The backlash in the UK and Europe against US electronic mass spying is set to have a significant impact on security professionals and their organisations.
The crisis over the Prism mass surveillance programme, first revealed by whistleblower Edward Snowden in June, reached a new peak last week with the revelation that the US National Security Agency (NSA) bugged the mobile phone of German Chancellor Angela Merkel and more than 35 other world leaders, including those of Brazil and Mexico, as well as millions of French and Spanish citizens. It forced the White House to accept this week that “there needs to be additional constraints on how we gather and use intelligence”.
But the climbdown has come too late to prevent the dispute impacting on security pros, with much tougher pan-European data protection laws being introduced next year, as well as moves by European MEPs to tighten up the transfer of bank data to the US.
The draft privacy laws were significantly beefed up last week by the key pro-privacy European Parliament Civil Liberties Committee, with maximum fines for companies that break the law – by failing to report a data breach or misusing employee personal data – raised from €1 million or 2 per cent of global turnover, to €100 million or 5 per cent of turnover.
The admin burden on companies will also increase when the laws come in, with the ‘right to erasure’ meaning firms have to wipe out any personal data they hold, if the person concerned requests it, and have to forward the request to all other businesses holding the same data.
Meanwhile, the European Parliament last week called for the EU-US bank data sharing deal to be suspended in response to NSA snooping. Their resolution, which now goes before the full European Commission, says any data-sharing agreement with the US must be based on a consistent legal data protection framework.
The pro-privacy lobby in Europe has been strengthened significantly by the continuing stream of allegations of electronic eavesdropping by the NSA and also British intelligence agency GCHQ.
This week, a nine-person delegation from the Civil Liberties Committee, led by British MEP Claude Moraes, is in Washington seeking first-hand answers from the US intelligence services and other agencies about the reported privacy violations. They are also investigating the alleged tapping of Belgian telecoms firm Belgacom by GCHQ.
Moraes has tweeted: “Boundaries must be set for NSA surveillance of the private data of millions of Europeans.”
And commentators believe the Committee's rule changes will hold sway when the new data protection laws are agreed by the full European Parliament. That is predicted to happen next year, despite an attempt by UK Prime Minister David Cameron at last week's EU Summit to insist on ‘not before 2015’.
The Civil Liberties Committee has been holding an inquiry in recent months into the Prism allegations and has heard from UK and US whistleblowers – who were given an unprecedented ovation when they appeared at the 30 September hearing.
Meanwhile, the US and UK authorities probably did not help their cause when GCHQ director Sir Iain Lobban and NSA director General Keith Alexander both declined to appear before the Committee. GCHQ, along with MI6 and MI5, had been opposing making intelligence gathered from intercepts admissible in court, so as to avoid its surveillance powers becoming a subject of ‘damaging’ public debate. The “scale of interception and retention required would be fairly likely to be challenged on Article 8 (Right to Privacy) grounds,” according to a leaked GCHQ briefing reported by the Guardian. For the same reason it did not want its work with the UK telecoms companies revealed, while they in turn feared damage to their international reputations for “going beyond what they were required to do by UK law,” according to the same document.
The UK is strongly implicated in the NSA's activities in Europe through the Tempora programme, which uses UK and overseas-based taps, while RAF Menwith Hill in Yorkshire, which provides communications and intelligence support services to the UK and the US, is the NSA's key eavesdropping hub in Europe, and most of the staff there are US employees of the NSA. NSA whistleblower J Kirk Wiebe suggests in the Mail newspaper that Menwith is where Merkel's calls were intercepted, and by implication, potentially those of other European politicians too.
In the wake of revelations that GCHQ had attacked Belgian telco Belgacom, one commentator suggested that the only protection against NSA and GCHQ intrusion is membership of the Five Eyes, an English-speaking grouping of the US, UK, Canada, Australia and New Zealand, which shares signals intelligence. It is not clear if Germany or France may seek to join the Five Eyes, or agree a similar ‘no-spying’ deal, but it is unlikely any true secret intelligence cooperation could extend to the 28 EU member states and still contain secrets.