Subscriber OnlyTechnology

Surveillance does little to stop terror attacks, so why are our emails still being read?

Net Results: Section 702 extension will hurt business over fears for data of EU citizens

Online surveillance: section 702’s possible renewal will present serious difficulties unless clear protections are  introduced for EU data.
Online surveillance: section 702’s possible renewal will present serious difficulties unless clear protections are introduced for EU data.

Last week, the US House of Representatives followed in the footsteps of the Senate earlier this month, and voted to extend the deeply controversial section 702 of the Foreign Intelligence Surveillance Act (FISA).

Section 702 permits the warrantless surveillance of foreigners by US spy agencies. But past activities undertaken under the besmirched aegis of section 702 are known to have hoovered up the digital data – everyday communications such as emails, and text messages as well as revealing “metadata” about online activity – of millions of Americans as well, in a form of electronic collateral damage.

Section 702 was the legislation used to justify opaque bulk surveillance programmes by the National Security Agency (NSA) that sucked in US-based data from many US technology, internet and social media companies in the now notorious Prism programme, and under the Upstream programme, which collected data as it comes into and exits the US. Both programmes were disclosed by whistleblower Edward Snowden in 2013.

Some legislators put forward an amendment that would have required agencies to obtain a warrant to actually read the data collected, rather than just have a large ocean of data to trawl through as they please.

READ MORE
A National Security Agency (NSA) data gathering facility in Salt Lake City, Utah. Wikimedia and other rights groups have filed a lawsuit against the agency challenging one of its mass surveillance programmes. Photograph: Jim Urquhart/Reuters
A National Security Agency (NSA) data gathering facility in Salt Lake City, Utah. Wikimedia and other rights groups have filed a lawsuit against the agency challenging one of its mass surveillance programmes. Photograph: Jim Urquhart/Reuters

But enough Democrats and Republicans were convinced by the pleadings of the surveillance and security agencies to block the proposed amendment and then renew section 702 through to 2023.

Even the recent disclosure of a “secret memo” that identified deliberate abuses of section 702 – a report now seen by some senior members of Congress – failed to sway the vote.

Terrorist attacks

While surveillance agencies have argued that they need the powers allocated under the Act to prevent terrorist attacks, little evidence exists that it is needed or has helped stop attacks. Agency heads have previously been unable to cite convincing examples of how it has done so, when testifying before Congress.

Terrorist-attributed attacks since 9/11 have almost all been carried out by US nationals, either naturalised citizens or US native-born. Most of those have been shown to be isolated attacks with no direct connection to or direction from international terrorist groups like Islamic State. There were no communications to intercept to prevent such attacks.

Overall, 14 countries adopted laws in the past year to expand government surveillance, according to a new report
Overall, 14 countries adopted laws in the past year to expand government surveillance, according to a new report

And the worst attacks, causing the most deaths annually in the US, are the regular “non-terrorist” shootings carried out week in and out by American natives on their fellow Americans, with weapons they easily obtain in the US with its open gun laws, such as the horrific attack at an outdoor country music concert in Las Vegas last year.

For that matter, more shootings in the US in the past decade have been perpetrated by toddlers who gained access to loaded guns than by terrorists .

On evidence, granting surveillance agencies the ability to secretly look at just about anything they want, once that data flows across the internet, into or out of the US, is a preposterously sweeping power with little justification.

The US still has done little to reactivate the defunct Privacy and Civil Liberties Oversight Board which is supposed to have a watchdog role over FISA

One critical impact of the renewal of section 702 was, amazingly, almost entirely absent from US debate and media coverage.

The continued existence of the US/EU Privacy Shield data transfer agreement – which underpins billions in business annually and is the basis for allowing data to move between the two locations – hangs on guarantees that EU data has the same protections in the US as it has in the EU.

Tech companies including Apple, Google and Facebook have said they do not provide any US government agency with direct access to their servers in order to extract data. Photograph:  Pawel Kopczynski/Reuters.
Tech companies including Apple, Google and Facebook have said they do not provide any US government agency with direct access to their servers in order to extract data. Photograph: Pawel Kopczynski/Reuters.

Extending section 702 creates major, perhaps insurmountable, problems for businesses in the US and the EU, because it undermines US assurances that the data of EU citizens and residents won’t be swept up as part of such surveillance activities.

Clear protections

Following last autumn’s first annual review of Privacy Shield, both the European Commission, and perhaps more ominously, the article 29 working party of EU data protection authorities, noted that section 702’s possible renewal could present serious difficulties unless clear protections were introduced for EU data. EU commissioner Vera Jourova acknowledged in autumn that the EU was actively lobbying the US for changes to section 702.

But little of import differs in the renewal passed this week, and the previous version of section 702, when the review was conducted. In addition, the US still has done little to reactivate the defunct Privacy and Civil Liberties Oversight Board which is supposed to have a watchdog role over FISA.

The article 29 group promised to take action if its concerns were not addressed by the second annual review later this year, warning it would bring a case to national courts that would in turn be referred to the European Court of Justice (ECJ).

Given decisions on data collection and privacy in recent years, including the Digital Rights Ireland data retention case and Max Schrems' case regarding his Facebook data, the ECJ seems highly unlikely to find that section 702 provides adequate privacy protections to European data.

Which would throw Privacy Shield – and the billions in international business that depend upon it – into crisis.