Читать книгу Stopping the Spies - Jane Duncan - Страница 12

CHAPTER

2

Is privacy dead? Resistance to surveillance after the Snowden disclosures

‘I think it’s important to recognise that you can’t have 100 per cent security and also then have 100 per cent privacy and zero inconvenience.’¹ This was how US President Barack Obama responded to questions about the Snowden revelations of the NSA’s spying activities.² Politicians have used the supposed trade-off between privacy and security as a means of legitimising privacy-invading national security measures, including communications surveillance. Never in modern world history have there been so many violations of the right to privacy. Yet, never in modern world history have there been so many privacy protections. How should this seeming contradiction be explained? This chapter will examine this issue and, in doing so, will consider the range of actors involved in resisting unaccountable surveillance, their organising concepts, strategies and tactics, and will ask whether they are ‘fit for purpose’.

THE FALL AND RISE OF MILITARY TECHNOLOGIES, PRACTICES AND LOGICS

Four per cent of companies which feature in Privacy International’s Surveillance Industry Index are also major arms producers, including BAE Systems (UK), Boeing (US) and Elbit Systems (Israel). Arms manufacturers have expanded into cybersecurity, which has proved to be a hugely lucrative area: a boon for companies that are seeing their profits decline due to governmental budget cuts on conventional arms.³ While the US ramped up its military spending in the wake of the 9/11 attacks, its withdrawal from ‘theatres of war’ like Iraq impacted negatively on arms manufacturers, as did the reduction in military spending of other governments in the wake of the 2008 global recession.⁴ In an attempt to adapt to this changing global situation, some of the major arms manufacturers increased their involvement in the lucrative and ever-expanding surveillance market. A case in point is BAE Systems, which expanded the intelligence and cybersecurity aspects of its business from the late 2000s onwards, acquiring existing businesses in this area. The company intensified this focus when it experienced declining revenues owing to the falling demand for conventional armaments.⁵ Arms manufacturer Lockheed Martin has expanded its activities to include providing intelligence-gathering and analysis capacities to the Central Intelligence Agency (CIA) and other US government agencies, and even to commercial retail giant Walmart to spy on critics of its corporate practices.⁶ The French company Thales, traditionally a conventional arms manufacturer, also branched out into the communications surveillance business, but it was less agile in creating much-needed local partnerships, which assisted other companies to develop local security solutions for country-specific needs, rather than expecting them to purchase off-the-shelf technology. Arms companies saw the partnership approach as essential for survival in ‘developing country’ contexts in the face of cutbacks to armaments spending by Western governments.⁷

As is well known, war is good for economies, because it creates demand for armaments and industrial output more generally – an industrial strategy that has become known as ‘military Keynesianism’.⁸ However, what does a permanent warfare state do when the number of wars decline? It finds other markets by creating demand for related technologies. Surveillance is an excellent alternative. Wars involve bodies, which raises the cost of involvement in theatres of war, politically and socially. Ordinary citizens may begin to push back against warfare economies as the true human cost becomes visible. On the other hand, the lack of visible victims of surveillance makes it a much more difficult problem about which to raise public consciousness and, consequently, around which to organise. Small wonder that key arms-producing countries have begun to orientate their economies away from traditional industrial capitalism to what Robert McChesney and John Bellamy Foster have called surveillance capitalism, a form of capitalism that has new, distinct characteristics.⁹

These characteristics include the creation of huge but unstable financial surpluses, generated by financial speculation, which need to find investments but cannot turn to a favoured outlet like arms. Financialisation has also created a huge appetite for data, and these databanks themselves have offered new revenue streams to companies that can profile and target potential customers with products. More intense public–private collaboration in an industry that was traditionally dominated by governments cannot be underestimated as a key factor: as Snowden himself has observed, surveillance is the business model of the internet.¹⁰ This model has allowed unprecedented co-operation between communications companies and governments, as the former have the resources to develop and maintain huge databanks that the latter can plunder at will (at least until recently).¹¹ The turning inward of military technologies, practices and logics through, for instance, police militarisation has also facilitated the expansion of the industry, as it has allowed governments and arms manufacturers to create new domestic markets for arms. But this expansion has required governments to blur distinctions between internal and external security, and to shift the way violence is organised in society.¹² This shift would not be possible without a discursive reframing of who are considered to be ‘enemies’, which requires an expansion beyond the traditional targets of warfare (such as hostile countries) to non-traditional ones (such as internal populations that threaten existing social ‘orders’). These new state concerns have led to the importation of practices used in external intelligence-gathering, such as excessive secrecy, into internal policing. The nature of enemies has shifted – no longer are they whole nations, but fuzzier constituencies that are profiled as threats. Law enforcement concerns are being cast increasingly as national security concerns, which suggests that a less overtly violent and more disciplinary surveillance state is under construction.¹³ Forms of social control have shifted from who has the most tanks and guns to who has the most intelligence. These factors have created conditions for the development of an industrial base for surveillance, allowing for its rapid expansion and even universalisation.¹⁴

