How – despite recent legal changes in the US - email mass surveillance remains widespread, and what to do about it.
Photo by arbyreed / CC BY-NC-SA 2.0
The enactment of the USA Freedom Act in June 2015 was an historic moment in that it was the first time that the US government’s surveillance powers had been curtailed since 9/11. However, the author argues that this is just the beginning of what is fast becoming an Internet human rights movement. He explains the legislation that has been left untouched by the USA Freedom Act. This legislation enables the US government to continue to spy on both US and non-US citizens by collecting the content of their emails and other online messages. Finally the author sets out specific groups that must put pressure on the US government to end such discriminate surveillance.
People’s understanding of the concept of privacy has changed enormously since Edward Snowden’s 2013 revelations about the United States’ indiscriminate global spying programmes. Before Snowden, few in the human rights field even knew what metadata was. Privacy of electronic communication was nearly a non-subject in human rights circles. Since then, things have changed rapidly. Once the US government’s growing surveillance powers came into the spotlight, it became increasingly clear that something had to be done to swing the pendulum back in the other direction, curbing abuses in surveillance and building up real accountability mechanisms.
From a historical perspective, the USA Freedom Act, enacted on 2 June 2015, marks the first time since 9/11 that the surveillance powers of the US government have been curtailed. It is a milestone in that it ended the bulk collection of US – and many non-US – citizens’ telephone records which had been taking place by the National Security Agency (NSA) since 2001. Furthermore, it provides for some semblance of oversight. The Acts foresees representation of privacy concerns in the Foreign Intelligence Surveillance Court. Ultimately, it limits the ability for the government to warehouse phone metadata information of US citizens.
Yet, the Act does not go far enough. We at the American Civil Liberties Union (ACLU) call attention to what will be the next big battle against mass surveillance: to challenge the equally widespread collection of emails of US citizens, including their correspondence with foreigners. This mass email collection – left untouched by the USA Freedom Act – proves we still have a long way to go before privacy is fully respected. Recent media reports show the magnitude of this problem. In August 2015, New York Times and ProPublica revealed that, between 2003 to 2013, AT&T has provided NSA access to billions of emails crossing its US network system.
There are two pieces of legislation that remain in force which allow this kind of mass email surveillance – Section 702 of the Foreign Intelligence Surveillance Act (FISA) from 1978 and the Executive Order 12333 from 1981. They are even more invasive than Section 215 of the Patriot Act, which the USA Freedom Act put an end to. Section 215 recorded metadata – lists of incoming and outgoing phone records – but not the audio content of telephone calls themselves. In contrast, these two sister provisions permit the collection of actual communications content – including emails, instant messages and messages on social media – without individual warrants.
Section 702 of FISA provides for the collection of content, within the US, of a person located outside the US. In 2013 there were approximately 90,000 such targets. To the extent US citizens’ correspondence is incidentally included in such an investigation, this content is also retained by the NSA. In 2011 approximately 250 million messages were collected on the basis of Section 702, mostly from service providers such as Google, Microsoft and Yahoo.
Meanwhile Executive Order 12333 focuses on bulk collection of content from data centres located outside the US. Although the provision again is theoretically aimed at foreigners, US citizens’ communications are incidentally collected if they form part of communication with a foreigner who is under investigation.
How can we pressure the US government to change such alarming practices of email surveillance? First of all, engaging with the tech companies is critical – the top five US tech companies have a combined revenue of over half a trillion US dollars and therefore pack a lot of weight in the corridors of Washington. And the government is only able to access such data with the acquiescence of these companies. Increasingly, we are seeing the private sector taking affirmative steps in order to close the surveillance “back doors” created by the NSA. Additionally, tech leaders are beginning to engage with civil liberties organisations such as the ACLU and with government on the privacy debate. Certainly, the tech lobby was an important engine of reform that contributed to the passage of the USA Freedom Act, including forming the so-called Reform Government Surveillance coalition.
Companies recognise that not doing anything about the government accessing their customers’ data will hurt their bottom line. They recognise that it is a misapprehension to think that just because the millennial generation is happy to share their personal lives – photos, opinions and stories – online, that they are also happy for the government to access their data without their permission. On the contrary: this generation is demanding that the tech companies respect their privacy and stop handing over data to the government. And the tech companies are beginning to listen.
Pressure also needs to come from outside the US. It must come from the leaders of countries who were spied on, such as Brazil, France and many others. And it must come from non-US citizens who refuse to accept that they are offered a lower standard of privacy than their US counterparts. It is illogical – especially in the context of the World Wide Web – that the US offers greater privacy rights to its own citizens than to foreigners. In the virtual world, such division does not make much practical sense. For instance, when I email another American citizen on American soil, if our email traverses a data centre overseas, it becomes more open to government surveillance and interception. By not challenging this differing standard of privacy protection we risk betraying the very power of the World Wide Web and the concept that it is indeed a worldwide – and not a country by country – resource. Similarly offering higher privacy protections to only US citizens would suggest that tech companies would need to treat customers differently based on nationality. Together, we must reframe privacy rights not as a domestic civil rights issue but within the broader struggle for international human rights.
The USA Freedom Act therefore marks a pivotal moment in the birth of a new movement for human rights on the Internet, of which Snowden might be considered the founding father. Except perhaps for China, the US government has the greatest ability to conduct surveillance. The Internet generation, together with civil society groups and the private sector must demand continued review of the US’s surveillance legislation, in particular the repeal of section 702 and Executive Order 12333. Failure to do so will result in the US becoming a global standard setter for surveillance initiatives and allow it to continue to undermine privacy on the Internet. As Snowden recently said, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”