  • Human Rights
    The Proposed Snowden Treaty: More of the Same Rather than Really Radical
    When I first saw “the Snowden treaty” in a tweet, I thought it was from The Onion. Wrong, and inexcusable for a guy who published The Snowden Reader. In September, Snowden and his supporters announced they are working on a new treaty to address problems his disclosures and experiences as a whistleblower exposed. Far from satire, the proposal is serious, and the proposers earnest. However, taking this effort seriously proves disappointing because what is proposed seems insufficiently radical for the problems advocates of a Snowden treaty identify. The proposal’s formal title is “International Treaty on the Right to Privacy, Protection against Mass Surveillance, and Protection of Whistleblowers.” The idea came from David Miranda, the partner of Glenn Greenwald, the journalist who helped Snowden. Previously, the UN Special Rapporteur for the Right to Privacy, Joseph Cannataci, identified a potential need for a “Geneva Convention-style” agreement in the wake of Snowden’s revelations. Miranda is working with privacy advocates and lawyers to produce a treaty text Miranda promises will be “a bulletproof document.” The text has not been released yet, but it has been shared with Snowden, “a handful of sympathetic governments,” and Pope Francis. According to a summary, the treaty will reaffirm privacy as a fundamental right, outlaw mass surveillance, and protect whistleblowers. To achieve these goals, the treaty will contain obligations (e.g., no mass surveillance) and mechanisms (e.g., oversight) to monitor and improve compliance. Advocates claim the treaty responds to “real demand” from “the global public,” but they acknowledge adoption will be hard, with many people dismissing it as wildly idealistic. Yes, it is unlikely a U.S. president would negotiate and the Senate consent to a Snowden Treaty. But glib punditry won’t faze the effort. More telling are problems with the proposal on its own terms. 
Snowden argued that the mass surveillance he disclosed violated international law on privacy in the Universal Declaration of Human Rights and human rights treaties. Similar assertions appear concerning the Snowden treaty. So, if existing treaties and other international documents already recognize privacy is a fundamental right and outlaw mass surveillance, why the need for a new treaty that does the same thing? The existing treaties don’t work? So, the answer is to choose the same strategy, a treaty, to protect the same right? How would a Snowden treaty fare any better? Why would states, which—according to Snowden’s supporters—don’t abide by existing treaties, now decide to respect one that enshrines privacy as a fundamental right and outlaws mass surveillance? How will the same legal strategy to protect the same right yield different results with the same states? These questions can’t be dismissed by claiming the Snowden treaty will be different because, based on what is available, nothing different is proposed. The goal is a treaty negotiated, agreed, ratified, and implemented by states, just like existing treaties. The proposed treaty will re-affirm privacy as a fundamental right, so it is doing nothing new with this right, even in terms of mass surveillance in the digital age. These questions might have answers if the Snowden treaty innovates with the right to privacy rather than simply reaffirming existing international law. Changing the right would mean existing treaties are not sufficient and a new agreement would have a clear rationale. The proposal states the treaty will contain stronger whistleblower protections than international law presently recognizes—a change treaty law could, in theory, advance. But, tweaking the right to privacy to address what Snowden disclosed would suggest his disclosures did not, as claimed, reveal clear violations of international law. Perhaps innovations will appear in compliance and implementation mechanisms. 
The proposal promises the treaty will require states to establish independent supervision of surveillance activities and periodically review these activities. Any country can, right now, adopt such measures without a Snowden treaty. But, according to Snowden, “around the world governments are aggressively pressing for more power, more authority, more surveillance rather than less.” How do we get innovative, robust compliance and implementation procedures from governments not interested in them? This predictable problem explains why oversight mechanisms in human rights treaties are notoriously weak. Put another way, states can riddle bulletproof documents with holes because they, not privacy advocates, write treaty rules. Oddly, the Snowden-treaty movement wants us to traipse, once again, into this cul-de-sac. Most surprisingly, the Snowden treaty seems very un-Snowden. For many, the power of Snowden’s rallying cry for privacy in the digital age comes from his challenge to established rules and processes and the impact this defiance has had. This example calls for more than believing states will, this time, adopt an effective treaty. So, for @Snowden: Why a treaty? Why not something more radical, like a Snowden Charter—an accord among civil society, consumers, and technology companies to confront governments and confound mass surveillance through, among other things, continuing to expand encryption in our digital lives?
  • Europe and Eurasia
    The U.S. Government Largely Has Itself to Blame for the EU Court’s Safe Harbor Decision
    Alan Charles Raul is a partner in the Privacy, Data Security and Information Law practice of Sidley Austin LLP. You can follow his group at datamatters.sidley.com. In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government and not just the EU for letting this mess happen. The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States. The CJEU followed a recommendation of its Advocate General that assumed, without any facts or analysis, that NSA surveillance under section 702 is massive and "indiscriminate." Without the opportunity to receive any evidence or argument from the U.S. government, any U.S. company, or any amicus filing a brief on behalf of the United States, the CJEU decided that the EU’s executive branch, the Commission, had improperly determined that the U.S. Safe Harbor assured EU citizens an "adequate" level of privacy and data protection.
This finding was necessary because the EU prohibits sending personal data to a non-EU country that does not provide "adequate" protection, which the CJEU understood as requiring the third country in fact to ensure, “by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” Accordingly, a company needing to send its HR data or customer records to the United States requires an EU-approved mechanism to legitimate transfers of the personal data across the Atlantic. Until yesterday, companies could certify to comply with the fundamental privacy principles worked out in the Safe Harbor framework in 2000 between the US Department of Commerce and the EU Commission. Participating companies must also agree to submit to the enforcement jurisdiction of the Federal Trade Commission in the event of non-compliance with those principles, making their commitments legally binding. Other than Safe Harbor, U.S. companies can transfer data pursuant to certain EU-approved data transfer contracts, which can be implemented even between offices of the same multinational in different countries, or by adopting so-called Binding Corporate Rules where a company agrees to self-impose EU privacy standards for transfers of EU data throughout the company’s global operations. International data transfers are also allowed if EU citizens are informed and freely consent to the transfer of their data. The rationale for the CJEU’s invalidating the Safe Harbor is not really clear. The CJEU was apparently not required to, and did not, conduct any analysis of U.S. law, let alone review the statute authorizing NSA collection of foreign intelligence material under section 702. Accordingly, the CJEU merely assumed, and did not actually rule (or even consider) whether the PRISM program of concern to Mr. Schrems was indeed indiscriminate or unjustified. 
If the CJEU had examined that statute, it would have found checks and balances, including judicial oversight, more rigorous than controls on government surveillance in most if not nearly all other countries, including EU member states. Even beyond the requirement for judicial approval, the Attorney General and Director of National Intelligence must both certify that the NSA surveillance involves obtaining foreign intelligence information, is subject to rigorous minimization procedures to avoid excess collection, and is a collection that requires the assistance of an electronic communication service provider. After such detailed authorization, the Department of Justice Inspector General and the relevant intelligence community Inspector General must investigate and report on the surveillance practices, and the relevant intelligence agency must provide an annual report to the House and Senate Intelligence Committees, and also to the House and Senate Judiciary Committees. The Privacy and Civil Liberties Oversight Board (PCLOB), now a fully independent, free-standing institution of the federal government, is another oversight body authorized to investigate and assess these national security surveillance practices. In fact, the PCLOB concluded that the Prism program “consists entirely of targeting specific persons about whom an individualized determination has been made”—hardly indiscriminate surveillance. Significantly, the PCLOB has specifically asserted its role and authority to assess the impact of such surveillance on non-U.S. persons. In its 2014 report to Congress, the PCLOB addressed the issue head on, noting that many of the “applicable protections that already exist under U.S. surveillance laws apply to U.S. and non-U.S. persons alike” and that it will contribute to President Obama’s effort to add additional privacy protections for non-U.S. persons.
