Rebalancing Security and Freedom in the 21st Century

November 20, 2013
By Elizabeth Pond

It’s not just the ire of German Chancellor Angela Merkel at having her cellphone hacked that drives today’s buzz about spying. More fundamentally, the driver is the technology that has galloped far ahead of sane policy to control it.

It will be far easier to resolve the German-American strains than the strains in all democracies between security and freedom. Yet the time has surely come to formulate a common transatlantic approach to reconciling security imperatives with the core value of individual privacy in the 21st century.

The last time the United States addressed the schizophrenia between the two goals in a comprehensive way was in the 1970s after the debacles of the Vietnam War and the Watergate affair. Congress wrote guidelines that curbed promiscuous trawls for intelligence, established a special court for pre-approval of intelligence operations, and set up Congressional oversight committees to monitor the shadowy signals intelligence collector called the National Security Agency (NSA) or, less reverently, the “No Such Agency.”

In 2001 the Al Qaeda attacks on the World Trade Center and the Pentagon reversed the 1970s readjustment of the American legal balance toward protection of individual rights. In the post-9/11 scare secret intelligence or interrogation measures that might help prevent another terrorist attack were welcomed with minimal oversight scrutiny and with an elastic definition of who might be deemed terrorist suspects.

In this permissive atmosphere, a series of technological advancements—including the fiberglass revolution, increases in bandwidth, and proliferation of trackable mobile computing devices—fused together to enable the collection of NSA Chief Keith Alexander‘s beloved petabyte “haystacks” of metadata for eventual extraction of useful “needles” from them. Upgrades in computer speeds and search algorithms should soon go even further and facilitate an eerie Big Brother capacity to pluck individual messages out of the digital flood and read them in real time.

Computer geeks who followed the information explosion assumed that intelligence agencies were making full use of the new capabilities. It took the leak by NSA contract administrator Edward Snowden of more than 70,000 secret NSA documents about world-wide spying in mid-2013, however, to prove the assumption correct. Laws and oversight rules written before the latest information explosion—and made even more permissive by supplemental laws legalizing earlier NSA actions retroactively during the 13 months in 2004-05 in which the New York Times held off publishing an article about NSA exploits at the request of the US government LINK—were shown to be antiquated.

In the wake of these revelations an array of officials and commentators in both the US and Europe are calling for reform of the inherited legislation and habits of security services. President Barack Obama, in reference to the NSA’s bulk collection of fiberglass cable traffic worldwide, said, “Just because we can do something doesn’t mean we should do it.” He is even said to be considering, according to David Ignatius of the Washington Post, an unprecedented extension of the Fourth Amendment protection of US citizens against “unreasonable searches and seizures” to cover citizens of fellow democracies as well,. That would address a major grievance of Europeans—that the NSA has free rein to spy on them in ways that it cannot legally spy on Americans, and then pools its information with allied secret services that cannot legally spy on their own nationals but in turn swap their information on foreigners with the US and other friendly intelligence agencies.

Philip Zelikow, executive director of the 9/11 Commission, former State Department Counselor, and University of Virginia professor, has counseled a “period of reflection about America’s intelligence alliances,” the added value that coalitions give in plotting long-term strategy, and the current crisis of what he terms “the void in policy to guide” the secret services. Realistically, however, he expects that in the current crisis the US and Germany “will be merely reactive, and will pass up a significant opportunity” to go beyond “ad hoc operational co-operation” to strategic coordination.

On the European side of the Atlantic, a leader in the Economist cautiously endorsed the continent’s anger at Washington over the NSA spying and appealed for better domestic oversight of American intelligence agencies. The inventor of the world wide web, Sir Timothy Berners-Lee, in a Guardian interview, deplored the failure of America and Britain’s “dysfunctional and unaccountable” oversight to stop excessive spying.

But he reserved his strongest outrage, the interviewer reported, for the “appalling and foolish” decision by the American and British signals-intelligence giants to weaken online security by pressuring internet servers to install back doors for secret access to digital communications and “by cracking much of the online encryption on which hundreds of millions of users rely to guard data privacy.” He acknowledged that democracies “need powerful agencies to combat criminal activity online,” but he called it “naïve to imagine that if you introduce a weakness into a system you will be the only one to use it.”

