It’s been more than a year since the Snowden revelations alleging mass government surveillance primarily by the United States first hit the headlines.
How have policy-makers, regulators, businesses, and users responded to potential government access to user data in the cloud? What new policies have been formulated? What has the business world done to address concerns? Has there been an impact?
A panel discussion entitled Privacy, Surveillance, and the Cloud: One Year Later, part of the agenda at the 9th Internet Governance Forum (IGF) hosted in Istanbul, sought to highlight these developments.
In June, 2013, Edward Snowden, a former contract worker at the US National Security Agency (NSA) and previously a system administrator at the Central Intelligence Agency (CIA) began releasing to the media classified documents detailing global surveillance programmes, including many run by the NSA.
The whistleblower is still being pursued by US authorities, and is currently living in an undisclosed location in Russia while he seeks political asylum from the European Union.
The first was the disclosure on June 5, 2013, which highlighted the bulk collection of phone data. The second was on June 6, 2013 and unveiled the PRISM programme, which centred on the downstream collection of data involving cloud companies, in addition to the upstream collection of data where ISPs (Internet service providers) and operators were given a target list with a request for information to, from and about the target.
The third type of revelation was on surveillance activities outside of the United States, and comes under the jurisdiction of the US President, leveraging Executive Order 12333 which was put into effect in 1981.
“All these revelations have caused a serious crisis of confidence among users in the US cloud, and the cloud in general, and according to research, people are doing less online, such as shopping,” said Bankston (pic).
US and European reactions
Reactions within the United States and its technology industry have been quite extensive.
Facebook’s director of Public Policy, Sarah Wynn-Williams, said that following the events, there has been recognition across the industry that the balance in power in many countries has tipped too far towards the state, and away from individuals.
“Technology companies have collectively called out for reform and we’ve set out a group of principles meant to highlight areas where there is real need to access issues.
“Because the bottom line is, people won’t use technology they don’t trust,” she said.
The principles are broad and seek to limit government authority to collect user information; highlight the need for improving oversight and accountability; greater transparency for government requests for data; promote the free flow of information; and reform of mutual legal assistance systems.
A question about global reactions to the Snowden revelations were posed to the panel, and Bertrand de La Chapelle, director of the Internet & Jurisdiction Project, noted that one of the lessons learnt was the lack of parliamentary oversight on such activities.
“There are many reasons for that of course, but behind all the noise, it is important to note that it is a huge challenge. Whenever you have oversight behind closed doors, it makes it difficult to be efficient,” he argued.
The Internet & Jurisdiction Project is a multi-stakeholder dialogue process addressing the tension between the cross-border nature of the Internet and the diversity of national jurisdictions.
He also pointed out that rather than the international community of governments, it was companies and civil society groups that were pushing for the development of a criteria of principles, with a key issue being the added difficulty of finding criteria to determine what are applicable laws when only territorial laws that govern sovereign rights are used.
However, de La Chapelle said he also believes that Snowden revelations have had a positive effect, most notably in the kneejerk reactions which have resulted in the increased resiliency of the network, such as new cable investments and the establishment of more ISPs and Internet exchanges in many countries.
“But there is also a downside to this kneejerk reaction – such as moves toward data protection and sovereignty, with requirements for all relevant data to reside in one country. It is not scalable if you multiply it across countries, and will not reduce but enhance surveillance due to the duplication of data,” he added.
“I only found one remark by a cabinet minister that said it was a US domestic issue and had nothing to do with Japan.
“There was also no strong reaction from civil society. The thinking is that our privacy is not that badly affected, we have no secrets from the US Government and we are aware of its intelligence activities, so why should we care?” he shared.
Commenting on reactions from others parts of Asia, especially emerging economies, Zahid Jamil, chair of Developing Countries Centre for Cyber Crime and Law, said it was “disappointing” to note that there hasn’t been a substantial response.
“There hasn’t been a response that would have been useful or positive, such as people looking inward and asking ‘what are we doing as country?’ ‘Should we ask our own intelligence agencies about their activities?’
“Funnily enough, what I found was that it was the politicians in certain developing countries who were more concerned than intelligence services.
“But the concern was due to fact that they get all the intelligence reports and in a sense controlled the process. It was more a case of ‘why aren’t we getting those reports?’ The Five Eyes envy was remarkable,” he added.
The Five Eyes, often abbreviated as FVEY, refers to an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.
To characterise the reaction of many developing nations, Jamil noted that the sentiment was essentially that the United States had “screwed up,” becoming a victim of its own design.
“It was along the lines of ‘It’s silly to have a law or a court. You need to go to court and get a warrant? This isn’t criminal, this is intelligence! Thank goodness, we don’t have a law.’
“And if you ask many of them whether they have intelligence legislation, the answer is no. They don’t want to deal with it or go around it and prefer things as they are.
“We’re not seeing much positive outcomes, given this opportunity to push the envelope and nobody locally is calling them out on it,” he added.
Debate a good first step
While the Asia Pacific region lacked any substantive reaction, it could very well be that the movements being made by the United States and Europe could spur some action.
Facebook’s Wynn-Williams noted that the fact that these issues are being discussed is positive, but added that there’s still a long way to go.
“There’s been a lot of discussion and acceptance of the issues, but issues on the solutions side are no longer being discussed. Issues such as how do we get a functional mutual legal assistance treaty (MLAT) process and how access to data by governments can be transparent.
“In terms of concrete things to address the revelations, we still have a long way to go,” she said.
The Open Technology Institute’s Bankston also believes that there have been good outcomes from the Snowden revelations, pointing to two in particular.
“We have seen an utter explosion of transparency reporting in the ICT field, and industry is pushing for permission from government to publish these requests. The US Government itself is reporting more in terms of numbers, although there are problems with how the data is presented,” he said.
The second positive from the revelations of NSA activities has been the greater focus being placed on cryptology and encryption as an important part of Internet infrastructure.
“We’re seeing companies big and small deploying encryption on a level we’ve never seen before – encryption between their websites and users, encryption in their email, and between their datacentres.
“I think this is hardening the Internet ecosystem and it’s a wonderful result,” Bankston said.
Meanwhile, Jamil noted that one good thing about the debate that is now going on about nation-state surveillance and governance is the opportunity to include developing countries in the conversation and to set the benchmark.
“The transparency of how the United States is addressing the issue may push other countries to bring in some reform,” he said.
And while trust in US technology companies has taken a hit in recent months, Jamil noted that the active moves being made by the business community and civil society could just result in greater trust from users in developing countries.
“If I live in an oppressive country and I know that the government is accessing data, I’m not going to house it locally but somewhere where there are better safeguards and where I feel the data is safer. Maybe that’s one marketing strategy,” he said.
[Gabey Goh is one of four journalists supported by SEAPA to cover the Internet Governance Forum 2014 in Istanbul. She is a reporter for the Malaysia-based Digital News Asia, where this article originally appeared.]