So how could the CJEU be unaware of the extensive certifications, checks, balances, judicial approval and independent oversight applicable to the national security surveillance in question? The answer is that the U.S. government simply does not defend or even explain how the privacy system works—neither with respect to national security privacy issues, nor with respect to commercial privacy regulation. The President has designated no one to be in overall charge of coordinating these issues government-wide and to serve as a senior public spokesperson with responsibility to communicate effectively on privacy to foreign and domestic constituencies. Accordingly, it is no wonder that the CJEU made no real effort (indeed no effort at all) to understand the significant protections built into the U.S. system, even for foreigners. Another recent example of the negative consequences of having no White House privacy coordinator is that the Department of Justice was left free to serve a search warrant in 2014 on Microsoft to compel disclosure in the US of one of its customers’ communications that were stored in Ireland. With no senior policy person to tell DOJ how much damage this would cause to the United States’ international privacy reputation, the fallout has been highly damaging to global respect for the U.S. privacy and data protection regime. The data the DOJ seeks could have been readily obtained from Ireland using the Mutual Legal Assistance Treaty process. In sum, the sky may not fall with the (perhaps temporary) collapse of the Safe Harbor. EU officials have indicated they are determined to protect transatlantic data flows, and are likely to find a way to enhance the Safe Harbor in the future and acquiesce in short-term workarounds. In the meantime, companies can also sign data transfer contracts between their subsidiaries, or look to individual consent and other mechanisms for legitimating the transfer of personal data to the US.
And while the CJEU’s decision in the Schrems case was neither logical nor informed, the US government needs to do a much better job of explaining (and defending) U.S. privacy and data protection laws so this sort of mess doesn’t happen again.
  • Europe and Eurasia
    The Implications of the European Safe Harbor Decision
    The European Court of Justice (ECJ) invalidated the Safe Harbor framework between the United States and the European Union that, for the past fifteen years, has enabled the movement of Europeans’ data across the Atlantic. As the business community seeks clarification about what rules will apply going forward, both the White House and the European Commission promised that they will continue work on a new agreement. The case began in 2013 when Austrian law student Max Schrems complained to the Irish data protection commissioner that his Facebook data was inadequately protected when it moved to U.S. servers, citing Edward Snowden’s leaks about widespread NSA surveillance. The Irish commissioner rejected Schrems’s complaint on the grounds that the European Commission had determined in 2000 that the Safe Harbor framework adequately protected EU citizens’ data. On appeal, the Irish High Court referred to the ECJ the question of whether a national data protection authority is bound by the Commission’s finding. Yesterday, the ECJ ruled the Safe Harbor agreement invalid because it places “national security, public interest or law enforcement requirements” over privacy principles. The court found that the European Commission had approved the pact without making a determination that U.S. law provides adequate privacy protection for European citizens. It also ruled that each data protection authority in the European Union may examine whether a transfer complies with EU privacy rules and, if it deems that it does not, raise the issue with its national court that can then refer it to the ECJ for a ruling. However, the ECJ made clear that only it can issue a final determination that a country does not offer “adequate” protection for personal data. What are the implications of the decision? First, U.S. and EU negotiators will attempt to put Humpty Dumpty back together again by updating the Safe Harbor framework. 
Both sides have been renegotiating the agreement since the Snowden revelations. Negotiators were reportedly close to an agreement when they got wind of the breadth of the upcoming ECJ decision. The Commission may now attempt to use the decision to gain more leverage in these negotiations. However, Congress is already considering bipartisan legislation that would provide U.S. Privacy Act protections to European citizens. Second, the spotlight is now on European national data protection regulators. In addition to their new ability to examine data transfers, they have a role approving other mechanisms companies may deploy to replace Safe Harbor, including binding corporate rules for intra-company transfers of personal data. In a number of EU countries, national regulators also have the power to confirm whether model clauses are being used to transfer personal data to the United States and other third countries. Today, many of these national authorities have backlogs of several months. It is unclear if they will order suspension of transfers of personal data to the United States under model clauses arrangements until they work through what would surely become a much bigger backlog. Third, this decision is a direct fallout of Edward Snowden’s revelations of NSA surveillance. Experts within and outside the U.S. government have argued that the ECJ based its ruling on erroneous factual assumptions regarding the nature and oversight of U.S. surveillance. Moreover, they note that the United States provides adequate privacy protections, especially in comparison to European countries many of which have no independent data protection oversight of law enforcement and intelligence surveillance. The ECJ also based its decision on a 2013 European Commission report on U.S. surveillance, parts of which are outdated given U.S. surveillance reforms spurred by President Obama’s 2014 executive order. 
Robert Litt, general counsel for the Office of the Director of National Intelligence, wrote an opinion piece for the Financial Times before the ruling to argue that the surveillance program at issue in the ECJ’s decision “does not give the U.S. ‘unrestricted access’ to data.” Meanwhile, privacy advocates are citing the decision to prod Congress to engage in much broader reform of U.S. surveillance programs. Jens-Henrik Jeppesen, director of European affairs for the Center for Democracy and Technology, for example, said “There is a clear need for the U.S. and Europe to set clear, lawful and proportionate standards and safeguards for conducting surveillance for national security purposes.” In the end, the ECJ’s willingness to invalidate the Safe Harbor framework underscores the unpredictable outcomes of the proposed reforms to European data protection regulation, new intra-European tax rules on digital goods, or the competition cases involving U.S. tech giants. Europe appears willing to act to protect its interests even if it means upsetting established business conventions.
  • Cybersecurity
    Cybersecurity on the Campaign Trail: Five Predictions for 2016
    Brett Ekberg is a research associate in the Digital and Cyberspace Policy Program at the Council on Foreign Relations. There might be 435 days before Election Day, but the 2016 presidential campaign is well under way. With both the Republican and Democratic fields largely solidified, the twenty-two candidates have begun to lay out their policies and make their cases for why they should be commander-in-chief. While jobs and the economy have dominated the campaign, this election cycle could see cybersecurity play its largest role yet. Recent events like the hacks of Sony Pictures, Anthem and the Office of Personnel Management have brought the issue to public attention, and presidential hopefuls are being asked how their administrations would defend America’s interests in cyberspace. The candidates generally agree that the next occupant of the Oval Office will spend an increasing amount of time working on cybersecurity, but no candidate has offered specific policy ideas. Here are five predictions on how cybersecurity could play out on the campaign trail prior to election day:

1. The rhetoric against China will continue, and escalate
While we likely won’t see Lincoln Chafee demand that Xi Jinping tear down the Great Firewall, we should expect to see many of the candidates continue their anti-China rhetoric, particularly if future data breaches are linked to the country, confirmed or otherwise. Republicans blamed the president’s “weak” China policy for the recent OPM hack and were quick to demand that the administration respond. Among Democratic candidates, Hillary Clinton has taken the toughest stance on China’s actions in cyberspace, accusing the Chinese of “trying to hack everything that doesn’t move in America.” In a presidential election where Republican voters have named national security their top concern, and where Democrats may see speaking out against China as a way to counter GOP rhetoric that their party is weak on that issue, it would be a surprise to see a candidate soften his or her language prior to November 2016.

2. Privacy advocates won’t see the debate they’d like
Few of the leading candidates, Democrat or Republican, have made privacy concerns a central issue. Of the twenty-two declared candidates, only four—Rand Paul, Ted Cruz, Bernie Sanders and Lincoln Chafee—have embraced the privacy debate as part of their campaign, and none looks likely to be the nominee for either party. On the right, Senator Paul’s poll numbers are slipping and he has struggled to fundraise. Ted Cruz is polling better, but is not as strongly opposed to government surveillance programs. Jeb Bush, Marco Rubio and other leading Republicans generally support the NSA and its programs. On the left, Lincoln Chafee, according to some polls, has zero support. Bernie Sanders, who is polling much better, has said he supports “dismantling” NSA programs, but has not elevated privacy as a central issue. Mrs. Clinton endorsed USA Freedom in May, but hasn’t taken an explicit position on what she views as the proper balance between surveillance and security. With the leading privacy advocates struggling to make headway, privacy issues will likely take a backseat through 2016.

3. Candidates will back stronger offensive cyber measures
Most of the talk on the campaign trail so far has been about defense. Candidates have stressed the need to improve the country’s ability to secure critical networks and defend corporations from cyberattacks, but there has been only limited discussion of offensive capabilities. The Obama administration’s recent decision that “it must retaliate” against the perpetrator of the recent OPM hack looks set to change that. With the idea of deploying offensive capabilities gaining traction in Washington, it is likely only a matter of time before it reaches the campaign trail. The broadness of the issue and the range of offensive responses will allow for some space between positions, making it an issue where candidates can potentially differentiate themselves from their opponents. Backing offensive cyber measures should also appeal to voters: a recent poll by Vormetric, a data security firm, found that ninety-two percent of Americans believe “action against a nation-state is necessary following a data breach.”

4. Hackers will target campaign websites
Beyond crafting cybersecurity policy, candidates should focus on the security of their campaign operations as well. During the 2008 election, both the Obama and McCain campaigns were hacked by the Chinese government. Republican vice presidential candidate Sarah Palin had her email broken into that year as well. China reportedly targeted presidential candidates again in 2012, hacking both the Obama and Romney camps. While the 2008 and 2012 attacks targeted campaign computers and databases, in 2016 the candidates’ donation pages could also be targeted. With campaign websites now being “used more as tools to raise money,” often via credit card, they make for potentially lucrative targets.

5. Cyber becomes a stand-alone issue
In a 2013 Washington Post article, Dominic Basulto asked, “When will cybersecurity become a major campaign issue?” The answer could be 2016. Cybersecurity is often thought of as a part of defense policy or of intelligence policy, and that’s still more-or-less where it fits now. But with the number of hacks likely to increase, and sectors like health insurance, airlines and cars becoming targets, cybersecurity could make the jump into the 2016 mainstream. It will never top the economy in an issue poll, but as our interconnectedness and exposure increase in tandem, voters would be right to expect their presidential candidates to defend against, and respond to, their cybersecurity concerns.
  • Digital Policy
    Can the TPP Launch a New Era of Governance For Digital Commerce?
    With Congress passing trade promotion authority, negotiation of the Trans-Pacific Partnership (TPP) agreement is entering its final stages. In the authorizing legislation, Congress recognized “the growing significance of the Internet as a trading platform in international commerce” and instructed President Obama to achieve objectives concerning digital trade in goods and services and cross-border data flows. The Obama administration wants “digital trade rules-of-the-road” in the TPP agreement. These rules could mark a turning point in the global governance of digital commerce. The importance of digital technologies to trade has grown without multilateral rules keeping pace. The World Trade Organization (WTO) is the main source of multilateral trade agreements, but it was established before the Internet transformed how companies produce, sell, and deliver products and services. In a 1998 declaration, WTO members agreed not to impose customs duties on electronic transactions and recognized the need to address e-commerce directly. However, the WTO’s e-commerce work program has not progressed much because WTO members disagree on various issues. Without multilateral progress, countries have addressed e-commerce in bilateral and regional trade agreements. Since the WTO’s creation, the United States has negotiated nine bilateral agreements and one regional pact that contain e-commerce chapters. These agreements are not identical in their e-commerce provisions, but common features include rules that:
    • Affirm that the agreement’s rules on trade in services apply to services supplied or performed electronically;
    • Prohibit customs duties, fees, or other charges on the importation or exportation of digital products; and
    • Treat digital products in a non-discriminatory and transparent manner.
These types of provisions ensure that digital goods and services benefit from traditional international rules that liberalize trade through increased market access, non-discriminatory treatment, and transparent laws and procedures. But, over time, the agreements reveal increasing interest in issues specifically associated with e-commerce. While the U.S.-Chile agreement (which Congress approved in 2003) only contains the traditional rules described above, the U.S.-Korea agreement (which entered into force in 2012) also includes provisions on electronic authentication and signatures, online consumer protection, access to and use of the Internet for e-commerce, and cross-border information flows. The U.S. e-commerce agenda for the TPP reflects this trajectory because it seeks to apply traditional disciplines (e.g., non-discrimination) and adopt specific e-commerce provisions, including rules that ensure cross-border data flows over a single, global Internet and that restrict data-localization requirements. TPP parties have not released a draft of the e-commerce chapter, nor has Wikileaks disclosed it, as it did TPP’s intellectual property and environment chapters. A Wikileaks-released document dated November 2013 described TPP-country negotiating positions under the e-commerce chapter on, for example, non-discriminatory treatment of digital products, cross-border data flows, and data-localization requirements. These issues reflect the U.S. desire for expanded e-commerce governance, even if toward the end of 2013 consensus did not exist and the United States was alone in reserving its position on, rather than accepting, privacy obligations as a limitation on cross-border data flows. With TPP countries accounting for forty percent of the world’s economy, the TPP agreement will constitute a major trade governance instrument. 
But it will also affect negotiations in the WTO, U.S.-EU talks on the Transatlantic Trade and Investment Partnership (TTIP), and efforts on regional and bilateral trade agreements. Much as NAFTA’s conclusion in 1994 influenced subsequent trade negotiations, the TPP agreement could be seminal in shaping trade governance, including on rules for digital commerce. The TPP’s e-commerce provisions are important for reasons beyond trade. For many, the TPP is strategically important for U.S. efforts to counter China’s growing influence. Such considerations include U.S. interests in advancing an open, globally accessible Internet as a counterweight to China’s emphasis on subjecting cyberspace to national sovereignty. The TPP’s impact will depend on the rules ultimately agreed. Rules fostering cross-border data flows will probably reflect countries’ interests in protecting privacy. The agreement might allow data localization requirements through (1) "negative list" carve-outs for certain information (e.g., health records) and/or (2) exceptions that permit localization for legitimate purposes and which do not create unnecessary restrictions on cross-border data flows. Negotiators also have to decide whether e-commerce rules will be subject to the agreement’s dispute settlement provisions, including the proposed investor-state dispute settlement procedure. At the strategic level, whether the United States can generate sufficient support for e-commerce rules that maximize the Internet’s potential to support commerce might depend, among other things, on how Snowden’s revelations still affect policy thinking in TPP countries about the dominance of U.S. companies in e-commerce and the need to protect information from flowing outside national borders, where it is more vulnerable to foreign law enforcement and intelligence agencies. 
We might not have to wait long to learn whether the TPP agreement will start a new era of governance for digital commerce and for trade’s strategic importance in world politics. Trade ministers for TPP countries are meeting this week to resolve differences and are reportedly scheduled to hold a press conference on July 31 on the status of the negotiations.
  • Terrorism and Counterterrorism
    Legislative Proposals on Terrorist Use of Social Media Raise Policy and Legal Questions
    On June 16, the House of Representatives passed an Intelligence Authorization Act for Fiscal Year 2016, which requires the Director of National Intelligence (DNI) to produce a report on terrorist use of social media (Section 344). On July 7, the Senate Select Intelligence Committee approved an intelligence authorization bill that does not include the House bill’s mandate for a DNI report but does require social media companies to report terrorist activity to the federal government (Section 603). These proposals are new developments in the growing efforts to counter terrorist use of social media.

