Privacy, the NSA and GCHQ

The Edward Snowden revelations mean that governments are (mostly reluctantly) having to put their electronic surveillance processes under the microscope.

Firstly, as a UK citizen, I must admit I’m a bit miffed that the US is only concerned about the rights of its own citizens being infringed.

But there are implications which – although touched on – haven’t really been discussed in depth.

And there are other areas where single headlines aren’t joined up to produce the big picture implications.

Critically, while Snowden has revealed this information through the press, we don’t know whether any other employees (or contractors) have disclosed this information to other interested third parties.

Although that, of course, wouldn’t have resulted in the same degree of embarrassment. As with Chelsea Manning, I suspect that Snowden’s true offence would appear to have been “Embarrassing Important People”.

The honeypot

The huge amount of information being captured isn’t just useful to the NSA, of course.

Lots of commercial organisations, for example, would find this an attractive resource.

And there are reportedly 850k people authorised for access, each of whom is liable to be “leveraged” in one way or another for access.

It has also been reported that, on more than one occasion, users have accessed information for personal (mostly romantic) interests.

What we don’t know is whether users have accessed the information for personal gain.
For example, reading (and possibly decrypting) emails to gain market-sensitive information.

Breaking the Internet

Reports claim that a number of mechanisms have been employed to build backdoors into devices, or to compromise encryption tools – and even standards.

Well, of course, “if you’ve nothing to hide, you’ve nothing to fear”.

Except that once the doors are unlocked, you can’t control who walks through them.

Now we know that there are probably backdoors in tablets, phones, networks and computers, there are probably a whole stack of people trying to open them up.

They may be nation states, organised crime outfits or unethical corporations.

The ones we read about – and the ones who get locked up – will be the adolescent hackers who aren’t able to cover their tracks.

However, if those backdoors exist, then access isn’t limited to the security services’ servers. A person with the skills to penetrate these devices can do it without touching the NSA/GCHQ servers.

Contractor skills

Having trained all these contractors to access these backdoors, they’ve created some people with a very marketable skillset.

Snowden’s revelations are, ironically, a very effective advertising campaign for those abilities.

Many of these contractors are (as was Snowden) working for consultancies who are adept at pitching business opportunities to large organisations.

Anyone following the Leveson Inquiry can understand that a large corporation can be corrupted to the point where illegal surveillance becomes routine, particularly if the barriers to entry become low enough, and the risk of detection is minimal.

What’s Good for General Motors …

There have always been strong links between the US government and its corporate partners.

Could those partners be using data passed by the UK government to disadvantage British or European competitors ?

Data Protection Act

The UK passed the Data Protection Act in 1986. It was reworked in 1998.
The eighth principle is intended to ensure that personal data should not be exported (http://www.legislation.gov.uk/ukpga/1998/29/schedule/1).

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

There are, of course, exemptions for National Security.

Here’s the section (from http://www.legislation.gov.uk/ukpga/1998/29/section/28):

Personal data are exempt from any of the provisions of—

(a) the data protection principles,

[snip]

if the exemption from that provision is required for the purpose of safeguarding national security.

(2) Subject to subsection (4), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.

However, was it necessary for the UK national security to pass all that personal information to a foreign government ?

What safeguards were applied to its storage and use ?

GCHQ Funding

Is it reasonable to extrapolate “safeguarding national security” to include £100m funding for GCHQ programmes by the NSA (as has been reported by The Guardian) – effectively paying for GCHQ’s budget by selling our (and our European Partners’) citizens’ personal data to a foreign government (and, possibly, its economic interests) ?

And while I’m on this subject, when did the government decide that I wasn’t a citizen, but a product ?

Publication

The Guardian newspaper’s been taking a lot of stick for revealing a subset of the Snowden revelations.

But, really, if 850k people have access to this data, then, let’s face it, it will leak. The Guardian hasn’t (so far) been shown to have lost control of our information. The respective intelligence agencies have.

And, as I’ve implied above, just because we haven’t heard of any other leaks doesn’t mean they haven’t happened.

For me, the key point of the Snowden revelations was not that the data was being stored by the security agencies (bad enough in itself), but that it could be removed without their knowledge.

To that extent, they have failed in their duty to their citizens.

How many others of the 850,000 people who apparently have had access to that data have used it to less principled ends ?

Snowden and the Guardian are being accused of treason, of “aiding the enemy”.

The risk is that, if those enemies had already been aided by others, then we probably just wouldn’t have heard about it.