Transcript of Snowden's testimony to Council of Europe
[This segment mine, the beginning of Snowden's opening remarks]
CHAIR: Good afternoon ladies and gentlemen, colleagues. I'd like to call this meeting to order so could everybody please take a seat? Okay, so the first item on our agenda is a hearing on mass surveillance and a report prepared by Mr Peter Omtzigt. We're joined here for this hearing by Mr Hansjörg Geiger, former head of the Bundesnachtrichtendienst and state secretary… actually we're not joined by Mr Geiger yet.
SCHIRMER: [unclear] He's just gone to look for something.
CHAIR: Okay, while we're waiting for him, I'd like to introduce Mr Douwe Korff, professor of international law at London Metropolitan University and we have
SCHIRMER: Mr Geiger [unclear] he was here before [unclear]
CHAIR: Mr Geiger, thank you. And we're joined on video link from Moscow by Mr Edward Snowden. Mr Snowden, can you hear us?
SNOWDEN: I can hear you. Can you hear me?
CHAIR: Yes. Thank you very much. Thank you.
Because we have a video link I would ask all participants to speak quite slowly, particularly when asking questions or expecting a response, because of a time – a possible time lapse in video link. Is that clear?
Okay, I'd like to call upon Mr Peter Omtzig, the rapporteur on mass surveillance to introduce his report on the topic of the hearing.
OMTZIGT: Thank you. Dear colleagues, and dear guests, I'm very pleased that we can have this hearing today. Its purpose is to provide some input for report on the Committee for Legal Affairs, which will be presented late this year to the assembly, on the topic of mass surveillance, and the second report on whistleblowing. For those interested in some details of the background of this hearing my introduction my introductory memorandum is available on the Committee's website. Our discussion was triggered by the courageous action of Mr Edward Snowden who blew the whistle on practices by the NSA that have been hidden from any public scrutiny for many years.
We now have the pleasure and the honor to have Mr Snowden among us, albeit only with the video link. Much to my regret he could not come to Strasbourg in person, because we were unable to arrange safe passage with the competant authorities. As you know, Edward Snowden faces serial criminal charges in the United States because of the revelations, and is therefore accompanied by his attorneys.
They will listen to the question the committee members will be invited to ask after the three expert statements have been made. In case questions will be asked that are not related to mass surveillance or that might increase the danger of criminal prosecution for Mr Snowden, his attorneys will have to advise him not to answer this type of questions.
Mr Snowden has also asked me to let you know from the outset, that the cannot reveal new information, but comment on that already published by the media from his perspective as an expert witness.
Our second speaker will be Hansjörg Geiger, former head of German BND, that's the German secret service. He will contribute to our debate from the perspective of intelligence professionals. He has a strong reputation of respect for fundamental rights and the rule of law and will argue that such principles need not prevent intelligence services from fulfilling their legitimate task.
Our third speaker, on the right, is my compatriot professor Mr Douwe Korff, he will look at the debate on surveillance from the legal respective. As it benefits our committee his main focus will be the European Convention on Human rights.
Regrettably the US authorities, who have also been invited to be represented at this podium have politely declined to attend. My thanks go in advance to the interpreters who are doing a challenging job in these circumstances. I'll give the floor to Mr Snowden.
SNOWDEN: I'd like to thank the committee for this invitation to testify. I also regret not being able to attend at Strassbourg directly I wasn't able to attend due to travel. Before I begin the prepared remarks I have to open with a short disclaimer. With the greatest respect I reserve the right to decline any question for which providing an answer would prove contrary to the public interest or to the national security of the state. I caution you that some of my comments appear more general than one might expect due to my technical experience and direct personal experience with many of these programs. I apologize in advance for the lack of precision, and ask that you bear in mind – and ask that you bear in mind that particular general answers may be the product of principle or circumstance rather than lack of specific knowledge.
I'm proud of the fact that despite the dramatic protestations of the Intelligence chiefs. No evidence has ever been shown by any government that the revelations of the last year caused any specific harm, and the guiding principle of my participation in today's testimony is to ensure this unbroken record of serving the public interest while minimizing any potential harms continues without interruption. I also note that any facts raised in today's testimony have been independently determined – by journalists to serve a vital public interest.
Beyond that, I remind the committee that even where there exists a compelling interest for making a particular disclosure, I may not be able to apply additional detail. Due to failures in whistleblowing legislation in the United States, there are no legal channels available for individuals such as myself who are employed as contractors, rather than direct federal employees, to safely testify in front of legislative committees. As such, I ask for your understanding that despite the executive policy changes, legal reforms, and court decisions to improve the rights of others that have occurred as a result of my disclosures, I remain in a position of significant legal jeopardy.
I believe last year showed that an expectation of persecution for political speech in the context of national security whistleblowing is not unreasonable. And although it goes without saying that at this point, I would like to clarify that I have no intention of harming the United States government or straining bilateral ties between any nations. My motivation is to improve government, not to bring it down.
I'd like to request that my previous testimony to the EU parliament be entered into the record, so that rather than exhaustively covering previous statements, we can use this time instead to discuss programs less well understood by the public, or perhaps that have been misinterpreted by journalists – as well as to address a few novel questions of particular significance that I've received from this committee, to briefly summarize my testimony to the EU parliament and establish the following points that we will likely touch on today.
Beginning and going forward from here, that the US government confirmed, in at least three independent determinations in the last six months, that the kind of dragnet mass surveillance we discussed today is ineffective in preventing terrorism. The government also asserted, at least twice that such programs appear to have no basis in law. That Western involvement in mass surveillance has set a dangerous precedent – encouraging and potentially legitimizing the activities of authoritarian governments that desire to construct similar systems.