The increasingly powerful surveillance industry has a vested interest in keeping these new markets for its products alive, creating powerful commercial incentives to expand the trade in mass surveillance equipment. The possibility of losing massive public spending on weapons has established powerful incentives for manufacturers to shift production from military to civilian uses: hence the rise in the number of dual-use technologies. Producers of mass surveillance also play an important consultancy role for government, creating revolving doors between industry and government that are potentially replete with conflicts of interest:¹⁵ a case in point being former NSA director Mike McConnell, who later became vice chairman of Snowden’s former employer, Booz Allen Hamilton.¹⁶

Given the powerful forces at work in promoting the expansion of surveillance, individuals and organisations seeking to resist unaccountable surveillance are going to have a tough fight on their hands. They will need to have a deep understanding of the factors that have driven this expansion, a keen sense of how to create public awareness about the dangers, and highly developed advocacy skills to be able to mount an effective pushback. This chapter will explore some of the key strategies and tactics used by anti-surveillance activists, the underlying concepts they work with and the effectiveness of their activism.

CONTEMPORARY PRIVACY STRUGGLES: ACTORS, STRATEGIES AND TACTICS

Resistance to surveillance can take place at the individual and collective levels. At the individual level, tactics may range from more passive forms of resistance to more active ones. For instance, people can resist invasions of their right to privacy by engaging in what James C. Scott has termed everyday forms of resistance, where less well-organised, weaker and more peripheral citizens may use ‘foot-dragging, evasion, false compliance, pilfering, feigned ignorance, slander and sabotage’ to express their discontent.¹⁷ When applied to the digital world, internet users may refuse to use privacy-invading applications or hardware, resist providing their voice prints or fingerprints to the authorities or ‘spoof’ fingerprints to fool biometric systems, provide no, false or misleading information, or refuse to register their subscriber information module (SIM) cards or register them under false names. For instance, in Mexico, a SIM card registration process was resisted by over seventeen million subscribers. In an act of civil disobedience, over five thousand people protested by subscribing their SIM cards under the name of the President.¹⁸

Increasingly, individual acts of resistance also include encrypting communications to make surveillance more difficult, using tools that anonymise browsing, such as TOR (software that allows users to browse anonymously on the internet), and not using company hardware or applications that take cavalier approaches to their users’ privacy. However, the use of these tools is purely voluntary and at the discretion of the individual, who may not have the technical knowledge to be able to use them or even know that they exist. While the relevant authorities may be irritated by these tactics, they are unlikely to result in substantive challenges to broader surveillant forms of governance, which would require more organised responses. Nevertheless, there are signs that more users are changing their communications practices in the wake of the Snowden revelations, with more people taking steps to hide their communications from the government.¹⁹

At the collective level, privacy advocacy has traditionally been based mainly in the US, where many of the well-funded groups are to be found (such as the Electronic Frontier Foundation, or the EFF; the Electronic Privacy Information Center, or EPIC; and the American Civil Liberties Union, or the ACLU).²⁰ The problem civil society faced in mounting organised opposition in the wake of the Snowden revelations was that while they could appeal to the internationally recognised right to privacy, they lacked clarity on what this right meant when applied to communications surveillance in the digital age. In an attempt to reach such clarity, they developed a set of thirteen principles called the International Principles on the Application of Human Rights to Communications Surveillance, otherwise known as the Necessary and Proportionate Principles. At their launch in 2013 at the UN Human Rights Council, over four hundred organisations worldwide endorsed them. The initiating organisations also broadened the range of anti-surveillance actors beyond those of the ‘usual suspects’, drawing support from organisations and individuals from around the world, although with a bias towards the US and Europe. While the signatories represented a broad range of actors, there was a clear bias towards media freedom and civil liberties organisations, as well as technology, digital rights and legal organisations and experts. The challenge this new movement faced was to translate this spurt of energy into an organised form and to sustain it.

The Principles were updated in 2014, to ensure that communications surveillance practices would adhere to international human rights law. The Principles state that any surveillance law needs to comply with the principle of legality, must serve a legitimate aim and be adequate for the fulfilment of this aim. It must also be necessary, proportional to the level of threat faced by a country and determined by a competent judicial authority following due process. Users have a right to be informed that their communications have been surveilled, and public oversight involving transparency must apply to communications surveillance. States should not compel communications service providers to build surveillance capacities into their systems, and they should also put in place safeguards against illegitimate access to these systems and the information that flows through them. Where mutual assistance from other states is sought, the available standards with the highest levels of protection should apply.²¹ These standards provided a useful framework for advocacy against unaccountable communications surveillance, and allowed for a generalisation of grievances against these practices. At the same time, while it made the establishment of the broadest possible coalitions possible that did not alienate groups who might not share the political perspectives of privacy activists, it also risked depoliticising the problem, as it failed to locate the problem within the broader context of the growth of surveillant capitalism and inequality.

