Our comments to the review board set up by President Obama, emphasising the need to respect non-US people's privacy rights and to restrain untargeted, mass surveillance.
In August, following revelations by whistleblower Edward Snowden, US President Obama set up a review board to look at the scale, scope and oversight of NSA surveillance. The deadline for comments was Friday 4th October. The group's remit is set out on the website of the Director of National Intelligence. Below is Open Rights Group's short submission, in which we emphasise the need for US intelligence to respect the privacy rights of non-US persons, to restrain mass and untargeted surveillance, and to consider the damage that such practices will do.
Review Group on Global Signals Intelligence Collection and Communications Technologies:
Open Rights Group response. October 4th 2013.
About Open Rights Group
Open Rights Group is a UK-based campaign group, founded in 2005, that promotes human rights and civil liberties in the digital age. We are funded by around 1,900 individuals who donate monthly contributions and by a variety of grant-giving institutions such as Open Society Foundations and Joseph Rowntree Reform Trust. More information is available at our website.
We thank you for the opportunity to submit comments to this review. Like many, we have been alarmed and highly concerned about the scope and scale of the surveillance practices revealed over the summer. They demonstrate that both the NSA and GCHQ are not subject to a sufficiently robust legal framework, with the consequence being overly broad, intrusive and unaccountable mass surveillance.
These practices have undermined trust online, casting serious doubts about the confidentiality of all categories of everyday digital transactions. In this short contribution, we stress that we believe the surveillance practices revealed over the summer will damage the relationships necessary for an open and cooperative Internet economy and society.
Without a review of and amendments to these surveillance laws and practices - which we hope would bring an end to mass, suspicion-less surveillance and recommend more transparency, accountability and proportionality - we are likely to see moves towards nationalist or regionalist industrial policies that will undermine the US' (and the UK's) economic and political goals.
The absence of privacy rights for non-US persons.
We are extremely concerned by the apparent failure of US surveillance laws and practices to consider the privacy rights of non-US persons. We do not believe that the US' commitment to privacy and civil liberties should be constrained by nationality and are concerned that this leaves UK citizens – and others of course – vulnerable to significant violations of their privacy rights.
NSA sharing of data with foreign intelligence services, including GCHQ.
The revelations in the Guardian suggest that the UK's GCHQ has a reciprocal relationship with the NSA and shares in the information collected by them. That exacerbates the aforementioned issues regarding non-US persons' lack of privacy rights, especially as it seems that UK domestic law effectively provides no regulation or oversight of requests by GCHQ for access to or use of data collected by foreign intelligence services. No law or published regulations seem to govern this activity.
Scope and scale of the information collection.
We support targeted, proportionate, transparent and accountable surveillance laws. The revelations in the Guardian suggest that the collection and use of Internet data by the NSA – and GCHQ – is in fact general, insufficiently accountable, and subject to insufficient democratic oversight and safeguards.
Our concern, as a UK-based NGO, is that as a result intrusive personal information relating to high percentages of UK and EU citizens is gathered and stored, that this is available to be accessed for reasons that are imprecise, and that the governance of this process is not strict enough. In short, we are greatly concerned about mass, un-targeted collection and storage of data.
Undermining the security of the Internet
It appears that US and UK intelligence services have in various ways attempted to undermine cryptography. This is a challenge to the fundamentals of trust on the Internet – to the reason you trust your bank, your credit card payments or Virtual Private Networks not to leak this information to criminals, blackmailers or governments. Vulnerabilities and backdoors are open to anyone, potentially, to exploit. It is feasible that other foreign intelligence or criminal gangs could use some of the same exploits. Where this undermines trust and puts the confidentiality of sensitive communications further in doubt, there are clear economic consequences, not least related to competition.
Weakening US relationships and fragmenting the Internet.
Taken together, we believe the issues raised above will have a detrimental effect on the US' relationship with international partners, in the EU and beyond.
For example, we point at the policies currently pursued by Brazil and suggest that such local approaches will become more attractive to States losing confidence in the ownership and governance of Internet infrastructure.
Further, this will put at risk cooperative multi-stakeholder governance of the Internet. It puts the sustainability of current Internet governance processes under serious doubt, by creating the risk of balkanisation of the infrastructure and the governance of it. That is likely to make it even harder to ensure the Internet is built upon a respect for human rights, and for States who claim to promote such values to exert influence over it.
Legal challenge to GCHQ surveillance.
Finally, we wish to highlight that Open Rights Group and two other UK-based civil liberties groups, Big Brother Watch and English PEN, are seeking to challenge GCHQ surveillance in the European Court of Human Rights, on the basis that they are in breach of Article 8 (the right to privacy) of the European Convention of Human Rights.
One aspect of this challenge relates to GCHQ receipt of information collected under what is known as PRISM. As mentioned above, it appears that the receipt of this information is not governed by law or published regulations. The application and other relevant documents are available online.