Last month saw an important anniversary for Edward Snowden. In June 2013, he broke the biggest state surveillance scandal in history. Where has it left us three years on, and what have we learned?

Snowden left the country that May without telling anyone where he was going. A little later he was in Hong Kong, briefing film maker Laura Poitras and Guardian journalists Glenn Greenwald and Ewan MacAskill, using documents that he had downloaded from NSA servers.

He spilled everything (you can find the source documents for reported stories here), alerting the world to an egregious surveillance mechanism that spanned numerous countries.

He named Verizon as a telco that had been gathering metadata on millions of citizens’ conversations for the NSA, and also highlighted PRISM, a systematic data gathering program under which the NSA reportedly monitored nine large Internet companies. These were just the opening stories.

The US government charged him under the Espionage Act, on his birthday, June 21. He didn’t return for trial, instead gaining asylum status in Moscow. His life will never be the same again. Now, he tweets and talks to people via video link from his new home in Moscow. He’ll be doing that in October, when he keynotes at SecTor’s tenth anniversary conference.

When he left the US not even his family was aware of what was happening. It was a massive sacrifice. Was it worth it?

“It’s been unexpected and challenging but it’s been encouraging. It’s been energizing to see the reaction from the public,” he told the Guardian a year after his story broke. “It’s been vindicating to see the reaction from lawmakers, judges, public bodies around the world, civil liberties activists who have said ‘it’s true that we have a right to at least know the broad outlines of what our government’s doing in our name and what it’s doing against us’.”

The Snowden legacy

How have his revelations helped?

“The impacts can’t be underestimated. As a starting point, he has completely transformed the debate, which is an essential starting point to any other positive change in terms of privacy,” said Tamir Israel, staff counsel at the Canadian Internet Policy and Public Interest Clinic (CIPPIC). “The debate had been very focused on security concerns. Privacy concerns had been raised but they weren’t getting the same weight.”

That heightened awareness of privacy issues has contributed, indirectly if not directly, to some wins for privacy advocates, he added. For example, the US entered into an agreement with EU citizens, enabling them to challenge how US agencies were using their data.

Gains and losses

There have been other significant milestones, such as the introduction of the USA Freedom Act on June 2, 2015. That Act sought to curtail some of the intelligence and law enforcement community’s more egregious powers.

In the early months of 2015, the intelligence community was concerned about the expiry of Section 215 of the Patriot Act. Passed in 2001, section 215 amended the Foreign Intelligence Surveillance Act (FISA), making it easier for intelligence and other agencies to gather information about US and non-US citizens. The Patriot Act’s author, Rep. Jim Sensenbrenner, had said in 2014 that Section 215 wasn’t meant to be a tool for gathering call metadata.

S.215’s expiry effectively left the intelligence gathering mechanism blind for a brief period, causing Congress to rush through the USA Freedom Act, which resuscitated Section 215, but with caveats.

The new legislation curtailed the use of National Security Letters, which are used to gain customer records from organizations, and of pen registers, a Patriot Act mechanism used to gather metadata. It imposed the use of specific selectors on both of these tools, to avoid the kinds of broad sweeps that had been happening.

This kind of broad sweep for data was one of the issues that compelled Snowden to do what he did. He told the Guardian: “I would argue that simply using the term haystack is misleading. This is a haystack of human lives. It’s all the private records of intimate activities throughout our lives that are aggregated, compiled and stored for increasing frequencies of time.

“It may be that by seizing all of the records of private activities, by watching everyone everywhere we go, by watching everything we do, by monitoring every person we meet, by analysing every word we say, by waiting and passing judgement over every association we make and every person we love that we could uncover a terrorist plot or discover more criminals. But is that the type of society that we want to live in?”

The USA Freedom Act also appointed a watchdog to sit in on the FISA court hearings that approved requests for such things, which had previously been held entirely in secret.

There were other high points for privacy activists like Snowden. In 2014, the House passed the Massie-Lofgren amendment to the Defense Appropriations Bill. This sought to curtail one of the most important pieces of FISA – Section 702 – which allows the NSA and law enforcement to search without a warrant emails, browsing and chat histories of US citizens collected incidentally while collecting data on non-citizens. The amendment would also have stopped the NSA using its budget to try and make tech vendors build encryption back doors into their products.

That high point also led to one of the low points for privacy activists since Snowden’s whistleblowing: last month, the House backtracked on the original Massie-Lofgren decision, this time voting it out.

Where are we now?

Today, the privacy battle continues to rage. Draft legislation to force crypto backdoors into tech products is dead in the water.

Apple, whose refusal to decrypt its own users’ data for the FBI spurred the draft legislation, has ethically inverted itself, increasing transparency to the rest of the world. It left its iOS kernel unencrypted in a move that could help the community to discover security flaws more quickly and make it harder for agencies to hire third party firms to crack its devices.

