Privacy after Paris
- November 28, 2015
- Clayton Rice, K.C.
On December 18, 2013, the United Nations General Assembly adopted resolution 68/167 that expressed “deep concern” about the negative impact that surveillance and interception of communications may have on human rights. The General Assembly affirmed that the rights held by people offline must also be protected online and it called upon all States to protect the right to privacy in digital communications. The next year the Office of the High Commissioner for Human Rights, in The Right to Privacy in the Digital Age (2014) stated: “While the right to privacy under international human rights law is not absolute, any instance of interference must be subject to a careful and critical assessment of its necessity, legitimacy and proportionality.”
I have previously advocated on this blog that the law of privacy, both internationally and domestically, must also incorporate rights to encryption and online anonymity. On May 22, 2015, the United Nations received the Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression by David Kaye submitted in accordance with Human Rights Council resolution 25/2. The Report concluded, at p. 16: “Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity. Because of their importance to the rights to freedom of opinion and expression, restrictions on encryption and anonymity must be strictly limited according to principles of legality, necessity, proportionality and legitimacy.”
The Report went on to recognize that discussion of encryption and anonymity have too often focused only on their potential for criminal purposes in times of terrorism. But emergent circumstances do not relieve States of their obligation to ensure respect for international human rights law. The Report recommended, at p. 17, that national laws should protect individuals in their use of encryption and anonymity tools, and that legislation and regulations should also include provisions enabling access to the use of these technologies by human rights defenders and journalists to secure their communications. Encryption and online anonymity are essential swords in the protection of communications between journalists and their sources and critical shields against self-censorship.
On September 8, 2015, the Secretary-General transmitted the Report to the General Assembly. It contains this recommendation to protect the confidentiality of sources, at p. 22: “National legal frameworks must protect the confidentiality of sources of journalists and of others who may engage in the dissemination of information of public interest. Laws guaranteeing confidentiality must reach beyond professional journalists, including those who may be performing a vital role in providing wide access to information of public interest such as bloggers, ‘citizen journalists’, members of non-governmental organizations, authors and academics, all of whom may conduct research and disclose information in the public interest. Protection should be based on function, not on a formal title.”
Then, Paris. And this unfolded.
A familiar script played out in the days and weeks following the Paris attacks. In an article titled The Threat Is Already Inside published by Foreign Policy on November 20, 2015, Rosa Brooks began this way: “By now, the script is familiar: Terrorists attack a Western target, and politicians compete to offer stunned and condemnatory adjectives. British, Chinese, and Japanese leaders thus proclaimed themselves ‘shocked’ by the Paris attacks, which were described variously as ‘outrageous’ and ‘horrific’ by U.S. President Barack Obama; ‘terrible’ and ‘cowardly’ by French President Francoise Hollande; ‘barbaric’ by Indian Prime Minister Narendra Modi; ‘despicable’ by U.N. Secretary-General Ban Ki-moon; and ‘heinous, evil, vile’ by U.S. Secretary of State John Kerry, who possesses a superior thesaurus. The Paris attacks were all these things. One thing they were not, however, was surprising.”
Although that is a good place to begin it didn’t top the response four days earlier by CIA Director John Brennan who wasted no time exploiting the tragedy to promote the agenda of advocates who would ban encryption and online anonymity. Mr. Brennan complained about “a lot of hand-wringing over the government’s role in the effort to uncover these terrorists.” What Mr. Brennan called ‘hand-wringing’ is the outrage following the leaks by Edward Snowden, the former national security contractor, in 2013. Mr. Brennan called the Paris attacks a “wake-up call” claiming that recent “policy and legal” actions in the United States “make our ability collectively, internationally, to find these terrorists much more challenging.”
Not to be outdone by Mr. Brennan, former CIA Director James Woolsey claimed that terrorists increasingly take advantage of encryption to conceal their communications. “The blood of a lot of these French young people is on his hands,” Mr. Woolsey said, “because of what he turned loose.” Mr. Woolsey was reported as adding that Mr. Snowden should be convicted of treason and “hanged by the neck until he’s dead rather than merely electrocuted.” I didn’t read anywhere that Mr. Woolsey was contemplating a fair trial first. (See: Dell Cameron. Former CIA chief blames Paris attacks on Edward Snowden, says he should be ‘hanged’. Daily Dot. November 25, 2015)
The Editorial Board of The New York Times replied to Mr. Brennan in a blistering Opinion titled Mass Surveillance Isn’t the Answer to Fighting Terrorism published on November 17, 2015. This is particularly good:
“It is hard to believe anything Mr. Brennan says. Last year, he bluntly denied that the C.I.A. had illegally hacked into the computers of Senate staff members conducting an investigation into the agency’s detention and torture programs when, in fact, it did. In 2011, when he was President Obama’s top counterterrorism adviser, he claimed that American drone strikes had not killed any civilians, despite clear evidence that they had. And his boss, James Clapper Jr., the director of national intelligence, has admitted lying to the Senate on the N.S.A.’s bulk collection of data. Even putting this lack of credibility aside, it’s not clear what extra powers Mr. Brennan is seeking.
