The US Government has released a white paper in response to the Schrems II judgment. This post is an initial reaction to a part of the US Government’s position – which can be summarised as ‘trust us.’ (I will follow up with a more detailed post examining the specific content of the white paper soon.)
The US Government’s (‘USG’) position is highly problematic in light of the current approach to oversight within the relevant government departments, particularly when considered against the background of mass-surveillance programs like those revealed by Edward Snowden. Importantly, many of the observations made here apply to the Australian context as well.
Background
Most people interested in privacy and data protection would have heard about the Schrems II judgment. In this case, the ECJ invalidated ‘Privacy Shield’ which regulated data transfers from the EU to the US. The Court also made comments on the approach companies should take if they want to rely on the Standard Contractual Clauses (‘SCCs’).
In response to this, the white paper seeks to help companies to follow this approach so that the SCCs can be relied upon by (among other things)
provide[ing] an up-to-date and contextualized discussion of this … area of U.S. law and practice.
white paper p 1
The paper makes a couple of important points as follows:
(1) Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do …
(2) The U.S. government [collects and shares] data disclosed by companies in response to FISA 702 orders, to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity […].
white paper p 1
So here in essence the USG is saying: first, we’re probably not interested in your data – we only look at data for security and counter-terrorism reasons; and second, when we spy on you we get a warrant – here pursuant to FISA 702.
We’re not interested in your data
This is demonstrably false. The mass surveillance programs of the NSA (and – to be clear – pretty much all intelligence agencies) are well documented. These agencies clearly are interested in gathering huge amounts (i.e. exabytes) of data. This quantity is generated by the routine, day to day operations of the internet as a whole, not by the (comparatively) small data footprint of terrorist groups.
Intelligence agencies use this massive store of data to try and find the proverbial needle in the haystack that is an inchoate terrorist threat. This argument is not entirely meritless, so let’s assume that having that information is useful.
It’s routine at this point in this kind of blog post to go on about the balance between privacy and security. So let’s also assume for now that the ‘balance’ metaphor is an effective way of approaching this problem. Everyone agrees that one important way to maintain this balance is oversight of the capabilities. This brings us to the second point made in the white paper that I’ve highlighted above – when we spy on you, we get a warrant.
When we spy on you, we get a warrant
This may well be true. We know that the USG has engaged in warrantless surveillance in the past. We also know that the FISA Amendments Act 2008 permits warrantless surveillance for up to seven days. But let’s assume that the NSA have changed their ways and always get court orders.
The court in question is the Foreign Intelligence Surveillance Court (FISC), described in the white paper as a
“federal court staffed by independent, life-tenured judges whom the FISA statute authorizes to approve and oversee foreign intelligence surveillance—supervises whether individuals are properly targeted”
white paper page 6
The idea is to have processes and procedures in place that ensure that the surveillance is targeted and restricted. The white paper describes a court that restricts surveillance to ‘a specific person’ and memorialises the ‘targeting rationale.’ It is definitely the case that there are non-trivial legal requirements that must be satisfied in order to get a 702 warrant. However, the court described in the white paper seems very different to the one that authorised the collection of millions of records of Verizon users and the NSA’s Special Source Operations.
In any event, the kinds of processes and procedures described by the white paper are profoundly important as a mechanism to routinise or regularise the exercise of these surveillance powers. They are necessary steps.
The problem is that in order for these steps to impact on decision making, there needs to be oversight – someone needs to be watching. As the white paper points out, in addition to the FISC itself, the watchers are:
- Independent intelligence oversight attorneys in the Department of Justice, and
- Office of the Director of National Intelligence.
Trust without verifying; or Quis custodiet ipsos custodes?
The conventional wisdom is that due to the inherent need for secrecy, the general public cannot be privy to these decisions. Accordingly, the NSA (and all intelligence agencies) say they
can’t be transparent about most of these issues and we have to get comfortable with the idea that we’re delegating to somebody the ability to learn the secrets, review what’s being done and determine whether it’s being done properly.
Stewart Baker, Former NSA general counsel
So herein lies the problem – fundamentally we need to trust that the agencies in question are doing the right thing.
This is why behaviour of government officials that undermines trust is so problematic. The two agencies that the white paper says oversee the surveillance programs have been directly engaged in conduct that directly undermines their claims to impartiality and probity.
The Department of Justice has interfered with the sentencing processes of a close associate of the president, and attempted to drop a prosecution in a matter where the defendant, a former presidential advisor, has pled guilty. More recently, the Director of National Intelligence declassified and released unverified foreign intelligence that was politically advantageous to the president (possibly compromising sources in the process).
If the argument is that we don’t need to worry about FISA 702 because ‘trust us,’ then the ECJ’s scepticism may be warranted – even if the surveillance is too.