|
March 16, 2016 | American Enterprise Institute
|
Key Points
- Governments and the international business community are currently embroiled in a conflict over the appropriate balance between individual privacy and legal government surveillance.
- International companies and governments must consider how to resolve issues such as backdoors that permit surveillance by local authorities, encryption, localization of data storage, and the transfer of citizens’ personal data across national borders.
- The international community must work together to achieve a multilateral agreement for what constitutes legal surveillance and what ensures protection of individual privacy, while considering the potential actions of countries such as China and Russia.
Executive Summary
All major IT companies are caught in the midst of conflicting directives that pit the need for surveillance against the requirement to protect personal privacy. As a result, these firms are asking for a new multilateral agreement to provide common rules of the road.
This paper examines five key areas where conflict among national directives would have to be addressed in a potential new multilateral treaty: (1) the demand to design hardware and software with backdoors to permit surveillance by local authorities; (2) the demand to turn over encryption keys or weaken encryption capabilities to allow the breaking of codes by national agencies; (3) the requirement for localization of data storage and cloud services on national soil; (4) the right to place extraterritorial demands on companies to retrieve personal data stored in another country; and more broadly, (5) the harmonization of rules governing the transfer of personal data of citizens of diverse nationalities across borders.
As shown here, reconciling the desire for surveillance with the need to protect individual privacy will be difficult for the United States, UK, France, Germany, and the EU more broadly. This challenge is compounded because other countries—including potential adversaries such as China and Russia—will be watching closely and doubtless claim the right to impose mirror-image demands on companies of all nationalities operating within their own economies.
Introduction
The revelations from Edward Snowden about the surveillance activities of US and other intelligence authorities, dating from 2013, generated widespread demands for measures to safeguard personal privacy and protect individual data, particularly in Europe. The terrorist attacks in Paris in 2015 have generated counterpressures for increased surveillance of phone calls, emails, and other forms of communication, especially in France, the UK, and the US.
As the pendulum now swings toward more extensive and intrusive official scrutiny, international companies—especially, but as will be seen, not exclusively IT companies—find themselves caught in the middle, in need of rules about how to comply with hotly debated and often-conflicting national directives. The confrontation between Apple and the FBI is today’s most prominent case of a company torn in conflicting directions, representing a mix of several distinctive strands of conflict involving surveillance versus protection of privacy.
What exactly are the most important issues in the trade-off between surveillance and privacy that are embroiling international companies? What are the most important debates that will have to be resolved to create an international agreement on standards for international companies to participate in national surveillance programs?
This paper focuses on what is commonly called “legal surveillance.” These are measures that have been officially authorized by legislation in the countries involved. This paper does not delve into covert espionage activities on the part of the US, UK, France, or other countries; examine offensive and defensive measures involved in cyberwarfare; nor investigate programs to track and prevent hacking by individuals and governments around the globe.
Within the realm of legal surveillance, this paper identifies five areas (among many) that are particularly fraught for international IT companies: (1) the demand to design hardware and software with backdoors to permit surveillance by local authorities; (2) the demand to provide access to encrypted text or weaken encryption capabilities to allow the breaking of codes by national agencies; (3) the requirement for localization of data storage and cloud services on national soil; (4) the right to place extraterritorial demands on companies to retrieve personal data stored in another country; and more broadly, (5) the harmonization of rules governing the transfer of personal data of citizens of diverse nationalities across borders.
Achieving multilateral agreement for what constitutes legal surveillance and what ensures protection of individual privacy—and how to apply such agreement to international companies’ behavior—will be no mean feat. Not to be forgotten, the shaping of such a multilateral agreement will have to be conditioned on the expectation that potential adversaries outside of Europe and North America—such as China and Russia—will claim legitimacy for counterpart regulations applied to international companies within their own borders.