The House Requirement for a DNI Report
The House bill requires the DNI to produce a report containing the "assessment of the intelligence community on terrorist use of social media." The report must assess:
    • What role social media plays in radicalization in the U.S. and elsewhere;
    • How terrorists and terrorist organizations use social media;
    • The intelligence value of social media posts by terrorists; and
    • The impact on U.S. national security of terrorist content on social media for fundraising, radicalization, and recruitment.
This proposal connects to efforts to understand terrorist use of social media, its national security implications, and ways to counter it. Legislative interest in the intelligence community’s assessment of these issues is understandable, but controversies about, for example, the role social media plays in radicalization, will heighten scrutiny of the intelligence community’s conclusions. Depending on what it contains, the DNI’s report could increase congressional interest in regulating social media for counter-terrorism purposes—another reason such a report could be consequential.

The Senate Requirement for Social Media Company Reporting
The bill approved by the Senate Intelligence Committee requires anyone who "obtains actual knowledge of any terrorist activity" while providing electronic communication or remote computing services to the public through means of interstate or foreign commerce to provide federal authorities with "the facts or circumstances of the alleged terrorist activities." This requirement directly regulates social media providers and raises more questions and policy implications than the House mandate for a DNI report. The provision does not define "terrorist activity," beyond requiring reports of activities touching on the federal crime of "distribution of information relating to explosives, destructive devices, and weapons of mass destruction" (see 18 USC sec. 842(p)). Without parameters, companies could interpret "terrorist activity" differently, creating under-reporting (which would harm the purpose for reporting) and over-reporting (which would create privacy and free speech concerns). To protect privacy, the provision states that it may not be construed to require a provider to monitor users, subscribers, or customers or the content of their communications. Although social media providers do not have to conduct active surveillance, the provision does not address privacy or free speech worries associated with reporting communications to the federal government (my recent Cyber Brief provides some guidance on these issues). Further, the provision does not specify what federal agencies (FBI, DHS, NSA, CIA) should receive reports because it assigns that responsibility to the Attorney General. Nor does the provision say anything about what agencies can do with submitted information. Thus, the provision raises concerns similar to those advocates of civil liberties have raised about proposed cybersecurity legislation designed to increase information sharing between the private sector and the federal government.
News reports raise questions about the purpose of the reporting requirement. Senator Diane Feinstein, a member of the Senate Intelligence Committee, argued that "social media companies should be working with the government to prevent the use of their systems by violent militants." The Washington Post quoted an unnamed Senate aide who indicated the provision seeks to stop companies from removing content related to terrorism without informing the federal government in order to avoid losing potentially valuable intelligence. Reuters quoted "an official familiar with the bill" stating that its "main purpose was to give social media companies additional legal protection if they reported to the authorities on traffic circulated by their users." Legislation can serve multiple objectives, but, given sensitivities about tech companies providing information to the federal government, clarity on the purposes of this proposed regulation is critical. The provision leaves other questions unanswered. What happens to a social media provider that does not report terrorist activity of which it is aware? What oversight is needed to monitor reporting terrorist activity on social media to the federal government? How will such regulation be perceived by foreign customers of U.S. companies who are, post-Snowden, upset about the U.S. tech sector’s cooperation with, and vulnerability to, the U.S. government? Does the requirement apply to foreign companies that, in providing communication or computing services, access facilities or means of foreign or interstate commerce? The House and Senate proposals demonstrate intensifying concern in Washington, D.C. about terrorist use of social media, with the Senate bill containing the first attempt to require social media companies to support the federal government’s fight against digital terrorism. 
Although neither bill is close to becoming law at the moment, what happens next bears watching for national security, civil liberties, and business reasons.
  • Europe and Eurasia
    The Policy Implications of Hacking the Hacking Team
    The irony of Hacking Team—an Italian company that sells surveillance software—being hacked (or as Wired put it, “disemboweled”) is delicious, especially given Hacking Team’s denials it sold to governments with notorious human rights records. Hacking Team still insists it broke no laws and has behaved ethically. Whether Hacking Team survives remains to be seen, but this episode’s importance extends beyond one company. What the hack revealed touches on important policy issues.

Cyber Surveillance Tools and Sanction Regimes

The disclosed materials indicate Hacking Team sold its wares to the Sudanese government and a state-owned Russian company that produces military radar. Marietje Schaake, member of the European Parliament, argues that the sale to Sudan violates sanctions imposed by the UN Security Council—sanctions implemented through EU law. Schaake also states that the sale to the Russian company appears to violate EU sanctions imposed in response to Russian activities in Ukraine. Whether Hacking Team violated these sanctions I leave for others to decide, but the accusations suggest that future sanction regimes should explicitly cover the type of surveillance tools Hacking Team sold. In March 2015 correspondence, the UN Panel of Experts involved in monitoring the Sudan sanctions stated that Hacking Team’s software “may potentially” fall within the prohibited categories of “military equipment” or “assistance” related to prohibited items. This less-than-definitive phrasing invites questions about the interpretation of the UN sanctions. Such questions can be avoided in the future by including surveillance software within the scope of prohibitions imposed by UN sanctions.

Wassenaar Arrangement Rules on Intrusion Software

The Hacking Team disclosures focus new attention on rules adopted in December 2013 that subjected intrusion software to the Wassenaar Arrangement, an export-control regime for dual-use technologies involving forty-one countries. As Kim Zetter noted, this change sought “to restrict the sale and distribution of computer surveillance tools to oppressive regimes,” though some argue it could chill cybersecurity research. Experts identified Hacking Team products as falling within these new rules. However, revelations that Hacking Team’s customers included countries with poor human rights records reinforce why the Wassenaar regime included intrusion software. The episode gives momentum to the Wassenaar approach of regulating cyber surveillance companies. While the momentum does not resolve the security research community’s concerns, the incident strengthens the position of governments and human rights groups interested in more regulation in this area.

The Future of Lawful Hacking

Hacking Team’s clients include not only repressive governments but also government agencies in democracies, including EU members and the United States, which connects the disclosures with controversies about “lawful hacking.” In June 2015, Senator Charles Grassley, Chair of the Senate Judiciary Committee, wrote to FBI Director James Comey seeking information about the FBI’s use of spyware, the legal justification that authorizes deployment of such software, and whether the FBI has purchased spyware from, among others, the Hacking Team. The disclosure that the FBI has been a Hacking Team customer will intensify scrutiny of its use of hacking in criminal investigations. The same might occur in other countries where government agencies are listed as Hacking Team clients, such as Australia, Chile and Mexico. This trajectory will increase tensions building between government interest in exploiting digital technologies for law enforcement and advocates for privacy and other civil liberties.

