Tracking Oversight of Surveillance in the US and EU
Justin Hendrix / Dec 10, 2023
In both the US and Europe, policymakers are making important decisions about the governance of the bulk collection of communications and data for intelligence purposes. In the US, some of these questions are at the fore as Congress considers how to extend the Foreign Intelligence Surveillance Act's Section 702 program, which is set to expire at the start of 2024.
To get a sense of how the broader policy debate around government surveillance is advancing in both the US and Europe, I spoke to two experts on the subject who happened to be meeting together in Washington DC last week:
- Dr. Thorsten Wetzling, head of the Digital Rights, Surveillance and Democracy research unit of the Berlin think tank Stiftung Neue Verantwortung (SNV), and
- Greg Nojeim, Director of the Security and Surveillance Project at the Center for Democracy and Technology (CDT).
In an SNV report published this October, Wetzling and his colleague Corbinian Ruckerbauer take a closer look at the reconnaissance and surveillance activities of the German military intelligence system. Also in October, with his colleague Jake Laperruque, Nojeim published a policy brief on FISA reform.
What follows is a lightly edited transcript of the discussion.
Thank you. My name is Thorsten Wetzling. I'm the head of research for a program called Digital Rights, Democracy and Surveillance at the Stiftung Neue Verantwortung. It's a Berlin-based think tank and we can call it SNV if you like.
I'm Greg Nojeim. I direct the security and surveillance project at the Center for Democracy and Technology.
And that is what we're going to discuss today, security and surveillance. We're going to take a bit of a transatlantic tour of what's happening in the US, in Europe, perhaps Germany in particular, and we're going to talk maybe more big picture about how these regions are balancing security interests and of course civil liberties as we go along into the early part of this century, with so much going on with emerging technology, artificial intelligence and the like. Thorsten, I want to start with you. My listeners are mostly in the United States, some in Europe and elsewhere around the world as well, but could you provide an overview perhaps of the different forms of government access to personal data in Europe, specifically the kind of compelled and non-compulsory access that you're concerned about?
That's an aspect that has come up, to my understanding, more recently. Surely this has been going on for quite some time, I presume, but basically you can distinguish between direct access where the services penetrate systems and do some bulk hacking for instance. But then there's also compelled access where you oblige providers to give you access to data, but on the basis of a legal requirement. And then there's a procedure in place for a number of those types of mechanisms, and then there is non-compelled or non-compulsory access where, as of today in a number of European countries, there isn't a specific statutory basis for getting access to data that you may have purchased on a market. There's a burgeoning market for data out there and some of the data brokers have specialized in national and intelligence services as clients. And this, to my knowledge, is just about to be on the radar of some regulators in Europe.
I think the US has done this for quite some time. I know there's public debate about commercially available data and whether or not this can be regulated, and access requirements in Europe. To the extent that I know, there is now more and more awareness also due to some very interesting media disclosures of... We all know that there's a GDPR, but that doesn't mean that European data cannot be purchased on marketplaces like Sonder. And the Netzpolitik, a very influential German... The news outlet has produced interesting stories about what kind of data is available and they looked at segments, and these segments have millions sometimes of IDs, and specifically European segments they were able to point to. And the thing that I'm worried about sometimes is that the intelligence services, they can use what is called cross-system information analysis. So they already have access to data on the basis of compelled and direct access. And if that data can be then pooled with data from non-compelled access, this can give even more granular profiles of individuals.
And that for instance was something that I think the Dutch intelligence oversight body, the CTIVD, they have done a very interesting report and they looked at the purchase of automated big data analysis tools, and some of the data that these tools use is either publicly available or commercially available data. And then they looked at the definitions that are in place currently for the systematic use of publicly available information. They realized it's very broad, these definitions, of what is publicly available, and we are no longer in the time when there are telephone books and newspaper clippings that these services can collect, but there's a lot more data that can be used. And for that reason, we now see some reports, and there are legal reforms that we may come to talk about, Justin, in a second, but where I feel like there is an urgent need, to include in the debates about legal reform a much more robust legal statutory basis for how you deal with this type of access.
And I hear some of the parallels with some of the things that are going on in the US which we'll come to in just a moment, but before we do that, you've already mentioned for instance the Netherlands, I want to ask you a little bit about how maybe things differ in countries over there, in Germany, the Netherlands, perhaps differ with the UK, and perhaps how laws like those in Germany interact with the EU?
