On 8 April 2014, Edward Snowden gave testimony to the Council of Europe’s Committee on Legal Affairs and Human Rights by video link. As with his previous testimony to the European Parliament, Mr Snowden used his statement to elaborate on topics that had been previously outlined by journalists. Topics covered include data mining, XKeyscore fingerprinting and the surveillance of Amnesty and other human rights organisations. Mr Snowden also confirmed that we can expect to see “more, and more specific” reporting on NSA attempts to change legal regimes overseas.
The Council of Europe is preparing reports on mass surveillance and on the protection of whistleblowers, which will be published before the end of this year. This is the first hearing supporting those reports; a second will be held on 24 June. Legal challenges to GCHQ’s activities have also been lodged in, and fast-tracked by, the European Court of Human Rights.
It goes without saying that at this point I would like to clarify that I have no intention of harming the United States government or straining bilateral ties between any nations.
My motivation is to improve government, not to bring it down. I’d like to request that my previous testimony to the EU Parliament be entered into the record so that rather than exhaustively cover previous statements, we can use this time instead to discuss programmes less understood to the public, or perhaps that have been misinterpreted by journalists. As well as to address a few novel questions of particular significance that I have received from this committee.
To briefly summarise my testimony before the EU Parliament, it established the following points we will likely touch on today, beginning and going forward from here. The US government confirmed, in at least three independent determinations over the last six months, that the kind of dragnet mass surveillance we discuss today is ineffective […] and potentially legitimises the actions of authoritarian governments that desire to construct similar systems.
The National Security Agency has a directorate that has worked to intentionally subvert the privacy laws and constitutional protections of EU member states against mass surveillance.
That the body of public evidence suggests that mass surveillance results in societies that are not only less liberal but less safe. That the NSA shares mass surveillance technologies with some EU member states as well as access to its own mass surveillance systems.
That reports of intelligence agencies using mass surveillance capabilities to monitor peaceful groups unrelated to any terrorist threat or national security purpose, such as the United Nations Children’s Fund or spying on American lawyers negotiating trade deals, are in fact accurate.
That the secret court in the United States that oversees mass surveillance programmes is best described as a rubber stamp court. This court has rejected only 11 out of approximately 34,000 requests made by the government over a period of 33 years. It hears arguments only from the government and it is appointed by a single individual without the benefit of any outside confirmation or review. I add that this secret court was only intended to issue individual and routine warrants for surveillance, not to decide legal issues of global importance or to authorise general untargeted warrants – for instance the clandestine wiretapping of anyone in Germany, as was recently reported.
That the UK electronic surveillance service GCHQ collected, on a massive scale, images from web cameras – often in bedrooms, within private homes – without any individualised suspicion of wrongdoing. This activity continued even after GCHQ became aware that the vast majority had no intelligence value at all and roughly ten per cent of images were discovered to be intensely private, depicting some form of nudity or other private intimacy.
That the NSA had intentionally sought to collect similarly explicit sexual material regarding religious conservatives whose political views it disfavoured and considered radical. For the purpose of exposing it to damage their reputations within their communities. This is an unprecedented form of political interference that I don’t believe has been seen elsewhere in western governments.
That no legal means currently exist to challenge such activities or to seek remedies for such interference.
That mass surveillance is used by the NSA, as well as partners and adversaries, for the purposes of economic espionage. The NSA has compromised the world’s major financial transaction facilitators – to include SWIFT and Visa – and in their reports they explicitly noted such data provided “rich personal information” including data that “is not about our targets.”
The governments caught engaging in mass surveillance have, in the last months, stopped attempting to justify these programmes as being related to national security and have instead shifted to the lesser restriction of “valid foreign intelligence purposes.” This is particularly problematic for human rights as a government can justify almost any privacy violation on this basis and it reflects that some governments today are willing to cede a hard won moral high ground rather than implement surveillance reforms.
That I believe the international community should agree to common standards of behaviour – perhaps a convention on the prevention of mass surveillance – as well as the adoption of technical standards mandating the common use of secure by default communication protocols for the transmission of data, if they are to have any hope of protecting citizens’ communications against online lawful surveillance.
That strong, pervasive encryption provides a robust defence against mass surveillance but does not preclude governments from gaining access to the communications of specific targeted individuals for the purposes of lawfully justified investigations.
Now I’d like to move on to the questions supplied by the committee and my responses to them.
The question was, to your knowledge does the NSA, GCHQ or other signals intelligence services engage in sophisticated data mining analyses of the data captured by the programmes I have exposed? Do they use sophisticated algorithms, of the kind used in commercial data mining, to seek out further people of interest?