International Human Rights in the Digital Age

The nature of Hacking Team’s products and the global scale of its sales make the leaked information important for international human rights. Concerns about the threat government surveillance poses to the use of digital technologies existed prior to the Hacking Team disclosures. But, like the Snowden leaks, these disclosures will heighten worries that governments are engaging in surveillance that violates human rights. In response to the disclosures, the UN Special Rapporteur on the Right to Freedom of Opinion and Expression tweeted that the documents revealed the depth and extent of digital attacks on civil society and underscored the importance of encryption and anonymity. The disclosures will also be important to the work of the newly appointed UN Special Rapporteur on the Right to Privacy.

Making It Too Easy for Authoritarian Regimes

Hacking Team might go out of business, but its demise would not affect how authoritarian governments behave. Much like Snowden’s leaks, the Hacking Team contretemps reinforces their perceptions of the hypocrisy of democracies. They can easily point out double standards: multiple U.S. government agencies are clients of a company that sells to a Sudanese regime accused of genocide, even after the Hacking Team has been credibly accused of doing business with Sudan and other repressive governments? And it takes another spectacular criminal act to expose gaps between rhetoric about Internet freedom and the reality of governmental and private-sector behavior? Authoritarian governments do not need the travails of democracies to harness digital technologies for repression, but the democratic world’s struggles with these disruptive technologies are giving cyber repression too much space to metastasize.
  • Cybersecurity
    The Brazil-U.S. Cyber Relationship Is Back on Track
    Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.

Brazilian President Dilma Rousseff was in Washington D.C. this week to meet with President Obama. The trip came two years after she had famously cancelled a state visit in 2013 in protest following allegations that the NSA had spied on Brazil and Rousseff personally. At the time, the Brazilian president was very public and vocal in her denunciations, calling the espionage "manifestly illegitimate" and expressing her outrage at the United Nations. While the U.S.-Brazil cyber relationship hit the rocks in the immediate aftermath of the Snowden disclosures, it seems like time and some deft diplomacy have helped patch things up. At this year’s Summit of the Americas, Rousseff indicated that she’s moved on. Things have improved so much in fact that the Rousseff-Obama joint communiqué dedicated five paragraphs to Internet issues. Most importantly, both leaders have agreed to resume the Brazil-U.S. cyber working group. The five paragraphs read:

    The United States and Brazil share the understanding that global Internet governance must be transparent and inclusive, ensuring full participation of governments, civil society, private sector and international organizations, so that the potential of the Internet as a powerful tool for economic and social development can be fulfilled.

    Both countries acknowledge the agenda approved by Netmundial conference (São Paulo, April 2014) as a guide for discussions regarding the future of the global internet governance system.

    Both countries reaffirm their adherence to the multistakeholder model of Internet governance and, in this context, reaffirm their commitment to cooperate for the success of the Tenth Internet Governance Forum (João Pessoa, November 10 to 13, 2015), and extension of the IGF mandate.

    Likewise, they reaffirm their interest in participating actively in the preparatory process of the High-Level Meeting of the UN General Assembly for the Ten-Year Review of the WSIS outcomes, to be held in New York in December 2015.

    Bilateral cooperation on cyber issues will be resumed by the convening of the Second Meeting of the Working Group on Internet and Information and Communications Technology in Brasilia in the second semester. The meeting will offer the opportunity of exchanging experiences and exploring possibilities for cooperation in a number of key areas, including e-government, the digital economy, cybersecurity, cybercrime prevention, capacity building activities, international security in cyberspace, and research, development, and innovation.

The resumption of the working group is significant. While the United States and Brazil don’t always see eye-to-eye on cyber issues—particularly on the Internet governance front—they recognize the importance of an un-fragmented and open Internet. That makes them important allies to push for a renewal of the IGF’s mandate and adherence to the multistakeholder model in the face of opposition from countries that question its worth. It will also help both countries coordinate their negotiating positions in the run up to the negotiation of the WSIS+10 outcome document, expected to be issued later this year, where the usual suspects are likely to push for a greater decision-making role for UN institutions in Internet governance. While some may be calling out Rousseff for flip-flopping, the resumption of the working group is unequivocally a good thing for the prospects of an open, global Internet.
  • Cybersecurity
    Taking Stock of Snowden’s Disclosures Two Years On
    Last Friday marked the second anniversary of the start of Edward Snowden’s disclosures. The days preceding this anniversary highlighted Snowden’s continued prominence. On June 1, Section 215 of the USA PATRIOT Act—the legal basis for the domestic telephone metadata surveillance program Snowden revealed—expired. On June 2, the Senate passed and President Obama signed the USA FREEDOM Act, which the House of Representatives previously approved. This legislation transforms how the U.S. government will access domestic telephone metadata for foreign surveillance. On June 4, the New York Times published a story based on Snowden-disclosed documents claiming the NSA secretly expanded “Internet spying at the U.S. border.” Also on June 4, Snowden published an op-ed claiming that “the world says no to surveillance.” It was a good week for Snowden. But has it been a good two years for the rest of us?

Section 215 and the Domestic Telephone Metadata Program

Snowden’s signature achievement involved exposing what the U.S. government did under a secret interpretation of Section 215. He defended the principle that the government should not exercise power under secret laws. Although oversight bodies found no NSA abuses, this conclusion did not overcome the rule-of-law defect Snowden emphasized. However, Snowden’s challenge was not the only factor in Section 215’s death. The metadata program was ineffective as a counter-terrorism tool, which led some in the intelligence community to welcome its demise. Had the program contributed to foiling terrorism, its utility might have overcome the taint of its secret jurisprudence.

Section 702 Surveillance Against Foreign Targets

Snowden also exposed programs operated under Section 702 of the Foreign Intelligence Surveillance Act (FISA). For example, the Times article on June 4 used Snowden-provided documents to disclose that the U.S. government began conducting surveillance for malicious cyber activities suspected to originate from foreign governments. Section 702 authorizes surveillance against foreign governments, so the cyber surveillance fits within this legal authority. The NSA was interested in conducting cybersecurity surveillance without identifying a foreign target. Such a step might have secretly expanded Section 702, but the Department of Justice blocked the idea. Like Snowden’s other Section 702 revelations, this disclosure did not reveal secret activities that break the law or abuse legal authority. Instead, Snowden’s disclosures provided transparency about Section 702 programs. Information released by the intelligence community and contained in oversight reports brought even more transparency. Controversies about the scope of Section 702 surveillance, the scale of incidental collection of communications of non-targeted persons, and government uses of incidentally collected information existed before Snowden came along. The new transparency rekindled these controversies, but also revealed how valuable Section 702 surveillance is to the U.S. government. President Obama imposed additional restrictions on U.S. government use of incidentally collected information but did not curtail the surveillance. Congress has not, so far, amended Section 702. At the two-year mark, Snowden’s impact concerning Section 702 is less definitive. Section 702 surveillance continues with robust support, leaving advocates of civil liberties lamenting the lack of curtailment of these programs. Further, the new restrictions on the use of incidentally collected information have not placated domestic opponents or foreign governments and nationals. In many ways, pre-Snowden debates about Section 702 continue because the transparency Snowden triggered provides all sides with ammunition.