I already mentioned the Netherlands. Then Germany, for instance, there we don't have as of yet a good statutory basis for OSINT and let alone the use of artificial intelligence, because if you want to train large language models, the kind of data you want to train these large language models in the security services with tends to be open source, tends to be commercially available data, so there too are a number of risks. And to my knowledge thus far, it has been the UK that has a good legal framework for bulk personal datasets. At least they have set their data examination warrants, so even if it comes to publicly available information in the UK, they had to get a warrant and they had to renew that every six months. And when I wrote a paper with a colleague on the disproportionate use of commercially available data in Germany and in other countries, a number of UK colleagues pointed out to me, "Hey, that is more something for the continent. It's not for us to... We have a good enough framework."
But interestingly, the UK Home Office is now reviewing after five or six years the current UK legislation, and it asked Lord Anderson, who's a very prominent expert on this, to see whether some of the standards on publicly available information or the bulk personal datasets could be, what is the word? So the standards that they have, they think are so onerous to the government. They feel like we need to have an easier way to get to publicly available information that poses no or very little risk. So although I pointed to the UK a lot as a good example, by now, there will be discussions about a loosening of standards. And I hear from a report in the UK that up to 20% or 8% depending on which, MI5 or GCHQ, you're looking at, it concerns this no to low-risk category of bulk personal datasets.
And that to me says, well, there's at least 80% that pose a medium or higher term of risk and if we don't have a legal framework for that in some European countries, that certainly is a problem and we should think about how to do that. And I think in Norway, there's a report by the Norwegian intelligence oversight body and they have been discussing this as well for their service purchase of metadata. And they also realized they got the same response from the ministry, "Hey, this is open, publicly available." We don't necessarily need to have a legal framework. But they stood up and said, "No, we disagree." And the European Code of Human Rights has also, if you follow its jurisprudence, said we need to have a systematic legal framework for a number of rights infringements, and there can be rights infringements.
So long answer perhaps to your question, Justin, but I see when it comes to this type of access that there really should be the new frontier of reform in Europe, and I haven't seen this yet. So Germany is earmarked for some substantial reform in 2024 and my organization, but hopefully also others in Germany are trying to push the legislators and the people within the executive to do more to make sure that the access to these datasets has at least the statutory basis. Because if you don't have that, oftentimes the oversight bodies also, if they don't have a law that lays out the guard rails and the safeguards, then their important mission is also hampered. So of course, there are many reasons why it would be good to have a statutory basis for this.
Greg, I want to come to you because there are some parallels in the conversations that are happening in the United States. I know that you probably follow closely hearings with, for instance, FBI Director Christopher Wray, who I know has been pressed this year on some of these questions about these definitions around publicly available information, how the FBI thinks about that, how policies work at that agency. The executive branch, the Biden administration, issued a memo. We have a partially declassified version of that from the Office of the Director of National Intelligence in the public domain, and I know FBI Director Wray was very unwilling to answer questions about some of these questions in congressional testimony earlier this year. What's going on with, well, I suppose the FBI, but maybe more broadly across American intelligence agencies when it comes to personally available information and how to think about the acquisition of these large pools of data?
So the big picture is that we've set up a statutory regime to control the compelled disclosure of information, and what we're facing is a regime in which the disclosure is voluntary. So unless the law prohibits the disclosure, the government can get it through a voluntary means. And it used to be the case that nobody volunteered it because the people who had it didn't want to share it and were worried that if they did, people wouldn't use their service. Now we're in a world where it's a moneymaker and the government is saying, "Well, if X company can share that information commercially and they can share it with foreign governments, why shouldn't we be able to get it? Why shouldn't we be able to buy it just like everybody else does?" That's the argument. But that argument, if taken to its logical end, means that controls over the intelligence gathering function go away.
The Foreign Intelligence Surveillance Act, why do we need something that says government cannot compel the disclosure of a person's communications content for intelligence reasons unless you can prove to a court that that person is an agent of a foreign power? Why do we need that if they could get that data through another means? With respect to content, it has special protections under US law. It can't be shared freely. But metadata which can often be very revealing, and which as Woolsey, who was the former CIA director, once said, "It can't lie." Metadata can be shared commercially and with the consequence that it leaves a regulated regime and moves into a less regulated regime or an unregulated regime, and can be sold to the government. There's other developments that I wanted to mention as well. The FBI complains all the time that it's going dark because more and more communications are being transmitted in an encrypted form.