To answer: yes. Algorithms are used to determine unknown persons of interest who are not actually suspected of any wrongdoing. This question is a good example of something that journalists and previous inquiries, working independently from newly public documents have had trouble properly interpreting. Some reporting on this issue has already occurred, but due to my inability to participate in the reporting at that time, these groups were unable to achieve a full understanding of these documents.
For example, it has been reported that the NSA’s XKeyScore framework for interacting with the raw signals intercepted from mass surveillance programmes, allows for the creation of something that is called fingerprints. I’d like to explain what that really means. The answer will be somewhat technical for a parliamentary setting, but these fingerprints can be used to construct a kind of unique signature for any individual or group’s communications, which are often comprised of a group of “selectors”, such as email addresses, phone numbers or usernames.
This allows state security bureaux to instantly identify the activities to you, your computers or other devices, your personal internet accounts or even keywords or uncommon strings that indicate an individual. A group out of all the indications they intercept in the world is associated with that communication, much like a fingerprint you would leave on the handle of a door, the steering wheel of your car and so on.
However, though that has been reported, that is the smallest part of the NSA’s fingerprinting capability. You must first understand any kind of internet traffic that passes before these mass surveillance sensors can be analysed in a protocol agnostic manner, metadata and content both. And it can be today, right now, searched not only with very little effort via a complex regular expression which is a type of shorthand programming but also via any algorithm an analyst can implement in popular high level programming languages. This is very common for technicians, it’s not a serious workload – it’s quite easy.
This provides a capability for analysts to do things that associate unique identifiers assigned to untargeted individuals via unencrypted commercial advertising networks, their cookies or common tracking measures used by businesses every day across the internet with personal details such as an individual’s precise identity, their geographic location, their political affiliations, their place of work, their computer operating system and other technical details, their sexual orientation, their personal interests and so on and so forth.
There are very few practical limitations to the kind of analysis that can be technically performed in this manner short of the actual imagination of the analysts themselves. And this kind of complex analysis is in fact performed today using these systems.
I can say that the US government’s claims that keyword filters, searches or “back out analysis” have not been performed by its intelligence agencies are in fact false. I know this because I have personally executed such searches with the explicit authorisation of US government officials and I can personally attest that these searches may scrutinise the communications of American and European Union citizens without the involvement of any judicial warrants or other prior legal process.
What this means in non-technical terms, more generally, is that I – an analyst working at NSA or, more concerningly, an analyst working for a more authoritarian government elsewhere – can, without the issue of any warrant, create an algorithm that for any given time period, with or without any human involvement, sets aside any targeted individuals, even a class of individuals, and any indications of an activity that I, as an analyst, don’t approve of – something that I consider to be nefarious or indicate nefarious thoughts or pre-criminal activity, even if there is no evidence that that is what is happening at this time.
The nature of these mass surveillance technologies is creating a de facto policy of assigning guilt by association rather than on the basis of specific investigations based on reasonable suspicion. Specifically, mass surveillance systems like XKeyScore provide organisations such as NSA with the technical ability to trivially track entire populations of individuals who share any trait that is discoverable from unencrypted communications. These include religious beliefs, political affiliations, sexual orientations, contact with a disfavoured individual or group, history of donating to general or specific causes, interactions or transactions with certain public businesses or even private gun ownership. It is a trivial task, for example, to generate lists of home addresses for people matching the target criteria. Or to collect their phone numbers to discover their friends. Or even to analyse the nature and proximity of their social connections by automating the detection of factors such as who they share pictures of their children with, which is capable of machine analysis.
I would hope this goes without saying but let me make clear that NSA is not engaged in any nightmare scenarios such as actively compiling lists of homosexual individuals to round them up and send them into camps or anything of that sort. Still, they deeply implicate our human rights. We need to recognise that the infrastructure for such activities has been built and is within reach not only of the United States and its allies but also any country today. And that includes other private organisations that are not associated with governments.
Accordingly, we have an obligation to develop international standards to protect against the routine standard use of this technology, abuses that are going on today. I urge the committee in the strongest terms to bear in mind that this is not just a problem for the United States and the European Union, but that this is in fact a global problem – not an isolated issue of Europe versus anyone.
These technical capabilities don’t merely exist. They are already used without the application of any judicial warrant. I state that these capabilities are not yet being used to create lists of all the Christians in Egypt but let’s talk about what they are used for, at least in a general sense, based on actual real-world cases that I can assert are in fact true.
