This statement was originally published on eff.org on 26 January 2015.
We have a problem when it comes to stopping mass surveillance.
The entity that's conducting the most extreme and far-reaching surveillance against most of the world's communications - the National Security Agency - is bound by United States law.
That's good news for Americans. U.S. law and the Constitution protect American citizens and legal residents from warrantless surveillance. That means we have a very strong legal case to challenge mass surveillance conducted domestically or that sweeps in Americans' communications.
Similarly, the United States Congress is elected by American voters. That means Congressional representatives are beholden to the American people for their jobs, so public pressure from constituents can help influence future laws that might check some of the NSA's most egregious practices.
But what about everyone else? What about the 96% of the world's population who are citizens of other countries, living outside U.S. borders? They don't get a vote in Congress. And current American legal protections generally only protect citizens, legal residents, or those physically located within the United States. So what can EFF do to protect the billions of people outside the United States who are victims of the NSA's spying?
For years, we've been working on a strategy to end mass surveillance of digital communications of innocent people worldwide. Today we're laying out the plan, so you can understand how all the pieces fit together - that is, how U.S. advocacy and policy efforts connect to the international fight and vice versa. Decide for yourself where you can get involved to make the biggest difference.
This plan isn't for the next two weeks or three months. It's a multi-year battle that may need to be revised many times as we better understand the tools and authorities of entities engaged in mass surveillance and as more disclosures by whistleblowers help shine light on surveillance abuses.
If you'd like an overview of how U.S. surveillance law works, check out our addendum.
Intro: Mass Surveillance by NSA, GCHQ and Others
The National Security Agency is working to collect as much as possible about the digital lives of people worldwide. As the Washington Post reported, a former senior U.S. intelligence official characterized former NSA Director Gen. Keith Alexander's approach to surveillance as "Collect it all, tag it, store it… And whatever it is you want, you go searching for it."
The NSA can't do this alone. It relies on a network of international partners who help collect information worldwide, especially the intelligence agencies of Australia, Canada, New Zealand, and the United Kingdom (collectively known, along with the United States, as the "Five Eyes"). In addition, the United States has relationships (including various levels of intelligence data sharing and assistance) with Belgium, Denmark, France, Germany, Israel, Italy, Japan, the Netherlands, Norway, Singapore, Spain, South Korea, Sweden, and potentially a number of other countries worldwide. There are also other countries - like Russia, China, and others - engaging in surveillance of digital communications without sharing that data with the NSA. Some of those governments, including the U.S. government, are spending billions of dollars to develop spying capabilities that they use aggressively against innocent people around the world. Some of them may do so with even less oversight and even fewer legal restrictions.
Although whistleblowers and journalists have focused attention on the staggering powers and ambitions of the likes of the NSA and GCHQ, we should never assume that other governments lack the desire to join them. Agencies everywhere are hungry for our data and working to expand their reach. Read about international surveillance law reform and fighting back through user-side encryption.
We focus here on the NSA because we know the most about its activities and we have the most legal and political tools for holding it to account. Of course, we need to know much more about surveillance practices of other agencies in the U.S. and abroad and expand our work together with our partners around the world to confront surveillance as a worldwide epidemic.
Mass surveillance is facilitated by technology companies, especially large ones. These companies often have insufficient or even sloppy security practices that make mass surveillance easier, and in some cases may be actively assisting the NSA in sweeping up data on hundreds of millions of people (for example, AT&T). In other cases, tech companies may be legally compelled to provide access to their servers to the NSA (or they may choose to fight that access). Read more about how tech companies can harden their systems against surveillance.
The NSA relies on several laws as well as a presidential order to justify its continued mass surveillance. Laws passed by Congress as well as orders from the U.S. President can curtail surveillance by the NSA, and the Supreme Court of the United States also has authority to put the brakes on surveillance.
The Game Plan
Given that the American legal system doesn't adequately protect the rights of people overseas, what can we do in the immediate future to protect Internet users who may not be Americans?
Here's the game plan for right now. Note that these are not consecutive steps; we're working on them concurrently.
