November 18, 2013

Following months of Snowden disclosures, the extent to which the National Security Agency’s extraordinary surveillance infringes on the privacy of our communications and other vast areas of our lives has become widely apparent. Far less appreciated, however, is the global threat that the NSA’s spying poses to freedom of expression over the Internet.

The NSA’s seemingly limitless prying into our personal electronic data is predicated on a cramped vision of our right to privacy. As I have described in this space these intrusions are facilitated by various shortcomings in current US law. For instance, the law recognizes a privacy interest in the contents of our communications, but not in what is known as our metadata, the electronic details about whom we communicate with, what we search for online, and where we go. The rationale, stated in a 1979 US Supreme Court ruling, is that we have no privacy interest in the phone numbers we dial because we share them with the phone company, even though the court could just as easily have ruled that the phone company has a fiduciary duty to respect the privacy of its customers.

In addition, on the weakest of legal authority, the NSA assumes that the mere collection of our communications does not invade our privacy until they are examined, or “queried.” Using facile metaphors about needing a haystack to find a needle, the NSA asserts that it is free to assemble that haystack unimpeded. It is as if the NSA were to mount video cameras in our bedrooms while assuring us that we have nothing to worry about until it looks at the film.

And to the dismay of the rest of the world, US law on surveillance recognizes no privacy rights whatsoever for non-Americans outside the United States, even though many of their communications travel through the United States and the US government has the capacity to collect much of whatever does not. Considerable attention has been paid recently to the NSA’s monitoring of German Chancellor Angela Merkel’s mobile phone. Under existing US law, however, the NSA can freely spy on ordinary foreigners living outside the United States as well. And it can collect not only their metadata but also the contents of their communications—including phone calls, email, and text messages. Communications between US citizens and foreigners are also vulnerable so long as the US citizen in question is not deemed a “target” of the surveillance.

This sweeping disregard for electronic privacy has particularly troubling implications for freedom of expression. In part that is because privacy and free expression are intimately linked. People are more likely to speak candidly if they can be assured of speaking privately. Whether it involves a client confiding in a lawyer, a patient talking to a doctor, a source speaking to a journalist, or an adherent of an unpopular cause addressing other supporters, robust speech suffers when privacy is imperiled.

But the NSA’s overreaching endangers free speech in more direct ways as well. Consider the not-uncommon situation in which a repressive government such as China’s asks an Internet company for information on a user. The most notorious request of this kind involved the Chinese journalist Shi Tao, who just completed eight years in prison for “leaking state secrets”—sending a human rights group information about media restrictions for the fifteenth anniversary of the 1989 Tiananmen Square uprising and the ensuing massacre. At China’s request, Yahoo turned over Shi’s email information, contributing to his conviction.

One of the best defenses against such requests is for Internet companies to store user information in servers located outside the country in question. That approach is not foolproof—governments have many ways to pressure Internet companies to cooperate—but it can help to fend off such requests. US Internet companies currently opt to repatriate to servers in the United States most information on users in foreign countries.

However, after the revelations about NSA surveillance, many countries have said they may require Internet companies to keep data about their citizens on servers within their own borders. If that becomes standard practice, it will be easier for repressive governments to monitor Internet communications. Weak as US privacy safeguards are, those in many other countries are no better. For example, while outraged at the NSA’s snooping, many privacy activists in Brazil oppose their own government’s proposed requirement to store data locally because they fear their data protection laws are inadequate.

Moreover, as the case of Shi Tao shows, granting national governments easy access to user information may enable them not only to invade privacy but also to suppress criticism and unearth dissent. Anonymity is sometimes the best protection against censorship, but official access to user information makes anonymity difficult.

Current proposals to change the way the Internet is regulated could, if implemented, also facilitate efforts by foreign governments to gather information on their own citizens’ electronic activities. The Internet is governed mainly through informal cooperative arrangements among numerous public and private entities, but a US-based organization, the Internet Corporation for Assigned Names and Numbers, or ICANN, is responsible for, among other things, coordinating the assignment of unique identifiers that allow computers around the world to find and recognize each other. A private board of directors runs ICANN, but the US Commerce Department has a large part in its management.

It may seem anomalous that the US government would have such influence over a global network like the Internet, and now that the United States has proven such an unreliable guardian of our privacy, there have been renewed calls to replace the current system with a UN agency such as the International Telecommunications Union. But few believe that such a system would protect free speech on the Internet because it would likely defer to governments that want to prioritize national sovereignty over the free flow of information and ideas. Greater national control would make it easier for governments to wall off national Internets, as China has tried to do with its Great Firewall and Iran has threatened to do with a “national information network,” enabling censorship and undermining the powerful potential of cyberspace to connect people around the world.

The NSA’s electronic spying has also done much to discredit the US government’s reputation as an outspoken champion of Internet freedom. Most notably under the leadership of former Secretary of State Hillary Clinton, the US has regularly criticized countries for detaining dissident bloggers or users of social media. But today, although the United States continues to respect freedom of expression on and off line, that virtue is easily overshadowed by Washington’s indifference to Internet privacy. And even America’s reputation for respecting free speech is undermined when the Obama administration tries to extradite and prosecute Edward Snowden for an alleged security breach that many see as legitimate whistleblowing.

Beyond Internet users, those who probably feel most at risk by Washington’s disregard for privacy are US Internet companies. Companies such as Google and Facebook are undoubtedly terrified that users in other countries will begin looking for non-American alternatives to avoid NSA snooping. The German Federation of Journalists, for example, recently warned its members to avoid using US Internet companies for email or searches because of NSA surveillance, and Deutsche Telekom said it is working to keep electronic messages from entering the United States unnecessarily. Internet companies thus may become one powerful constituency to press the US government to reform its surveillance laws.

There is, of course, an irony in the protests of companies that rake in billions by exploiting their customers’ online activities for commercial purposes. But without the coercive power of the state, private companies have less capacity to do harm, and unlike governments, they face at least theoretical competitive pressure to respect their customers’ sense of proper limits.

It is perhaps puzzling that Americans themselves seem largely unperturbed by the NSA revelations. But this complacency is not shared by much of the rest of the world, where memories are often fresher of cases in which the state abused access to private lives. That fear abroad, conveyed by US Internet companies that have come to depend on a global customer base, is perhaps the best we can hope for to overcome the relative indifference of the US public.

With the NSA’s motto seemingly “If it can be accessed, take it,” one is left with the impression that the US government never undertook a basic analysis of the costs and benefits of NSA surveillance. On the cost side must be weighed not simply the invasion of our privacy but also the harm it does to the unimpeded flow of information over the Internet. Americans may undervalue privacy, but they do tend to understand the importance of free expression.

On the benefits side, the NSA has failed to show that the mass scooping up of our electronic communications has meaningfully augmented the targeted electronic surveillance—focused on particular individuals who can be shown to pose a threat—that should be part of any counterterrorism effort. The US government has been at pains to come up with any terrorist plot that would not have been halted but for its mass collection of our communications.

In September I asked the White House counsel, Kathryn Ruemmler, about this lack of demonstrable benefit. She fell back on the argument that one must consider the information gained by the surveillance as part of a “mosaic” of information collected by other means. But that was the same rationale—the same word—used by the Bush administration to justify detaining people for interrogation who seemed to have no relevant information to offer.

Obama has stopped some of the worst Bush counterterrorism practices. He now needs to go beyond the cheap reassurances he offered us after the first Snowden revelations and rein in the NSA. If the United States wants to preserve the Internet as a vital and free network for connecting people the world over, it will need to reform its own surveillance policies to respect the privacy not only of Americans but also of everyone else.