In other responses, the European Parliament has urged the European Union to stop giving the NSA access to SWIFT records of international financial transactions and to make no compromise on the European demand for robust data protection in negotiating the proposed Transatlantic free-trade area. More popularly, demands have come from across Europe to segment the internet into “sovereign” national servers—as Brazil is now preparing to do in a draft constitutional amendment—that would circumvent the US in routing electronic communications. And opinion polls by ARD-GermanyTrend show that in the wake of the NSA snooping, German approval of Obama has plummeted from a remarkably high 75 percent throughout his first term to only 43 percent approval today (as against 52 percent active disapproval). An Emnid survey found further that 76 percent of Germans want President Obama to apologize to Chancellor Merkel for eavesdropping on America’s most important ally in Europe.

Despite all the talk of intelligence reforms, Washington is unlikely to go beyond (perhaps) bringing Germany into the inner circle of the “Five Eyes” Anglo-Saxon intelligence consortium to launch any comprehensive reconfiguration of surveillance rules. The besieged Obama must spend his shrinking political capital on more immediate crises like healthcare, the Syrian bloodbath, and negotiations with Iran. And he already faces formidable pushback from his intelligence chiefs, who resist surrendering the auto-pilot status they have enjoyed post-9/11 and fear losing their crucial leadtime in innovation as rival nations’ secret services catch up by copying the U.S. cyber spying methods revealed by Snowden.

Given Washington’s gridlock, the time has come for Europeans to take the initiative in recalibrating a common transatlantic balance between security and freedom, suggests Ben Scott, a former State Department advisor on technology issues who is now Program Director at Berlin’s Foundation New Responsibility. “What we have is a policy of surveillance for national security that was designed in an era before the internet,” he explains in an interview. “In oversight and accountability, what the law anticipated is quite different from what the technology is today….We are now in the process of rethinking how the law should fit the technology….If there were a common European standard clearly articulated, Europe would be in a strong position”—perhaps with the aid of San Francisco Internet servers who want to remain global business leaders—to urge the U.S. to join in building common transatlantic guidelines for surveillance.

A study Scott wrote recently together with Georg Mascolo, a visiting scholar at Harvard and a former Editor-in-Chief of the Hamburg weekly Der Spiegel, sets out the basic conundrums. [] The authors admit the “hard truth [that] there is no political or economic power in the world that can guarantee privacy and security in digital communications. The information systems of modern society are fundamentally insecure….The Internet that has beautifully facilitated access to knowledge, economic growth, and freedom of expression has at the same time weakened the liberty of individual privacy” and created “a fundamental—perhaps existential—problem….In short, the globalization of communications has taken control over the right to privacy outside the power of the nation state to protect. The most powerful nation states have turned this vulnerability into a strength to combat new threats to national security, authorizing spy agencies to use surveillance technologies to build a massive communications dragnet.” Today some “80  percent  of information  about terrorist threats comes from signals intelligence.”

With this shift, “the nature of surveillance has changed dramatically.  The original form required an evidence-based court order to intercept the communications of an individual suspect…. No other individuals were implicated in this infringement on privacy, except those who communicated with the suspect.  Today, this logic is reversed.” The NSA can trawl close to 100 percent of telecommunications in a given time period to capture the fraction of one percent that may reveal terrorist plans. But then “what about the rights of the other 99 percent that get swept up in the process?” How can the old requirement that surveillance of suspects be “necessary and proportionate” be reinstated?

A new study by the Centre for European Policy Studies commissioned by the European Parliament poses today’s dilemma even more starkly. It highlights the increased blurring of “the distinction between targeted surveillance for criminal investigation purposes, which can be legitimate if framed according to the rule of law, and large-scale surveillance with unclear objectives.” The study concludes that it “is the purpose and the scale of surveillance that are precisely at the core of what differentiates democratic regimes from police states.”

Edward Snowden, by his own account, wanted to trigger a serious debate about the legitimacy of today’s intrusive snooping by intelligence agencies. He seems to have succeeded in doing so, at least in Western democracies.

Elizabeth Pond is a Berlin-based journalist and the author of Friendly Fire: The Near-Death of the Transatlantic Alliance.

World Policy Journal
© Elizabeth Pond


What the NSA Can Learn From Sweden

August 9, 2013
By Elizabeth Pond

When Congress reconvenes in Washington after the summer break, it will try – for the first time since the 1970s – to recalibrate the proper balance between security and privacy in treatment of signals intelligence. It could learn a lot from the Swedes.