Well, the reality is that the government has never in the history of our species had more access to private thought than it has today. That's because it has access to metadata, which often is not encrypted. It has access to unencrypted content. And the way we communicate today is through intermediaries, Google, Microsoft, Facebook. These are intermediaries, they're holding data. They are a choke point to which the government can go to get our communications. Used to be more communications were over the fence between two neighbors. Now you see kids sitting in a circle, they're not talking to each other, they're texting each other, so their texts are available to law enforcement because they're held by a third party intermediary. And so encryption in a way is a counterbalance to that development of technology. It keeps our communications private, just like they were when we were talking over the fence to our neighbors in the old days, not loud enough for the other neighbor to hear.
And encryption, I should say before I leave, is under attack in multiple countries. It's under attack in the United States. It's under attack in the UK, in the EU. It's under attack in Australia. And in some ways, governments are coordinating their attacks and developing common requirements of providers that might make it so they can't offer end-to-end encrypted services. The other development that I wanted to mention that is opaque so far is how the intelligence agencies are using artificial intelligence to slice and dice communication streams, draw intelligence from them and use it to further security goals. I'm not saying that that's necessarily a bad thing.
In fact, I think it's a fair guess that the terrorists are going to use artificial intelligence to perpetrate their bad acts, and that it's important that the intelligence agencies keep up. On the other hand, it's opaque. Nobody really knows what's happening. The President's executive order carved out national security use of artificial intelligence to be dealt with later and perhaps not as visibly as government use of artificial intelligence in other contexts. So I wanted to mention that as an area in which without even increasing the amount of data that the government collects, it gets more intelligence because it draws it out through these other means like artificial intelligence.
Let's spend just a second on Section 702. That's a current topic. That's something that there are day-to-day updates on. I understand there's some new activity in the Senate in the last couple of days. What do we expect between now and the end of the year on Section 702?
Well, Section 702 is a provision of the Foreign Intelligence Surveillance Act that permits the government to compel communications service providers to disclose communications content, metadata in real time and from storage without a warrant. Section 702 surveillance must be reasonably designed to target the communications of non-US persons outside the United States, like Thorsten, and there are rules for minimizing the data about US persons that it's collected. The reality is that those rules aren't doing a sufficient job to protect US persons. The big issue is whether this database that's formed by gathering this information targeting foreigners can be searched for Americans identifiers and for Americans communications without a warrant. That's the big issue. And from our perspective, if you're going to have a Fourth Amendment and you're going to have a warrant requirement that applies to our content, it shouldn't matter whether that content was developed in conversation with a person outside the United States.
It shouldn't matter whether the content is developed because a person protected by the Fourth Amendment is a party to the communication. When that's the case, it does seem to me that there ought to be a warrant in order to gain that access. And the FBI, DOJ, DNI, CIA, they're all opposing the warrant requirement and there's a lot of support for it on Capitol Hill, and there's some senators and representatives who don't support it. In particular, both of the intelligence committees are developing legislation that would reauthorize Section 702, it expires on December 31st, without meaningful reforms. That might be a little too strong. There are some reforms in their legislation, but they're not tackling the big problem. They're not tackling this. Now that we've collected all these communications of Americans who are talking with foreigners, what do we do with them?
We're not saying you should ignore them. We're saying you can look at those, but you've got to have a good reason. And it's not good enough to say, "Well, we lawfully collected it. Because the foreigners don't have Fourth Amendment rights, they don't have a warrant requirement, they're not protected by probable cause, we lawfully collected it when you talk to a foreigner, and so therefore we can do with it what we want." I think that's a real recipe for disaster. Think of it this way, the United States has the capability of engaging in bulk surveillance of all the communications coming into and out of the United States. If we did that, would we still say that you don't need a warrant to collect the communications of an American that were picked up in that bulk surveillance? I'll tell you, in my line of work, there's a foreigner on the CC line in half of my emails, and it can't be the case that CCing a foreigner means that I've lost my Fourth Amendment rights.
The two of you are actually together today in Washington DC, so Thorsten, you've had the opportunity to perhaps wander around, talk to folks in the States about some of these issues. Let me ask you from your perspective, how do European approaches to these questions differ in any way fundamentally from the approaches in the US? Do you think there's a different concept of privacy and individual rights based on some of the rights frameworks we know that the EU has adopted?