In this regard, many in organised civil society have argued for stronger privacy protections for people’s personal data through laws protecting informational privacy. For instance, Privacy International has argued that data protection laws are needed to protect personal information from abuse by governments and commercial companies.²² To this end, many countries have set up data protection or privacy commissioners to ensure privacy protections are upheld by public and private actors. Some countries began to enact data protection laws in the 1970s and 1980s, and by November 2016 over a hundred countries had passed data protection laws, and over forty countries were developing draft legislation.²³ Many of these laws incorporate the basic principles of data protection outlined in the Fair Information Practice Principles (FIPPs), which emerged from the US government in the 1970s, and which were incorporated into the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy. These principles limit the collection and processing of personal data, and require the consent of the person whose data is being collected, who also has the right to know that data is being collected about him or her. They also commit data controllers to use the data only for the purposes for which it was collected, unless the data subject has granted permission for other uses, and they require the data processor to be responsible for complying with these principles.²⁴ Other Fair Information Practice Principles have been developed, which range from minimalist to maximalist, but the ones aligned to the OECD Guidelines have become the most prominent as foundational principles for data protection or privacy commissioners tasked with enforcing privacy and data protection laws.

However, when put into practice, these principles have not necessarily served the struggle for privacy very well, as they have prioritised individual control over personal data, while failing to address broader societal pressures exerted on the right. In doing so, these principles have individualised the problem and reduced it to sets of narrow, technical formulae that may not work well, and may even become dysfunctional. The activities of privacy commissioners tend to be premised on the control theory of privacy – as articulated by Alan Westin – that emphasises the right of individuals to exercise control over their personal information. In terms of this theory, individuals are asked to make choices (and often very few at that) about what happens to their data, but with little understanding of the real issues at stake, as data controllers skilfully bury them in legalese. However, as the underlying theory is premised on individual behaviour to enforce privacy safeguards, the principles fail to consider the massive obstacles that individuals face when attempting to enforce this right. For instance, very few people are able to understand the increasingly complex privacy notices that companies provide; this skews individual decision-making towards those with more resources or higher levels of education, and who can access legal advice, which in turn makes this form of privacy one that only a select few can and do enjoy. Consumers are also unlikely to know if information in the possession of a data controller has been misused; this calls into question the effectiveness of complaints mechanisms. By creating the impression that individuals do, in fact, have control over their own data, the principles ignore the power differentials between institutions and individuals that may make the exercise of this control difficult. They also fail to consider whether particular forms of surveillance should be taking place at all. Broad-ranging exclusions on grounds such as national security render data protection principles all but useless in the most controversial areas of data governance, where protections are often most needed. When these factors are taken together, it is hardly surprising that an overemphasis on procedural protections for privacy, rather than substantive ones, has made little difference to the overall protection of the right. In fact, it could be argued that privacy commissioners create the illusion of information control, rather than actual control.²⁵

The most serious flaw of data protection laws is that they often fail to hold governments to account for data breaches in the same way that private sector companies are held accountable. A former adviser to Canada’s Privacy Commissioner, Michael Geist, has argued that the Canadian government shared intelligence with other governments that went far beyond what was needed to investigate terrorism or other serious crimes, and that the government lacked the political will to address the privacy implications of these practices. While, increasingly, large communications companies like Google and Vodaphone were releasing annual transparency reports about the number of times they had been approached to share personal information, the government was not following suit and releasing similar reports.²⁶ According to documents leaked by Snowden, in the US an internal audit found that the NSA broke privacy rules thousands of times.²⁷ To all intents and purposes, national security has trumped informational privacy laws.

In addition to seeking legal protections through ensuring the enactment of data protection laws, privacy advocates have mounted legal challenges to enforce privacy rights, initially through complaints-receiving bodies on surveillance matters and, if these did not succeed, through the courts. This strategy has yielded mixed results, with the most positive being achieved in Europe, through the European Court of Human Rights. In the UK, several legal challenges have succeeded, and many of these have been brought by NGOs such as Privacy International and Liberty. Much of their work has focused on lodging complaints with the IPT, and then appealing against unsatisfactory decisions. As a result of the Snowden revelations and of sustained advocacy by NGOs, the number of complaints received by the IPT has grown by over 250 per cent, and increasing public scrutiny of this formerly little-known body has placed it under pressure to hold more hearings in public and communicate its findings more widely.²⁸

Overall, though, the IPT has been unwilling to reconsider the intelligence agencies’ arguments for mass surveillance powers. Privacy International, joined by several internet companies, has brought a complaint about GCHQ’s use of bulk hacking outside the country, but this was not successful as the IPT refused to rule on the matter, leading to its being referred to the European Court. However, during the case GCHQ did admit that it undertook hacking to obtain information, modify target devices and carry out intrusive activities, which it had previously refused to confirm or deny.²⁹ Privacy International, the National Council of Civil Liberties and other organisations have also filed separate complaints about mass surveillance and intelligence-sharing with the UK government. The IPT ruled that intelligence-sharing between the US and the UK – where the UK accessed information from the PRISM and UPSTREAM programmes – was illegal because the rules governing these activities had not been made available publicly, but that once some of them were, the sharing was rendered legal, making this case the first in which the IPT had ruled against the UK intelligence agencies.³⁰