The Global Context

Snowden intended to spark global debate by framing expansive surveillance and espionage as threats to universal human rights. His June 4 op-ed claimed a “change in global awareness” is underway and “the balance of power is beginning to shift.” However, the gap between these claims and reality is great, suggesting his impact globally has been weak, if not counterproductive. The latest Freedom on the Net survey does not support Snowden. Between May 2013 and May 2014 (roughly the first year of his disclosures), Internet freedom declined “for the fourth consecutive year, with 36 out of 65 countries assessed . . . experiencing a negative trajectory[.]” Little has happened since May 2014 to suggest this trend has been reversed. Increased surveillance by many states, including democracies, contributed to this trajectory’s momentum. For example, governments in France, Turkey, and the United Kingdom said “yes” to increased surveillance. In the midst of this decline, Snowden damaged the U.S. government’s international standing, created rifts among democracies, and harmed U.S. technology companies. The Snowden-triggered move by tech companies toward stronger encryption pits democratic governments against the private sector and civil society in a looming zero-sum brawl. Meanwhile, unperturbed by Snowden, autocratic countries exploit the disarray within and among democracies, bash the hypocrisy of Internet freedom’s champions, conduct intrusive surveillance at home and abroad, and strengthen their manipulation, control, and censorship of digital communications. Given these facts, the UN resolution on the right to privacy in the digital age, which represents global progress for Snowden, does not reflect consensus among states on the relationship between surveillance and human rights. An unprincipled but ineffective program is dead. Long-standing controversies about large-scale surveillance programs targeting foreigners continue.
Government surveillance powers are increasing, democracies are bitterly divided, and Internet freedom is in retreat. Whether these outcomes mean we have, as a country and an international community, reached a better place is hotly debated—a reminder that history’s arc is longer than two years.
  • Intelligence
    The Messages the Federal Court of Appeals Sent to Congress and the Executive Branch on Metadata Surveillance
    Last week, a federal appeals court ruled that Section 215 of the PATRIOT Act does not authorize the NSA’s telephone metadata surveillance program. Since Edward Snowden disclosed it in June 2013, the program has been so controversial that its fate has taken on historic significance. The decision in American Civil Liberties Union v. Clapper arrived as Congress must decide whether to reform the program, continue it by re-authorizing Section 215, or let Section 215 expire on its June 1 sunset date. The judgment provided the program’s defenders and critics with ammunition in this debate. Moreover, the court, through its decision, seems to be sending the political branches explicit constitutional messages about what should happen next.

Troubling Aspects of the Decision

This case began in August 2013 when the ACLU filed suit in response to the program’s disclosure. In December 2013, a federal district court denied the ACLU’s request for a preliminary injunction, reasoning that federal law precluded judicial review of Section 215 and the program did not violate the Fourth Amendment. The appeals court overruled the district court. It decided Congress did not preclude judicial review of Section 215, and it held Section 215 did not authorize bulk collection of telephone metadata because this activity was not, and could not reasonably be interpreted as being, relevant to authorized counter-terrorism investigations. The court did not issue a Fourth Amendment ruling. Nor did it grant the preliminary injunction the ACLU sought. Commentary on the appeals court’s decision has mostly focused on whether the court was legally correct or persuasive and what impact the decision might have on Capitol Hill. However, the decision has troubling features that have received less attention but deserve examination. To begin, the court compared the firestorm over the program to scandals in the 1970s concerning surveillance within the United States. Like federal courts did in the 1970s, it held that the phone metadata surveillance program was illegal. Yet, in not issuing an injunction, the court allowed the program to continue because of the “national security interests at stake.” Under constitutional law, surveillance should have a legal basis. After the court’s interpretation of Section 215, that basis could only be the president’s constitutional national security powers. But, federal courts in the 1970s rejected claims that these powers justified the domestic surveillance at issue. The Bush administration turned to Section 215 to avoid continuing to rely on presidential powers to justify the metadata program legally. So, with presidential authority suspect, what is the legal basis for the program as it continues to collect phone metadata on Americans? Concerns multiply when we consider the privacy implications of government collection of metadata in the age of ubiquitous digital technologies. The court acknowledged dependence on these technologies raises difficult questions about the “third-party doctrine,” where data is not protected under the Fourth Amendment if it is shared with a third party, such as a phone company. Given this acknowledgment, is the court allowing a surveillance program to continue that not only lacks a legal basis but also might violate the Fourth Amendment?

Making Sense of the Decision

In its decision, the court is sending two strong messages to the legislative and executive branches about their responsibilities to protect national security and safeguard individual rights. First, the court believes the best outcome over the Section 215 program is agreement between the political branches. Issuing a preliminary injunction because the metadata program had no legal basis or making a Fourth Amendment ruling because of the impact of digital technologies would take federal courts deeper into volatile national security, privacy, constitutional, and political controversies.
The court asserts that legislation provides the most effective way to design metadata surveillance programs for counter-terrorism and to signal what the political branches deem is permissible under the Fourth Amendment. In short, the political branches can directly authorize metadata surveillance to protect national security (avoiding the surreal interpretive brawl Section 215 became) tailored to reflect privacy concerns about government collection and analysis of metadata in the digital age (avoiding potentially divisive judicial decisions on the Fourth Amendment). Second, the court’s reasoning contains warnings to the political branches as they consider their next steps. Its interpretation of “relevance” in Section 215 sends the message that invoking national security should not contort laws in ways that defy their language and intent. The court also rejects the argument that Congress ratified the executive branch’s expansive definition of relevance when it reauthorized Section 215 in 2011. In doing so, the court communicated that secret legislative review of secret interpretations of public laws is not legitimate. Finally, the court signaled its view that changes in communication technologies raise serious constitutional concerns with the third-party doctrine, suggesting that it might have held the metadata program in breach of the Fourth Amendment had it reached this question. In sending these messages, the court recognized the constitutional prerogatives of the political branches in national security but provided rule-of-law guidance to Congress and the president in crafting new legislation the United States so badly needs. Whether the political branches live up to these responsibilities in the coming days will signal to the world if the United States understands how to protect the security and rights of a free people.
  • Europe and Eurasia
    The Digital Single Market Strategy Will Complicate the Economic Relationship Between the United States and Europe
    Today’s release of the European Union’s Digital Single Market Strategy starts a new era in digital diplomacy within the union and between the EU and the United States. The strategy identifies the ways in which the EU is unprepared to harness the economic opportunities digital technologies create. In response, the European Commission, the union’s executive arm, proposes the creation of a digital single market (DSM) through comprehensive reforms. While the strategy is undeniably important to Europe’s economic competitiveness, the reforms will significantly affect U.S. technology companies operating in the EU. As a result, the strategy will likely complicate already difficult transatlantic relations on e-commerce issues.

The DSM Strategy

The strategy analyzes how the EU’s single market does not allow Europeans to take advantage of the benefits associated with integrating digital technologies into economic activities. Despite claims that “Europe has the capabilities to lead in the global digital economy,” the strategy (and the accompanying evidence document) identifies a sobering litany of problems that hold the EU back. These problems include the geo-blocking of online services, copyright laws and licensing regimes that impede access to digital content, burdensome tax codes, cybersecurity threats, barriers to cross-border parcel delivery, challenges with radio-spectrum allocations, poor adoption of digital technologies by European companies, shortages of skilled professionals, and lack of investment in digital skills and businesses. To create a DSM, the strategy sets three core objectives supported by concrete actions:
  • Produce better access to online goods and services by harmonizing e-commerce laws, improving parcel delivery across borders, reforming copyright regimes, and reducing the tax burdens associated with the online sale of goods and services;
  • Create market conditions for European digital activities to flourish by harmonizing telecommunication laws, improving cybersecurity and data protection, and investigating online platforms to ensure compliance with EU laws; and
  • Maximize the growth potential of Europe’s digital economy by building a single market for big data and cloud computing services, improving e-government, and investing in digital infrastructure.