1. Pressure technology companies to harden their systems against NSA surveillance
To date, there are unanswered questions about the degree to which U.S. technology companies are actively assisting the NSA.
In some cases, we know that tech companies are doing a lot to help the NSA get access to data. AT&T is a clear example of this. Thanks to whistleblower evidence, we know AT&T has a secret room at its Folsom Street facility in San Francisco where a fiber optic splitter creates a copy of the Internet traffic that passes through AT&T's networks. That splitter routes data directly to the NSA.
Some companies have taken things a step further and deliberately weakened or sabotaged their own products to "enable" NSA spying. We don't know who's done this or what they've done, but the NSA documents make clear that it's happening. It's the height of betrayal of the public, and it could conceivably be taking place with the help even of some companies that are loudly complaining about government spying.
So what do we know about major tech companies, like Google, Facebook, Yahoo, and Microsoft? Here we have mixed reports. Documents provided by Edward Snowden and published in the Guardian and the Washington Post name nine U.S. companies - Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple - as participants in the NSA's PRISM program. The documents indicate that the NSA has access to servers at each of these companies, and imply that these companies are complicit in the surveillance of their users.
The companies, in turn, have strongly denied these allegations, and have even formed a lobby group calling on governments to "limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of Internet communications."
While a start, that's a far cry from the role companies could be playing. Tech companies also have the ability to harden their systems to make mass surveillance more difficult, and to roll out features that allow users to easily encrypt their communications so that they are so completely secure that even their service providers can't read them. Perhaps most importantly, technology companies must categorically resist attempts to insert backdoors into their hardware or software.
There's also an important legal issue that can't be ignored. Tech companies are in a unique position to know about surveillance requests that are kept secret from the press and the public. These companies may have the best chance to fight back on behalf of their users in court (as Yahoo has done).
What's more, tech companies literally spend millions of dollars to lobby for laws in Washington and enjoy incredible access to and influence over U.S. lawmakers. Often, companies spend that money trying to derail potential regulation. Instead, these companies could be heavily prioritizing positive surveillance reform bills.
So how do we get tech companies to start fighting surveillance in court, hardening their systems against surveillance, pushing back against the administration, and lobbying for real reform? We're focused on transparency - uncovering everything we can about the degree to which big tech companies are actively helping the government - and public pressure. That means highlighting ways that companies are fighting surveillance and calling out companies that fail to stand up for user privacy.
It's why we're proud to support the Reset the Net campaign, designed to get companies big and small to take steps to protect user data. It's also why we're working to make what companies do and don't do in this area more visible. Campaigns like HTTPS Everywhere and our work on email transport encryption, as well as scorecards like Who Has Your Back, are designed to poke and prod these companies to do more to protect all their users, and get them to publicly commit to steps that the public can objectively check.
We also need to cultivate a sense of responsibility on the part of all those who are building products to which the public entrusts its most sensitive and private data. The people who create our computing devices, network equipment, software environments, and so on, need to be very clear about their responsibility to the users who have chosen to trust them. They need to refuse to create backdoors and they need to fix any existing backdoors they become aware of. And they need to understand that they themselves, unfortunately, are going to be targets for governments that will try to penetrate, subvert, and coerce the technology world in order to expand their spying capabilities. They have a grave responsibility to users worldwide and we must use public pressure to ensure they live up to that responsibility.
2. Create a global movement that encourages user-side encryption
Getting tech giants to safeguard our digital lives and changing laws and policies might be slow going, but anybody could start using encryption in a matter of minutes. From encrypted chat to encrypted email, from secure web browsing to secure document transfers, encryption is a powerful way to make mass surveillance significantly more difficult.
However, encryption can be tricky, especially if you don't have a team of engineers to walk you through it the way we do at EFF. With that in mind, we've created Surveillance Self Defense, an in-depth resource that explains encryption to folks who may want to safeguard their data but have little or no idea how to do it.
Read the full statement on EFF's site.
Game plan for ending global mass surveillance