EU group: NSA's 'balance' of security, privacy in surveillance sucks

Three SURVEILLE teams of EU-funded experts studied NSA mass surveillance techniques for the purpose of a counter-terrorism investigation and basically found the surveillance 'failed drastically in striking the correct balance between security and privacy.'

You likely don’t need a European Union-funded multidisciplinary research effort to tell you that when it comes to mass surveillance, the NSA’s idea of “balance” between security and privacy sucks. Nevertheless, three teams of experts, which included engineers, ethicists, and lawyers, made three separate assessments of the ethical and legal issues of surveillance technologies.

In fact, Martin Scheinin, European University Institute Professor of Public International Law, wrote, “Electronic mass surveillance – including the mass trawling of both metadata and content by the U.S. National Security Agency – fails drastically in striking the correct balance between security and privacy that American officials and other proponents of surveillance insist they are maintaining.”

The latest SURVEILLE (Surveillance: Ethical Issues, Legal Limitations, and Efficiency) consortium paper, “Assessing Surveillance in the Context of Preventing a Terrorist Act” (pdf), looked at mass Internet monitoring systems for the purpose of a counter-terrorism investigation. Based on NSA revelations from Edward Snowden leaks, SURVEILLE specifically looked at the following surveillance techniques.

The technologies featured and assessed are: the use of a cable splitter off a fiber optic backbone; the use of ‘Phantom Viewer’ software (pdf); the use of social networking analysis and the use of ‘Finspy’ equipment installed on targeted computers. Non-technological surveillance techniques featured and assessed are the opening of baggage in an airport and the use of a covert surveillance team. The assessments are represented visually in a multidimensional matrix – a grid with numerical scores for fundamental rights risk and technical usability assessments, and color coding for ethical risk.

[Figure: Assessing surveillance in the context of preventing a terrorist act. Credit: SURVEILLE]

Usability was ranked from 0 to 10, with higher numbers representing the most technically usable. Fundamental rights intrusion was ranked from 0 to 16 with 16 representing the most serious rights intrusion. Ethical risks were ranked so that red represents a severe ethical risk, yellow is for moderate risk and green is associated with a low ethical risk.

Scheinin noted on Just Security, “Privacy intrusion scores above 10 would indicate that there is no justification for the use of a particular technology, as the negative human rights impact would be too high. Privacy intrusion scores that are high but nevertheless below 10 represent the ‘hard cases’ in a discussion of a possible balance between privacy and security.”

The legal team determined that “privacy intrusion provides a good proxy for also assessing surveillance’s impact upon other human rights, such as freedom of expression, freedom of movement, freedom of association, and the like.”

Only the two non-technological surveillance techniques produced usability and fundamental rights intrusion scores and an assessment of possible ethical risks that would make them justified…Three methods of electronic surveillance are assessed as legally impermissible, as they resulted in modest usability scores, coupled with the highest possible fundamental rights intrusion score and the highest degree of ethical risk. Only one of the methods of electronic surveillance – social network analysis – is assessed as highly suspect (instead of manifestly impermissible), as it produces high scores both as to usability and fundamental rights intrusion, coupled with intermediate ethical risk.

The three teams of experts, technological, ethical and legal, found:

Internet monitoring techniques, with the exception of targeted social networking analysis, represent an unacceptable interference with fundamental rights to privacy and data protection, the deepest ethical risks of chill and damage to trust, intrusion and discrimination, while also violating moral norms of proportionality of methods and consent of the policed. Meanwhile these high moral and legal costs reflect a mostly middling to poor usability benefit, performing worse with regard to cost, efficiency and privacy-by-design than lower tech alternatives. The case for a mass Internet monitoring system is found wanting.

Although this is the first SURVEILLE paper that I learned about, it is far from the first. SURVEILLE has published a plethora of papers about surveillance. The previous Matrix of Surveillance Technologies paper (pdf) “focused on a serious crime investigation, where suspected gun and drug runners were subjected to a range of different traditional surveillance techniques including chemical explosives detectors, CCTV and drones, and 50 much more intrusive methods such as bugging and phone tapping.” Like the other research, the teams looked at the ethical, legal, and technological issues with the surveillance.

SURVEILLE also previously published a research paper titled, Mass Surveillance by the National Security Agency (NSA) of the United States of America (pdf). The consortium is currently working on a “third round of assessments relating to the use of closed circuit TV and other surveillance technologies in an urban security context.” The results will also be released to the public.

Copyright © 2014 IDG Communications, Inc.