I will answer this and then if I may, I wanted to come also to another aspect on military stuff, if we can cover that. But Greg has just mentioned for instance that he doesn't see that his Fourth Amendment rights should be given away by CCing his emails to some Europeans, perhaps. The big challenge and difference also in Europe and Germany in particular is that we no longer distinguish. The right to privacy in Germany is a universal right that we don't grant different privacy rights to Germans than to US citizens, and that has of course major implications for reform in Europe. I'd say Germany in this regard has come a long way because this was a position that wasn't voluntarily adopted by the government, but the constitutional court has said you can no longer make that claim and you need to make sure that there is proper judicial oversight of some foreign intelligence collection. That doesn't mean of course that you are going to be notified as someone in a different foreign country that Germany has collected on you, but the German state as such is bound by the constitution irrespective of where it acts.
And that also means that the right to privacy under the German constitution is not territorially restricted to cover only Germans. And that is, for instance, an interesting... And we can talk a lot about how the German legal framework is quite elaborate when it comes to intelligence cooperation and systematic partnerships, when it comes to signals intelligence and what the government needs to do to ensure that this signals intelligence cooperation cannot be used to circumvent standards that we may have in Germany, and by cooperating with someone, that you no longer have the need to abide by these standards. So there's interesting and good progress there, but of course it is tied to only one collection method, and there is intelligence cooperation beyond SIGINT and it can also be ad hoc. It's not always systematic. So there's a lot of room for keeping on working on this, and we're expecting reforms in 2024. But I wanted to, if I may, Justin, to cover another aspect-
And maybe just to separate things a bit, I'll say, but I understand you have concerns about the military and its collection of data.
I was a bit surprised to learn that the German foreign intelligence service considers itself as a three-in-one service. It has a foreign intelligence component, it has a technical intelligence component and the human intelligence component, and it considers itself as Germany's foreign intelligence service. But the German armed forces, in the wake also of course of geopolitical disruptions, have received a lot of attention, have received a lot of funding, and that is important for Germany to be resilient. But the German armed forces, they of course also collect a lot of data. And there's OSINT by the German armed forces, there is HUMINT by the German armed forces, and there is SIGINT by the German armed forces. And to my chagrin, there isn't a statutory framework. So if for instance, the German armed forces want to collect data, there might be ministerial directives, but that's not known to the public.
I point you to two international developments. One is the OECD. It has adopted a declaration on government access to personal data held by the private sector, and there is another one by the Council of Europe, Convention 108+, which is the only international convention that regulates data processing in the realm of national security defense and law enforcement, and makes a number of interesting proposals and standards. And the reason why I insist on the need for a proper legal framework where it says, "These are legitimate aims for collection. These are not legitimate aims for collection. This is the process for authorization. This is the process for control," is because we often hear about democracies worrying about authoritarian regimes, and that's clearly a thing we need to reckon with. And we know that we want to distinguish ourselves. We want to say... And in the OECD declaration, there's a passage that says, "We as members states signing this declaration reject government access to data that is unconstrained and disproportionate."
But yet if you look at the military, it's not part of this declaration. It's only law enforcement and national intelligence. And if you think about the, we discussed it before, the commercially available data, it is also not really addressed. And yes, I find the way the sector hasn't really dealt or the legal reform has touched neither military intelligence nor publicly available information and commercially available information much opens up to criticism that these statements where you reject this, you want to be seen as different, you want to lead by example, and then you need to be making a better effort to adopt legal frameworks. And again, legal frameworks are not just important for the sake of showing that you have something, but the oversight bodies themselves, they need to work with this and they need to report on this.
And if there's only something in terms of a secret executive decree, then it doesn't help. It is not foreseeable. The public doesn't know what's going on. And just to mention that clearly, I don't want to put the German armed forces on a leash and say, "Look, you can't do your defense functions, much like the intelligence service." I don't want to say that there are not threats that need an answer. And I find it interesting that the PCLOB has... It's adopted in the US. There's no one in the PCLOB I find that really rejects the 702 as a program. It says there is a need for such collection, and we see that in European jurisprudence.
Bulk collection I think is an instrument that is here to stay. And the court said so, so the focus is really like, okay, how can we then establish safeguards that really are important? And I hear from smaller European nations, that's the last remark on this, Justin, that they have been doing very innovative oversight techniques, because there's a big difference between what is on the books and what's the practice on the ground. And I find that some oversight bodies have now acquired direct access to the IT system and databases of the intelligence services. Now access by itself doesn't do much because you could put someone in the terminal of the services, but if he doesn't know where to look... Maybe it's just a showroom and there's so much underneath that that the person doesn't see.