First, Sweden has an ombudsman as a contrarian public advocate at the secret court that must authorize all signals surveillance operations. Second, those operations by the National Defense Radio Establishment (FRA) that are approved are reviewed after six months and terminated if they are not productive. Third, the FRA, Sweden’s equivalent of America’s National Security Agency (NSA), is more keen on getting rid of the clutter of unnecessary metadata than maximizing the bulk-collection “haystack” for future rummaging.

FRA spokesman Fredrik Wallin wouldn’t presume to teach the United States anything, of course, but an American hearing his description of how the FRA functions can’t help but draw her own conclusions.

Granted, Sweden is not the United States, and its signals intelligence agency has a far less comprehensive mandate than the NSA’s. The country is a medium-sized player on the globe, not the hegemon of the seven seas. Sweden neither led the West’s defense over six decades nor has it fought a national war in centuries, and it doesn’t have as many foes as America does. Moreover, with some 700 employees, the FRA simply cannot be as omnivorous as America’s basic Fort Meade team of 30,000, with access to the world’s second-best supercomputer (running 58 times faster than Sweden’s) or as Chinese intelligence and the world’s top supercomputer (112 times faster).

Nonetheless, modern Swedish signals intelligence has a lustrous record going back to mathematical genius Arne Beurling, who cracked the Nazi Geheimfernschreiber (“secret teletypewriter”) code with a pencil and graph paper in two weeks in 1940—and, even more discreetly, also decoded Moscow’s serial wartime encryption. During the cold war and the predominance of communication by satellite, Sweden’s thousand miles of coast facing east gave the country ideal geography for monitoring radio signals from the Soviet superpower and its Russian successor. In the present era, analysis of traffic from trans-Atlantic fiberglass cables that transit Swedish territory—with, as recently as 2007, the world’s fifth-fastest supercomputer —has kept Stockholm in the signals-intelligence big leagues.

At the same time, the fierce Swedish ethos of personal integritet, or privacy, provides cultural constraint on snooping. The FRA is not technologically driven to tap into everything it could access as capabilities expand exponentially, FRA spokesman Wallin says. The systematic ethics training for all FRA employees seems to be reinforced by the esprit of the agency, along with need-to-know compartmentalization of access to raw intelligence.  Ethics training covers the relevant legal framework, oversight agencies, obligations of the civil service, and the public’s right to freedom of information.

Most important, the Defense Intelligence Court that must approve new targets for surveillance has an ombudsman present at all authorization hearings to raise objections about potential violations of  Swedish citizens’ privacy rights. This is not the case with its American counterpart, the Foreign Intelligence Surveillance Court, where there is no built-in challenge to mission creep and where American reporting has described a bench that philosophically favors expansion of secret surveillance at the cost of privacy.

When the Swedish Military Intelligence and Security Service, Intelligence Office (CIA equivalent), or Security Police (FBI equivalent) propose targets for FRA eavesdropping, the Defense Intelligence Court ombudsman raises questions about safeguards, explains Annica Hellstrom, head of the court secretariat in Stockholm. The ombudsman does not participate in writing the final judgment. That is made by the court chairman (or his deputy) and two persons from the court roster of six “special members” drawn from prominent Swedes across the political spectrum. Because of the secrecy of court proceedings, Hellstrom could not give any indication of how often, if ever, requests for surveillance targeting are rejected on grounds of potential violation of the country’s robust privacy laws.

A further control mechanism is the Defense Intelligence Court review of new surveillance targets after six months. There is no extension of authorization by default. The court sends copies of its authorizations to the Defense Intelligence Inspection, which then monitors ongoing compliance with the mandate. The court does not report to a parliamentary oversight committee, as there has been no permanent Riksdag intelligence committee since the first six months after the basic law for the current FRA came into force in 2009.

In answer to a question, FRA spokesman Wallin said the FRA is not technologically driven by ever improving surveillance capabilities to expand its operations and bulk data storage. On the contrary, it is eager to get rid of excess data, “not only because it is good for privacy, but also because it would fill our capacity with a lot of junk.” It adheres to the legal ban on monitoring domestic communications between Swedes. As a general rule, it destroys metadata after one year, although this period may be extended to three years for cases of ongoing analysis.

And, oh yes, there is one more Swedish example the US Congress might like to think about. Apart from strictly ringfenced technical jobs, the FRA does not outsource its tasks to subcontractors.

Elizabeth Pond is a Berlin-based American journalist and author.

World Policy Journal
© Elizabeth Pond