This victory showed that with persistence, gains can be won even from institutions that appear to be captured by the very agencies they were meant to oversee. However, the organisations disputed the IPT’s argument that the release of some of the relevant rules automatically rendered such intelligence-sharing lawful, especially given the fact that during the case GCHQ itself admitted to requesting and receiving bulk data without a warrant.³¹ The IPT’s unwillingness to rule on the GCHQ’s current activities meant that the agency continued to enjoy massive powers to collect the personal data of large numbers of people without even a reasonable suspicion of their having been involved in a crime, and in secret. Another victory was when the IPT found that GCHQ and MI5 had secretly and illegally harvested massive amounts of personal information from various databases between 1998 and 2015, as these activities were not subject to sufficient supervision, but again stopped short of saying that the surveillance itself was unlawful, thereby confirming a trend in the tribunal’s judgments to shy away from this all-important question.³² The UK government has also been very canny in responding to IPT judgments: if a power is not authorised sufficiently in law, then the government merely changes the law to give the power a legal backdrop, without addressing the substantive issues about whether that power is appropriate in the first place.³³

More substantive rulings have been forthcoming from the European Court of Human Rights, which rules on cases relating to the member states of the European Council according to the European Convention on Human Rights. The difficulty with taking mass surveillance cases to court, though, is that courts do not like considering cases in the abstract; as a result, there need to be specific complainants. But given the high levels of secrecy surrounding surveillance, communications users may not know if they are the targets of surveillance. On the other hand, investigatory tribunals such as the IPT require lower burdens of proof, as they both investigate and determine complaints. The court has addressed this problem by deciding to rule on complaints from people or organisations that are potentially at risk of being subjected to surveillance. It has also found Russia and Hungary guilty of contravening the European Convention on Human Rights through their surveillance practices, expressing concern in the case of Russia about insufficient oversight, and the potential for abuses when security services have direct, warrantless access to communications networks.³⁴ In the Russian case, brought by the editor Roman Zakharov, the court made a strong statement against mass surveillance, stating that it ‘considers that a system, such as the Russian one, which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse. The need for safeguards against arbitrariness and abuse appears therefore to be particularly great.’³⁵

In the case of Hungary, the European Court expressed concern about the overbroad powers wielded by the security services in conducting anti-terrorism surveillance, subjecting nearly all citizens to surveillance with no proper oversight, especially judicial oversight.³⁶ The court also recognised the right of users to be informed that their communications had been subjected to surveillance. However, unlike the ruling in the Russian case, this one took an ambiguous approach towards whether mass surveillance in principle should be considered unlawful, leaving the door open to its accepting the necessity of mass processing of data in future, provided certain safeguards were put in place.³⁷

These rulings followed in the wake of two landmark rulings by the European Court of Justice (which rules on cases relating to EU members – the UK will no longer be subject to it once it leaves the EU). The first case found that the EU legislature had exceeded the legal requirement of proportionality when a data retention directive mandated the indiscriminate storage of metadata by public electronic communications companies for a period of between six and twenty-four months. It found that the very act of storage impacted on the right to privacy, even if the data had not been processed; however, the court remained silent on the appropriateness of data retention for law enforcement purposes.³⁸ The second case (involving an Austrian lawyer called Maximillian Schrems based in Ireland) found that the transfer of data to a country that did not have adequate privacy protections could not be condoned legally, even if the destination country claimed that it provided a ‘safe harbour’ for received data. In possibly the strongest legal statement yet against mass surveillance, as well as a slap on the wrist for the Irish Data Protection Commissioner, the court argued the following: ‘In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the [EU] Charter [of Fundamental Rights].’³⁹ While this judgment related to communications content, it was silent on the mass surveillance of metadata.

Legal precedents are still emerging from the US. A negative precedent was set shortly before the Snowden revelations in the Clapper judgment, in a major setback to civil society attempts to litigate around mass surveillance programmes. The US Supreme Court rejected a challenge to the FISA Amendment Act, which broadened the grounds for the surveillance of international phone calls and emails, although the judges were split along ideological lines.⁴⁰ The applicants included Amnesty International, the ACLU and a range of other civil society and journalism organisations. The majority opinion of the court argued that the applicants could not prove that they had suffered particularised, imminent harm from surveillance, and they were reminded that as the plaintiffs, they were under an obligation to provide concrete evidence of surveillance. As a result, they lacked standing to litigate on these matters, and the case was dismissed.⁴¹ This setback underscored the more conservative approach of US judges to judicial oversight of executive surveillance powers, and put civil society organisations in an impossible position. Without clear and demonstrable ‘victims’, these organisations could not turn to the courts for relief; yet excessive secrecy prevents such information from coming into the public domain on national security matters.

