Agencies such as the NSA and the FBI will no longer be permitted to arbitrarily access the logs of phone calls, emails and internet use. Congress has passed the USA Freedom Act of 2015, which limits the power of government intelligence organisations to access the communications records of US citizens.
Rather than intercepting data and retaining it in case it’s needed for an investigation, intelligence agencies will now have to access the data from the private companies that collect it. And they will only be able to do so in specific and justified cases.
This is being hailed as an important amendment to intelligence practices, as well as vindication for Edward Snowden, who revealed the extent of the surveillance that was going on after the September 11 attacks in 2001.
Many argue that there is still a long way to go. The Electronic Frontier Foundation actually withdrew its support for the Freedom Act in an effort to push politicians to go further with it. And ironically, the transition period for the implementation of the bill means the NSA will actually restart its data gathering program, having suspended it in May due to legal uncertainty. Once the Act comes into force, the NSA will have six months to adapt to the new requirements.
And while the changes may come as welcome news to US citizens, not a great deal has actually changed for everyone else in the world.
The USA Freedom Act only applies to US citizens, which means the NSA is still free to gather meta data on citizens of other nations. Meanwhile, other governments are moving to hand greater powers to their intelligence services.
In the UK, for example, GCHQ operates a similar program to the NSA. In early 2015, a consortium of civil rights organisations took GCHQ before the Investigatory Powers Tribunal – a British court set up to hear complaints against the security services. The consortium argued that GCHQ’s mass surveillance program – as well sharing the results of that program with the NSA – was an abuse of human rights law. The tribunal found in favour of GCHQ but the case is expected to proceed to the European Court of Human Rights in Strasbourg later this year.
Left as it is, GCHQ can help to alleviate problems that the NSA will face in collecting data on US citizens. As part of the “Five Eyes” intelligence sharing arrangement that includes the US, UK, Australia, New Zealand and Canada, GCHQ is perfectly positioned to collect and pass on communications data on US citizens that the NSA may be prevented from collecting itself.
What’s more, in the wake of the British election, the UK government is seeking once again to implement a law known as the Snooper’s Charter. This is essentially a data retention bill that would require telecommunications companies and internet service providers to hold onto the meta data (but not content) from their customers' emails, phone calls, texts and internet browsing for 12 months.
Meanwhile, in the weeks following the Charlie Hebdo attacks in Paris, France moved to introduce significantly strengthened data retention laws. Echoing the US response to the 9/11 terrorist attacks, French Prime Minister Manuel Valls suggested that an “extraordinary situation calls for extraordinary measures”. This has implications for European negotiations over data protection laws which have been implemented to shield EU citizens from the NSA surveillance program.
Questions about the balance between privacy and security are ongoing and to some extent, they define the times. With increasing intensity, organisations have been racing to take advantage of personal data trail that we now generate online. There can be little doubt that this provides opportunities for use in law enforcement and intelligence.
It’s worth remembering, though, that mass surveillance is not carried out by the NSA or the FBI or even GCHQ. It’s carried out by private corporations such as Google and Facebook. Adequate oversight of the way intelligence agencies access and use that data is extremely important but we have remarkably little oversight of the way private companies deal with our data. And in many cases, they operate with very little transparency themselves.
In February 2015, the Belgian Privacy Commission found that Facebook is acting in violation of European law. A few months later, Apple CEO Tim Cook launched an attack against the collection and monetisation of personal data saying that Silicon Valley businesses are “lulling their customers into complacency about their personal information”.
And as for telcos and ISPs, those that don’t already retain our data aren’t acting out of ethical concerns – they don’t keep the information because the expense of storage currently outweighs the commercial value of the data.
So while US citizens have reasons to celebrate about the USA Freedom Act, they should remember that the NSA has allies around the world who continue to collect data on both their own citizens – and those in the US.