European and Transatlantic Implications

The DSM strategy addresses the digital revolution’s threat to the effectiveness of the European single market, one of the EU’s greatest achievements. While the digital revolution has been years in the making, Europe hasn’t kept up. According to the European Commission, “[o]nly 1.7% of EU enterprises make full use of advanced digital technologies, while 41% do not use them at all.” EU policymakers face a daunting challenge to implement the proposed reforms. They touch virtually every aspect of the digital economy and will affect the single market comprehensively—from pan-European policymaking to decision-making in small start-ups. The extent and complexity of the reforms mean the strategy will influence policy for years as the EU modernizes existing legislation and formulates new regulations. Like the push for the single market in the 1980s, translating the strategy into policy and law is a decisive test for the EU’s ability to adapt to technological and economic change. Given the strategy’s importance to fundamental EU interests, it would be simplistic to criticize it as digital protectionism designed only to limit the power of U.S. tech companies.
In fact, if implemented, some reforms will create growth opportunities for U.S. firms operating in the EU. However, it is disingenuous for European officials to claim that the strategy does not target U.S. companies that dominate European digital markets. The innovations and market successes of U.S.-based enterprises cast long shadows over Europe’s ineffective responses to the digital revolution. The strategy declares the EU’s intent to continue enforcing its antitrust rules (as it has against Microsoft and Google) and to launch a “comprehensive assessment” of the roles and power of online platforms (e.g., Google, Amazon), including those associated with the sharing economy (e.g., Uber, Airbnb). The likely outcome will be “level-the-playing-field” actions and regulations that disproportionately affect leading U.S. tech companies. The United States and the EU already butt heads over data protection, privacy, and the application of EU competition law to U.S. tech companies. The DSM strategy will complicate the transatlantic relationship by increasing the friction between these two economic powers as Europe implements the proposed reforms.
  • Europe and Eurasia
    Live Now: A Conversation with Giovanni Buttarelli
    The Council on Foreign Relations is hosting a conversation with Giovanni Buttarelli, the European Union’s newly-appointed data protection supervisor. Mr. Buttarelli will discuss his strategic plan for the next five years as European Data Protection Supervisor along with the right to forget, trade negotiations, and other issues relating to data protection both in Europe and around the world.
  • Europe and Eurasia
    The Right to Privacy in the Digital Age: Where Do Things Stand?
    The UN Human Rights Council has convened for its 28th regular session, and its agenda includes revisiting Snowden-sparked debates about the right to privacy in international law. In explaining his actions, Snowden appealed to the Universal Declaration of Human Rights and human rights treaties. He wanted to expose the peril he believes pervasive government surveillance poses to the right to privacy, and his leaks catalyzed many privacy-related controversies. For example, Snowden’s revelations about U.S. and British signals intelligence programs launched efforts in the UN and the European Union (EU) concerning the International Covenant on Civil and Political Rights (ICCPR), EU privacy law, and the European Convention on Human Rights (ECHR). The UN General Assembly adopted a resolution on the right to privacy in the digital age, and the High Commissioner for Human Rights and Special Rapporteur for the Promotion and Protection of Human Rights while Countering Terrorism issued reports. The EU made demands on the United States in the context of data-sharing relations. Privacy advocates challenged UK surveillance activities under the ECHR before a British tribunal and the European Court of Human Rights. But, after much deliberation, debate, and diplomacy, where do things stand? Have the key Snowden villains—the United States and United Kingdom—altered their approaches to their international legal obligations? Has the UN succeeded in illuminating how international law handles privacy challenges posed by digital technologies? Have countries spared by Snowden’s disclosures, including authoritarian states notorious for not respecting privacy, embraced UN interpretations of the right to privacy and improved compliance with international law? Looking across the post-Snowden landscape suggests that little has changed despite all the activity.
UN human rights bodies have done what they often do—highlight painful gaps between what the UN claims international law requires and what governments do. In many countries where privacy has long been an empty right, it has been business as usual, or worse. The British government believes it has effectively defended its position in domestic litigation and wants stronger surveillance powers from Parliament. Changes in U.S. signals intelligence have occurred, some of which are unprecedented, but they owe more to factors other than international law. In the United Nations UN activities have followed a familiar pattern. The General Assembly’s resolution was contentiously negotiated, was claimed as vindication by countries that did not agree about what the resolution meant, and, tellingly, was adopted without a vote. UN officials asserted that existing international law provided compelling answers to all privacy-related questions raised by member states—an assessment, critics observed, that lacked analysis of state practice on complex issues, such as extraterritorial jurisdiction, what "arbitrary and unlawful" interference with privacy means, balancing secrecy and transparency in surveillance programs, and the extent of discretion governments have in confronting security threats. And, as often occurs and is happening again this month, a UN human rights perspective disconnected from the way states behave comes before the Human Rights Council, the membership of which typically includes a rogue’s gallery of states renown for their lack of interest in human rights, including privacy. In Authoritarian Countries Authoritarian governments do not appear to have had any "come to Snowden moments." Human Rights Watch condemned a proposed new Chinese counter-terrorism law  because it would establish "a total digital surveillance architecture subject to no legal or legislative control" inconsistent "with international law and the protection of human rights." 
Just as Snowden began his temporary asylum in Moscow in the fall 2013, researchers described Russian surveillance capabilities as "an Orwellian network that jeopardizes privacy and the ability to use telecommunications to oppose the government." In 2014, Human Rights Watch asserted that Russia "took a leap backwards demonstrating little respect for its human rights obligations." In the United Kingdom A British tribunal rendered decisions in December 2014 and February 2015, which held that, after the British government provided transparency on safeguards it had in place, it was in compliance with the ECHR concerning receipt of surveillance information from the NSA. Given the storm Snowden stirred up about the UK’s signals intelligence activities, the change required for the tribunal to consider the government in full ECHR compliance was strikingly limited. Although they claimed victory, privacy advocates were upset the tribunal did not strike down the U.S.-UK information-sharing arrangement on substantive grounds. Whether the European Court of Human Rights reaches a different conclusion remains to be seen. To complement its recent wins in the courts, the British government has expressed interest in new legislation that would expand its surveillance powers. In EU-U.S. Data-Sharing Relations The EU used the Snowden-generated controversies to make demands on the United States in negotiating data-sharing arrangements, namely the Safe Harbor and "Umbrella" agreements. This scenario replays difficulties the EU and the United States have long had on privacy.The EU has not re-interpreted EU privacy law because of Snowden’s actions, but it has exploited the disclosures to strengthen its negotiating position with the United States. For its part, the United States has not altered its stance on its ICCPR obligations because it negotiates privacy deals with the EU. 
In the United States A February 2015 progress report from the Director of National Intelligence (DNI) highlights changes implemented since President Obama announced reforms in Presidential Policy Directive-28 (PPD-28) in January 2014. Some changes address concerns about the privacy of U.S. persons that are anchored in U.S. law not international law. Other changes relate to EU negotiating demands, such as the commitment to pursue legislation to permit nationals of designated countries to seek redress in U.S. courts for inappropriate handling of personal data. Some reforms relate to debates about international law, particularly whether U.S. treaty obligations on privacy apply outside U.S. territory. Under PPD-28, the U.S. intelligence community now treats information collected on foreign nationals outside the United States under rules equivalent to those on the treatment of information on U.S. persons. David Medine, Chairman of the Privacy and Civil Liberties Oversight Board, argued that this decision is unprecedented because “no country on the planet [...] has gone this far to improve the treatment of non-citizens in government surveillance.” But the Obama administration has not expressly grounded this move in international law. PPD-28 and the DNI’s progress report do not link this change to international law. Nor does the decision seem inspired by the UN’s, ECHR’s, or EU’s respective approaches to privacy in international law. Rather, this shift might reflect a claim of American exceptionalism—the United States is undertaking something exceptional with privacy in the digital age that only America would dare to attempt, even after events as damaging as Snowden’s leaks. And, like all claims of American exceptionalism, it is highly provocative but, nevertheless, consequential for reasons well beyond international law.
  • Cybersecurity
    The State of Cyber in the State of the Union
    Last night, President Obama gave his annual State of the Union address in which Internet and cyber issues got their own paragraphs. On the Internet, the president said: I intend to protect a free and open Internet, extend its reach to every classroom, and every community, and help folks build the fastest networks, so that the next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world. On cybersecurity, he said: No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe. President Obama’s remarks referred to policy proposals he announced last week, in which he proposed a plan to incentivize the delivery of high speed Internet and called on Congress to pass legislation to facilitate cybersecurity information sharing, protect consumer data, and increase the penalties in the Computer Fraud and Abuse Act (CFAA). The cybersecurity information sharing proposal is interesting. According to the text the president has sent Congress, the legislation aims to facilitate information sharing by:

    1. explicitly authorizing a private entity to share cyber threat indicators with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), any federal entity (including law enforcement), and private sector-led information sharing and analysis organizations (ISAOs);
    2. launching a process to determine the best practices for the creation and operation of ISAOs, organizations the White House hopes can act as clearinghouses to pass cyber threat information between private sector entities; and
    3. allowing NCCIC to share cyber threat information it has received from private entities with other federal entities, such as the National Security Agency or the FBI.

    As opposed to requiring companies to report indicators, the proposed law hopes to incentivize companies to share information by shielding them from liability and regulatory action. The draft law would also require the attorney general, in cooperation with a slew of federal entities, to develop privacy guidelines for the use, retention, and disclosure of the indicators the private sector provides. There are a couple of things that stand out from the proposal. First, the draft focuses heavily on the private sector sharing information with the government but remains largely silent on the government sharing information with the private sector. Information sharing is not a one-way street: the private sector needs information from the government if it hopes to better protect itself against advanced persistent threats. The U.S. government already provides programs that facilitate this, like DHS’ enhanced cybersecurity services or US-CERT’s product offerings, but it will all too often take and rarely give back. While legislation provides some legal protections to incentivize sharing, the private sector will only share if it gets something in return. That’s not so much a legal issue as it is a policy and operational one. Second, though the privacy community has embraced some aspects of the White House plan, especially compared to the Cyber Intelligence Sharing and Protection Act (CISPA), concerns remain.
As Paul Rosenzweig has already noted, many of the privacy provisions rest on the "reasonableness" of stripping personally identifiable information from reports of cyber threat indicators. That is likely to cause a battle between the intelligence community, which needs to know as much as possible, and privacy advocates, who only want to share what is absolutely necessary. Furthermore, relatively little is said about the privacy controls that the ISAOs should have when handling cyber threat indicators. This stands in contrast to the controls that the legislation proposes for government, such as destruction schedules, protecting proprietary information, and creating anonymizing processes. The discrepancy makes me wonder whether ISAOs could abide by a lower privacy standard than the government to handle the exact same information. With regard to the amendments to the CFAA, Orin Kerr provides a legal analysis of the proposal in the Washington Post. I see two primary policy considerations. First, the amendments could make it harder for computer security researchers to do their job. As I’ve said before, some amendments, such as the one covering use of information derived from a computer security breach, would carry stiff penalties, potentially making it difficult for researchers and security companies to analyze incidents. Second, it’s hard to see what increasing the penalty for unauthorized access to a computer will achieve. Will a potential hacker not deterred by the prospect of ten years in prison be deterred by twenty? Increasing criminal penalties certainly will do nothing to stop hackers in China, Russia, or North Korea. Could this finally be the year when Congress passes cyber legislation? I think yes. Public awareness of the threat is at an all-time high. The Sony attack has created pressure for Congress to act (though it is not clear that any of the legislation would have prevented the North Korean hackers from breaching the company).
Moreover, there is bipartisan support for cybersecurity legislation. The New York Times this morning contrasts the bold vision President Obama delivered in the State of the Union with the political reality that he lost control of both houses of Congress: "The question raised by the speech was whether advancing initiatives with little or no hope of passage constituted an act of bold leadership or a feckless waste of time." Yet, while disparaging most of the President’s agenda, prominent Republicans like Senator Lamar Alexander of Tennessee have pointed to cybersecurity as an area where "we can get some agreement." As in the past, privacy concerns will make or break the legislation, but we should expect to see real signs of progress.
  • Cybersecurity
    Paris and London Should Think Before They Undermine Encryption
    Sharone Tobias is a research associate for Asia Studies and the Digital and Cyberspace Policy program at the Council on Foreign Relations. The recent terrorist attacks in Paris have led European leaders to revisit Internet surveillance policies in their countries in the hopes that more effective data collection can prevent future terrorist attacks. EU leaders released a joint statement over the weekend expressing concern "at the increasingly frequent use of the Internet to fuel hatred and violence," and calling for a partnership with Internet service providers. In France, Prime Minister Manuel Valls announced that the government will soon propose a new security law to reinforce the intelligence community’s surveillance capabilities, especially directed at Internet-based communications. EU leaders are particularly concerned about encrypted communication technology that allows individuals to send messages not accessible to law enforcement, even under a court order. Over the last few years a number of widely used applications like WhatsApp, iMessage, and Facebook Messenger have adopted end-to-end encryption. Much of the data passing between users of these applications is inaccessible to anyone who does not hold the decryption keys—including law enforcement with warrants. UK Prime Minister David Cameron is leading the way, stating at a recent security meeting that "terrorists are using the Internet to communicate with each other and we must not accept that these communications are beyond the reach of the authorities." Cameron also plans to lobby U.S. President Barack Obama to criticize U.S. technology companies like Facebook for their encryption methods during Cameron’s visit to the United States this week. Many have already questioned the proposals on grounds of privacy and freedom of expression. Some have interpreted Cameron’s comments to mean he wants to try to block access to these types of applications.
The technical restrictions and regulations required to enforce such a ban would be enormous: it could involve blocking websites from which users download encrypted applications, or even rendering communication between UK-bought and foreign-bought devices impossible because of differences in encryption standards. British technology companies would be especially affected, since they wouldn’t be able to produce competitive encrypted software and would lose out to other technology companies in third markets. Even if Cameron does not intend to ban access to the apps, but just wants to make them more open to surveillance, there is cause for concern. Weakening encryption or building "back doors" creates vulnerabilities that make it easier for criminals, not just the "good guys," to access data: a deliberately introduced weakness cannot be restricted to the party it was built for. Unforeseen problems with government intervention in encryption have come to light before. Last year, Edward Snowden released classified documents that revealed a highly classified NSA decryption program called Bullrun that used a combination of supercomputers, court orders, and even inserting "back doors" into certain encryption technology to tap into secure data. For example, the agency allegedly paid security firm RSA $10 million to use less secure encryption standards. Several U.S. technology companies supported an amendment last year that would prohibit the agency from installing such back doors, which the companies say hurt their businesses abroad. Law enforcement practices have long relied on the ability to gain access to phone calls, mail, and other communication methods to track criminals and terrorists (and in many countries, journalists, activists, and political opponents). Encrypted messaging services present new challenges to law enforcement and intelligence agencies in their fight against terrorism and other crime, challenges that feel particularly pressing after the terrorist attacks in Paris last week.
But before making any rash decisions, it is essential that leaders first determine the real-world effects of taking a stand against technology that has now become so commonplace.