Backdoors for Government Surveillance in IT Equipment and Services
Presaging the contemporary debate about inserting backdoors into IT systems, two long-standing US statutes specify that service providers have the obligation to offer “technical assistance” to the US government to conduct surveillance. Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (often referred to as the Wiretap Act) and the Foreign Intelligence Surveillance Act of 1978 (FISA) include provisions mandating technical assistance so that the government will be able to carry out surveillance activities authorized by a court order. For example, Title III‐8 specifies that a “service provider, landlord . . . or other person shall furnish [the government] . . . forthwith all . . . technical assistance necessary to accomplish the interception.”[1]
Since passage in 1994, however, the Communications Assistance for Law Enforcement Act (CALEA) has constituted the principal platform for legal surveillance of telecommunication channels in the United States. The US Federal Communications Commission (FCC) provides a succinct description of CALEA’s backdoor-portal requirement:
CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that these agencies have the necessary surveillance capabilities as communications network technologies evolve.[2]
In August 2013, the Wall Street Journal revealed that CALEA’s reach extended even to foreign telecommunication companies operating in the United States, such as China Telecom, Ericsson, Lucent-Alcatel, and Nokia.[3] But this “exposé” should not be surprising. To the question of who must comply with CALEA, the Department of Justice answers, “all telecommunications carriers or other entities engaged in the transmission or switching of wire or electronic communications as a common carrier for hire.”[4]
While CALEA was intended to keep pace with technological changes, its focus was on telecommunications carriers that provided traditional telephony and mobile-telephone services, not Internet-based communications services. Over the years, through the FCC’s interpretation of the statute, CALEA’s reach has been expanded to include facilities-based broadband Internet access and Voice over Internet Protocol services, which are fully interconnected with the public switched telephone network. The phrase “providing a backdoor” for surveillance has evolved as well, from incorporating a physical portal to insert a wiretap or listening device, to designing software that can be penetrated electronically.
Requests to penetrate IT systems to conduct surveillance under the Wiretap Act, CALEA, or FISA can originate in court orders from any ordinary criminal case. Of particular note, however, are the latter. Here petitions to secure a warrant are drawn up by the office of the general counsel of the Justice Department, the FBI, or the National Security Agency (NSA) and presented to a special court—the FISA Court—without any public notice.
These requests to conduct surveillance need not show probable cause—nor even reasonable grounds to believe—that the person whose records are sought is engaged in criminal activity or that the subject of the investigation is a foreign power or agent of a foreign power. The records simply have to be “relevant” to a criminal or national-security investigation. Established in 1978, the FISA Court’s jurisdiction was upgraded and expanded in the Patriot Act of 2001
All FISA Court activities are conducted in secret. FISA deliberations about issuing a warrant are carried out ex parte—that is, the FISA Court hears only the government’s argument in the absence of, without notification of, and without any chance for rebuttal or counterargument from those who are targets of surveillance. Subjects of surveillance are never notified that their privacy has been compromised. From 2004 to 2012, the FISA Court granted 15,100 requests for warrants, while rejecting seven.[5]
IT service companies, meanwhile, are prohibited from disclosing information about the FISA Court’s requests for surveillance to the public through gag orders. In January 2014, President Barack Obama ordered the Justice Department to allow companies such as Facebook, Google, LinkedIn, Microsoft, and Yahoo to disclose the total number of FISA Court orders they receive annually and the total number of users those requests affect, but no other information.
CALEA and the predecessor laws that require providers of equipment and services to enable surveillance apply only after the messages concerned have left the device and are in transit or are being stored externally on a server. Contemporary debate in the United States focuses on access to information stored on an individual’s cell phone or other device. Requiring individuals to turn over their devices to law enforcement or intelligence authorities, along with passwords and keys to permit access to data stored thereupon, raises Constitutional issues and will be discussed next in the section on encryption.
At the same time, while the FCC has steadily expanded CALEA’s coverage as IT technology has evolved, the FBI and Department of Justice complain that CALEA does not currently cover many popular Internet-based communications services involving email, Internet messaging, social networking sites, or peer-to-peer services.[6] Many of these services also involve user-controlled or end-to-end encryption, allowing terrorists and criminals to communicate without any possibility of surveillance. (See the discussion of “going dark” in the next section of this paper.)
In the UK, new legislation—the Investigatory Powers Bill of November 4, 2015—will consolidate past regulations governing IT communications.[7] This bill makes explicit the legal authority of intelligence and security agencies, the police, and the armed forces to conduct surveillance of computers, networks, and mobile phones. The legislation requires all IT companies operating in the UK to design their systems to allow interception, data collection, and surveillance and to assist such actions. The term of art is that IT companies must allow for “equipment interference” throughout their hardware and software to assist official surveillance.[8]
Currently, warrants for surveillance are approved by a government minister with no judicial involvement. Under the new legislation, warrants will have to be approved by both a minister and a senior judge. But the role of the latter is limited to determining whether the authorities followed correct procedures and acted reasonably. Even this pro forma judicial review is waived if the minister considers the case to be “urgent,” and such urgent cases are not limited to situations involving imminent threats to life.
