Will the PRISM surveillance lead to EU lawsuits?

By: Gregory P. Bufithis, Esq.  (founder, Senior Writer) and Eric De Grasse (Chief Technology Officer)

13 June 2013 – So in the land that makes litigation fun, the American Civil Liberties Union, together with the New York Civil Liberties Union, filed a lawsuit in the U.S. District Court in New York which claims that the National Security Agency’s (NSA) surveillance of millions of Verizon customers is unconstitutional. The suit lists key members of the Obama administration’s national security team as the defendants.

Meanwhile in Europe there has been much chatter that internet companies that pass data to the NSA under the PRISM program could face legal action in the European Union (EU).  Viviane Reding, the EU’s Justice Commissioner, has added her voice to the chorus of questions directed towards the US Attorney General over revelations surrounding PRISM.  She will be raising the issue at a meeting with the U.S. Attorney General Eric Holder in Dublin this week.

And this all comes on the news that the Obama administration successfully lobbied the European Commission to strip its data-privacy legislation of a measure that would have limited the ability of US intelligence agencies to spy on EU citizens.  The measure – which was known within the EU as the “anti-Fisa clause”, after the Foreign Intelligence Surveillance Act that authorizes the U.S. government to eavesdrop on international phone calls and emails – would have nullified any U.S. request for technology and telecoms companies to hand over data on EU citizens. However, the safeguard was abandoned by commission officials in January 2012, despite the assertions of Viviane Reding, the EU’s top justice official, that the exemption would have stopped the kind of surveillance recently disclosed as part of the National Security Agency’s PRISM program.

This week we had the opportunity to attend a briefing at the EU Parliament on the issue and the subject came up.  The feeling?  Why bother.  Anything done would have little legal weight “because most of the damn data servers of these damn tech companies holding all this information on EU citizens are in the damn U.S.” (we are paraphrasing of course).

More helpful was the briefing held by the Oxford Internet Institute (OII).  We have noted OII in the past for their excellent programs on data visualization, and their recent symposium on the dynamics of the internet and society, Big Data, and how algorithms work.  The briefing put into perspective many of the legal and technological issues surrounding PRISM. Those of you who watch the BBC or CNN International to follow the PRISM story will have seen OII analyst Ian Brown pop up on your screen.

And, of course, Viktor Mayer-Schonberger, who along with Kenneth Cukier recently published Big Data: A Revolution That Will Transform How We Live, Work, and Think, is a professor of internet governance and regulation at OII.

U.S. government activities and the activity of U.S. companies on home soil are not bound by E.U. law, but companies that operate in the E.U. and serve citizens of the bloc are subject to its relatively strict data-protection laws. Ostensibly, these laws limit the actions of companies that collect data, and require them to be clear about how it will be used and to whom it could possibly be disclosed. They are undergoing a complete rewrite this year (we cannot say more other than Project Counsel attorney-jurists are assisting).

Quoting the aforementioned Ian Brown: “U.S. companies that have gathered personal data from Europeans, such as Facebook, and then given access to U.S. government agencies are in something of a bind.  They had no choice but to obey U.S. surveillance law, but may well now face legal challenges in European courts.”

Duh.  Aspects of U.S. law under which companies can be compelled to provide information to U.S. agencies seemingly always conflict with European data-protection law. But one suspects all will be cleared up when “The Gentlemen’s Fanfaronade Debate Club” (aka Sedona) meets in Zurich next week.

As many EU pundits have mentioned, FISAA 1881a (the regulation under which PRISM is legal in the U.S.) is a direct attack on fundamental European constitutional rights.  Quoting Douwe Korff, professor of international law at London Metropolitan University and a specialist in privacy: “from the European perspective, this is the digital equivalent to rendition.”

It brings to mind the “airline data war” where U.S. authorities demanded the EU hand over data about passengers on flights originating in the EU.  After airlines and travel companies began passing along names, credit-card numbers, and other details, a retrospective treaty between the U.S. and E.U. was needed to shield the companies involved from legal action under data-protection laws. Only last year did nine years of protracted negotiations over the terms of that agreement finally end, after several interim agreements. The U.S. now receives 19 pieces of information on each passenger, including name, contact information, payment details, travel agency, itinerary, and baggage information, and can retain them for up to 15 years.

Not everybody agrees complying with PRISM is illegal under E.U. law. Earlier this week researchers at the University of Amsterdam published a draft legal paper saying that national security exemptions in existing E.U. law make PRISM legal, addressing a legal loophole for bulk access by U.S. authorities to cloud data of E.U. citizens. Quoting from the abstract:

U.S. foreign intelligence law provides a wide and relatively unchecked possibility of access to data from Europeans and other foreigners. The amendments to the Foreign Intelligence Surveillance Act in 50 USC 1881a (section 702) are of particular concern. Recent leaks around the PRISM surveillance program of the National Security Agency seem to support that these legal possibilities are used in practice on a large scale. 

These developments will affect market conditions and competition, notably for U.S.-based cloud services. In addition, the possibility of foreign governmental access impacts the privacy of cloud end-users and can cause chilling effects with regard to cloud computing use.

This last is important.  The paper suggests that EU national governments that have received data sourced from PRISM through their connections with the NSA could face legal trouble. European intelligence agencies would have a very hard time meeting the fundamental rights safeguards while acquiring such wide and unrestricted access to cloud data from EU citizens. There were reports this week that suggest the security agencies of the U.K., the Netherlands and Germany have received PRISM data.

Almost laughable in all this is the tech companies’ “we didn’t know” mantra. All these revelations simply highlighted the long-standing ties between the US military and Silicon Valley, a connection that was first forged in the Second World War and has evolved to produce technologies ranging from chips that powered ballistic missiles to today’s data-mining software employed to ferret out terrorists. Many of these technologies have their financial roots in government grants that supported early research into complex concepts, or military contracts that provided revenues alongside commercial sales of an early product, such as semiconductors. Such products form the technical foundation of modern electronics from radios to phones to computers. And that Father-Of-All-Sugar-Daddies, the Defense Advanced Research Projects Agency (DARPA). As Wired magazine recently said in their blog, many technologies used widely today are rooted in DARPA-backed research, from the user interface that powers a Windows laptop to Siri, the voice of the Apple iPhone. Siri was developed out of a project backed by SRI International, a nonprofit research organisation with funding from DARPA, which aimed to integrate various aspects of artificial intelligence into a virtual assistant that could learn and evolve without constant follow-up coding.

And just how does some of this PRISM tech actually work to analyze data and ferret out terrorists? That we’ll save for tomorrow when we revisit some of the Cyber Gurus we met at the Mobile World Congress.