Fingerprints, for example the kind used in XKeyScore, have been used – I have specific knowledge that they have been used – to track, intercept and monitor the travels of innocent citizens who are not suspected of anything worse than booking a flight. This was done in Europe against EU citizens but it is of course not limited to that geographic region nor that population.
Fingerprints have also been used to monitor untold masses of people whose communications transit the entire country of Switzerland over specific lines. Fingerprints are used to identify people who have had the bad luck to follow the wrong link on an internet site or internet forum, or even download the wrong file. They have been used to identify people who visited a specific internet sex forum. They have also been used to monitor French citizens who have never done anything wrong other than logging on to a network that is suspected of activity that is associated with behaviour that the National Security Agency does not approve of.
This mass surveillance network… in the United Kingdom, in Australia and even Germany is not restricted for being used for national security purposes, even for terrorism or even for foreign intelligence. XKeyScore is today being used for law enforcement purposes, for the detection of even non-violent offences, and this practice has never been declared to any defendant or in any open court.
We need to be clear in our language: these practices are abusive. It is clearly a disproportionate use of an extremely invasive authority and extraordinarily invasive means of investigation taken against entire populations rather than the traditional investigative standard of using the least intrusive means of investigating specifically named targeted individuals or groups. The screening of trillions – and I mean that literally, trillions – of private communications for the vaguest suggestions of association or some other nebulous pre-criminal activity is a violation of the human right to be free from unwarranted interference, to be secure in our communications and our private affairs, and it must be addressed.
These activities, routine, unexceptional activities that happen every day are only a tiny proportion of what the Five Eyes are secretly doing behind closed doors without the review, consent or approval of any public body. This technology represents what I would consider to be the most significant new threat to civil rights in modern times.
The committee should consider what truly bad actors will use these same capabilities for if we allow them to go unchecked and how we will develop enduring norms and technical standards to protect against such abuses wherever they occur.
The next question is to my knowledge have the NSA or GCHQ used these surveillance powers and similar capabilities to spy upon highly sensitive confidential communications of human rights organisations, such as but not limited to Amnesty International, Human Rights Watch and/or smaller global, regional or national non-governmental organisations.
The answer is without question, yes: absolutely. The NSA has in fact specifically targeted the communications of either leaders or staff members in a number … Another matter of similar concern is the matter of what the Drug Enforcement Agency now calls “parallel construction”. This is a technique whereby secret intelligence information is unlawfully used for law enforcement purposes. It is then concealed from… I will add the initial intelligence information in such cases has often been gathered without the issue of any judicial warrant as previously noted.
This unlawful use of secret evidence, whose existence or provenance has been concealed from the defendant and the court itself, represents a serious threat to both the right to a fair trial and the right to face one’s accusers. Given the growing global awareness of these intelligence practices, which we should recall have been called by the United States government itself to have no statutory basis in law, I would urge the committee to take immediate steps to address these concerns. The failure of a state to assure binding assurances that intelligence information received from or provided to any foreign partner may not be used in such manners that could make them party to human rights violations carried out by trusted partners.
To continue, I’d like to point out what I consider to be the likely response to any political inaction by elected representatives on these issues and on encryption, what I consider to be the likely response to inaction, and the impact they’ll have for civil society.
If a political solution to the problem of mass surveillance is not reached on an immediate basis, technical solutions are likely to be imposed by the international research and engineering communities. Should governments wish to retain […] necessarily subordinate to the physical laws of the universe itself. And if issues of liberty and human rights in the digital sphere are left to technologists to address rather than elected bodies, governments are very likely to irrevocably lose a portion of their authority to interfere with the communications of legitimate targets.
To illustrate, I’d like to comment, with respect, to correct a point on the committee’s introductory memorandum regarding the strength of encryption currently used today. Contrary to a point in that memo, there are in fact today encryption schemes that are not susceptible to any realistic brute force attacks on any timescale and I can confirm that this remains true even at the forefront of the classified state level. Properly implemented modern encryption, backed by truly random keys of significant length…. basically all require more energy to decrypt than exists in the known universe.
For example if today we dedicated every supercomputer, every desktop computer, every smartphone on the planet to bruteforcing a single 256 bit keyspace of this type, the sun in our solar system would literally stop burning, we would be sitting in the dark before we’d solved the problem and enumerated all the possibilities within that space. To quote Bruce Schneier, who I’ll point out is one of the world’s foremost cryptographers, who actually wrote the book on applied cryptography, “we cannot even imagine a world where 256 bit bruteforce search is possible. It requires some fundamental breaks in our physics and our understanding of the universe.”
