Privacy International Releases "Leading Surveillance Societies in the EU and the World 2007"
At the end of last year, Privacy International and the Electronic Privacy Information Clearinghouse (EPIC) released a report entitled "Leading Surveillance Societies in the EU and the World 2007". This report assesses the state of privacy in every EU country and various other countries, including much of Asia, the US and Canada, Australia, and a small number of South American and African states.
The report paints a grim picture. Of the 47 countries surveyed, only one - Greece - was described as having "adequate" privacy protections and limitations on surveillance. Twelve others were identified as having "some safeguards but weakened protections," while the remaining 34 countries are described as having a "systemic failure to uphold safeguards" or worse. The list of the worst offenders, called "endemic surveillance societies," includes Russia, China, Malaysia, Singapore, Taiwan, Thailand - and the United States and United Kingdom.
Looking at individual categories paints a similar picture. Under "communications interception," only five countries received a ranking of 3 (out of 5), indicating "some safeguards [or] relatively limited practice of surveillance"; 21, including again the US and UK, are given the lowest ranking, labeled "extensive surveillance / leading in bad practice."
The problem with the idea of "extensive" communications surveillance in the US and UK can be summed up in a single word: volume. The US and UK have the technology and legal regime to conduct targeted surveillance on any specific individual given sufficient grounds (probable cause for a wiretap in the US) - but internal auditing of wiretap requests (also a key safeguard) reports only 1,839 wiretap requests nationwide in 2006, including 461 by federal authorities. For a nation of 300 million, this amounts to 6 requests per million residents, far fewer than Italy's 760 wiretap requests per million residents.
More alarming from the US perspective is the possibility of pervasive Internet surveillance. The ongoing litigation in Hepting v. AT&T concerns alleged (and allegedly illegal) wholesale capture and analysis of Internet traffic routed through AT&T's San Francisco gateway. However, the sheer volume of traffic routed through such a gateway makes it impossible to record or even comprehensively analyze more than a small fraction of the communication. (An inventory of the "secret room" suggests that the primary analysis device apparently deployed at AT&T San Francisco is a single Narus STA 6400, capable of performing sophisticated semantic analysis on 10 Gb of data per second; while this is a huge amount of data, it is nowhere near the 1 Tb / second or more of traffic passing through an Internet connection handling Silicon Valley and various international exchanges.) If true, this is clearly an invasion of privacy on a grand scale - but that does not make it equivalent to a wiretap on each and every person whose Internet traffic passes through the San Francisco hub.
Thus, categorizing the US as among the worst nations in the world in communications interception is at least somewhat hyperbolic. In part, this is because the report focuses at least as much on safeguards and government posture as it does on actual measured practice of surveillance. Even though the United States and Italy report vastly different rates of wiretapping requests per capita, the report groups the two nations together in the same category of communications interception largely due to the similar lack of sufficient safeguards on privacy.
As a report on those safeguards, this report is terrific. The framework for assessing privacy protections and official policies towards surveillance and privacy is insightful and highlights the fact that no country protects privacy in all of its facets. With a few minor quibbles, there is little to directly dispute in terms of the analysis (though the rankings are subjective and arguably sensationalistic).
Where we hope to add value to the surveillance discussion is in determining the actual practice of Internet surveillance worldwide. General impressions of surveillance are not particularly reliable, especially since in many cases governments have as much incentive to exaggerate their surveillance capabilities as to hide them (i.e., a widespread belief in pervasive surveillance may be more effective in curtailing dissent than surveillance itself). Isolated pieces of evidence are valuable from the perspective of confirming that a given form of surveillance is occurring in a given state, but do little to further an assessment of the extent to which surveillance is deployed. And extensive evidence is extremely hard to collect, as many (though not all) forms of computer-based surveillance are impossible to detect by a participant in a communication. A worldwide network of Mark Kleins and others with internal knowledge of the cooperation between ISPs and government agencies would be wonderful but is unlikely - particularly since repressive states engaging in extensive secret surveillance are unlikely to be tolerant of whistle-blowing.
Thus, as a first step, we are exploring the technical capacity for various forms of computer-based surveillance. While not actually determining the practice of surveillance in any given state, this study is designed to place limits on the capacity for surveillance, as well as to examine the costs and risks associated with various types of surveillance and the possible mechanisms for avoiding surveillance. Ultimately, by answering "how" Internet surveillance is most likely conducted, and by understanding the legal restrictions and political situation in various states, we hope to be able to narrow down the possibilities.
Coupled with rare but extant evidence of actual surveillance, we intend to map out both the possibilities and the known practices of various nations worldwide. Measuring the frequency of surveillance may not be possible at the moment, but simply to say that a given nation is known to employ one type of surveillance, is capable of employing another, but is not capable of employing a third, is (we hope) a valuable contribution, especially to democratic and political activists and others deeply concerned with the privacy of their communications over the Internet.