After the Snowden leaks began, divisions opened up in the judiciary about mass surveillance, and consequently the legal position has remained unsettled. Immediately after the leaks revealed the existence of a top secret court order requiring the US company Verizon Wireless to collect the telephone records of millions of US customers, some of these customers (including the ACLU) brought a lawsuit against President Barack Obama, the NSA and others, alleging that the bulk collection of their phone and internet metadata was illegal. Federal Judge Richard J. Leon upheld their case, delivering a stinging rebuke of the NSA’s bulk collection programme as being most likely unconstitutional, describing it as ‘almost Orwellian’, and ruling that in this case the plaintiffs did have standing as they could demonstrate a clear interest. However, the judgment was reversed and remanded back to the district court. In 2015, the US Court of Appeals for the Federal Circuit rejected this ruling and found that the bulk collection of metadata was illegal on the grounds that innocent people were targeted.⁴² This was the most significant court victory in the US to date, and suggested that the courts had been revitalised by the Snowden revelations. In response, the House of Representatives passed the US Freedom Act, which limited bulk collection, and restricted law enforcement agencies to more targeted surveillance, although other provisions have arguably broadened their surveillance powers.⁴³ The year before, the Obama administration also issued a presidential policy directive announcing policy reforms aimed at limiting the circumstances under which signals intelligence could be collected to genuine national security situations, and not for purposes of curtailing dissent; however, this directive has been criticised as weak and easy to revoke by another President.⁴⁴ At the time of writing, other legal challenges to the US government’s surveillance powers were still unfolding. While it remains to be seen what the election of Donald Trump as the new US President, and the shift from a Democratic to a Republican administration, will mean for the fight for accountable surveillance, it could well entail a reversion to more conservative judgments that are more deferential to the executive.

With respect to the US FISC, privacy advocates have attempted to address its bias towards the very spy agencies it is meant to preside over, by arguing that FISC should include a special public advocate. This person would have the powers to interrogate cases before the courts, engage in discovery of relevant evidence, brief the court on matters relevant to current cases (including technically complex matters), and appeal against adverse rulings. Such an advocate would make sure that court decisions were debated vigorously even if the court processes took place behind closed doors.⁴⁵ Privacy advocates have noted that the European Commission for Democracy through Law has argued that an internal privacy advocate in a secret court process could raise arguments on behalf of people who have nothing to do with the investigations at hand, but whose metadata was nevertheless being intercepted. In the case of content, the agencies might use selectors that could be attributed to an individual, and in those cases the advocate could ensure that the court strengthened its justification requirements.⁴⁶ As surveillance issues have become highly technical, a public advocate could also introduce expert technical evidence into court to inform proceedings on matters with which the judges might not be conversant.⁴⁷ Furthermore, in its standards for democratic oversight of intelligence agencies, a team linked to the University of Amsterdam’s Institute for Information Law have argued that oversight needs to incorporate the adversary principle, which they point out is a basic rule of law principle. The introduction of a public advocate into the system could be one way of incorporating this principle into strategic surveillance oversight, without necessarily compromising the need for secrecy in the process.⁴⁸ While the Freedom Act has provided for an amicus curiae role, this differs from the public advocate role in that these individuals do not have the right of consistent representation, as the court can rule an amicus inadmissible or inappropriate, particularly if the legal issue is not one the court considers novel or significant. The amicus will only enjoy restricted access to information relating to current cases, which could limit his ability to participate fully and even counter the state’s legal arguments, and the amicus also does not play a meaningful role in deciding whether the FISC’s decisions should be taken on legal review.⁴⁹

Another strategy adopted by privacy advocates has been to lobby various UN bodies to adopt positions on various aspects of surveillance. On this level, the advocates have met with considerable success. In the wake of the Snowden revelations, the Special Rapporteur on the rights to freedom of assembly and expression emphasised the importance of privacy for freedom of expression and, within this, the essential role of encryption and anonymity for the privacy of communications.⁵⁰ The UN General Assembly also adopted a resolution entitled ‘the Right to Privacy in the Digital Age’. While the resolution stopped short of condemning surveillance practices, it expressed concern about the impact that surveillance, especially mass surveillance, may have on the enjoyment of human rights. It also reaffirmed the right to privacy, and the right of people to enjoy the same rights online as they do offline, and recognised the open nature of the internet. It called on states to respect privacy and to review their surveillance procedures, and requested the High Commissioner to submit a report to the UN Human Rights Council and, ultimately, the General Assembly on privacy and surveillance. The report’s authors expressed concern about countries engaging in surveillance, but not providing adequate legislative safeguards, as weak safeguards and poor accountability increased the potential for abuse. They noted that while the report was an important first step, they acknowledged that much more work needed to be done to develop mechanisms to ensure that surveillance practices complied with international human rights law.⁵¹ The Human Rights Council also appointed its first Special Rapporteur on the right to privacy, Joseph Cannataci, who began the process of elaborating on these mechanisms in a preliminary report to the council, which referred rather optimistically to the Schrems and the Zakharov cases (mentioned above) as ‘the beginning of the judicial end for mass surveillance’.⁵² He argued that the UK Investigatory Powers Bill failed the judicial tests set by these two cases and expressed concern that the government would be setting a bad precedent for the rest of the world.⁵³ These efforts at the UN level are clearly bearing fruit in that a set of legal principles is in the process of being developed, and is bound to have great utility in the years to come as different countries review their legal protections (or lack of them) for privacy in the face of widespread surveillance.