The 256 bit keys that he discusses are incredibly common today. Anyone in this room can learn to encrypt everything on their computer, on their hard drive with this functionally unbreakable code, in the academic sense of the word, within the space of a single weekend. No intelligence agency anywhere in the world, working for even ten years non-stop on a single programme, can break such codes.
However, law enforcement agencies need not despair and be concerned that this will stop their work as there are many other well-known ways around even such perfect – in a theoretical sense – encryption. Weaknesses in the specific implementation of such encryption libraries and programmes are common. In fact we just saw one today which could affect two thirds of all traffic on the internet.
Beyond that, there are also methods around even robust encryption programmes that have no known direct vulnerabilities. These methods, called “side channel attacks” can allow actors such as government agencies, police bodies and so on to steal keys necessary to decrypt certain communications and complete their investigations without actually having to decrypt those communications by confronting the mathematical strength of the algorithms themselves.
These techniques can be analogised to investigators installing a hidden camera to record a suspect dialling the correct combination to his or her safe where they hide documents or evidence, rather than have the government actually crack the safe with drills or saws or the sheer guesswork of trying to dial every combination. This distinction is of critical policy importance because it is these kind of side channel attacks that can only be applied successfully on a targeted individualised basis. But if the same techniques are used into the context of untargeted mass surveillance that is not premised on specific individuals who are the targets of justified investigations, these attacks can be rapidly detected or mediated and protected against by the community of security researchers and the academic community worldwide.
In the event that the political institutions of the international community fail to address today’s surveillance abuses, this scenario – that of pervasive encryption that has to be countered by the case-by-case application of side channel attacks is I believe the most likely response of the technical, academic and business communities to the intelligence operations of today. I do not necessarily believe this is something policymakers should be afraid or reluctant to support as even with real, comprehensive surveillance reforms, we cannot trust legal protections enshrined in the laws of the developed world to be respected and enforced elsewhere. That can only be achieved with enforcing those laws through common, interoperable technical standards that are backed by our international institutions.
The most cost effective means to guard against this kind of systemic violation of communications security, the kind we see in less liberal regions of the world today, seems to me to be pervasive encryption.
In summary, the issues that we’re facing today are complex. There are a number of unanswered legal questions that have to be answered, not just by intelligence agencies who I do believe have necessary work, but by the public bodies and our elected representatives. It’s very important to us that we as a society determine the appropriate balance between the desire of intelligence agencies to perform the most efficient work possible and to try new techniques that have never been proven, such as mass surveillance. Now we see actually there is a growing body of evidence that they offer no real value.
Personally, I believe that human rights are best protected and constitutional prohibitions should be in place against mass surveillance that favour the use of individual targeted surveillance. Individual targeted surveillance has been shown time after time, even in today’s complex environment, even against specific hard targets whether they’re in North Korea, whether they’re terrorists, whether they’re sophisticated cyberactors or anyone else, to be effective. Our human rights can only be protected if we ensure that our laws, having a clear meaning and the meaning of the words within those laws cannot be secretly interpreted by any legal body or intelligence agency without the public’s knowledge and consent.
That’s the end of my comments today.
In response to questions from members of the committee
Let’s go down the list. The first [question] was why should we have new laws as opposed to respecting old laws. The key there is from the perspective of senior intelligence officials and others in the intelligence community, when new technologies are created and they want to take advantage of them, what they do is they go back to the old laws – and in the United States they have literally hundreds of lawyers, I think 125 lawyers for the National Security Agency – and they task these lawyers with creating new definitions of the meanings of the words in the old laws, to provide new authorities without asking the legislature for them.
Now, I think it would be great if we could get them to stop that but in order to do that we would have to pass specific prohibitions. Until we do, this practice is common and will continue. As I have previously stated, the NSA actually encourages foreign partners, including EU member states, to follow that practice and adopt a backdoor ability to interpret themselves into gaining new authorities without the specific passage of new laws.
The next question was how would you describe Europe’s involvement in mass surveillance and I’ll tie that into other agencies outside the US and the EU – maybe Russia, China.
The key, I would say, is that almost all nations that have well funded intelligence services that have an excess of resources are using these kinds of authorities and these kinds of capabilities – or if they do not have them yet, they are actively pursuing – because it’s not a well regulated area with real rules or restrictions.
There are no well established international standards because it hasn’t been debated yet. It was all happening in secret without public awareness. And that made it fertile ground for experiments with new technologies, new desires that have led to the situation we’re in today.
So yes they are involved and there’s a very tight partnership between the US and other countries. Again, we shouldn’t beat on the United States government specifically on this. They are the most capable actor simply because they are the most well funded actor.
