Between 15th-19th of September, in the week leading up the first year anniversary of the 13 Necessary and Proportionate Principles, EFF and the coalition behind the Principles will be conducting a Week of Action explaining some of the key guiding principles for surveillance law reform. Every day, we'll take on a different part of the principles, exploring what’s at stake and what we need to do to bring intelligence agencies and the police back under the rule of law. You can read the complete set of posts at: https://necessaryandproportionate.org/anniversary. The Principles were first launched at the 24th Session of the United Nations Human Rights Council in Geneva on 20 September 2013. Let's send a message to Member States at the United Nations and wherever else folks are tackling surveillance law reform: surveillance law can no longer ignore our human rights. Follow our discussion on twitter with the hashtag: #privacyisaright
Human Rights Require a Secure Internet
The ease by which mass surveillance can be conducted is not a feature of digital networks; it's a bug in our current infrastructure caused by a lack of pervasive encryption. It's a bug we have to fix. Having the data of our lives sent across the world in such a way that distant strangers can (inexpensively and undetectably) collect, inspect and interfere with it, undermines the trust any of us can have in any of our communications. It breaks our faith not only with the organizations that carry that data for us, but the trust we have with each other. On a spied-upon network, we hold back from speaking, reading, trading and organizing together. The more we learn about the level of surveillance institutions like the NSA impose on the Net, the more we lose trust in the technology, protocols, institutions and opportunities of the Net.
Thankfully, technologists have been slowly hardening the net to defend against this global vulnerability. In the last year, according to Sandvine, in Europe and Latin America, encrypted traffic has increased from 1.47% to 6.10% and 1.8 to 10.37% respectively. Companies and individuals are encrypting more now not just because of the greater knowledge of government mass surveillance programs, but because of the increasing use of such security flaws by opportunistic criminals. What NSA does today, even under-resourced states (like Ethiopia) will manage tomorrow, and common criminals might be able to do in a decade. Fixing the safety of the Net means fixing all the flaws that allow mass surveillance, one step at a time.
But when a surveillance capability that government agencies are accustomed to use starts to disappear, we know that those agencies fight back. The Crypto Wars of the Nineties represented the US intelligence community's attempt to prevent the spread of encryption that they could not crack. What followed was a decade of complacency, when encryption was used only when it was thought to be absolutely necessary, and the majority of online communications remained eminently tappable.
If we succeed in taking back the Net through increasing use of encryption by major communications providers, more secure software, and closer auditing of the tools we use, how can we expect intelligence and law enforcement agencies to react?
The visible moves we have seen in the last few years include legislative attempts to mandate data collection by companies, increase sharing with governments, and build backdoors into networking equipments. This is the purpose of proposed and enacted legislation such as in the United States, DRIP in the United Kingdom, the Mexican Ley Telecom, a Colombian lawful interception law that compels Telecommunication Service Providers—including Internet service providers (ISPs)—to create backdoors that would make it easier for law enforcement to spy on Colombians, and Australia's data retention proposals.
Invisibly, the world's intelligence agencies have been pursuing alternative strategies. Almost exactly a year ago, the Guardian published a report describing internal GCHQ documents which declared that the UK's intelligence capabilities "will degrade ... as widespread encryption becomes more commonplace". In preparation, the report described the British and American intelligence services attempts to find (or insert) security flaws in the network. That work includes attempts to weaken encryption standards, as well as the support of dedicated GCHQ human intelligence teams whose responsibilities included "identifying, recruiting and running covert agents in the global telecommunications industry."
This week, the Die Spiegel and Laura Poitras brought that battle between intelligence services and those trying to secure the Internet to life when they filmed employees at one satellite Internet provider as they learned that their networks were being exploited, and even their own lives were being monitored in order to defeat their corporate protections.
Such surveillance is not just about exploiting and keeping secret existing flaws. Last July, in response to claims that the Skype network had been compromised by intelligence services, a Microsoft spokesperson gave a carefully-worded answer about government interference in the upgrading of their products (our emphasis):
Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues.
In other words, it may well be that companies like Microsoft are prevented from improving the security or privacy of their products, because governments have become accustomed to extracting data from them.
When EFF helped draft the Necessary and Proportionate Principles, our intention was to create set of guidelines that illuminate how lawmakers could fix the woefully out of date legislation and jurisprudence regarding surveillance. It was an attempt not to brief lawmakers about theoretical threats, but to highlight we already knew was happening in everyday state surveillance practice.
But human rights principles and the best laws to enforce them don't just deal with the here and now. They have to look to the future too. The very heart of the Necessary and Proportionate Principles is that while technology advances, our fundamental human rights must remain a constant.
One of the greatest future threats to human rights -- an existential threat, in fact -- isthe continued undermining of the progress being made to secure our networks.
It remains vital that governments support the toughening of our digital infrastructure, not subvert or impede it in their own interests. That's why the Principle 11 speaks of the integrity of communications and systems.
As the Principles note, compromising security for State proposes "almost always compromises security more generally." Undermining security for everyone online is an inherently disproportionate act. Legal regimes that require compulsory data retention or enforced monitoring capabilities undermine that integrity.
Maintaining that integrity also means reining back some of the tactics of state espionage. We can no longer afford to have shadowy state institutions slipping backdoors into encryption standards, or pressuring or colluding with companies to re-engineer their systems to allow or maintain existing surveillance capabilities. We need to push forward in building technology that secures the network: and lawmakers need to push back against executive practices that weaken it.