Surveillance still a concern 10 years after Snowden leaks

Revelations have deep impact on businesses, govts, tech industry

Edward Snowden speaks from Russia during a Council of Europe meeting in Strasbourg, France, in March 2019. (PHOTO / AFP)

Ten years ago this month, Edward Snowden disclosed to the media United States government intelligence programs that used extensive internet and phone surveillance to collect data.

The former contractor with the US National Security Agency leaked thousands of highly classified documents, revealing the extent of Washington's mass surveillance efforts.

Snowden's disclosures rocked governments, global businesses and the technology world. They also sparked debate on government surveillance, privacy violations and data security.

In the past decade, the "Snowden effect" has had a profound impact on society and the technology industry, with more public attention paid to the US government's abuse of surveillance tools and encryption services.

In a recent report examining Snowden's legacy, the privacy advocacy organization Electronic Frontier Foundation said, "Snowden's revelations acted like a floodlight, allowing everyone to better see and understand what happens inside the black box of government surveillance of millions of innocent people in the US and around the world."

Some observers, including the EFF, are disappointed by how little progress has been made. The programs Snowden pointed out in 2013 are still in operation, and the US government continues to conduct surveillance on foreigners and US citizens under the same legal framework.

The EFF said, "There's still much work to be done to rein in our overzealous national security state, break political gridlock, and end the extreme secrecy that insulates some of the government's most invasive tactics."

Analysts from the group recognized that "some things are undoubtedly better under the intense scrutiny of public attention". For instance, some of the NSA's most egregiously illegal programs and authorities have closed or been forced to end, and the intelligence community has started affirmatively releasing at least some important information.

Five years after the Snowden leaks, the NSA was compelled to delete millions of records in 2018 after it was revealed that some of the data had been collected from phone service providers without legal authority or authorization.

In 2020, Section 215 of the USA Patriot Act — a surveillance law with a rich history of government overreach and abuse — expired due to its sunset clause.

For years, the US government relied on Section 215 to conduct a dragnet surveillance program that collected billions of phone records documenting who a person called and for how long they called them. There was more than enough information for analysts to infer highly personal details about a person, including who they have relationships with and the private nature of those relationships, the EFF said.

In 2015, a federal appeals court held that the NSA's interpretation of Section 215 to conduct this surveillance dragnet was "unprecedented and unwarranted".

The EFF report said: "Outside of government, companies and organizations have worked to close many of the security holes that the NSA abused, most prominently by encrypting the web. But it's not enough — not even close."

A placard supporting Snowden is held aloft in Washington in October 2013. (PHOTO / AFP)

Mass surveillance

Snowden's leaks revealed numerous global surveillance programs previously unknown to the US public. The programs involved collecting private citizens' emails, search history, phone records and file transfers without their knowledge or court orders. He also exposed the NSA harvesting data from big internet companies, including Google, Facebook and Microsoft.

After fleeing to Hong Kong, Snowden told the media the NSA had led more than 61,000 hacking operations worldwide, including many in China. "We hack network backbones — like huge internet routers, basically — that give us access to the communications of hundreds of thousands of computers without having to hack every single one," he said.

Germany's Der Spiegel magazine reported that the NSA also spied on European Union offices in the US and Europe and ran a continent-wide surveillance program in South America. It also spied on the presidents of Brazil and Mexico.

An analysis by The Washington Post of the Snowden leaks found some 90 percent of those being monitored were ordinary US citizens "caught in a net the National Security Agency had cast for somebody else".

The Snowden revelations named two of the key types of surveillance the NSA conducts — Prism and Upstream.

Through the Prism program, the agency collects internet communications from various US internet companies. The information includes email communication, voice calls, SMS, social media communications, metadata, video calls and search preference.

The Upstream program aims to intercept telephone and internet traffic from the internet backbone — major internet cables and switches, domestic and foreign.

Seven years after Snowden blew the whistle on the mass surveillance programs, the Prism program was ruled unlawful by a US court in 2020.

The US Court of Appeals for the Ninth Circuit said the warrantless telephone dragnet that secretly collected millions of citizens' telephone records violated the Foreign Intelligence Surveillance Act, and that the US intelligence leaders who publicly defended it were not telling the truth.

Although there are legal cases pending against the US government, Prism and Upstream are still in operation under the auspices of Section 702 of the Foreign Intelligence Surveillance Act, which Snowden called out in 2013 for its abuse in spying on US citizens.

Section 702 is a law that allows the government to collect — on domestic soil and without a warrant — the communications of foreign targets who are not protected by the Fourth Amendment, including when those people are interacting with US citizens.

Under that law, the NSA can order companies such as Google to turn over copies of all messages in the accounts of any foreign user and network operators like AT&T to intercept and furnish copies of any phone calls, texts and internet communications to or from a foreign target.