Most of the men who carried out the Paris attacks were already on the radar of intelligence officials in France and Belgium, where several of the attackers lived only hundreds of yards from the main police station, in a neighbourhood known as a haven for extremists. As one French counterterrorism expert and former defense official said, this shows that ‘our intelligence is actually pretty good, but our ability to act on it is limited by the sheer numbers.’ In other words, the problem in this case was not a lack of data, but a failure to act on information authorities already had.
In fact, indiscriminate bulk data sweeps have not been useful. In the more than two years since the N.S.A.’s data collection programs became known to the public, the intelligence community has failed to show that the phone program has thwarted a terrorist attack. Yet for years intelligence officials and members of Congress repeatedly misled the public by claiming that it was effective.”
The only thing Mr. Brennan and Mr. Woolsey seem to have missed is – the facts. According to French authorities, the terrorists in Paris did not encrypt their communications but used standard SMS text messages. French police found a cellphone outside the Bataclan theatre not only unencrypted but also unlocked. The phone contained this message: “Ou set parti on commence.” (Let’s go, we’re starting) And the data on the phone led investigators to a safe house used by the terrorists.
After shock (with or without Mr. Kerry’s thesaurus) the predictable blame game unfolded – blame encryption, online anonymity or Mr. Snowden – any or all would do. And, of course, deflect the evidence. It’s the old litigator’s proverb – when you have the law on your side, pound the law; when you have the facts on your side, pound the facts; when you have neither the law nor the facts on your side, pound the table! Mr. Brennan and Mr. Woolsey did a lot of table pounding. In an article titled Paris is being used to justify agendas that had nothing to do with the attack published in The Guardian edition of November 20, 2015, Trevor Timm wrote this about the “we need to ban encryption” push: “It was a masterful PR coup: current and former intelligence officials got to sit through a series of fawning interviews on television where they were allowed to pin any of their failures on Edward Snowden and encryption – the bedrock of privacy and security for hundreds of millions of innocent people – with virtually no pushback, or any critical questions about their own conduct.”
The blame shifting that predictably follows every terrorist attack is deceitful and self-serving. Journalist Glenn Greenwald used those words in an Op-Ed titled Why the CIA is smearing Edward Snowden after the Paris attacks published by The Los Angeles Times on November 25, 2015: “In one sense, this blame-shifting tactic is understandable. After all, the CIA, the NSA and similar agencies receive billions of dollars annually from Congress and have been vested by their Senate overseers with virtually unlimited spying power. They have one paramount mission: find and stop people who are plotting terrorist attacks. When they fail, of course they are desperate to blame others.” Mr. Greenwald went on to remind us that Mr. Snowden did not tell the terrorists anything they did not already know – that the US government is trying to monitor their communications. What the Snowden disclosures did tell us is that the NSA is monitoring the communications of millions of innocent people under a surveillance program that has been ruled illegal and unconstitutional.
Weakening rights of encryption and anonymity are not the answer even if a ‘back door’ was technologically possible and even if Mr. Brennan and Mr. Woolsey had their credibility intact. Although I began here by focusing on the rights of journalists, and others who provide access to information of public interest, the security enhanced by encryption goes beyond the protection of human sources. Ann Cavoukian, the executive director of the Privacy and Big Data Instituite at Ryserson University in Toronto, Canada, said that getting bad guys has to be done in a way that doesn’t obliterate freedom. Back door proposals are shortsighted because they weaken the world’s infrastructure – banking, health information and commercial security. And more recently, the Information Technology Industry Council in Washington, D.C., which represents giants such as Apple and Microsoft, said: “Weakening security with the aim of advancing security simply does not make sense.” Compromising encryption would not only endanger the banking system but the electrical grid as well. (See: Robert Cribb. Mobile encryption arms race heats up. Toronto Star. November 20, 2015; and, The terrorist in the data: How to balance security with privacy after the Paris attacks. The Economist. November 28, 2015))
What we have seen following the Paris attacks is the exploitation of the tragedy for the ends of certain politicians and government officials. The response of Mr. Brennan was described in the Times editorial as “wretched yet predictable” taking the exploitation to a “new and disgraceful low”. And, as Amy Davidson said in an article titled Don’t Blame Edward Snowden For The Paris Attacks published in The New Yorker issue of November 19, 2015: “…[T]he claim that everything would have been better if only the public had never learned that the N.S.A. was breaking the law, and if it had been allowed to keep doing so, is not a serious argument worthy of a mature democracy.”