It’s impossible to look at these events outside the context of Snowden’s revelations. As Israel said, he changed the debate.

Two other significant things are now happening on the Hill, each focusing on two sides of the investigation process. The first is Sen. McCain’s Amendment 4787 to the Commerce, Justice and Appropriations Bill. This is a proposal to expand the scope of National Security Letters to include electronic community transaction records (ECTRs). These include email time stamps, senders, and recipients, along with browsing metadata that also includes location. Under the amendment, this information would all be obtainable by the FBI without a warrant.

This bill was narrowly voted down in the Senate in June, although a motion was forwarded to reconsider the vote.

The other bogeyman for privacy advocates is the amendment of the Federal Criminal Rules of Procedure’s Rule 41. The amendment would enable district judges to issue warrants to remotely search devices believed to be shielding their locations online. That theoretically opens up everything from devices connecting via Tor or other proxies to, potentially, those whose users choose to disable location-based services.

The amendment could also open machines already infected by botnets to remote probing. So theoretically, if you’re unlucky enough to be compromised by Conficker, you could be hacked a second time by the Feds.

Unlike the McCain amendment, the Rule 41 amendment is designated as procedural rather than legislative, and was created by the advisory committee on criminal rules for the Judicial Conference of the United States. This means that it will become effective on December 1 unless Congress does something about it.

Unfortunately, Congress just doesn’t have a great track record on this stuff, warns Shahid Buttar, doctor of law and director of grassroots advocacy at the Electronic Frontier Foundation.

“The USA Freedom Act was a preliminary step. They never even started to finish the job, which is to say the last time that Congress investigated the intel agencies was in 1976,” he said. “Why has there been no investigation in the past three years?”

He’s talking about the Church Committee, which probed US intelligence and led to more oversight of the NSA. Since then, the intelligence community has overreached itself, warned Snowden.

“Generally, it’s not the people at the working level you need to worry about,” Snowden said in 2014. “It’s the senior officials, it’s the policymakers who are shielded from accountability, who are shielded from oversight and who are allowed to make decisions that affect all of our lives without any public input, any public debate, or any electoral consequences because their decisions and the consequences of the decisions are never known.”

Why isn’t Congress stepping up to investigate? It’s partly to do with the news cycle, suggested Buttar. In spite of publications like The Intercept, which Greenwald went on to found after the Snowden stories, broad media coverage has declined.

Even after a year, media coverage of the relevant issues had declined to less than 2% of its traffic as the Snowden news was happening, according to a June 2014 CIPPIC report. Two years on, we can assume that it’s decayed to the level of background noise. Many people – and especially Congressional leaders – simply aren’t listening as much as they were.

If there is a failure, it certainly isn’t Snowden’s. He couldn’t have sacrificed much more. “The failure isn’t with the whistleblower, it’s everyone else,” Buttar suggested.

There’s lots of work to do for those privacy advocates that are fighting in the wake of Snowden’s revelations. There are still many other mechanisms that allow for state surveillance. Executive Order 12333 allows for the gathering of metadata and message content, and opens the door for the incidental collection of data on US citizens in the course of international terrorism or narcotics investigations. The US DEA’s Hemisphere program collects four billion call detail records daily via AT&T.

FISA’s Section 702 also permits the collection of data under the FISA court’s review, although FISA doesn’t approve the actual targets. There are at least 90,000 targets under that authority. ‘Back door’ searches of incidentally-related information without a warrant are still permitted, and both the NSA and FBI have access to this information.

Buttar suggests that other countries now have a role to play in monitoring America’s actions and holding it accountable. One of its closest cousins, Canada, has been divided by its own intelligence debate.

Bill C-51, the lawful access legislation originally introduced by the Conservative government, angered privacy advocates who saw it as overreaching. Unlike the NDP, the Liberals supported the bill, although their leader promised alterations to tone down its powers. Since gaining power, the government has legislated a committee to oversee the Canadian Security Intelligence Service (CSIS) and other government intelligence agencies.

This is a start, but more action is needed, argued CIPPIC’s Israel. “Oversight alone is never enough because if they have expansive powers, all oversight can do is say that they’re doing what we told them they could do,” he said.

That’s earmarked for the future. The Canadian government has committed to make changes following a more detailed consultation, while in the US, another big event is due next year: FISA Section 702 will shortly sunset, just as Patriot 215 did. That represents another turning point for US surveillance legislation, warned Buttar.

“Next year they will legislate something to keep at least what part of 702 authorized. What’s that going to look like?”

One thing’s for sure: the debate over these issues will never be the same after Snowden’s sacrifice. If you want to hear him speak about it, then come to SecTor 2016 this October. It’s sure to be a packed room.