Critics of the law are worried that it also gathers data about US citizens, for instance, when they communicate with people overseas.

The newly unsealed Foreign Intelligence Surveillance Court opinion shows that the Federal Bureau of Investigation, or FBI, has continued to abuse its access to information collected under Section 702, including by searching for activist groups and political campaign donors.

The court document also reveals that the FBI used the warrantless foreign intelligence surveillance authority improperly more than 278,000 times in 2021. US citizens involved in the improper searches include people suspected of taking part in the Jan 6, 2021, attack on the US Capitol and those in the George Floyd protests against police brutality and racism in 2020.

The recent revelation of the FBI's search for those rioters and protesters in the spy database has set back the administration of President Joe Biden's effort to renew Section 702, which was last renewed in 2018 and will expire this year.

The Biden administration has been lobbying Congress for months to renew Section 702 without any changes, saying it is a critical tool for counterterrorism operations, cybersecurity and understanding rivals such as China.

To stop mass surveillance, advocates are calling on Congress to end Section 702 in the autumn so that the Prism and Upstream programs will end along with it.

In an article reflecting on the 10th anniversary of the Snowden revelations, security expert Bruce Schneier said the US government did not play its part in addressing the privacy concerns.

"Despite the public outcry, investigations by Congress, pronouncements by President Obama, and federal court rulings, I don't think much has changed," Schneier, adjunct lecturer in public policy at Harvard Kennedy School, wrote in the article for the Internet Engineering Task Force.

"The NSA canceled a program here and a program there, and it is now more public about defense. But I don't think it is any less aggressive about either bulk or targeted surveillance. Certainly its government authorities haven't been restricted in any way. And surveillance capitalism is still the business model of the internet," he said.

German lawmaker Hans-Christian Stroebele (left) holds a news conference in Berlin in November 2013 about his meeting with Snowden in Moscow. (PHOTO / XINHUA)

Technology's role

The "Snowden effect" rocked the technology industry after it was revealed that the NSA was tapping into information held by some US cloud-based services through the Prism program.

Google, Cisco and AT&T lost international business due to the public outcry over their roles in the NSA spying. Apple and other Silicon Valley tech giants were accused of knowingly taking part in the secret data collection program.

To regain users' trust, Apple pioneered technological change a year after the leaks by encrypting its services in an attempt to prevent law enforcement from accessing users' data.

The company's encryption methods help protect the contents of the device and prevent federal agents, intelligence agencies and even Apple from accessing any users' data. This measure forces the government to go to the owner of the device, rather than Apple.

The Snowden revelations, especially slides showing the NSA was using the unencrypted traffic between the internal data centers of Google and Yahoo as a point of surveillance, triggered the tech industry into wide encryption.

The use of encryption has become more widespread in recent years and many companies now offer it as a standard feature in their products.

But the recent record-breaking fine levied by European Union regulators against social media giant Meta suggests that the days of the US unlawfully accessing users' personal information via the nation's tech giants are not over.

In May, the European Data Protection Board announced the $1.3 billion fine, saying that Meta violated EU privacy laws by transferring the personal data of Facebook users to servers in the US. Meta is the latest company to face a big penalty for privacy violations under the EU's General Data Protection Regulation. The previous record fine of $805.7 million was levied against Amazon in 2021.

Privacy advocates criticize the US Congress for not taking privacy concerns seriously. The EFF report said, "Congress' relationship to privacy comes when it's politically expedient, and disappears as soon as members feel as if they could be too easily painted as being soft on crime or national security."

Despite calls in recent years for federal legislation to rein in big tech companies, the EFF analysts said they have seen nothing significant in limiting a tech company's ability to collect data (then accessed by the NSA via Prism), or regulate biometric surveillance, or close the backdoor that allows the government to buy personal information rather than obtain a warrant.

"It's been 10 years since the Snowden revelations, and Congress needs to wake up and finally pass some legislation that actually protects our privacy from companies as well as from the NSA directly," they said.

Stephen Farrell, research fellow in computer science at Trinity College Dublin, said far more needs to be done to better protect internet users' security and privacy.

"In particular, we (the technical community) haven't done nearly as good a job at countering surveillance capitalism, which has exploded in the last decade," Farrell wrote in a Snowden retrospective published on May 20.

However, the "legal but hugely privacy-invasive activities" of major tech companies have not caused as much "annoyance" as the Snowden revelations, he said.

Bad actors are not limited to governments, Farrell said. "Many advertising industry schemes for collecting data are egregious examples of pervasive monitoring, and hence ought also to be considered an attack on the internet that ought to be mitigated where possible. However, the internet technical community clearly hasn't acted in that way over the last decade," he said.

"While we got a lot right in our reaction to Snowden's revelations, currently, we have a 'worse' internet."