh holds, when the task of the day is to prevent further violence? First, the companies that create the technology that harness the data intelligence agencies want, have as their client base the common user, and their business is their client’s privacy. The latest case in point was Apple’s refusal to provide the FBI with a new version of the iPhone circumventing the security features so that they could hack the San Bernardino shooter’s phone. Why the pushback? Because unlocking encryption could allow intelligence services to hack into any of Apple’s clients’ phones. While ultimately, the FBI was able to access the shooter’s phone using a third party hacker, when government agencies demand the right to remove, or access, loopholes in security mechanisms, they set up a system in which mass amounts of data can be compromised.
Second, today’s users do not use Social Media, portable electronic devices or software applications as private persons only. In the moment when the bank president transfers money via his banking app, he can be the head of a bank, or merely a personal account user. When the German chancellor sends a text on her cell phone, she can be acting as the head of a country, or a wife responding to her husband’s question about a dinner party. When the Facebook user sends pictures, she may be trying to get more clients for her real estate business, or boasting of her child’s latest academic performance. When government agencies demand that encryption be made negotiable, passwords, contact lists, the user’s location at any given time, the countries and cities they are communicating with, and sensitive financial and personal information can be made available not only to government officials, but advertisers, criminals, and even enemies of the state. Therefore, when government agencies demand access to this “private data”, it has the potential to affect companies, stock markets, public services, or the national security secrets of a nation.
The following thresh holds, loosely based on those provided by the ECHR, can help provide a framework to ensure national security is maximized while also ensuring data privacy by making surveillance by government agencies limited, accountable, targeted and coordinated.
Threshold One: Limited
Whether in the United States or Germany, surveillance should be limited to the boundaries of the law. While many will argue that the cyber sphere is a new frontier, there is a substantial body of domestic and international law regulating mass surveillance, including several recent detailed court rulings addressing the subject. In Germany, the Federal Constitutional Court ruled in April that a mass surveillance law needed to be reworked. For surveillance to be considered proportional, there has to be an imminent danger, for example of a crime, or of the public security being compromised. In cases where the surveillance touches innocent third parties or compromises the privacy of the party being spied upon, there needs to be concrete proof of the danger.[3]
Similarly, in a November 2015 ruling in the United States, a federal judge had said that the NSA’s telephone mass surveillance program was “likely unconstitutional.”[4] While the mass surveillance provisions of the Patriot Act had expired in June, the USA Freedom Act passed June 1, 2015 had allowed American’s phone records to continue to be collected, albeit by the phone companies, to be perused later on if needed. While there has been some controversy over whether the way the NSA applies the Freedom Act indeed protects privacy concerns, at least formally, the legislation does away with mass surveillance through requiring a warrant for a particular person or persons to be surveilled and by mandating that the telephone companies, not the NSA, keep the records.[5]
Threshold Two: Accountable
There must be sufficient and effective safeguards which exist against abuse, and hold governments accountable for such. Russia’s attempt to do away with any safeguards last week is a case in point. The Duma passed a law Friday, June 24, which forces anyone using encrypted applications including WhatsApp, Telegram, Facebook Messenger or Viber to provide the Russian Secret service with access to their communications, or face a fine of up to 14,000 Euros if they don’t comply.[6]The law requires telecommunications companies to save connection data for three years, and the content of those calls, texts, or videos for up to six months.[7]
The ECHR set the bar at making the accountability mechanism an independent body. In a ruling issued in a surveillance case called Szabo and Vissy v. Hungary in January of this year, it said that “supervision by a politically responsible member of the executive such as the Minister of Justice, does not provide the guarantees” that are needed for accountability.[8] If the same department issues the warrant and reviews the information to decide if there is enough evidence to continue surveillance, an abuse of power can occur.[9] This impartiality in the form of an independent watchdog is the same standard that the German court called for to ensure that the German surveillance laws respect privacy. While FISA serves this purpose in the United States since Nixon, the agency’s independent role should be strengthened. Without it, there is room for misuse of data.
Threshold Three: Targeted
National security is strengthened when the surveillance used is targeted on those compromising the security of the nation, including terrorists and extremists. On an international level, this means ensuring the values of a democratic society are served.
In Germany, where over 1 million refugees entered the country last year, and over 1,000 hate crimes were committed against them, the Justice Ministry came to an agreement in December 2015 with Facebook, Google and Twitter that enables the Internet corporations to remove hate speech against refugees posted on their sites. This they have done, and German officials have underscored the seriousness of such crimes by sending those committing hate speech online to jail or to pay hefty fines. Here, cooperation between corporations, governments, and local security officials ensures that surveillance occurs for the protection of targeted groups.
Threshold Four: Coordinated
This leads to the final point: Surveillance for national security purposes should be coordinated to protect the interests of national security and public safety. This means corporations and governments need to come to agreements on when surveillance and creating backdoors to encryption is necessary. But it also means intelligence services from allied countries should be working more closely together in the cyber arena and sharing information gathered through surveillance on common enemies, such as the Islamic State, extremist groups, and others.
Security is, after all, the business of the international community. The attacks of the last year have shown us that France, Belgium, Germany and the United States can be victims to common enemies in the cyber sphere. Yet a nation’s defense is only as strong as the democracy it is pledged to protect. When the innocent user’s privacy can no longer be protected, democracy is compromised, and our security along with it.
[1]Katie Bo Williams, The Hill, “Kerry Backs Government Access to Encrypted Data” and “Overnight Cybersecurity: Sit In Disrupts Cyber Hearings”, June 23, 2016.
[2]Council of Europe, European Court of Human Rights, June 2011, p. 6.
[3]Bundesverfassungsgericht, Leitsätze zum Urteil des Ersten Senats vom 20. April 2016, 1 BvR 966/09, 1 BvR 1140/09.
[4]Barrett, Devlin, Wall Street Journal, “Federal Judge Rules Against NSA Phone Surveillance Program”, Nov. 9, 2015.
[5]Steinhauer, Jennifer and Weisman, Jonathan, New York Times, “U.S. Surveillance in Place since 9/11 is Sharply Limited”, June 2, 2015.
[6]Russon, MaryAnn, International Business Times, “Russia Demands Backdoor to Spy on Users of WhatsApp, Viber and Telegram Messaging Apps”, June 21, 2016.
[7]Nienhuysen, Frank, Süddeutsche Zeitung, “Das Anti-Terror Packet, das selbst dem Kreml zu scharf war”, June 27, 2016.
[8]European Court of Human Rights, Szabo and Vissy v. Hungary, p. 40-41.
[9]Venice Commission, 71st Plenary Session, Par. VII, 130-137.