CHAIR: Mr Snowden, could I just ask you to slow down? As the video link is a little difficult and our interpreters are having some difficulties. So if you could just speak more slowly, I would appreciate it.
SNOWDEN: Absolutely, [chuckle] I uh, I have too much in my statement. Shall I repeat that or continue from here?
CHAIR: If you could continue from here, but just more slowly. Thank you.
SNOWDEN: Thank you.
The US National Security Agency has a directorate that has worked to intentionally subvert the privacy laws and constitutional protections of EU member states against mass surveillance. That the body of public evidence indicates mass surveillance results in societies that are not only less liberal, but less safe. That the NSA shares mass surveillance technologies with some EU member states as well as access to its own mass surveillance systems. That reports of intelligence agencies using mass surveillance capabilities to monitor peaceful groups unrelated to any terrorist threat or national security purpose, such as the United Nations Children's Fund or spying on American lawyers negotiating trade deals, are in fact accurate.
That the secret court in the United States, that oversees mass surveillance programs, is best described as a rubber stamp court. This court has rejected only eleven of approximately 34,000 requests made by the government over a period of 33 years. It hears arguments only from the government, and its judges are appointed by a single individual, without the benefit of any outside confirmation or review. I add that this secret court was only intended to issue individual and routine warrants for surveillance, not to decide legal issues of global importance, or to authorize general untargeted warrants for, for instance, the clandestine wiretapping of anyone in Germany, as was recently revealed.
That the UK electronic surveillance service, GCHQ collected on a massive scale, images from webcameras, often within bedrooms in private homes, without any individualized suspicion of wrongdoing. This activity continued, even after the GCHQ became aware that the vast majority had no intelligence at all, and roughly 10% of all images, upon auditing, were discovered to be intensely private, depicting some form of nudity or other private intimacy. That the NSA had intentionally sought to collect similarly explicit sexual material regarding religious conservatives whose political views it disfavored and considered radical, for the purpose of exposing it to damage their reputations in order to discredit them within their communities. This is an unprecedented form of political interference that I don't believe has been seen elsewhere in western governments.
That no legal means currently exist to challenge such activities or to seek remedies for such abuses. That mass surveillance is used by the NSA, as well as partners and adversaries for the purposes of economic espionage. NSA had unlawfully compromised the world's major financial transaction facilitators to include SWIFT, and VISA, and in their reports they explicitly noted that such information provided, quote “rich personal information,” including data that “is not about our targets.”
That governments caught engaging in mass surveillance have in the last months attempted to …. have stopped attempting to justify the programs being related to national security and have instead shifted to a far looser restriction of “valid foreign intelligence purposes”. This is particularly problematic for human rights, because any government can justify almost any privacy violation on that basis and it reflects some governments are willing today to see a hard-won moral high ground, rather than implement surveillance reforms.
That I believe the international community should agree to new common standards of behavior, perhaps a convention on the prevention of mass surveillance, as well as the adoption of common technical [inaudible] mandating the use of secure-by-default protocols for the transmission of data, if they are to have any hope of protecting citizens' communications against unlawful surveillance.
That strong, pervasive encryption provides a robust defense against mass surveillance, but does not preclude governments from gaining access to the communications of specificity targeted individuals for the purposes of lawful and justified investigations.
Now I'd like to move on to the questions provided by the committee – my responses to them.
The question was: “to your knowledge does the NSA, or the NSA, or GCHQ or other signals intelligence services engage in sophisticated data-mining analyses of the data captured by the programs that I have exposed? Do they use sophisticated algorithms of the kind widely used in commercial data-mining, to seek out further people of interest?” To answer: yes algorithms are used to determine unknown persons of interests who are not actually suspected of any wrongdoing. This question is a good example of something that journalists and previous inquiries, working independently from public documents – nearly public documents – have had trouble properly interpreting. Some reporting on this issue has already occurred, but due to my inability to participate in the reporting at that time, these groups were unable to achieve complete understanding of the full meaning of these documents.
For example, [The following segment by Marcy Wheeler (@emptywheel): beginning time index 11:16 (NB: 14:34 in full video), some minor edits mine.] it has been reported that the NSA’s XKeyscore framework for interacting with the raw signals intercepted by mass surveillance programs allow for the creation of something that is called “fingerprints.”
I’d like to explain what that really means. The answer will be somewhat technical for a parliamentary setting, but these fingerprints can be used to construct a kind of unique signature for any individual or group’s communications which are often comprised of a collection of “selectors” such as email addresses, phone numbers, or user names.
This allows State Security Bureaus to instantly identify the movements and activities of you, your computers, or other devices, your personal Internet accounts, or even keywords or other uncommon strings that indicate an individual or group, out of all the communications they intercept in the world are associated with that particular communication. Much like a fingerprint that you would leave on, you know, a handle on your door or your steering wheel for your car and so on.
However, though that has been reported, that is the smallest part of the NSA’s fingerprinting capability. You must first understand that any kind of Internet traffic that passes before these mass surveillance sensors can be analyzed in a protocol-agnostic manner — metadata and content, both. And it can be today, right now, searched not only with very little effort, via a complex regular expression, which is a type of shorthand programming. But also via any algorithm an analyst can implement in popular high level programming languages. Now, this is very common for technicians. It not a significant work load, it’s quite easy.
This provides a capability for analysts to do things like associate unique identifiers assigned to untargeted individuals via unencrypted commercial advertising networks through cookies or other trackers — common tracking means used by businesses everyday on the Internet — with personal details, such as individuals’ precise identity, personal identity, their geographic location, their political affiliations, their place of work, their computer operating system and other technical details, their sexual orientation, their personal interests, and so on and so forth. There are very few practical limitations to the kind of analysis that can be technically performed in this manner, short of the actual imagination of the analysts themselves.