At the international level, civil society has also focused on placing pressure on governments to impose export controls on surveillance equipment that qualifies as dual-use technology. The 2013 revision to the Wassenaar Arrangement (on export controls for arms and dual-use goods and technologies) to include IP-based surveillance equipment has greatly increased its utility for privacy advocates. The fact that 86 per cent of surveillance companies are located in countries that subscribe to the Wassenaar Arrangement makes this agreement even more important to the fight to control the spread of surveillance technologies.⁵⁴ Moreover, the 2013 additions to the Wassenaar Arrangement have been added to EU dual-use regulations, creating a further layer of compliance for European-based companies. At the same time, the surveillance industry has continued to grow by an estimated 20 per cent a year.⁵⁵ A specific coalition has been established to focus on campaigning against sales of mass surveillance technologies that do not have sufficient legal controls to prevent human rights abuses. Called the Coalition Against Unlawful Surveillance Exports, it seeks to encourage governments to regulate exports of mass surveillance technologies, and private sector companies to exercise responsibility in deciding to whom they sell such equipment, to prevent them from empowering authoritarian governments. However, the question does arise why the mass surveillance industry is booming if it is subject to unprecedented export controls. One of the problems is that the agreement does not have the status of a legally binding treaty, which means that countries can choose whether to, and how to, codify the Wassenaar Arrangement into domestic law. The EU has already implemented the Wassenaar Arrangement, and the US is in the process of doing so. An increasingly important surveillance player, Israel, has not subscribed to the Wassenaar Arrangement, although it has implemented its key features in exports, while not subscribing fully to all of them.

Companies like HackingTeam have argued that their surveillance software does not qualify as a weapon, and is therefore not regulated by the arrangement.⁵⁶ In fact, the application of the Wassenaar Arrangement has been controversial as it could also cover IP-based monitoring systems that have a more general application and that could be used to improve network security. In such situations, the arrangement may well work against one of the very objectives it is attempting to realise, namely greater online security, which is an important precondition for privacy. However, these arguments have been debunked on the basis that the definitions of the types of products that are covered are narrow enough to prevent products that have more benign or even positive uses from being caught in the net.⁵⁷ Some efforts on the export control front are bearing fruit, but it remains to be seen how the US responds, and whether this arrangement can be elevated to treaty level and how many countries domesticate the arrangement into law.

THE ROLE OF MULTILATERAL PLATFORMS ON SURVEILLANCE AND INTERNET GOVERNANCE

The Wassenaar Arrangement is not the only multilateral platform that has been used to respond to surveillance in the wake of the Snowden revelations. Other forums took place, focusing on the broader principles that should guide the development of the internet in the wake of these revelations, including NETmundial and the Stockholm Internet Forum (which preceded the Snowden revelations). The United Nations Educational, Scientific and Cultural Organisation (UNESCO) also launched a research project to identify internet first principles, revolving around the concept of ‘internet universality’. The Internet Governance Forum, established in the wake of the 2006 World Summit on the Information Society, continues to meet and debate the future of internet governance.

Traditional communications surveillance was confined to plain old telephones and, more recently, mobile phones (or cellphones). As its use became more widespread, state spy agencies began to recognise the internet as a surveillance tool that would allow them access to unprecedented amounts of information. Initially invented as a communications tool for the US military, the internet became popularised as the first truly global medium of communication in the 1990s. At the time, its founders insisted on some important first principles to ensure that the internet was maintained as a global public resource. These included ensuring that its architects used freely available standards that everyone could build on, and ensuring that the various components of the internet were interoperable. All data was supposed to be treated equally, irrespective of its contents, so that the internet could remain a level playing field for all its users (the ‘net neutrality’ principle). To all intents and purposes, the internet was meant to be a self-managed network of users, designed for communication and collaboration, and its publicness was meant to be central to its nature as a communications medium.⁵⁸

However, since those heady days, governments and corporations have enclosed the internet in various ways, in the process compromising these foundational principles: governments by controlling internet content through filtering and censorship, and at the same time conducting surveillance of internet users on a worldwide scale – thereby threatening other countries’ sovereignty – while corporations have commodified internet traffic by selling users’ data to advertisers. Several powerful governments, notably the US, continue to champion internet freedom, subscribing to a free market ideology that does not problematise sufficiently the question of who controls the internet. In fact, Snowden exposed the hypocrisy of the US and other Five Eyes countries in supporting internet freedom rhetorically, while in practice promoting mass surveillance that went far beyond what was needed to fight international terrorism. The Snowden documents also revealed the extent to which internet companies were willing to collaborate in surveillance programmes uncritically.

One of the thorniest issues about internet control concerns the body that manages the domain name system for internet. Currently managed by the Internet Corporation for Assigned Names and Numbers (ICANN), this institution was established by the US Department of Commerce in 1998, and has become extremely powerful as it controls the reach of the internet as a global commons.⁵⁹ ICANN has remained controversial in that, while it operates at arm’s length from the US government, the department still maintains crucial oversight and control functions, particularly through the Internet Assigned Numbers Authority (IANA) functions contract.

Several governments in the global South, especially some of the so-called BRICS countries (Brazil, Russia, India, China and South Africa), have complained that, while the US gave birth to the internet, its status as a truly global medium makes even indirect US control inappropriate; consequently, they have argued that a new governance model needs to be explored that reflects the global nature of the medium. These complaints have intensified in the wake of the Snowden revelations as more countries become concerned about the US’s control over the internet being abused by the country to expand its global influence. This it could do by pressuring ICANN to create or remove online property. To its credit, though, the US did not use its influence to demand the removal of WikiLeaks’s domain name, presumably because it feared a backlash from countries that were already concerned about US control of the internet. While some of the BRICS countries have called for greater state involvement in internet governance issues and multilateral decision-making, others have even argued for greater UN involvement as an antidote to US and corporate control.

