Freedom Not Fear: Ending A Decade Long Legacy of International Privacy Erosion
This Saturday, September 17th, concerned European citizens with the Freedom not Fear movement have decided to take their protest to the capital of the European Union, Brussels. Their slogan: Stop the surveillance mania! For five years in a row, Freedom Not Fear has taken to the streets in several cities in Europe and beyond to demand an end to suspicion-less surveillance measures. These include mandatory data retention laws and other reactionary surveillance measures that have been justified by the rhetoric of fear. Their protest efforts have been among the most meaningful demonstrations for this cause. Previously, Freedom not Fear protests were spread out across various European towns. For the first time, protesters from throughout Europe are descending on Brussels to directly confront the European Union’s policies at its headquarters.
Last week, protests were also organized in Dresden, Vienna, and Berlin. With mottoes such as: “Privacy is not a crime”, “mass surveillance threatens an open society”, and “mountains of data compromise our security”, thousands of people took the streets of Berlin to protest the surveillance of air travelers and to stop any attempt to re-introduce a German mandatory data retention law. A coalition of German activists is also urging fellow citizens to sign a petition against data retention. Its ultimate goal is to persuade the German government to fight for the repeal of the overall European Data Retention Directive.
As the world reflects on the decade following September 11th, Freedom not Fear protesters are attempting to reverse the unfortunate post-911 legacy of online anti-privacy measures. In the wake of 9/11, international government responses had significant impact on Internet privacy. The “war on terror” rhetoric enabled one of the most effective international policy laundering campaigns to quickly enact unpopular and often covert policies with minimal fanfare. Within 45 days of 9/11, then-president George W. Bush already sent his much-wanted surveillance wish list to the European Union. In a letter to the European Commission President in Brussels, the United States sets out a blueprint for privacy erosions the EU could undertake that have sacrificed privacy for little gain in the struggle against terrorism.
The letter called on the EU to eliminate existing privacy protections so that online companies would be free to retain their customers’ online activities: “[r]evise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period.” What did this proposed revision mean? One of the key European privacy protections is the data minimization principle. This provision compels companies to limit their collection of personal information to a specific purpose [e.g., billing], and keep their data for only a specific period of time before destroying or irreversibly anonymizing it. This helps prevent online companies from developing sweeping databases on their customers’ activities, while the U.S. Government wished to encourage retention of everyone’s data, whether innocent or not, so investigators will have access to it. The impact of 9/11 on deliberations at the EU was evident at the time:
"We think this new version of the directive sends a powerful signal and it responds to the events of Sept. 11," said a European Union diplomat involved in the Wednesday meeting who insisted on anonymity. "Since that date there has been a reappraisal of the issue of data retention."
These initial U.S. efforts to facilitate a permissive data retention regime evolved to something worse: a mandatory Data Retention Directive adopted by the EU in 2006. Mandatory data retention is an extreme measure that the U.S. government has perennially tried--and failed--to pass through Congress. It was reintroduced by the U.S. House Judiciary Committee once again this year, in a bill that will require any commercial providers of Internet access to keep, for at least 12 months, a record of which users were assigned to particular network addresses at particular times.
As we commemorate the 10th anniversary of the 9/11 attacks, we should reflect on the way in which a climate of fear has been exploited to advance Bush’s controversial proposals into international policies and practices. The fear of 'imminent threats' has made rational assessments aimed at achieving actual security and privacy difficult. Ten years later, the rhetoric of threats continues to pervade the dialogue.
As James Bamford said, in his recent op-ed, Post-9/11, NSA 'enemies' include us “somewhere between Sept. 11 and today, the enemy morphed from a handful of terrorists to the American population at large, leaving us nowhere to run and no place to hide.” Bamford is right, but the problem isn't limited to the U.S. In many countries around the world ordinary people morphed into potential criminals and governments took free reign to invade their privacy. If we allow the tragic attacks of 9/11 to create a cloud of fear, confusion and paranoia, we give in to the terrorists, and threaten the very freedoms that make open societies great. Freedom not Fear’s bold march into Brussels and across the European Union brings hope that the political climate is shifting and that we can re-establish our privacy rights and the principle of data minimization in the face of a decade’s worth of massive civil liberties breaches.