And this kind of complex analysis is in fact performed today using these systems. I can say, with authority, that the US government’s claim that “keyword filters,” searches, or “about” analysis, had not been performed by its intelligence agencies are, in fact, false. I know this because I have personally executed such searches with the explicit authorization of US government officials. And I can personally attest that these kind of searches may scrutinize the communications of both American and European Union citizens without the involvement of any judicial warrants or other prior legal review.
What this means in non-technical terms, more generally, is that I, an analyst working at NSA, or, more concerningly, an analyst working for a more authoritarian government elsewhere, can without the issue of any warrant, create an algorithm that for any given time period, with or without human involvement, sets aside the communications of not only targeted individuals, but even a class of individual, and that just indications of an activity — or even just indications of an activity that I as the analyst don’t approve of — something that I consider to be nefarious, or to indicate nefarious thoughts, or pre-criminal activity, even if there’s no evidence or indication that’s in fact what’s happening. that it’s not innocent behavior. The nature of the mass surveillance — of these mass surveillance technologies — create a de facto policy of assigning guilt by association rather than on the basis of specific investigations based on reasonable suspicion.
Specifically, mass surveillance systems like XKeyscore provide organizations such as the NSA with the technical ability to trivially track entire populations of individuals who share any trait that is discoverable from unencrypted communications. For example, these include religious beliefs, political affiliations, sexual orientations, contact with a disfavored individual or group, history of donating to specific or general causes, interactions of transactions with certain private businesses, or even private gun ownership. It is a trivial task, for example, to generate lists of home addresses for people matching the target criteria. Or to collect their phone numbers, to discover their friends, or even to analyze the nature and proximity and location of their social connections by automating the detection of factors such as who they share pictures of their children with, which is capable of machine analysis.
I would hope that this goes without saying, but let me be clear that the NSA is not engaged in any sort of nightmare scenarios, such as actively compiling lists of homosexual individuals to round them up and send them into camps, or anything of that sort. However, they still deeply implicate our human rights. We have to recognize that the infrastructure for such activities has been built, and is within reach of not just the United States and its allies, but any country today. And that includes even private organizations that are not associated with governments.
Accordingly, we have an obligation to develop international standards, to protect against the routine and substantial abuse of this technology, abuses that are ongoing today. I urge the committee in the strongest terms to bear in mind that this is not just a problem for the United States, or the European Union, but that this is in fact a global, “global problem”, not an isolated issue of Europe versus the Five Eyes or any other country. These technical capabilities don’t merely exist, they’re already in place and actively being used without the issue of any judicial warrant. I state that these capabilities are not yet being used to create lists of all the Christians in Egypt, but let’s talk about what they are used for, at least in a general sense, based on actual real world cases that I can assert are in fact true.
Fingerprints — for example, the kind used of XKeyscore — have been used — I have specific knowledge that they have been used — to track and intercept the co.., to track, intercept, and monitor the travels of innocent citizens, who are not suspected of anything worse than booking a flight. This was done, in Europe, against EU citizens but it is of course not limited to that geographic region, nor that population. Fingerprints have also been used to monitor untold masses of people whose communications transit the entire country of Switzerland over specific routes. They’re used to identify people — Fingerprints are used to identify people who have had the bad luck to follow the wrong link on an Internet site, on an Internet forum, or even to download the wrong file. They’ve been used to identify people who simply visit an Internet sex forum. They’ve also been used to monitor French citizens who have never done anything wrong other than logging into a network that’s suspected of activity that’s associated with a behavior that the National Security Agency does not approve of.
This mass surveillance network, constructed by the NSA, which, as I point out, is an agency of the US military Department of Defense, not a civilian agency, and is also enabled by agreements with countries such as the United Kingdom, Australia, and even Germany, is not restricted to being used strictly for national security purposes, for the prevention of terrorism, or even for foreign intelligence more broadly.
XKeyscore is today secretly being used for law enforcement purposes, for the detection of even non-violent offenses, and that this practice has never been declared to any defendant or to any open court.
We need to be clear with our language. These practices are abusive. This is clearly a disproportionate use of an extraordinarily invasive authority, an extraordinarily invasive means of investigation, taken against entire populations, rather than the traditional investigative standard of using the least intrusive means or investigating specifically named targets, individuals, or groups. The screening of trillions — and I mean that literally, trillions — of private communications for the vaguest indications of association or some other nebulous pre-criminal activity is a violation of the human right to be free from unwarranted interference, to be secure in our communications and our private affairs, and it must be addressed. These activities — routine, I point out, unexceptional activities that happen every day — are only a tiny portion of what the Five Eyes are secretly doing behind closed doors, without the review, consent, or approval of any public body. This technology represents the most significant — what I would consider the most significant new threat to civil rights in modern times.
[the following segment by Daily Kos contributor "bobswern" Starting 25:34]
The committee should consider what truly bad actors will use these same capabilities for if we allow them to go unchecked. And, how we will develop enduring norms and technical standards to safeguard against such abuses wherever they will occur.
[the following segment mine: time index 25:53]
The next question: to my knowledge, have the NSA or GCHQ used these surveillance powers, and similar capabilities to spy upon highly sensitive and confidential communications of major human rights organizations, such as, but not limited to Amnesty International and Human Rights watch and/or smaller well-known regional or national non-government organizations?
The answer is, without question, yes, absolutely literally. The NSA has in fact specifically targeted the communications of either leaders, or staff members in a number of purely civil or human rights organizations of the kind described in the question, including domestically, within the borders of the United States.