So what are they doing? They're writing programs and they're using supervisory technology to get a better understanding of mapping the whole system that is in use. And of course to American ears, as far as the colleagues I've spoken to, this sounds like they would never see this to be adopted in practice. And Greg, we've been talking about this for quite some time, there are certain differences between countries and there's a respect for, some democracies do things differently, but I just want to of course support and challenge oversight bodies to not merely be working closely with the government, but to also talk to one another and share good practices and become an independent critical voice when it comes to their interaction with government.
You're both paid to think about the details of this policy, the laws that are put in place to provide the type of oversight and the types of protections that you've referred to, when the two of you step back and you think about the future trajectory of government surveillance in Europe and the US, what do you think? Are there emerging technologies trends that concern you? Do you think that we'll be able to preserve the balance between protecting security interests and democratic values going forward? Or when you step back from it all, I don't know, are you paranoid about our ability to do that?
I'm very concerned, Justin. I'll tell you why. It's that technology keeps advancing, the ability to surveil keeps becoming stronger and more all-encompassing, and the regulatory regime is not keeping up. If you're counting on Congress to enact legislation to rein in surveillance, boy, that is really hard. It's very difficult to get legislation through nowadays, even when it seems obvious that something must be done. Take for example the access to commercial data, we've got a bill, the Fourth Amendment is Not for Sale Act, that basically says if this data was going to be protected by the warrant requirement when it was originally born, it should be protected by the warrant requirement if it's shared. It's pretty simple, but we can't even get traction on that. It's very difficult to get things through Congress. That said, it's also difficult for the government to get legislation through Congress that expands its power. So in a sense, it's a race of technology. Will the technology like encryption protect us while the technology like new forms of communication, new people having access to those communications develops further? So that's my big picture.
I can see both good and bad things obviously. And I just want to start maybe with the good things, that I've been doing this for quite some time now and if I think about the trajectory of reform that we've seen... Picture Germany for instance, after Snowden, there were lots of debates, but then there was also an insistence by the government that, "Hey, some aspects we can invest more in parliamentary oversight, give them a little more, but we don't want to do this judicial oversight. That cannot be done because that would be a serious risk to the operations that we do." And we've seen investments in judicial oversight. We've seen investments in the data protection authorities. Certainly not... And I'm not saying that behind every analyst there needs to be a controller, but we've seen significant investments in the mandate of oversight bodies. We've seen significant reforms when it comes to what kind of collection can be subjected to minimization and to greater safeguards.
We have a very active civil society that has put forward claims of unconstitutionality and they've won. Maybe it's also a learning from the German government that they didn't take this... They weren't used to appearing in front of the bench and justifying their surveillance programs, but they have learned a hard lesson that there is a need to be explaining programs and to make sure that they are legal. And if there are accountability gaps, and if there are open questions, there's a likelihood that we have a case coming out of a court that wants to change things. Now, of course, the court often promotes minimal standards. And of course I'm not an idealist, so despite the fact that we now have a very progressive... It calls itself a progressive coalition with the liberal and the green parties coming into government. They put a lot of things also tied to surveillance, governance and reforms into their coalition agreement treaty, but we have yet to see this.
And then came the war in Ukraine, and that had put some new perspectives on things. So I want to be modest and say, look, when it comes to some oversight bodies experimenting with access, when it comes to new reporting, it's good. When it comes to a lot of technological evolution, I'm also a lot more pessimistic. You can easily say, "Hey, how is research funding for security? For instance, why is AI and machine learning funded when it comes to security agencies, but rarely when it comes to justice and oversight? They can as much benefit from the use of this, so make AI or machine learning a standard when it comes to your help of understanding the realm of different programs and services that are in use." But I haven't seen that yet. That maybe is my mixed answer to your question, Justin.
Well, I think that I see the world maybe a bit like Greg. If you stand back on the moon and you look down, the ability for a human to connect with another human or a group of humans and not have that communication collected or surveilled or traded by some authority does seem to be certainly at risk, certainly in the age of artificial intelligence. That's one of the reasons why of course encryption becomes so crucial for maintaining that ability for one mind to connect with another without someone in the middle. And I suppose we might be ending on a slightly sour note with both of your concerns about how things are going forward, but I am at least heartened that there are individuals like yourselves paying close attention to how these policies, how these laws play out, and I appreciate you for speaking to me today.
Thank you so much.
It was a pleasure, Justin. Thank you.