PRISM, Private Companies and the Law.
Matt Muggeridge of Liberty considers the emerging privacy issues and the legal implications for private companies.
In May the Guardian was given access to a 41-page PowerPoint presentation created by the US National Security Agency (NSA) for the training of intelligence agents.
The PRISM programme allows officials in the US to collect search history, email content, file content and conversations of targets both within and outside the US.
According to the presentation, data is collected from the world’s foremost technology firms, including Google, Facebook, Microsoft and Apple; all of whom have since denied any knowledge of such a programme (Dominic Rushe and James Ball, Guardian.co.uk, Friday 7 June 2013). These companies do routinely share information with governments and are obliged to do so under various statutes, including the Foreign Intelligence Surveillance Act (US) and Regulation of Investigatory Powers Act (UK) – data protection laws also include caveats to allow for such disclosure.
The reason why PRISM has ignited controversy is that it appears to show the participating companies have given the NSA a “back door” to their servers, precluding the need for the security services to obtain warrants before accessing user data.
Aside from the ethical debate regarding the proper use of intrusive surveillance, a debate particularly relevant in the UK where the government is intent upon widening surveillance powers (the snooper’s charter), there is a legal debate over PRISM now underway on both sides of the Atlantic.
The legal basis for the PRISM programme in the US is the Foreign Intelligence Surveillance Act (FISA), introduced by George W. Bush and renewed by Obama in 2012.
The Act grants the US security services wide-ranging surveillance powers, but only in cases where the targets are not US citizens (other laws govern the surveillance of US citizens).
The Act also required the NSA to strictly prove that the targets of their surveillance were foreign. In practice this meant that, “it took a court order to collect on foreigners overseas who were communicating with foreigners overseas simply because the government was collecting off a wire in the US” (Dominic Rushe and James Ball).
PRISM became possible when an amendment to legislation meant the NSA only needed to “reasonably believe” the target was outside the USA, thereby negating the need for case-by-case reviews. Critics believe this has led to many US citizens being spied upon under the programme. Even if there is a clear legal basis for PRISM, it is still possible for US citizens to bring an action against the government and other PRISM participants on the basis that their constitutional rights have been infringed.
The American Civil Liberties Union, together with the New York Civil Liberties Union, filed such a suit, claiming the NSA has violated the first and fourth amendments (Ellen Nakashima and Scott Wilson, June 11, 2013 Washington Post).
Another has been initiated in the US District court of Columbia by former Justice Department Prosecutor Larry Klayman. Mr Klayman’s suit names Barack Obama and the private companies alleged to have participated in PRISM as defendants.
A similar case, Clapper v. Amnesty International USA, was brought before the Supreme Court in February this year challenging an amendment to FISA which, it was feared, would enable the surveillance of US citizens.
The court found that Americans lacked standing to challenge this successfully because the very secrecy of the surveillance meant they couldn’t prove they had been subject to it. As Justice Samuel Alito wrote in the majority opinion: “respondents fail to offer any evidence that their communications have been monitored under the expanded version of FISA”. (Daniel Fisher, June 7th, 2013, Forbes Online)
Whether they are successful or not, this litigation will be an on-going embarrassment, particularly for the private companies involved. In the hope of securing the loyalty of users concerned about their personal data, tech firms have been vaunting their respect for privacy a lot recently; for example, Microsoft is running an advertising campaign with the slogan “your privacy is our priority”. Consumers are sceptical of companies claiming to have their best interests at heart most of the time anyway, but the PRISM revelations risk turning this scepticism into outright disbelief. The reputational damage may be far more significant than legal costs to the companies involved, and not just because they are indemnified for the latter by the government.
As mentioned, there is some uncertainty as to the legality of using the legal cover of FISA to initiate surveillance on US subjects. When it comes to monitoring those outside of the US there are fewer scruples. Spying on foreigners poses no significant legal risk for the US government as it is not possible for foreign citizens who do not have the protection of the US constitution to bring an action against the US government. For the private companies supposedly involved, the picture is somewhat different.
Those which have assets in Europe and serve European customers are obliged to comply with European data laws. In disclosing information on EU citizens through PRISM, it is possible that private companies have actually broken these laws. The UK Information Commissioner’s Office acknowledged the possibility in a recent statement:
“There are real issues about the extent to which US law enforcement agencies can access personal data of UK and other European citizens. Aspects of US law under which companies can be compelled to provide information to US agencies potentially conflict with European data protection law, including the UK’s own Data Protection Act” (ICO Website)
The ICO’s concern was echoed by Viviane Reding, the UK’s Justice Commissioner, who has written to the US attorney general expressing her concern about the NSA’s activities.
Ms Reding states that FISA-mandated surveillance “could have grave consequences for the fundamental rights of EU citizens”, adding that American Law Enforcers should only be given access to EU citizens’ data in “clearly defined, exceptional and judicially reviewable situations” (BBC News June 12th 2013).
Reading the above letter, it is easy to think that the EU and US are in complete opposition over the NSA’s surveillance tactics. But an article published by the Financial Times just two days after Ms Reding’s own publication claimed that in the past the EU has been somewhat more accommodating. It claimed that the EU dropped a proposed data protection measure specifically designed to ward off US efforts to eavesdrop on international phone calls and emails in response to lobbying by the US government (James Fontanella-Khan, FT Online, June 12th).
It is, perhaps, too early to tell what the implications of the PRISM scandal are for private companies. The lawsuits currently underway in the US will no doubt perpetuate the story in the media and further reputational damage will be sustained by the alleged participants. Actions in the EU may follow, but they will face the same problem as their US counterparts in that individuals will struggle to prove they were the subject of PRISM surveillance. It is unlikely that consumers will turn away from the companies involved; the very reason they were chosen in the first place is that their services are integral to many of our lives, and some people may accept that a degree of government intrusion is necessary to protect the public from violent crime. If the scandal has any discernible effect, it may be to remind consumers that their data is highly exposed and in turn may lead them to expect greater protections from data controllers.
Underwriting Assistant at Liberty Specialty Markets