Snowden revelations: ten years on
Ten years ago, the first revelations about US mass surveillance were published in the UK and USA. The revelations swiftly widened to encompass details about the role of the UK’s GCHQ (Government Communications Headquarters) in the global gathering of vast amounts of communications data.
Speculation had been growing that sweeping powers in US law were being used to seize databases and add backdoors, while governments denied any abuse. ORG Advisory Councillor Caspar Bowden, a longstanding UK privacy advocate, had begun an international tour to explain their potential for abuse, and to ask why exactly the American National Security Agency (NSA) was building vast data centres in the Nevada desert. Two days later, at ORGCon, Caspar delivered his long-prepared lecture on the topic to a packed room: he was no longer making educated guesses.
For several months, we did not know who the leaker was, or their motivation. Eventually, Edward Snowden explained who he was and how he came to hold the information he did. In the meantime, neither the US nor the UK government sought to deny much of what was being explained by the Guardian and other papers.
By the autumn, ORG, Big Brother Watch and Constanze Kurz had launched a joint action against the UK legal regime supporting these programmes. The campaign, privacynotprism.org, raised over £30,000 from across the UK and Europe to challenge GCHQ’s actions directly in the European courts.
By the end of a long period of revelations, GCHQ took the extraordinary step of forcing Guardian journalists to destroy two computers that had held Snowden’s reports. By this point, the data was already held in other countries, in particular by the Intercept’s journalists who kept working with it.
Lessons from Snowden
It would take much more than a blog to outline all of what we learnt over the next year and more. Javier Ruiz, Policy Director at ORG, wrote a comprehensive analysis, Collect it all, describing what specifically was learnt about surveillance in the UK, which included the following:
- The security agencies bulk-collected anything they could, tapping cables directly outside UK or US jurisdiction so that rules such as those under the Regulation of Investigatory Powers Act applied more loosely.
- The lack of basic encryption meant that web addresses, emails and webmail pages could be intercepted and read.
- The major barrier to ingesting this information was the sheer amount available.
- The UK’s GCHQ operated with US support; personal data and technology was shared between them freely.
- Programmes to break into technologies, including encryption, mobile devices, etc., were comprehensive.
- Stockpiles of known security weaknesses are kept in order to use them for surveillance, even where these weaknesses could be exploited by criminals at great cost to people and businesses.
- Ad cookies were used by the agencies as a way to identify and keep track of people.
- A programme to capture video traffic had to be abandoned because of the prevalence of intimate sexual chat between unsuspecting partners; GCHQ evaluated this as too great an invasion of personal privacy.
Perhaps the greatest lessons were these: first, security agencies believe that information should always be easily and readily available to them, and will take steps to ensure it is; secondly, whatever technologies and techniques are available will be explored with gusto; and thirdly, Parliament was in the dark about what they were doing.
On a political level, we learnt that politicians were not aware of the kind of surveillance that was being carried out. In ORG’s film Classified you can see a number of MPs at the time, including Tom Watson, Julian Huppert and Dominic Raab, admit that the first they heard of surveillance being carried out was when they read about it in the Guardian. But even once the revelations were made, politicians in the UK were more reluctant than their American counterparts to engage with the excesses of the agencies.
As Edward Snowden told ORGCon in 2019, people think of this as a surveillance story, but it is in fact a democracy story.
Private companies changed their practices quickly after these revelations. It’s surprising to think, but back in 2013 web pages, even for your email, were not routinely encrypted (using https links).
Private messaging and video calls took no measures to stop someone ‘listening in’. Nowadays, everything does, which helps explain the institutional hostility towards ‘end to end encryption’. What was once trivial to slurp up from the Internet would now take some dedicated effort to acquire, for instance by targeting and breaking into a user’s device.
From everything we now know about the agencies, end-to-end encryption (E2EE) will not prevent a determined agency from targeting the guilty to obtain their messages; it can only protect against routine acquisition or known, low-effort attempts to acquire your data. Yet the agencies are involved in efforts to prevent the use of E2EE, even as their former bosses realise this is a mistake.
Where we have seen improvements – and secured victories – is through the courts and through oversight agencies, which are certainly better than they were in 2013. They are not perfect, and they have had setbacks. For instance, the UK security apparatus intervened to prevent Eric Kind from being appointed as an advisor to the UK’s judicial oversight body precisely because he had been employed by Privacy International to work on these questions. The decision was successfully challenged, but of course finding people capable of crossing these divides remains both necessary and difficult.
Parliamentary oversight remains especially weak. The members of the Intelligence and Security Committee are vetted by the government and tend to be non-experts. Members are not chosen by Parliament, let alone by anyone close to it, in contrast to the systems in other countries including the USA, which prevents critical voices from being brought in. While some capable MPs have been asked to lead its work, such as Dominic Grieve, it is worth remembering that Chris Grayling was viewed as a suitable successor.
Surveillance in the UK now
The legal challenges to mass surveillance have been significant, but the questions are still not fully resolved. The ECHR (the European Convention on Human Rights) did not manage to rule for or against indiscriminate bulk collection, but did ask for greater oversight and safeguards. Bulk collection in the EU, however, has received significant legal restraint thanks to the CJEU’s rulings on data retention, including the Watson case, where ORG argued against the UK’s retention of Internet records. Key safeguards, such as notifying users when their records are accessed, have been established in principle, but not yet in the UK’s legal regime. However, as a result of the rulings, police have stopped self-authorising access to records, and authorisation is now handled by an independent agency.
Privacy International has been especially active in challenging the IPA through tribunals, and has won significant arguments for transparency and accountability. Liberty has also made inroads into the implementation of UK surveillance law.
Surveillance – especially bulk surveillance – is increasingly dangerous in the digital world we live in. We have to assume that machine learning and AI will be used by GCHQ in very sophisticated ways. The law and parliament are the only ways to keep the use of such technologies and legal powers in check; while progress has been made, we are a long way from being in the right place.
Yet in the last decade, the world has become more prone to anti-democratic forces, even in supposedly democratic countries. Digital mass surveillance remains a central and pervasive threat to our democratic society.
Contribution by: EDRi member, Open Rights Group