Is the PRISM revelation as surprising as the news coverage makes it seem? Independent privacy researcher and advocate Caspar Bowden previously predicted of PRISM-like surveillance systems in a 2012 Report to the European Parliament. Here, in an interview with LSE’s Alexandra Kulikova, the former Microsoft Chief Privacy Adviser reflects on how the mishandling of privacy by governments and media has disrupted public engagement with the privacy debate.
What is your take on the media coverage of PRISM, Tempora and the Snowden chase?
The British media blackout of the story is remarkable. In the past three weeks we’ve learned of the GCHQ use of PRISM and the existence of TEMPORA, and the lack of curiosity of the British media about the mode of operation of GCHQ in particular is fascinating. Only The Guardian has been covering the topics following up the leak itself. All the other media are restricting their reporting to the chase after Snowden, and there is no broader discussion of the wider significance for the way we are governed.
When you look through all of the BBC reports on any channel and format, the central aspect of the story that is only obliquely being covered is the discrimination of rights according to nationality – “one law for Americans, another law for everybody else”. US citizenship confers the protection of the Fourth Amendment, but as ex-NSA Director Hayden recently said – that’s not an international treaty. The law underlying PRISM was expressly designed to spy on data inside US jurisdiction, yet it ignores every other nationality’s privacy rights. This is such an important point, yet it has only emerged through a smoke-screen of US diplomatic and commercial propaganda in the past couple of years. I escalated a complaint to the head of BBC News Online (Steve Herrmann) who ducked the question of why the BBC has only referred to it in a couple of sentences out of thousands of words of coverage. I could offer similar examples from the way BBC R5 Live, Newsnight, R4 Today, and R4 documentaries in production have swerved away from this spotlight on American exceptionalism. It is the unmentionable topic for our state broadcaster.
Snowden made it clear in his Q&A with The Guardian that he has a lot more significant revelations to come, in particular, concerning the modalities of collecting the data. One of the problems for the media perhaps is that it’s been so long since we had a secret communications spying story of comparable impact that there’s almost a shortage of knowledgeable pundits.
What policy developments in terms of data protection and privacy do you think will take place in the UK?
The UK government has been hostile to data protection legislation since at least the Younger Report of 1972, and not only has always implemented the bare minimum required by European treaties, but always sought to bend privacy rights out of shape and create loopholes during negotiation. For instance, Recital 26 of the current EU Data Protection Directive effectively allows the UK to pretend indirectly identifiable data is not personal.
More disappointingly, there has been no proper engagement of the UK media with the new Data Protection Regulation being negotiated in Brussels right now. The only coverage has been from legal practitioners talking up their clients’ interests in de minimis protections, and feeble government and regulator denunciations against the burdens of regulation. The UK will face heavier burdens than most but only because it has effectively disregarded much of the data protection regime that should have been implemented two decades ago. Academic and NGO engagement has also been minimal and often of indifferent quality.
Do you think now there will be a push for new amendments to the EU Data Protection Regulation, which when released in 2012 was stripped of the clauses potentially protecting EU citizens from PRISM-like activities?
My view is that this is a red herring and I’m rather against the idea of reinstating a clause (the “lost Art.42”) that obliges US Internet companies to report FISA 702 or PATRIOT Act orders to the EU data protection authorities. It might seem surprising that I oppose this, but I fear it will only become a way for the European Parliament to feel better about the situation. My experience at Microsoft tells me there is a very real risk it will just be ignored. If the risk is merely a fine from ponderous and remote European regulators many years down the road, US corporations simply won’t take this law seriously.
I would prefer Europe to get tough with the Americans and actually press for changes in US law. Some would say this is unrealistic, but the only real solution is for the US to recognize European human rights to privacy, so that it would simply be unlawful for the US Foreign Intelligence Surveillance Court to apply the full breadth of powers to EU citizens if it would violate the ECHR. This strategy seemed absurdly out of reach before Snowden. It’s still hard to attain but strategically it’s tremendously important to assess what opportunities Snowden’s case presents.
How global is this story? So far it’s the US and the UK in spotlight, are we going to see new entrants?
There are several countries that have the potential and ambition to become major surveillance and intelligence powers on the basis of cloud computing. A problem is that there is also a certain disconnection between the political level and national security authorities which don’t break the harsh truth to ministers that allies always spy on allies. Nevertheless, one of the reasons we do not have a pan-EU industrial policy for cloud computing is because the EU member states do not trust each other that much anyway. From the individuals’ point of view, there’s a fundamental difference between your own country spying on you and a foreign country spying on you. For 40 years in data protection policy we more or less had a rough congruence between territory and legal jurisdiction, which was the guarantee for individual redress of abuses; the advent of cloud computing just floated them apart, and destroyed that 40 year old legal model.
What’s your view on the transparency policies of tech-companies?
It is purely public relations strategy – corporate propaganda aimed at the public sphere – and due to the existence of secret mass-surveillance laws will never be truly transparent. For example, although these companies have nominally disclosed the number of user accounts looked at by the state authorities under PRISM, what has not yet clearly emerged is that the FISA 702 law can command arbitrary searches. Such search queries could combine many different types of location data, transaction data, interests, contacts and search histories of users of Facebook, Google etc. This means that although the numbers of accounts accessed may appear unimpressive, these are merely single components of more sophisticated trawling through the entirety of data. It matters less to what extent PRISM has authorised such searches so far – the point is that the FISA 702 allows this (provided of course one is not an American).
Do you think the general public understands how much privacy they have in the digital world?
There’s been a grinding down of people’s privacy expectations in a systematic way as part of the corporate strategy, which I saw in Microsoft. As for the secret surveillance agenda, most people in the UK do not seem to care about it, because they lack accurate information in the media about what exactly is happening. The reporting is always chronically mangled and pre-spun according to law-enforcement lobbies.
The key socio-political question is not whether and how much privacy one wants for oneself, but whether one would want to live in a society where nobody has any privacy. Such a society would be sterile, conformist and probably repressive and authoritarian. So in this way privacy is properly understood as a meta-right – a right which makes other political and personal rights collectively possible. But of course, much of the discussion tends to be in selfish terms, so it’s always going to be difficult to achieve that level of political sophistication in public discourse.
The post gives the views of the author, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics.