PRISM: No surprise to those who wanted to know

After The Guardian and the Washington Post revealed details about mass surveillance of citizens inside and outside the United States, EU Vice President Viviane Reding and national governments have announced they would put some questions to US President Barack Obama. PRISM, a data mining programme by the National Security Agency and the CIA will be discussed alongside the upcoming G8 summit in Northern-Ireland (June 17-18 2013).  But is this double speak? Mass surveillance by collection, long term retention and data mining is not at all new to those in power – technically or politically.

PRISM, which is only one of the programmes revealed by 29-year old former CIA and NSA analyst Edward Snowden (more are to come, promises The Guardian), could not have come as a surprise, Sophie In't Veld, liberal politician in the European Parliament scathingly criticised EU governments. Since the spy programme Echelon was scrutinised by the European Parliament “we knew that the Americans were spying on us”, In’t Veld said. Moreover, EU member states including the United Kingdom or her own country (The Netherlands) “did the same thing” surveilling their own citizens[1].

While political party groups nearly unanimously pushed to fix the EU Data Protection Regulation, Conservatives like Manfred Weber (EVP) clearly said, the EU has benefited from US anti-terror programmes like the controversial transfers of banking data (through the Terrorist Finance Tracking Program) or Passenger data. The EU has not been able to establish its own surveillance programmes, Weber regretted.

Reding meanwhile has written to US Attorney General Eric Holder and has underlined she will seek clarification on the programme and possible violations of fundamental rights of EU citizens during a meeting in Dublin on June 14.

Secure your communications

For the technical community, too, PRISM has not come as a surprise. Scott Bradner, one of the senior figures in the Internet Engineering Task Force (IETF), and Technology Security Expert at Harvard University, much like In't Veld pointed to Echelon when questioned about the US and other countries’ spy activities.

“The extent”, according to Bradner, “has been rumored, but a lot of people refused to accept that it was so large.“ Asked why no core infrastructure providers like network access, backbone or DNS providers were mentioned as PRISM partners (but only Google, Apple, Microsoft, Skype and other internet service providers), Bradner wrote it seemed only “logical that something is going on there considering what we already know“.

The current Chair of the IETF, when answering questions on a reaction of the technical community explained, that participants in the core internet protocol standardisation body had “positions at all points of the privacy/surveillance continuum”. More than once US agencies have brought security or interception issues to the IETF in the past.

According to Arkko, the entire internet community certainly did care “about how much we all can trust commonly used services”, but the IETF so far had not considered specifics of the PRISM revelations. A discussion is expected during the IETF meeting in Berlin in July 2013. In general, members from the technical community are quick to recommend securing one’s communication as an avenue to take, if not already done so. Engineers’ best answer to PRISM is to “enable end-to-end encryption to hide content and use Tor to hide who is talking”.

Yet technology, Arkko said, is not the only factor. Operational practices, laws, and other similar factors also matter.

Reactions by non-governmental organisations

Violations of international law, especially Articles 17 and 19 of the International Covenant on Civil and Political Rights, as well as Articles 12 and 19 of the Universal Declaration of Human Rights, were made an issue by the Best Bits Coalition. In an open letter to the Human Rights Council of the UN Best Bits is requesting a special session on the US mass surveillance programme.

Not only should the PRISM issue be addressed, but the High Commissioner on Human Rights should in the future ask governments to report on their surveillance practices and laws. The letter - which is still open for signatures - finally supports a recommendation of the UN Special Rapporteur on Freedom of Expression, Frank La Rue. La Rue, only three days before the PRISM scandal broke, published a report on the growing surveillance practices by governments all over the world and recommended “that the Human Rights Committee develop a new General Comment 16 on the right to privacy in light of technological advancements“.

Meanwhile, more NGOs and activist groups have added their statements to the public record. A group of New Zealand ICT organisations in an open letter called on their Prime Minister John Key to extend the deadline for submissions to the draft Telecommunications Interception Capability and Security and draft Government Communications Security Bureau and Related Legislation Amendment to allow to consider the impact of PRISM.

A large coalition of US NGOs meanwhile wrote to Congress demanding legal reform, see https://StopWatching.Us. The Internet Society reminded the US government in its statement that after all it had taken an active role in championing privacy rights offline and online in discussions in the international sphere and supported a respective Human Rights Council resolution (A/HRC/RES/20/8, PDF). The not so fundamental rights-friendly picture of the US also has resulted in some questions, if it really does not matter where core technical infrastructure (like DNS root servers) are located.

Backlash conspiracy

Reactions from US politicians and the intelligence community vary considerably. Former Republican Congressman Jim Sensenbrenner said (and wrote in The Guardian) the data mining was an abuse of existing law. Sensenbrenner is the author of the Patriot Act that significantly broadened law enforcement agencies’ access to private data after 9/11. On the other hand there is also a spin that describes Snowden's step as orchestrated by China (to where the whistleblower has fled). This somehow sounds like a reverse-engineered conspiracy theory.