In an attempt to prevent attempts to control the internet by other governments, the US has committed itself to establishing ICANN as an independent entity, run according to the principle of ‘multi-stakeholder governance’. The race to establish such a model is on, as the US Department of Commerce indicated that it did not intend to renew its contract with ICANN for the management of the domain name system, in the wake of controversies about this institution. On the surface of things, this principle looks attractive, as it appears to offer a ‘touchy-feely’ form of democratic control, in which a global entity is established which uses open, transparent and consensus-building decision-making, and where internet stakeholders meet one another as equals. However, the multi-stakeholder approach is unlikely to deliver truly democratic control of the internet. While this model remains relatively vague, the ground rules set by the US government for relinquishing control will ensure that it adopts operating procedures and principles acceptable to it. The model will limit government involvement, and, where it does become involved, it will operate on an equal footing with other stakeholders, such as business and civil society. However, the US can afford to relinquish control as it will have approved the new body’s rules of engagement. Furthermore, the danger of a consensus-based model is that groups that have diametrically opposed interests (corporations and consumers, for instance) could block decision-making simply by refusing to agree, which may paralyse this aspect of internet governance. In any event, the de facto control of the US through its control over other internet governance organisations, as well as the world’s major internet companies, is almost certainly assured even if a new multi-stakeholder body is established.⁶⁰ And if this happens, then the worldwide struggle against surveillance will become even harder.

CONCLUSION

In the dying days of 2016, the UK Parliament passed the Investigatory Powers Bill into law, despite significant opposition from digital rights and privacy groups. According to research conducted by academics at Cardiff University, in the campaign against the Bill too much attention was paid to specialist lobbying and advocacy work, and not enough to broader public awareness-raising and mobilisation. Organised formations and social movements that focused on a range of social justice issues were not engaged in the campaign, and consequently felt alienated from it. In spite of the fact that many activists expected to be subjected to surveillance, organised responses to surveillance were left to expert communities rather than being integrated into broader activist concerns.⁶¹ The mainstream press tended to be pro-surveillance, as they were dominated by the voices of politicians, and the public became resigned to security discourses as an inevitable feature of a landscape where terrorist threats were real and present. As a result, there was no significant mass opposition.⁶² This analysis suggests that anti-surveillance campaigns that are driven by specialists, and that eschew, or do not pay sufficient attention to building effective mass opposition, will be doomed to fail. According to Gus Hosein, the campaign against the Investigatory Powers Bill was inadequate for a number of reasons. In spite of the fact that the UK has a strong tradition of grassroots activism, and highly successful activism at that, privacy advocates did not reach out to parliamentarians and lobby them, and failed to engage the more conservative media in the UK. While The Guardian became the paper of record of the Snowden revelations, the issue was mostly marginalised in the media discourse. The narrowness of the media discourse was in contrast to the earlier campaign against the smart ID card, in which Hosein had been involved. This campaign engaged the spread of media across the political spectrum, leading to widespread cynicism about ID cards. According to Hosein:

We have to own some of the failure [around the Investigatory Powers Act], which is we made this entirely about intelligence agencies, we made this all about mass surveillance, we didn’t articulate a positive framing of the issue, we didn’t get into The Telegraph or The Times or the Daily Mail. This is in spite of the fact that the [Investigatory Powers] Bill contained similar powers, if not the exact same powers that two years before had been stymied by the lib-dems [the Liberal Democrats], and … yet the same media and the parties that admonished the government for these exact same powers in 2013, came out in support of it. When it was post-Snowden, and The Guardian took to owning the story, and with the chaos in the Labour party, there was no similar dissension on it.

It’s not easy to frame it [the Bill] positively. There were powers in there that you wouldn’t want any government having, apart from your own. For example we can frame the struggle as being one for secure devices, not just that government is trying to stop bad people. [We needed to say], you are going to be affected by this in the following ways. [In the campaign] we didn’t relate to the British lived experience. Privacy advocates and technology rights advocates in the old days were accustomed to not having any friends, so we worked really hard to get the message across. But now tech issues have become cool, we have our own media for crying out loud, we have our circuits, and we intermingle with each other. There isn’t the same sense of need to reach out. There’s a comfort in our worldview, a liberal NGO club that doesn’t attempt to get into the right wing media.⁶³

For Hosein, a narrow approach towards the advocacy around the bill, where advocates focused on their own circles of influence, meant that they were unable to have a significant impact on the public discourse, which largely accepted the need for expansive counter-terrorism measures. Ironically enough, in spite of the increased resources that flowed to privacy work, especially in the wake of the Snowden revelations, their public traction did not necessarily increase. Advocates failed to create doubt in the public debate about the necessity of these measures. All the same, the approach of limiting surveillance largely to a specialist community did have its own logic, in that it was difficult for broader movements to focus on a wide spread of issues, as well as surveillance.