Another matter of similar concern is the practice of what the US Drug Enforcement Agency now calls “Parallel Construction” this is a technique whereby secret intelligence information in unlawfully used for law enforcement purposes. It is then concealed from courts, to include the courts of our European partners, depriving the accused of their right to challenge the legality of the initial surveillance. I will add that the initial intelligence information in such cases has often been gathered without the issue of any judicial warrant, as previously noted. This unlawful use of such secret evidence, whose existence or provenance has been concealed from both the defendant and the court itself represents a serious threat to both the right to a fair trial and the right to face one's accusers.
Given the growing global awareness of these intelligence practices, which we should recall, have been declared by the United States government itself to have no statutory basis in law. I would encourage the committee to take immediate steps to address those concerns. The failure of a state, to insure binding assurances, that intelligence information received from, of provided to, any foreign partner may not be used in such manners that could make them party to human rights violations carried out by trusted partners.
To continue, I'd like to point out what I consider to be the likely response to any political inaction by elected representatives on those issues and what I consider the future [transponding friction?] the likely response to inaction and the impact it will have on civil society. If a political solution to the problem of mass surveillance is not reached on an immediate basis, technical solutions are likely to be imposed by the international research and engineering communities. Should governments wish to retain the capability to easily monitor Internet communications, they must act with immediacy to address the problem of mass surveillance. It is critical that policy makers recognize that the laws of parliaments are necessarily subordinate to the physical laws of the universe itself, and if issues of liberty and human rights in the digital sphere are left to technologists to address, rather than elected bodies, governments are very likely to irrevocably lose some portion of their authority to interfere with the communications of legitimate targets.
To illustrate, I would want to state with respect, I'd like to correct the record on a point of the committee's introductory memorandum regarding the strength of encryption used today. Contrary to a point asserted in that memo, there are in fact today encryption schemes that not susceptible to any realistic brute-force attacks, on any time-scale, and I can confirm that this remains true even at the forefront of the classified state of the world. Properly implemented modern encryption algorithms backed by truly random keys, of significant length can require the application of more energy to cryptanalyze, or basically to derive the solution to and decrypt, than exists in the known universe. For example, if today we dedicated every supercomputer, every desktop computer, every smartphone on the planet to brute-forcing a single 256 bit keyspace of this type, our Sun, that's the Sun in our solar system, would literally stop burning, and we'll all be sitting around in the dark, before we actually solved the problem and had enumerated all the possibilities in that mathematical space. To quote Bruce Schneier, who I'll point out is one of the world's foremost cryptographers, who actually wrote the book on applied cryptography: “we cannot even imagine a world in where a 256 bit brute-force search is possible. It requires some fundamental breakthroughs in our physics and our understanding of the universe.”
The 256 bit keys that he discusses are incredibly common today, anyone in this room can learn how to encrypt everything on their computer, on their hard drive, with this sort of functionally unbreakable code (in the academic sense the word) within the space of a single weekend, not even an intel...– no intelligence agency anywhere in the world, working for ten years on this single program – single problem, can break such codes. However, law-enforcement agencies need not despair and be concerned that this will stop their work, as there are many other well-known ways around even such perfect (in the theoretical sense) encryption. Weaknesses in the specific implementation, of encryption's, in such encryption programs and libraries are common. In fact we just saw one today that could affect two-thirds of all traffic on the Internet.
Beyond that, there are also methods around even robust encryption programs that have no known direct vulnerabilities. These methods, called “side-channel attacks” can allow actors such as government agencies, police bodies, and so on to steal the keys necessary to decrypt certain communications, and complete their investigation without actually having to decrypt those communications by confronting the mathematical strength of the algorithms themselves.
These techniques can be analogized to investigators installing a hidden camera to record a suspect dialing the correct combination to his or her safe where they hide documents, or evidence, or what have you, without having the government actually crack the safe with drills and saws or the sheer guesswork of having to dial every punch combination. This distinction is of critical policy importance, because it is these kind of side-channel attacks that can only be applied successfully in a targeted, on a targeted individualized basis. But if the same techniques are used in the technical context of untargeted mass surveillance that's not premised on specific individuals, specific targets, and justified investigations, these attacks can be rapidly be detected, remediated and protected against by the community of security researchers in the academic community worldwide.
In the event that the political institutions of the international community fail to address today's surveillance abuses, this scenario, that of pervasive encryption that has to be countered by investigators in the case-to-case application of side-channel attacks, is, I believe, the most likely response of the technical, academic, and business communities to the intelligence operations of today. I do not believe that this is necessarily something that policy makers should be afraid, or reluctant to support. As even with real comprehensive surveillance reforms, we cannot trust legal protections enshrined in the laws of the developed world to be respected and enforced elsewhere. That can only be achieved by enforcing those laws through common interoperable technical standards, that are backed by our international institutions, the most cost-effective means to guard against this kind of systemic violation of community secure – of communications securities, the kind that we see in less liberal regions of the world today, seems to me to be pervasive encryption.
In summary, the issues that we are facing today are complex. There are a number of unanswered legal questions that have to be answered not just by intelligence agencies, who I do believe have necessary work, but by the public bodies and our elected representatives. It's very important to us, that we as a society determine the appropriate balance between the desire of intelligence agencies to perform the most efficient work possible, and to try new techniques that have never been proven and that now we see actually are. There's a growing body of evidence that they offer no real value, such as mass surveillance, and compare those against the traditional restrained means that we face.
Personally, I believe that human rights are best protected, and constitutional prohibited – prohibitions should be placed against the use of mass surveillance, and that favor the use of individual targeted surveillance. Individual targeted surveillance should be shown time after time, even in today's complex environment, even against specific hard targets, whether they're in North Korea, whether they're terrorists, whether they're sophisticated cyber-actors or anyone else to be effective.
[the following segment by Daily Kos contributor "bobswern" Starting 36:20]
Our human rights can only be protected if we insure that our laws have a clear meaning, and the meaning of the words within those laws cannot be secretly interpretated – interpreted – by any legal body or intelligence agency without the public’s knowledge and consent.
