Hardly a day goes by without news in the NSA/Snowden affair. Bruce Schneier adds fuel to the fire by publishing an NSA Exploit of the Day.
But while this affair drives news cycles, the ideas on how to address the problem of governments spying on each other and on citizens as such are not too numerous. It is obvious that the affair by itself is not limited to the US. The “Five Eyes” (US, UK, Canada, New Zealand, Australia) are all collaborating closely – why not in this space? It is to be expected that other governments drive similar programs (as the article on Russia – as an example – showed: Russia spying as well?). At the end of the day it is a cultural and social debate how far “my” government is allowed to go and this is significantly different in different countries.
Yesterday, Brad Smith, Microsoft’s General Counsel, published a blog post asking for an international convention on government access to data: Time for an international convention on government access to data. Let me elaborate on why I have very little hope for such a convention; I even struggle to see the need.
First of all we should not mix the discussion between fighting cybercrime and espionage or the police requesting information/data and national intelligence doing the same. The two cases are significantly different in the real world as well as on the Internet.
Therefore, let’s look at them separately.
I completely agree with Brad that the processes to get legal assistance between countries to fight crime are too slow and cumbersome and therefore not usable in today’s world. However, there are initiatives under way which address the global collaboration, and there has been an international convention since 2001: The Convention on Cybercrime, or the Budapest Convention, was written by the Council of Europe. Even if – to my knowledge – the convention does not address the process for international legal assistance (Mutual Legal Assistance Treaty, MLAT), it is ratified by a lot of countries (including the US), even outside the Council of Europe. There is absolutely no need for “yet another” convention but for broader adoption of the existing one. Additionally, there needs to be a faster way to get legal support from other countries, but even there, the Council of Europe and Interpol and other bodies are working on this issue.
But the whole Snowden affair is by no means related to this discussion, at least from my point of view. It is about national intelligence and how to set up proper governance in this space. Now, do we need a convention to cover this? It would be great if there were one and if the governments then adhered to it. However, the real issue in the NSA discussion to me, from a European view, is not what they did but who controls national intelligence. If you look at the first public NSA hearing, most of the discussions were circling around this question. Is there a need for an international convention? I doubt it! And if one existed, would they be willing to sign up for such a convention? It took years to convince countries to ratify the Convention on Cybercrime, which does not really limit the ability of the governments to act – but voluntarily limiting espionage, dictated by an international body? Do we think that there is a chance for all the necessary governments like US, UK, Canada, Germany, France, China, Russia, India, Brazil… to sign up if they cannot even get an agreement on fighting cybercrime?
If the international convention is not an option (and to me it is not), what is a way forward? Hard to say. The public debate definitely helps, even though the debate should not be limited to the NSA as others are as guilty as the US. I expect that governments/citizens will set their rules individually as they did in the past regarding espionage. Other countries will have to take counter-measures, as they did in the past. The real challenge is that almost all enterprise-ready software (with the exception of SAP) is written by US-based companies. And then all the hardware we are using is produced in Asia.
We need to start to get smarter to defend our data and our networks. It is obviously unacceptable that governments seem to pay companies to build backdoors (like the supposed RSA case) or even force companies to collaborate as hinted by Mr. Snowden initially. Here, the market has to give the answer.
At the end of the day the question you have to answer is, which government and which legal system you trust most to protect your data and to follow their rules. We do not need to cry “foul”; we need to take a decision and act accordingly or accept the risk. A lot of consumers did not change the way they behave even though they blame the US. Not taking a decision to stop using certain services is taking a decision as well…
- Obama’s proposed NSA ‘reform’ changes nothing (zdnet.com)
- Anti-mass surveillance rally gains support across factions (mysecuritysign.com)
- Microsoft calls for international convention on govt data access (zdnet.com)
- As NSA Slammed, EU Panel Wants To Hear Directly From Snowden (mintpressnews.com)
- Blog Post: Time for an international convention on government access to data (blogs.technet.com)