Flickr/Frédéric Poirot. Some rights reserved.

Individual responsibility is a dead-end

While the Snowden revelations have sent an unprecedented shockwave across the world, most of us have gone back to our old habits, checking our Gmail account with the morning coffee, making phone calls from our smartphones and occasionally browsing through Facebook looking for the odd or funny status update. Even though we know Google, Apple, Facebook and several other companies will hand that data directly to the NSA, and that the NSA is very likely to trade it in bulk with several European intelligence agencies. We now know for sure that our lives are tracked, and that every single one of our online clicks and keystrokes slowly builds a more detailed profile of us in the databases of intelligence agencies and advertising corporations in the US and in every member state of the European Union. Yet we do not really care and go on with our lives like nothing happened.

At the individual level, we already have several answers as to why this might be the case. Low digital literacy, the complexity of encryption, the habit of using easy to use commercial software as opposed to privacy-oriented yet more difficult one (compare Max OSX to Linux or TAILS, Internet Explorer to the TOR Browser) certainly matter. But more importantly, the problem of mass digital surveillance appears to have slipped in our subconscious.

Like a famous study in social psychology, we are behaving similarly to the inhabitants living near a nuclear plant. Although we are the most aware of the potential dangers of a radiological leak or a nuclear explosion that would severely hurt us and our families, we lead our lives convinced that nothing wrong can happen. In fact, the more we are made aware of the danger, the more confident we have become in the government’s reassurances that everything is under control, and that our privacy is not in danger. Comparisons with the dark days of East Germany’s secret police, the Stasi or Romania’s Securitate do not really work. There are no direct consequences of mass surveillance on our daily lives, so why should we really bother?

What should be done then? The main message that appears to emerge from Snowden’s interviews and Glenn Greenwald’s media interventions is the moralistic insistence on the individual responsibility of every one of us to ensure that we protect our data adequately. While we fully agree with these prescriptions, this bears the risk of ending in the long list of New Year’s resolutions, alongside with the promises to eat healthier foods, drink less and exercise more often. We might however also ask ourselves why it is that there is not more public outrage and mobilization around this issue. Where are the marches, demonstrations, the flash-mobs against mass surveillance? Why are there no more institutionalized and government-backed initiatives to put us on a stricter privacy diet, along with our five vegetables a day?

The EU is the master of its own problems

These questions are particularly salient in Europe. Publicly, François Hollande, Angela Merkel and several other European leaders were “shocked” and “appalled” by the revelations. In the meantime, we are now very aware of the fact that European intelligence services actively collaborated with the NSA and GCHQ, collecting themselves as much data as possible in order to gain bargaining power in the transatlantic intelligence-sharing cooperation game. This has been shown by some of us in a study for the European Parliament, and confirmed by the Moraes Report from the same institution. If not national governments, then whom should we expect to take measures?

The European Union has raised some hopes, through the activity of some key MEPs within the Committee on Civil Liberties of the European Parliament. The LIBE Committee conducted an enquiry on mass surveillance, asking critical questions to the European Commission and the representatives of the Union’s member states. The European Parliament, in turn, has been one of the few institutions to organise a hearing with Edward Snowden. These expectations are raised by the role that some within the European Union (EU) institutions have played in the past regarding previous occurrences of mass electronic interceptions, chiefly in the disclosure of the ECHELON programme. Yet this picture is misleading.

Thinking of the European Union as separate from national governments does not make much sense indeed. European states are member states. As such, their representatives participate on a daily basis in how the EU formulates its policies, and in turn EU policies are part of what national governments in member states do on a daily basis: Berlin, London, Paris or Rome are in Brussels as much as Brussels is present in national capitals. As we have argued elsewhere, the EU in this view is the master of its own problems.

The practice of mass surveillance underscores the limits of the existing and forthcoming EU data protection legislation, in particular with regard to data processing for law-enforcement and national security purposes, data processing by third countries, and cooperation in data processing between security and intelligence services and private service providers. National security, incidentally, is the only area of the founding Treaties establishing the Union where EU competence is explicitly ruled off.