The next [question] is how do I feel about progress since these revelations, these disclosures began.
This is a very complicated question. Obviously there’s a lot of ground to cover. It’s very difficult to achieve revolutionary change overnight, particularly on the topic of human rights, which the average person doesn’t necessarily get excited about, doesn’t necessarily get passionate about.
But we have made incredible progress. In legislatures and newspapers in almost every country of the world, every citizen who had not even heard about these capabilities is now talking about them, how it impacts them and deciding how they feel about it and the kind of world they want to live in in the future.
And that’s the specific intent, the purpose, the motivation behind the disclosures: the fact that people are now aware about the world they currently live in. And they have the ability to affect the world they will live in in the future by voting in a more informed manner. I think is worth everything that’s happened and everything it has cost me.
The final question was the nature of the data exchange between the United States and Germany. I’m going to have to be careful on that, to talk to my lawyer and maybe submit a written response later because I am at risk of legal jeopardy for anything I say there.
But what has been reported and what I can generally comment on is that the exchange is deep and it’s common. I can say from my personal experience that the NSA has within its databases, it has within XKeyscore on a daily basis the communications of innocent German citizens who were unsuspected of any crime. German citizens, German websites, German businesses, German services, it’s all in there as it is with every other country.
And the NSA and Germany do exchange information back and forth, they have a close partnership. That partnership is beneficial and it’s not a problem in a lot of contexts but it should be subject to public oversight and the necessary accountability in law. The fact that this data is being collected, it’s been intercepted and it’s been analysed and it’s been stored without the consent of the public or their representatives is a serious concern and should be addressed. I hope that the Bundestag investigation in Germany will ask tough questions about the nature of this relationship and how it can be improved upon and made more accountable. Thank you.
On NSA attempts to weaken legal protections overseas
I want to make sure they [overseas citizens] have the sole boundaries to make their own independent public interest determinations in cooperation with their governments. What I can say is that it’s now established – or at least has been admitted in the United States on a number of occasions – that this sort of legal exchange, legal advocacy, legal advisement campaign is very well funded. It’s seen as furthering the national interest of the United States and because of that I expect it to continue.
And there are reasonable justifications for why it should occur, but the manner in which it’s occurring – this kind of subverting and peeling back of protections on surveillance – I would agree that that is a serious problem that needs to be addressed. I would say it is very likely that we will see more, and more specific reporting about this kind of operation and I don’t believe it’s a mystery or it’s going to surprise anyone in national security.
I know that journalists have agreed this is in the public interest and some of these countries include Germany, Sweden and The Netherlands. The UK is not just a target of it but a willing participant.
On being asked how well NSA analysts – and journalists – understand the legal limits on surveillance.
The answer is yes we are [aware]. The legal limits are actually extremely weak. There are policy prohibitions, there are regulatory limits that have no penalty for transgression. They have no remedy assigned to them, whether that be criminal or procedural.
Because of the structural weakness of having no limits on intelligence collection, it creates a situation where bad behaviour is incentivised. When senior officials, such as former NSA and CIA director Michael Hayden have said regularly that they are happy, that they want to interpret every authority they get in the most abusive, most open manner possible – they want to get chalk in the pleats of their sporting shoes, as they’re called, being right on the boundaries of what’s allowed – because there’s no penalty and because they gain for doing so.
I think any lawmaker, any policy maker should keep that mindset in the forefront when they’re designing national security regulations. Because these officials are always going to press regular authorities and they’re going to adapt authorities already granted as times and technologies change.
The other question was about data retention in light of the ECJ ruling. I haven’t had the chance to read the court ruling. What I can say is that the National Security Agency at least for itself has a team, a pack of lawyers, whose purpose in life is to interpret rules, laws and regulations in the most permissive way, even if that requires the intentional abuse of language to redefine words in a way that the lawmakers, policymakers, judges did not intend.
On that basis, I think it’s unlikely that we’ll see sweeping change. I do believe that it’s likely that at least European states will change the methods in which they share, they will reevaluate their policies and there will be a significant benefit from this. But until it’s established in law with specificity and strong language that cannot be intentionally misinterpreted, this issue won’t end.
Beyond that I would caution one more time that even if we have good government – even if we have perfect governments, perfect policies and perfect regulations within the western sphere, within the US and within the European Union – those rules will not necessarily be respected overseas until bodies and regulatory authorities take strong steps to ensure that our standards are protecting our communications by default, regardless of whether any particular bad actor respects our laws or doesn’t. Technology is the fallback for policy in this specific case.