That’s the end of my comments.
[This section mine: time index 36:37]
CHAIR: thank you very much Mr Snowden, and today's meeting comes at a particularity topical time as this morning the European courts have just struck down the data protection directive. Finding that it entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data. I suppose that as an Irish citizen, and that case arose out of an Irish reference, and the Irish application of the directive, I'd be particularly interested if either of the other two remaining experts who will speak will have any reflections, albeit preliminary reflections on the CJ judgment. I'd like to now call upon Mr Hansjörg Geiger to speak. Thank you.
GEIGER (voice of English translator): [Geiger's testimony has many missing small segments in the video, phrases or sentences may be missing] Members of the parliament, ladies and gentlemen, first of all, I'm very grateful indeed for this opportunity to take part in this hearing with you this afternoon. I firmly believe that it it is precisely here before the Parliamentary Assembly of the Council of Europe, that we must critically engage with the subject of mass surveillance by the intelligence services from the perspective of safeguarding human rights and basic freedoms. And I do beg your forgiveness, if I do not refer to the very important Article 8 of the European Convention on Human Rights, but rather to the German Constitutional Court, which in actual fact, has laid down the basis for the decision taken today by the ECJ in Luxembourg. Because the Constitutional Court has derived a right to freely determine one's personal information from articles in the German Basic Law, the right to human dignity, whereby all individuals should freely determine what data about their person shall be made public and who, and when, those data shall be accessed by others.
And this right to self-determination is one, which in the view of the German Constitutional Court is incompatible with mass surveillance. We're talking about the mass analysis of data which is assembled to form a personality profile of an individual. And we've just heard from Mr Snowden that, that is not one of the goals of the mass surveillance that is carried out, namely assembling a comprehensive personality profile of an individual citizen, because if that is the case than individuals can no longer determine what information is known about them by others at any given time.
So one of their basic rights is infringed, namely this right in German law to freely determine their personality profile. Now of course we have Article 8 of the European Convention on Human Rights and other articles, which mean that we can draw the same legal conclusions, I would refer you here to Article 1 of the United Nations charter as well as the Universal Declaration of Human Rights.
Because if we interpret them correctly, it is abundantly clear that safeguarding of human rights in an era of mass communication has just been described to us by Mr Snowden, one indeed we've learned about in documents made available to us, is not compatible with those provisions. So to put it bluntly, if we have unfettered massive data surveillance by intelligence services then this is simply incompatible with safeguarding human rights.
Now, I cannot go into all the different facets of this issue, but there are of course issues pertaining to international law here. For example, what about the surveillance of allies, because that, of course, is against the spirit of international law. Against this backdrop, what can be done? I take the view that we need to take rapid action in order to try and to remedy these breaches of law, put an end to these unfettered activities carried out by intelligence services, at the very least to reduce them, and that is why we need to look to international agreements at the level of the United Nations or at the very least at the level of the Council of Europe, but they are, of course, going to take many years to come into fruition, now they should not be ruled out, and it should of course you should continue work on such international conventions.
But ladies and gentlemen, we need a rapid solution, one that can enter into force rapidly, and in a globalized world, national [missing segment] and do and that is why, I would submit that we need a code for intelligence services, and that would be the first step. Now the objective of any such intelligence services code would be to put an end to unfettered mass surveillance by intelligence services, and limits on surveillance, such limits being for purposes [unclear] strictly needed by the state. Now this means that we would be put in cooperation between western intelligence, at the very least, on completely new footing, and we would put an end to the surveillance of such states by one another, or at the very least keep it within legally acceptable confines.
Because, ladies and gentlemen, you know yourselves that these days intelligence services are the last bastions of state interference, and that is why they act accordingly on occasion. Because they are off limits, as it were, but it is important that intelligence services not work against one another and certainly NATO allies should not be carrying out surveillance of one another. Because the watchword really should be that allies do not spy on one another. Because that is simply unseemly.
That is why, ladies and gentlemen that the state of the European Union as well as NATO partners come up to put together an intelligence code that can be agreed amongst all of them. And that code ought to regulate exactly what is allowed and what is prohibited between allies and partners. And such a code would also stand as a signal that there was transparency, there was a guarantee for the citizens of those countries. Now any such code needs to be straightforward but I believe at the very leas that it should comprise of four simple rules.
First of all any form of mutual political, economic espionage must be prohibited absolutely. Secondly any intelligence activity on the territory of a another member state may only be carried out with that state's approval, and only take place within a statutory framework. And I will move in due course on to points 3 and 4, but before I do so I just want to say that global data flows as well as the opportunities that exist these days to analyze and store that data show people just what dangers lie ahead. Because they jeopardize our basic rights, and citizens therefor are threatened and no longer able to commune as [video drop out] international data flows, now regardless of where data is accessed, may only be accessed for the purpose of clearly defined purposes, for example preventing the proliferation of terrorism or preventing very serious criminal acts. And in no event may data be tracked analyzed or stored if it is data from a friendly state. Only targeted information may on an exceptional basis be allowed for specific individual cases. As part of this surveillance, any data that is stored, either data about individual citizens or economic data that is not needed for this clearly defined purpose must be deleted or destroyed.