Similarly, the French government passed new surveillance legislation in the aftermath of the January 11, 2015, attacks on Charlie Hebdo. The legislation consolidates provisions for intelligence gathering that had been scattered across various provisions of the French Internal Security Code.[9] It requires Internet providers to ensure that French intelligence services have access and visibility into all data traveling over networks.
Intelligence-gathering measures under the new French legislation can be implemented upon specific authorization given by the prime minister or designee. This authorization is granted only after a specially created Commission for Oversight of Intelligence Techniques renders an opinion on the measure’s compatibility with the principles set forth in the law, but the commission’s opinion is not binding on the prime minister.
Given the history of surveillance on the part of intelligence agencies in East Germany during the Cold War years and earlier in the Nazi period, Germany has been particularly concerned to protect individual privacy.[10] In 2010 the German Constitutional Court struck down a 2007 law covering data retention and access to stored data, arguing that the law violated Article 10 of German Basic Law, which protects the privacy of correspondence, posts, and telecommunications.
Following the Charlie Hebdo attacks in Paris in early 2015, the German government proposed and the Bundestag passed a new data-retention law.[11] The crafting of this law attempted to address some of the concerns previously raised by the Constitutional Court, such as reducing the time of retention from six months to 10 weeks; limiting surveillance by law enforcement and intelligence authorities to a specific list of “severe crimes”; and exempting access to individuals that deserve special protection, such as doctors, lawyers, and journalists. Investigators can access personal data only with a court order. This law has not thus far been evaluated by the German Constitutional Court, so its ultimate fate is not yet known.
There are at least four layers of policy questions here: (1) Will US and EU governments be comfortable with required backdoors for surveillance via IT systems becoming the global norm? (2) Will court warrants be required to conduct surveillance via IT systems, or will only ministerial discretion be required? (3) Will warrants from secret courts—such as the FISA Court in the US—qualify as adequate? (4) Will targets of surveillance by authorities in various countries be denied due process, without the opportunity to know or rebut the suspicions cast on them, or will the momentum in this direction have to be reversed?
Notes
- Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 197 (1968), Title III‐8.
- Federal Communications Commission, “Communications Assistance for Law Enforcement Act,” November 24, 2014,www.fcc.gov/encyclopedia/communications-assistance-law-enforcement-act.
- Spencer Ante and Ryan Knutson, “U.S. Tightens Grip on Telecom,” Wall Street Journal, August 27, 2013,http://www.wsj.com/articles/SB10001424127887324906304579037292831912078.
- US Department of Justice, “CALEA FAQs—No. 5,” http://askcalea.fbi.gov/faqs.html.
- Evan Perez, “Secret Court’s Oversight Gets Scrutiny,” Wall Street Journal, June 9, 2013,http://www.wsj.com/articles/SB10001424127887324904004578535670310514616.
- Sally Quillian Yates, testimony before the Senate Committee on the Judiciary, July 8, 2015, https://www.justice.gov/opa/speech/deputy-attorney-general-sally-quillian-yates-delivers-oral-testimony-senate-judiciary; and James B. Comey, testimony before the Senate Select Committee on Intelligence, July 8, 2015,https://www.fbi.gov/news/testimony/counterterrorism-counterintelligence-and-the-challenges-of-going-dark.
- Draft Investigatory Powers Bill, November 2015 (Eng.).
- Ibid., 16–19.
- Republic of France, LOI no. 2015-912 du 24 juillet 2015 relative au renseignement (1), January 24, 2015,http://www.legifrance.gouv.fr/eli/loi/2015/7/24/PRMX1504410L/jo/texte.
- Caroline Copley, “German Parliament Okays Law to Store Telephone and Internet Data,” Reuters, October 16, 2015.
- Mirko Hohmann, “German Bundestag Passes New Data Retention Law,”Lawfare, October 16, 2015.
