The Snowden effect: new privacy wins await after data transfer ruling

American whistleblower Edward Snowden delivers remarks via video link from Moscow to a privacy talk Photograph: Andrew Kelly/Reuters

Many politicians held their nose and voted for the USA Freedom Act in June, hoping that the Snowden revelations would recede into the distance with the modest NSA reform bill’s passage. How wrong they were: the Snowden effect continues to ripple throughout the world on matters of privacy and law and it’s possible this second wave is only beginning.

On Tuesday, in a landmark decision, the European Court of Justice invalidated the “safe harbor” provision between the United States and Europe that allowed large tech companies like Google and Facebook to move large amounts of private Europeans’ data into servers in the United States. The case was brought by privacy activist and lawyer Max Schrems after the initial stories about the NSA’s Prism program. As the New York Times reported, the court “made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.”

Snowden quickly congratulated Max to his 1.4 million followers on his newly-minted Twitter account.

While the ruling will largely be symbolic (more on that later), the symbolism could not be more striking: Tuesday’s court ruling was only the first in a string of court cases that could mark the second wave of the post-Snowden era. It’s clear privacy activists won’t be satisfied with mild changes to just one aspect of the United States government’s vast spying apparatus and the Snowden leaks have opened the floodgates to changes not previously thought possible.

In the US, there are still a series of lawsuits alive and well that are challenging different aspects of the NSA’s surveillance. Wikipedia was just in court, represented by the ACLU, arguing that the NSA’s “upstream” surveillance program – where the spy agency has access to entire Internet streams coming into and out of the country – is illegal and unconstitutional. The Electronic Frontier Foundation (my former employer) has a case in the 9th Circuit challenging the constitutionality of the same program, focused on the expansive and secret partnership between AT&T and the NSA that has allowed the spy agency to siphon off huge amounts of data right off AT&T’s fiber optic cables all over the country.

In the UK, Privacy International has a slew of active cases in the British courts and the European Court of Human Rights which could potentially upend GCHQ’s mass surveillance capabilities.

Companies, stung by the revelations that they were collaborating closely with the NSA, have taken a much more adversarial stance against the government in court in recent years. In a case that has huge implications, Microsoft is aggressively challenging the Justice Department’s contention that they can force tech companies to hand over personal information even if that information is being stored in servers in other countries.

Then there are the privacy cases that don’t directly deal with the NSA leaks, but will be coming to a head over the next year, as the public is on a privacy heightened-alert. All over the country, civil liberties organizations like the ACLU and EFF have challenged the government over getting cell phone location data without a warrant. If and when one of those cases reaches the Supreme Court, it will have an even more direct impact on millions of people’s privacy.

As for the European Court of Justice ruling, the victory may be largely symbolic: the companies think they have other ways to continue to move data, and there has been a long re-negotiated agreement that has been on the verge of passing for months. And make no mistake: it won’t put an end to mass surveillance either. AsCory Doctorow wrote:

“[T]he NSA, GCHQ and other spy agencies will target data-centers wherever they are, and the spy agencies of European nations will surveil their own populations and foreign populations, covertly and overtly harvesting Europeans’ data from the data-centers in their own borders, and, often, handing it straight to the NSA, who’ll move it to its US data-centers like the titanic facility in Bluffdale, Utah.

If the European Court of Justice wants to end mass surveillance of Europeans, it can only do so by banning mass surveillance – by ruling that laws that treat foreigners’ data as fair game are unconstitutional.

We should also be aware that foreign countries can cynically use the idea of cabining data in their own domestic soil to thwart privacy and force companies like Google and Facebook to play by their own rules. Whereas European countries might think they have more privacy, Russia is attempting to force tech companies to do the same, which could have drastic and negative effects on its citizens. This so-called “Balkanization” of the Internet could allow nefarious governments to take advantage of their citizens’ fears over the NSA and actually end up weakening their privacy protections in the process.

Despite all of the disturbing tactics we’ve learned about from the NSA and their partners at the GCHQ in the past two years, our digital rights is unquestionably more protected than it was when the leaks started. And with the coming court cases over the next year or two, the seismic shift will undoubtedly continue to occur.

  • Disclosure: Trevor Timm is executive director of Freedom of the Press Foundation, where Edward Snowden sits on the board of directors.

Source: The Guardian