Thoughts on lack of democratic oversight, transparency and data protection by Kimon Zorbas, CEO, IAB Europe
The revelations about the internet surveillance programmes operated by the USA’s NSA (Prism) and the UK’s GCHQ (Tempora) are indeed something that many of us who work in, are interested in or even just follow cybersecurity (policy) suspected existed in one form or another. Not that I claim I knew any of those details and the vast extent of surveillance, but it was no real surprise that secret services and law enforcement agencies intercept communications. It is the logical extension of Echelon (the European Parliament adopted a report on 11 July 2001 and a resolution on 5 September 2001) and it seems we see the same deep collaboration of the five countries (AUS, CAN, NZ, UK & USA) that set up their secret information sharing and intelligence cooperation many decades ago. What I am very surprised about is the extent of government surveillance (apparently even undersea transmission cables are tapped, a highly complex and difficult undertaking).
It is fair to assume that other European countries have similar surveillance programmes, not to mention those countries with less democratic tendencies.
While many details about the workings of surveillance programmes remain opaque and probably will remain so, the key point is that all these programmes were approved and agreed without engaging in a proper and transparent democratic process. Just to compare: in the pre-internet age letters were sacrosanct. Intercepting and reading a letter was not such an easy thing for policy makers and secret services to do – they needed a warrant on the basis of laws that were adopted by parliaments.
A more structured, transparent and democratic approach was adopted at European Union level following the attacks on the World Trade Center in New York on 11 September 2001. The attack certainly heralded the arrival of a massive change in western culture; it impacted on the way we deal with our freedoms and it also coincided with the vast uptake of the internet.
In the wake of “9/11”, policy makers pushed hard to improve the quality, safety and security of documents, culminating in the introduction of serious security measures such as biometric passports and data retention laws. The data retention debate was important for our society to create a process whereby we can discuss threats, measures to address these, the limitations or impact on personal freedoms and liberty (also on data protection), proportionality and other important questions.
The implementation of Data Retention Directive laws at national level has led to interesting debates, which have demonstrated the differing approaches different states have taken – impacted to a large extent by whether the country had suffered a terrorist attack or not – and compared to debates in the UK and Spain, which had experienced a number of security threats due to terrorism.
The main point was: we had a democratic and transparent process. Now, some would say that passing laws publicly that safeguard national security and counter terrorism is too sensitive and that discussing these issues and threats publicly undermines the effectiveness and efficiency of surveillance programmes.
First, I do not believe this is true. It is likely that some terrorists are stupid and don’t expect surveillance. Others are smarter and do expect surveillance. The first group will be caught fast, the second group deploys strategies and tactics to circumnavigate detection by authorities.
Second, if we subvert the democratic process, we run the risk of losing public support and becoming like those we combat (the United States’ reputation suffered from detaining people in Guantanamo without due legal process).
Third, western democracies have developed processes to discuss sensitive issues and agree on measures to combat crime, including terrorism, in parliaments.
Taking all this into account, we need to start discussing some important questions:
Is the data protection review in Europe the right instrument to fix the problems we face? Probably not.
Is the call to have one legal instrument for law enforcement and industry the right approach?
Will we stop mass surveillance altogether and limit surveillance to individual cases?
For which crimes do we want to use intelligence obtained through mass surveillance?
Would Prism be appropriate and proportionate to combat ordinary crimes, such as illegal downloading? Probably not.
Will surveillance only be used to combat serious crime or just terrorism?
Can western democratic governments commit to not engaging in industrial espionage against each other and even jointly protect European companies against such attacks?
Can we commit to not creating profiles with sensitive information that are then used to, for example, blackmail politicians into compliance?
Can European member states agree to grant all European citizens the same rights and not discriminate against citizens from other EU countries?
The European Parliament’s Echelon resolution provides a good basis to start from.
These are all very important questions and they should be discussed in the public domain – publicly – and not behind closed doors. Of course this doesn’t mean that the functioning of the deployed measures and analytics and algorithms must be disclosed publicly. But massive surveillance without passing a democratic and transparent process is simply unacceptable.
It is time to rethink security, threats and how we manage freedoms in the internet age. Let’s start a proper and structured debate to strengthen our democracies and societies and find answers that can be supported and accepted by our representatives in the European Parliament.
If we fail to deliver this, secret services and government will undermine trust in the digital world – the trust companies have built and worked very hard to earn from consumers and which is the basis for responsible data processing. Leading European company representatives have already warned about the impact this scandal has on the uptake of cloud services. Industry is transparent in the democratic process – debating with all stakeholders in a structured process. It’s time for the spooks to follow.