Fourth rule: telecommunications and internet companies cannot be required or forced by intelligence services to allow them unfettered access to their massive databanks of personal data, and that would only be possible if there were a court order to do so. Now there would be a decisive advantage for citizens for all contracting states if we had such a code. Because that way data would not only be protected in their own country according to domestic law, but also be protected against any unfettered access by the intelligence services in all contracting states, and such an intelligence code would not jeopardize the security of contracting states. Because if there were a specific and real threat then the required steps could be taken by the state concerned, and it would be possible, then to ensure that the courts could monitor the use of data which was made available by telecommunications companies. We could also use the kinds of good governance codes that we already have for industry as a model. The kind that are set out the way in which companies should be governed. Because these codes of good governance for example, are well-known in many western countries. And this would be at the very least the first step, namely having an agreement between the states that would be affected. So this would be a non-statutory measure, and the advantage of this, doing it at the level of NATO [unclear] European Union would be that member states would be strengthened in their dealings with intelligence services when it came to negotiations.
Now participation in any kind of intelligence code would be completely voluntary, but if a country did not wish to subscribe to such a code of conduct, they would have to realize that they would be possibly accused of wrongful actions by their allies and friends, as has happened in the case of the transmission of passenger traffic data. Now each individual state has to of course control its own intelligence services. But there are other areas in which intelligence services escape national controls.
Now in future, we are going to continue to be reliant on whistleblowers, because in actual fact whistleblowers are a very useful means seeing to it that intelligence services do sure that they abided by any such intelligence code. But to summarize, ladies and gentlemen, the boundless surveillance and storage of data is not compatible with human rights, and that is why we need to try and limit this amongst the community of western values and any such intelligence services code will be an important and necessary first step.
Thank you very much.
CHAIR: Thank you very much, and I'd like to ask professor Korff to speak and thank him in advance for agreeing to summarize his presentation, so that we have time for Questions and discussion at the end. So thank you, professor.
D. KORFF: I'll be very quick indeed, because I believe it's more important that people can ask perhaps some questions of Edward Snowden. I just want to say how grateful I am for his intervention here, and he has confirmed the issues that we put before him, about the spying on human rights organizations, and in particular about the analyses. You have my paper in printed-out form, so you can just read my slides rather than me going through them. I want to point out three issues, and I think they've been confirmed, that we haven't looked at the surveillance exposures in full at all yet. We have looked mostly at the capturing of data through cable-splitters and deep-packet inspections and all the tools placed on the Internet cables. But I'm very pleased that today that Edward Snowden has confirmed that what is really threatening is the mass analysis of this data.
That I will try, if you can find this, um sorry, um this slide. This is the total picture that we still have to look at, we've only looked at the top left, with the interception of data from the the cables. What you must look at is the green bit in the middle. All the data is there, and all the analysis that are there. And the second thing that we haven't looked sufficiently is governments keep on saying that they're doing this to stop us from being attacked by terrorists. As Edward Snowden has again confirmed today, these surveillance capabilities are being used against perfectly innocent political activists, human rights workers, gays, all kind of out-groups in society all over the world. This is serious threat to global society.
And the final thing, I would very happily agree with Professor Geiger, we need to completely reexamine the national and international frameworks for the operation of the intelligence services. I completely endorse his call for an international codex, perhaps an international convention. The only qualification I would add is I think the Council of Europe is the appropriate organization for dealing with this, because unlike the European Union, the council of Europe is not restricted in areas related to national security.
I have a paper, that again you found summarizing the cases of the European Court of Human Rights, just behind you, which I think gives some guidance on what national security agencies should and should not be able to do. So let me leave it at that and call on you, to anybody that has some questions to please email me and I'll try and derive further answers.
I how we got Edward Snowden back? Yes, thank you.
CHAIR: We ought to leave an opportunity for you to answer some questions here rather than by email. Mr Díaz Tejera. Sorry um, excuse me, Mr Omtzigt would like to add a couple of points first then introduce...
Pierre OMTZIGT: Thank you very much, and let me thank you very much, Mr Korff for the brief presentation, and for Mr Geiger for the very clear presentation and for Mr Snowden for the new, extensive points on data-mining and fingerprinting and the specific targeting of human rights organization – ooh, very difficult, we can see as a threat – be seen as a threat – to state security. We still have about 15 minutes to ask some questions. So we'll try to group the questions from here from the MPs that are present in about 2 or 3 questions at a time. Who would like to ask the first questions? Can you first, before you ask the question tell who you are and where you're from? Since it's live broadcast. – Slow.
Díaz TEJERA: I will try.
Thank you, Thank you Chairman. Only very simple question. I think that all member of all kind of intelligence service know very well the law. My question is – why some people that are working on this – feel – has this new idea that – is necessary another law – a more law? For me is not necessary. Only is necessary to submit with this law – is not necessary another – because that everybody that are working on this intelligence service know very well our criminal code – and the process of code – is not necessary. Why to you think it is? Please.
[Transcriber note: the gist of this is “Why do you need a new law instead of enforcing existing laws?”]
OMTZIGT: Ok. Someone else has a question Mr Gaudi.
GAUDI: Hello my Name is Gaudi Tomasz from Hungarian delegation. I have a short comment and two questions if it's possible.
I think it's fairly hypocritic that we have English initiative has been launched to apply sanctions against Russia, because of Crimea, but you have UK's liability is clearly proven in the mass surveillance scandal, including David Miranda's affair [unclear] by Mr Snowden for whom Russia has provided asylum from the US, where he would have faced serious criminal consequences, maybe life imprisonment or death penalty. It's again a typical application of double standards which can be frequently be experienced here, not only in the Council of Europe, but in international organizations like the European Union. Let's break down this illegal custom and let us apply legal proscriptions defending personal da...
OMTZIGT: Mr Gaudin
GAUDI (crosstalk): One, one, one short sentence. Defending personal data...
OMTZIGT (crosstalk): I would like to ask you to...
OMTZIGT: Mr. Gaudi, I'll cut you off if..... I'd like you to ask a question. You have been taken away [unclear] in the last parliament session, I do not want that to happen again.
GAUDI: Just one one last line..
