1 Privacy and data protection in a post-Snowden world
Carly Nyst, Head of International Advocacy
2 "The great irony is that we're the only ones not spying on the American people." - Keith Alexander, head of the NSA, May 2013
"countries or individuals that engage in cyber attacks should face consequences and international condemnation. In an interconnected world, an attack on one nation's networks can be an attack on all." - Hillary Clinton, Secretary of State, January 2010
3 Snowden leaks so far
- Around 500 docs made public
- Guardian has published 17 docs
- Yesterday US stated Snowden has doomsday cache of highly encrypted classified docs
4 What do we now know?
- Access to communications metadata
  - The US has direct access to communications data held by Google, AOL, YouTube, Yahoo, Facebook, Microsoft (incl Skype) via PRISM
  - Also gathers bulk access to telephone data
- Tapping of fibre optic cables
  - UK is intercepting all data passing through 200 fibre optic cables landing in the UK via TEMPORA
  - Storing content for 3 days and metadata for 30 days
- Breaking of encryption standards and infiltration of standards bodies
5 What do we now know?
- Computer network exploitation (hacking) is common practice
  - The NSA has infected more than 50,000 computers with specialised malware
- Collection of email and chat address books
  - More than 250 million address books are gathered every year
- Hacking of private cables of Google centres
- Hacking of the SWIFT financial messaging system
- Spying on foreign leaders
6 What do we know?
- All data is shared with the Five Eyes alliance
  - Interception, collection, analysis and decryption is conducted by each of the agencies of the 5 countries and all data is shared fluidly
  - Operations centres are jointly run in each of the five countries
  - Five Eyes have infiltrated every aspect of modern communications networks
7 What do we now know?
- Mass surveillance is the norm
  - We are in a golden age for data collection
  - NSA strategy doc: Digital information created since 2006 grew tenfold, reaching 1.8 exabytes in 2011, a trend projected to continue; the traces individuals leave when they interact with the global network will define the capacity to locate, characterize and understand entities. NSA has adapted in innovative and creative ways that have led some to describe the current day as the golden age of SIGINT.
8 Our thinking must shift in fundamental ways
- our personal and communications data is hugely valuable, and even data about data (metadata) is of great interest to our governments
- oversight mechanisms will fail to protect the rights of individuals when they are not transparent and publicly accountable
- borders are obsolete. Distinctions based on sovereignty and jurisdiction are being eroded. What does cross-border transfer of data mean in today's world?
- who needs data retention when individuals want to store everything, forever, in the cloud?
9 The policy and legal implications
1) The challenge to internet governance
2) Undermining the EU-US relationship
3) Long-term prioritisation of security over privacy
4) Increased legitimacy of surveillance in repressive regimes
10 The challenge to internet governance
- Brazil: data localisation
- EU: need a European data cloud
- What are the implications?
  - Cost to internet services, complexity, impact on innovation
  - Increased power to authoritarian regimes to restrict internet flows
  - What role for national borders and outdated understandings of jurisdiction?
11 Undermining the US-EU relationship
- EU leaders (Oct 2013 statement): lack of trust undermines international cooperation
- Parliamentary vote to suspend the SWIFT agreement
- Renegotiation of the Safe Harbour Principles - Commission has imposed a 2014 deadline
- New data protection regulation prevents US companies from complying with law enforcement requests for EU data
12 Long-term prioritisation of security over privacy
- Justification for mass surveillance has been counterterrorism and the protection of security
- NSA media strategy document "Sound Bites That Resonate": mention 9/11
- Negotiations around UN General Assembly: US/UK demand to include mention of promoting security
- Difficulty in mobilising public outrage suggests that debate might be lost already?
13 Increased legitimacy of surveillance in repressive regimes
- China at the IGF: US should take a look at its own human rights record
- Zimbabwe on new SIM registration law: "There's nothing amiss about that, it happens all over the world. Ask Edward Snowden."
- Same technologies used by US government to conduct computer network exploitation and mass surveillance sold on the private market to Egypt, Bahrain, Libya, Morocco, Yemen etc.
14 The fallout is not over yet
- More revelations to come
- Political and legal pressure to increase in the new year
- General Assembly vote on resolution in early Dec
- Brazil internet summit April 2014
15 The future?