Kenneth Roth, who leads Human Rights Watch, makes the case:
Existing legal frameworks [regarding privacy] were devised in an analogue age, when cross-border communication was rare and online communication and social media were unheard of. In that pre-internet age, surveillance techniques were labor-intensive and time-consuming, which helped to constrain arbitrary and abusive practices. The law has to catch up.
A good place to start would be a set of principles unveiled in September by a coalition of non-governmental groups and technology experts aimed at keeping communications surveillance lawful, necessary, proportionate, and subject to adequate safeguards against abuse. It’s time for governments to come clean about their practices, and not wait for the newest revelations. All should acknowledge a global obligation to protect everyone’s privacy, clarify the limits on their own surveillance practices (including surveillance of people outside their own borders), and ensure they don’t trade mass surveillance data to evade their own obligations.
Benjamin Wittes is unconvinced:
Roth says that “Western allies should agree that mass, rather than narrowly targeted, surveillance is never a normal or proportionate measure in a democracy.”
The implication is that the legal obligation to privacy involves proportionality and also that the US’s privacy obligation to citizens of democratic countries differs somehow from its obligation to citizens of non-democratic countries. As a preliminary matter, I’m not sure why that latter point should be the case. It seems a bit unfair to the poor Iranians to say that it’s okay for the US to collect in bulk on them just because their own government behaves tyrannically. Talk about adding insult to injury!
More fundamentally, the distinction between mass surveillance and targeted surveillance seems to me inherently unstable. We actually do forms of “mass surveillance” all the time—including of our own citizens domestically: traffic enforcement cameras, airport security screening, anthrax testing of physical mail, to name only a few examples. None of these are narrowly targeted at people suspected of doing something wrong. They sweep in everyone who engages certain systems. What’s more, the whole idea of foreign intelligence collection is to gobble large volumes of material and then try to make sense of it. SIGINT is only one example of this.
What about satellite and drone surveillance of wide areas for long periods of time? Does that not also presumptively violate people’s international human right of privacy to the extent it is not targeted at individuals? What about requirements that banks report transactions over a certain size?
David Cole joins the debate:
I confess that working out the proper contours of a right of privacy on a global scale would be challenging. It’s hard enough to get the Democrats and Republicans in Washington to come to consensus these days, much less China, Russia, the US, Germany, and Venezuela. But that challenge is faced by all international rights norms. It doesn’t mean that they are inconceivable, or not worth working toward. …
In the Foreign Intelligence Surveillance Act, for example, we require the FBI to make individualized showings that a target is an agent of a foreign power before authorizing wiretaps and physical searches – as long as the target is here in the United States. Why couldn’t such a requirement apply to targets abroad?
I confess I’m left very much where I started: With no idea, either procedurally or substantively, what it would mean to respect the privacy rights of everyone in the world while conducting espionage—except, perhaps, to not “intrude” on anybody. So while I don’t doubt that it is possible to imagine a worldwide privacy right that extends beyond borders, I still don’t think Cole has done so, beyond telling us that maybe such a right looks like FISA and maybe it doesn’t.
Cole has the final word:
I have merely been arguing that we need to rethink our untested assumption that the only privacy rights worth caring about are our own. The point of my post was to refute Wittes’s contention that such a transnational right to privacy was literally unimaginable. I pointed to the Foreign Intelligence Surveillance Act, which defines a right to privacy for US citizens and some foreign citizens – those residing here permanently — not as the only possible solution, but merely as an example demonstrating that it’s not impossible to both respect privacy rights and authorize intrusions on privacy for legitimate intelligence gathering purposes.