OMTZIGT. We have a debate on the Crimea tomorrow and Thursday in the plenary.
GAUDI. … Line. Sorry. So insist on bring all perpetrators to justice...
OMTZIGT: Mr Gaudi. if you have a question, could you please ask it?
GAUDI: My questions: so first, how would you describe European countries' involvement in the so-called NSA scandal? Second one is, in one of your first interviews, you said that you main fear that the whole story, all your revelations, would have no consequences. What do you think about the consequences so far?
OMTZIGT: Last one in this round. Mr Wadephul from Germany.
WADEPHUL (voice of translator): Yes thank you very much, I'm Wadephul from the German delegation. Now, Mr Snowden, you said that there are various agreements with Germany, amongst other countries, and that the exchange of data took place on that basis. Could you tell us a little bit about the nature about that data that was transferred to Germany by the NSA? Was it the kind of data you were talking about earlier, data that came about as a result of mass surveillance of citizens. Citizens who were not suspected of any kind of criminal activity?
My second question is as follows: you hinted that the British intelligence services have acted in a similar fashion to the NSA. Do you have any knowledge of other European services. Or the intelligence services of Russia or China may be acting in a similar fashion?
OMTZIGT: … Questions of Mr Díaz Tejera and Mr Gaudi..
SNOWDEN: (pregnant pause) I'm sorry, were you prepared for my answers?
OMTZIGT: Yes, please.
SNOWDEN: OK, let me go down the list. The first was why should we have new laws as opposed to respecting old laws? The key there is from the perspective of senior intelligence officials, from the perspective of the intelligence community. When new technologies are created, and they want to take advantage of them, what they do is they go back to old laws, and they've got, at least in the United States, they have literally hundreds of lawyers. More [unclear] lawyers than [unclear], roughly 125 lawyers for the National Security Agency, and they task these lawyers with creating new definitions of the meanings of the words in the old laws, to provide new authorities without asking the legislatures for them. Now, I think it would be great if we could get them to stop that, but in order to do that, we would have to pass specific legal prohibitions to prevent that. Until we do, this practice is common, it will continue. And as I've previously stated, the NSA actually encourages foreign partners, particularly EU member states to follow that practice, and use that sort of backdoor ability to interpret themselves into gaining new authorities without requesting the passage of specific laws.
The next question was how is – how would you describe Europe's involvement in mass surveillance? I'll tie that in with the question about other agencies outside of the US and EU and maybe Russia and China. The key I would say is that, almost all nations that have well-funded intelligence services, that have an excess of resources, are using these sort of authorities, are using these sort of capabilities, or if they do not have them yet, they're actively perusing them. Because it's not a well-regulated environment, there are no real rules or restrictions, there are no well-established international standards, because this hasn't been debated yet. This all happened in secret, without the public awareness, and that made it sort of fertile ground for them to experiment with new capabilities, new technologies, new desires, that have led into the situation we are in today. So yes, they are involved, and there is a very tight partnership between between the US, and other countries. And again it's – we shouldn't beat up the United States government specifically on this, they are the most capable actor, simply because they are the most well-funded actor.
The next was how to I feel about the progress we've made since the revelations, since these disclosures began? This is a very complicated question, obviously there's a lot of ground to cover, it's very difficult to achieve revolutionary change overnight, particularly on the topic of human rights, which the average person doesn’t get excited about, they don't necessarily get passionate about. But the key is we've made incredible progress, the legislatures and newspapers of almost every country in the world, every citizen who had not even heard of these capabilities is now talking about them, how they impact them, and deciding how they feel about it and the kind of world they want to live in in the future. And that was the specific intent, purpose, the motivation behind all disclosures. The fact that people are now aware of the world they currently live in, and they have the ability to affect the world they would live in in the future, by voting, voting in a more informed manner. I think is worth everything that's happened and all of the costs that I've incurred.
And the final question was the nature of the data exchange between the United States and Germany. I have to be careful on that, I'm going to have to refer to my lawyer, and maybe submit a written response later. Because I am at risk of legal jeopardy for anything I say there. But what has been reported, and what I can sort of generally comment on is that the exchange is deep and it is common. I can say from my personal experience the NSA has within its databases, within XKEYSCORE on a daily basis the communications of innocent German citizens who are unsuspected of any crime. German citizens, German websites, German businesses, German services – it's all in there, just as it is with every other country.
And the NSA and Germany do exchange data back and forth, they have a close partnership. That partnership is beneficial, and it's not a problem in a lot of contexts, but it should be subject to public oversight, and the necessary accountability of the law. The fact that this data is being collected, it's being intercepted, it's being analyzed, it's being stored without the consent of the public or their representatives is a serious concern, and it should be addressed. I hope that the parliamentary inquiry in Germany will specifically ask tough questions about the nature of this relationship and how it can be improved upon and made more accountable.
OMTZIGT: Then Mr Korff, do you have anything to add on the first question of [unclear]
KORFF: Yes, I have a very short answer to that, and I hope that I can ask a very brief question to Edward Snowden himself. On the question of law, the basic parameters are there, if you look at the case law of the European Court of Human Rights, there are basic principles that effectively say surveillance has to be targeted and proportionate. And what we've heard from Edward Snowden is that the complete opposite has occurred, and I do think we need to reestablish that and spell out in much more detail what exactly this means for national security agencies and I totally agree with Professor Geiger, that we need an international convention to support that and to clarify what intelligence agencies can do, how they cooperate, and how they should not spy one each other, especially not between friends.
Mr Snowden, I know you're a technical expert, and not a legal expert, but on a number of occasions you have said that the NSA is helping friendly countries effectively subvert their own laws, putting loopholes in existing laws, reading loopholes into existing laws. Can you say anything more about that, and can we expect more detail about that, and can you please, if you know anything about that, also mention the international treaties between the friendly parties?