It should be noted that some real gains are being made in the European courts, but with the UK having decided to exit from the EU, it is unclear how much attention will be paid to European Court rulings in future. It is possible that the UK will want to embrace the court’s rulings in future to argue that it still remains part of the vanguard of international human rights law.⁶⁴ According to the Privacy International legal officer, Scarlet Kim, there have been notable gains, but key issues relating to the lawfulness of mass surveillance still remain to be decided in a key European Court of Human Rights case. According to Kim:

What progress has been made post-Snowden? The most positive developments are around transparency and data and retention. These came from a lot of different places, and came about through court cases. The IPT started requiring additional transparency about the type of surveillance being undertaken. Of course, this had its limits as the agencies don’t have to give over information to the IPT. But they have released information in response to a number of our claims. They have also released a draft code of practice [on equipment interference]. We’ve also got some transparency about their [GCHQ’s] policies and procedures [on bulk personal datasets].

In the context of Zakharov and Schrems, the court started articulating some basic principles around bulk surveillance, namely individualised reasonable suspicion, prior authorisation and notification of individuals that have been subjected to surveillance. So, if you have to review the positive developments that have come out of our cases, they have ensured the enforcement of the safeguards. Those are really blockbuster judgments, but there is a question about how do you judge a country like the UK, so it’ll be really interesting to see what the court has to say about the necessity of the safeguards.⁶⁵

The UK’s experiences with the Investigatory Powers Act bring to the fore the need to take movement-building seriously as part of anti-surveillance work, and the precondition of such work is public awareness-raising. Furthermore, a precondition for public awareness-raising is using empowering concepts that can make a seemingly unassailable problem challengeable. Relying on privacy articulated as a ‘me, me, me’ right is unlikely to provide a compelling enough basis for collective action, and, after all, collective action is what is needed to give campaign positions social force. Powerful social actors, especially those in government, are unlikely to be persuaded to adopt different positions purely on the basis of good arguments; this is especially so if their material interests are threatened by those arguments.

It is clear that the surveillance industry has become extremely powerful, as it provides an alternative outlet for the profits soaked up by the conventional arms industry, which is now in decline. These challenges suggest that a theory of agency in relation to surveillance needs to be developed. It needs to ask and answer the question, What collective behaviour is needed to rein in unaccountable surveillance? In order to reach this point, it is necessary to identify the social forces that are most likely to bring about this change. While the capitalist state incorporated elements of surveillance in earlier periods in history, technological developments have since allowed an unprecedented expansion of the surveillance capacities of the state. Government uses of these capacities have moved far beyond their stated purposes of fighting crime and terrorism. As neoliberalism has intensified inequality, so there has been an increase in the number of the unemployed and those in insecure work, youths (especially urban youths), black people, Muslims, and lesbian, gay and transgender people. In the earlier phase of industrial capitalism, it was fairly easy to identify the social force that had the most to gain and the least to lose from challenging exploitation and oppression, and that therefore constituted the main motor for progressive social change: the organised working class and their allies. The post-industrial era saw new social movement theorists make claims for a broader range of actors as drivers of progressive change, including cross-class identity-based movements. However, while the shift towards more cross-class social movements may have been more apparent in the global North, class-based movements remained active in many parts of the global South, and class never really lost its salience in analyses of social processes.

In conditions of neoliberal precarity, where the industrial working class has declined in power and, with it, their organised formations, it is less easy (but not impossible) to identify the most likely motors of potentially emancipatory social change, including anti-surveillance work. These must surely be the very ‘problem populations’ that are the targets of surveillance, as they have a compelling interest in resisting unaccountable surveillance. With the advent of the 2008 global recession, anti-austerity movements have developed in different parts of the world, and these movements, too, have an immediate interest in anti-surveillance work.

But in order to make the work relevant to these movements, it is necessary to find ways of ‘mainstreaming’ this work in the everyday campaigns that bring ordinary people into organised social and political actions. Of necessity, working-class communities are often highly organised; so, with some creative campaigning, it should not be difficult to relate surveillance and its dangers to mobilisations in defence of public services, for jobs and free education for young people. The important part of campaigning is to take people where the campaign finds them and to relate the work to existing struggles on the ground. In doing so, the role of surveillance in the creation and reproduction of inequality would need to be emphasised, which is what the critical perspective implies. The conflict inherent in social inequality should drive social change, as it is this conflict that is behind the massive expansion of the global security apparatuses, industries and discourses. If resistance to this expansion is going to be effective, it needs to provide a political voice to the otherwise voiceless, and this involves articulating an understanding of privacy that makes most sense to these social groups. This means that privacy as an organising concept is likely to focus less on privacy as an individual right, and more on its content as an enabler of collective rights. So, if privacy is denied these actors, this will prevent collective discussion and organisation.

The forces of reaction are growing stronger by the day in the very countries that lie at the heart of the surveillance industry, and if they are going to be challenged effectively, then anti-surveillance and pro-privacy campaigners clearly need to ‘do’ their work differently. This needs to start with mapping those social forces and their organisations that are making progressive socio-economic and democratic claims, and placing them at the centre of anti-surveillance work. In this regard, there seems to be much to gain from drawing links between social movement studies, political economy and surveillance studies – fields of study that tend to operate in silos. Some possible synergies in this regard will be explored in the next chapter, which focuses on the context of surveillance and social control in South Africa.