Spies Will Be Spies in War, Peace and Cyberspace

On July 11, Germany's former Defense Minister Karl-Theodor zu Guttenberg told the mass circulation paper Bild that "anti-Americanism is already flourishing alarmingly" in Germany as a result of the spy scandals. President Barack Obama, he said, should heed this "alarm bell" and rehabilitate the relationship or "he will go down in history as the gravedigger of the Transatlantic friendship" -- a consequence that would be bad news for both U.S. and German security.

Here, along with his colleague Lothar Determann, Guttenberg ponders the larger questions of surveillance, sovereignty and privacy. This article is excerpted from a longer article in the Summer 2014 edition of the Hastings Constitutional Law Quarterly. Read the whole article here.

BERLIN -- The NSA, it seems, does not break any international law by operating the massive surveillance programs that Edward Snowden revealed. No treaties or customary international law have developed to impose meaningful limitations on spying. Countries routinely spy on each other in war and peace, in embassies, in covert operations, and in cyberspace.

The NSA is probably violating myriad foreign countries' laws, because all countries prohibit foreign spying against themselves. Yet, this hardly justifies the current outrage abroad. The complaining countries are running similar programs.

Moreover, many actually actively collaborate with the NSA and other U.S. authorities in the interest of getting help to protect their own national security. Threats to suspend free trade negotiations, individual cross-border transactions, or cooperative programs like SWIFT (Society for Worldwide Interbank Financial Telecommunication) or the U.S.-EU Safe Harbor (secure personal data exchange) program have counterproductive effects for national security and privacy. Proposals to nationalize or regionalize email, the Internet, or cloud computing are technologically impractical and would be ineffective so long as the various national secret services collaborate and share information.

EU data protection law does not and cannot protect EU residents any better from foreign cybersurveillance than U.S. law can (or does). The great hopes that European politicians are publicly placing on the EU data protection regulation in this respect are misplaced not only because current drafts of the regulation do not even try to regulate surveillance for national security purposes, but also because each country's laws can only offer meaningful protection from its own government agencies.

That is where those who want reform should focus -- and consider the trade-offs.

DOES LESS SURVEILLANCE MEAN MORE PRIVACY? Assessing the trade-offs is not a simple task, because much is and will remain unknown regarding the effects and effectiveness of surveillance programs, and because there is hardly any evidence supporting simple correlations like "less surveillance means more privacy."

Most assume that less government surveillance, intelligence gathering and law enforcement may result in less security. But, less government surveillance, intelligence gathering and law enforcement could also result in a loss of net privacy if one takes into account the fact that surveillance by foreign governments and cybercriminals will increase. Less surveillance does not automatically result in more privacy. Conversely, more surveillance does not automatically guarantee more security -- as recent security breaches and data leaks demonstrate.

Security interests and civil liberties must be carefully balanced.

PUBLIC GIVES PERSONAL DATA AWAY PRIVATELY In this context, it is worth noting that to date the public has been largely embracing or tolerating charge-free online services, big data, and tracking; evidence is the rampant success of Web 2.0, social media, and the Internet of things.

Consumers and employees agree every day to share massive amounts of personal data via various forms of tracking and surveillance technologies with companies that notify consumers and employees they should not expect privacy. In such open, limited-privacy segments of cyberspace, the government seems justified to emphasize security and patrol virtual worlds like city roads and public places. If and when individuals take steps to protect their privacy online to similar degrees as traditionally in the sanctity of their homes. For example, with paid, secure services, the government may become more pressed to respect this and give privacy a greater weight in the balancing act with security interests.

DOMESTIC VS. FOREIGN SPYING Trying to differentiate between foreign and domestic spying in cyberspace seems impractical, given the technological and social realities in today's connected global world. Even differentiating between war and peacetime has become difficult lately. Reform in this regard seems necessary to re-establish the boundaries of the rules of engagement for cyber intelligence gathering based upon war powers.

ACHIEVABLE GOALS NOW In the meantime, more easily achievable goals could be to:

  1. focus on enhancing the government's data security measures to reduce data leaks, security concerns, and diplomatic tensions caused by public embarrassment;
  2. bolster procedural and organizational safeguards at government agencies tasked with surveillance, as with the recent appointment of a privacy officer at the NSA;
  3. redraw the rules for cooperation between intelligence and law enforcement agencies, permitting information sharing only in clearly enumerated cases of extreme and immediate threats to national security; and
  4. closely monitor law enforcement agencies' compliance with data privacy laws while accepting that spies will be spies in war and peace and cyberspace.