SNOWDEN: My comment on that would be similar to the last one. I have to be really careful, I don't want to supersede the work of journalists, I want to make sure they have the full boundaries to make to make their own independent, public interest determinations in cooperation with their governments. What I can say, is that it's at this point established, and I believe admitted, at least in the United States on a number of occasions, that this sort of legal exchange program, almost sort of a legal advocacy, legal advisement campaign is very well funded, and it's common. It's seen as serving the national interests of the United States, and because of that, I expect it to continue. And there are reasonable, reasonable justifications for why this should occur. Now the manner in which it's occurring, which is where there's sort of this subversion, peeling back of established protections, of prohibitions on surveillance. I would agree that is a serious problem that needs to be addressed.
I would say it is very likely you will see more and very specific reporting about this sort of operation, and I don't believe it's a mystery, or it's going to surprise anyone who follows any national security. I know that journalists have agreed that this is in the public interest to reveal. That some of these countries specifically include Germany, Sweden and the Netherlands have been a target, and the UK has also been a, not just a target of it, but a willing participant in that sort of [unclear].
And that's the end of my time, thank you.
OMTZIGT: I just spoke to Mr Geiger, and he unfortunately doesn't have anything to add on the... Last question?
GEIGER: Mr Snowden,
OMTZIGT (crosstalk): Ah, he wanted to ask you a question.
GEIGER (voice of translator): Mr Snowden, I would be interested whether you and your colleagues were regularly informed on the legal limits of the activities of the NSA.
OMTZIGT: Floor to add another question to Mr Snowden.
CHAIR: Yes, thank you, one of the basis upon which the ECJ struck down the data protection directive, was it did not require the retention of data with – was that it did not require the retention of data within the EU and of course the courts could not ensure compliance with EU law by authorities outside of the EU. Given that fairly restrictive interpretation by the court, do you think that it will be possible for the wide-scale data sharing which is going on between EU member states and the US in particular to continue? Thank you.
SNOWDEN: The first question was I aware and I believe were the journalists aware of the legal limits on NSA surveillance? And yes, we are. The key is, the legal limits are actually extremely weak. There are policy limitations, there are regulatory limits that don't have any penalty for transgressing, they don't have any sort of remedy assigned to them, whether it's criminal, whether it's procedural for when those rules are broken, other than a good [unclear].
Because of the structural weakness in the constraints on the intelligence collection, it creates a situation where bad behavior is incentivized. Senior officials such as former NSA and CIA director Michael Hayden who … in the United states have said regularly that they are happy, they want to interpret every authority that they get in the most abusive, the most open manner possible. They want to get, sort of, “chalk on the cleats of their sporting shoes” as they called it. they want to be right on the boundaries of what's allowable. Because there's no penalty, because they gain tremendously. I think that's, that any lawmaker, any policymaker should keep that mindset at the forefront of their mind in their determination process when they're designing national security regulations. Because these individuals are always going to press for new borders, and they're always going to press to readapt the authorities that they've already been granted as time and technologies change.
The other question was data retention in light of the court ruling, how that would change. I haven't had a chance to review the court ruling, so I can't say with specificity. What I would say, is again that the National Security Agency, at least for itself has a pack, a team, a hoard of lawyers, where their purpose in life is to interpret decisions, interpret rulings, interpret laws and regulations in the most permissive way. Even if it requires the intentional abuse of language, to redefine word in a manner that the lawmakers, judges, and the policymakers did not intend.
On that basis, I think it's unlikely that we will see sweeping change. I do believe, at least in European states that we will change the manner they share, they will reevaluate their policies, and there will be a significant benefit from this. But until it's established in law with specificity, with a detailing of the intent of the policymakers, and strong language that cannot be misinterpreted, that cannot intentionally be misinterpreted, this issue won't end.
Beyond that, I would caution one more time that even if we have good government, even if we have perfect governance, perfect policies, and perfect regulations in the western liberal sphere, within the US, within the European Union, that those rules will not necessarily be respected overseas, until bodies, until regulatory authorities take strong steps to ensure that are standards are protecting our communications by default, regardless of whether any particular bad actor respects our laws or doesn't. Technology is the fallback for policy in this specific case.
CHAIR: Thank you very much Mr Snowden. I'd like to, if that's it, I'd like to behalf of the committee I'd like to thank Mr Snowden, Mr Geiger, and Professor Korff for coming here today and for sharing their views with us, and I'd just like to call upon Mr Omtzigt to wrap up this particular aspect of today's meeting. Thank you.
OMTZIGT: Also from my heart, thank you Professor Geiger, Professor Korff, and a special thanks to Mr Snowden, for joining us from Moscow. You've given an extensive description of the data mining, of the specific targeting of human rights organization, of the lack of judicial and political oversight, and the lack of binding assurances from the US on the data abuses. You've given a clear answer on the deep cooperation between the Germans and the NSA but also of the Dutch and the UK and the NSA. UK wasn't surprising. Thanks Professor Geiger for suggesting a codex for intelligence services and specifically stating that whistleblowing is an effective means of enforcing such a codex, we shall continue preparation – preparing our reports both on mass surveillance and whistleblowing. We would have liked to have had a second hearing this week, but due to the fact that there is an extensive debate on the Russian annexation of the Crimea – Mr Gaudi already entered on that, that takes away some time in this organization, because this is the organization in which both Russia and Ukraine are members discussions, do there are large discussions, we have to postpone that to June. We'd like to invite Mr Snowden to the second hearing in June, on the 24th of June, and all of you as well. In the meantime we hope to get a written reply to the last question you have, and also a written reply from the US government, who may have a few things to explain.
Thank you very much for coming.