Objectionable EU policies have also been formulated with regard to electronic surveillance. In April of this year the European Court of Justice (ECJ), prompted by the Irish High Court and the Austrian Constitutional Court, found the EU data retention directive adopted in 2006 to be invalid. The directive harmonised member state legislations on the retention by telecommunications operators of traffic and location data and their access by ‘competent national authorities’. It was found by the Court to constitute a particularly serious interference with the rights to privacy and data protection. The decision of the ECJ, incidentally, led the UK government to pass the emergency ‘DRIP’ legislation that extends rather than curtails the scope of data retention powers for UK authorities.

Some reactions from top EU policymakers after the Snowden revelations are telling in this respect. Viviane Reding, now former vice-president of the Commission and EU justice commissioner, argued in November 2013 for the establishment of an EU intelligence service by 2020 “so we can level the playing field with our US partners”.

National security is a misnomer

Expecting the EU to counter national governments then, or national governments to stand up against electronic surveillance is missing the point. What the NSA revelations show is that state surveillance and national security are to some extent misnomers. Surveillance is not exercised exclusively by “the state”, national security is not ensured exclusively at the national level.

So how does the picture look like from this perspective? On the one hand, we should think of the surveillance apparatus as a loose coalition of institutions, bureaucracies and corporations that function as a network both within and across national borders. More often than not, professionals working within these networks have more interests in common than they do with other civil servants from their own state. In other words, the French external intelligence agency (DGSE), which does much of the bulk data collection work in France, has more interests in common with the GCHQ or even the NSA than it does with the French data protection authority CNIL.

These networks work together and reinforce each other: the GCHQ, for example, is known to have actively trained DGSE officials to lobby the French government in order to get more institutional and legal powers. These alliances are sometimes institutionalized and public, as in the UKUSA Agreement (also known as the “Five Eyes”, which include the UK, the US, Canada, Australia, New Zealand), sometimes less known (such as Alliance Base, which includes the UK, the US, Canada, France, Germany and Australia since 2001).

Who is on the other side, and who has the potential to keep these networks in check? The courts are certainly one possibility, but it should not be overstated. As noted by some, the abovementioned decision of the ECJ on the data retention directive does not rule out mass surveillance and in fact sets out “unusually detailed guidelines for the legislature” to adopt a data retention instrument compatible with fundamental rights. Parliamentary supervision and oversight by independent bodies (such as the CTIVD in the Netherlands, or the Intelligence and Security Committee of Parliament in the UK) do exist, but have proved to be limited if not supportive of surveillance measures (the case of the UK DRIP law comes again to mind). The search for support points within the EU institutions, in any case, is limited.

In addition to these institutional options, three factors might contribute to a change in practices of mass surveillance: a gradual change in public opinion, an evolution in technology, and a challenge to the current business model (this means both the rise of free software and an increased offer of paid services relying on a subscription rather than free services financed by advertising - Google’s current model). As such, change in the direction of more privacy might come from a loose coalition of actors with divergent agendas but a common interest in privacy: privacy-minded political movements; the free software, open source, hacktivist community and private entrepreneurs. If the environmentalist movement can serve as an example, it is possible to imagine the diffusion of a demand for privacy from a small core of political activists to the broader society, in particular through open-source or easy-to-use paid software.

The development of recent initiatives and the renewed popularity of old initiatives aimed at guaranteeing more privacy, such as the Mozilla Foundation (Firefox browser, Thunderbird mail client), the DuckDuckGo search engine, or the new services from the Dark Mail Technical Alliance (founded by the owners of Silent Circle and the defunct Lavabit), and ProtonMail (an encrypted mail initiative launched by MIT and CERN scientists) supports this hypothesis. While these activists and entrepreneurs were largely ignored until not long ago, the Snowden revelations have contributed to diffuse their concerns and to popularize their combination of technological and political commitment. These changes might, in the long run, alter Europe’s national and supranational institutions more than anything else.

Read more from our 'Joining the dots on state surveillance' series here.