Officials from the so-called “Five Eyes” group of English-speaking countries, which closely cooperate on surveillance and intelligence matters, are pushing to work even more closely not only with each other, but with major private sector players in the tech industry.
Following a conference late last month in Ottawa, official representatives of the countries involved — the United States, the United Kingdom, Canada, Australia and New Zealand — laid out their vision in a joint communique.
“Our five country partnership, founded after the Second World War and strengthened during the Cold War, is more relevant today than ever as we deal with the relentless threats of terrorism, violent extremism, cyber-attacks, and international instability, while retaining our deep commitment to the shared values of democracy, human rights and the rule of law,” it states.
The communique from the conference does not spell out which human rights, exactly, the Five Eyes value in common, yet at least one backer of their latest plans stressed their supposed concerns about the privacy rights of at least their own respective citizens.
“As recent debates over warrantless surveillance in the U.S. have demonstrated, public suspicion of government overreach creates a political environment in which it can be difficult for intelligence agencies to justify their activities,” notes Chuck Alsup, president of the group Intelligence and National Security Alliance, in a recent editorial discussing the Ottawa conference. “Thus, critically, the Five Eyes ministers’ communique ‘affirmed that building public trust within our countries is required to move forward on national security issues. Enhanced safeguards and greater efforts to promote transparency are critical in this respect.’”
Alsup also writes that “to maintain public support for robust intelligence collection in democratic political systems, each of the Five Eyes governments must strengthen and clarify the legal frameworks that govern intelligence activities and address growing privacy concerns among the citizenry of all five nations.” He goes on to write at greater length on the topic of privacy.
“In addition to discussing how to collaborate on shared threats, the ministers explicitly acknowledged that their efforts — most notably their engagement with communications firms — must respect their citizens’ privacy rights,” Alsup writes. “Privacy and civil liberties protections differ in each of the five countries. The changing nature of communications via the Internet and the proliferation of social media for both innocent and nefarious purposes has tested the limits of our understanding of a right to privacy in an increasingly connected world. The sharing of such information between countries when their interpretations of privacy differ presents complex challenges.”
Indeed it does. Interestingly, however, despite Alsup’s focus on the subject, the official communique from the conference makes no mention whatsoever of “privacy.”
Instead, it discusses how the Five Eyes are “committed to explore more timely and detailed information sharing on the detection of terrorist and foreign terrorist fighter movements, and to explore possibilities to further improve criminal information sharing practices,” and “engaging with Communication Service Providers to address online terrorist activities and propaganda,” among other initiatives.
In mentioning that the Five Eyes would look to work more closely with Communication Service Providers, the communique adds that the five nations will “support a new industry forum led by Google, Facebook, Microsoft and Twitter.”
The mention of “more timely and detailed information sharing,” meanwhile, could in practice amount to Five Eyes countries sharing intelligence with other member countries without reviewing it first, Alsup’s article seems to suggest.
“To release raw intelligence to foreign countries — even to close allies — reports must be reviewed by the agency collecting it,” he writes. “But actionable information must be shared in real-time to enable effective military or police responses, and such reviews could delay dissemination of intercepted phone calls, emails, and internet chats that expose terrorist plots or the movement of fighters and weapons as they unfold.”
It is not entirely clear what the Five Eyes countries mean by their newly announced commitment “to develop our engagement with communications and technology companies to explore shared solutions while upholding cybersecurity and individual rights and freedoms.” As the Globe and Mail noted, “the Five Eyes did not expand on what it means by ‘engagement’ and what possible shared solutions would be.” The same goes for the terms “upholding cybersecurity” and “individual rights and freedoms.”
Yet a lack of public clarity on the details of the relationship between the biggest U.S. tech companies and the intelligence community is nothing new.
With the exception of Twitter, for example, all of the companies leading the industry forum that the Five Eyes has announced its support for were exposed in 2013 as having cooperated with the National Security Agency on a surveillance program called Prism. At the time, Google, Facebook and Microsoft all denied knowing about the program, yet an NSA lawyer later disputed this.
Further complicating matters, after an ISIS-inspired shooting in San Bernardino, California, in 2015, Apple — which claimed to have “never heard of” Prism, despite its inclusion in NSA documents on the program — very publicly defied the FBI’s request that it help unlock a phone tied to the crime. The request rested on the assertion that Apple had the “exclusive technical means” to do so, a claim later described as “bullshit” by NSA leaker Edward Snowden. This year’s “Vault 7” release from WikiLeaks, meanwhile, has also included information on so-called “zero-day” exploits for Microsoft Windows and other companies’ products that were apparently being hoarded by the Central Intelligence Agency.
One explanation for what’s going on with this latest announcement following the conference in Ottawa is that “the Five Eyes are handing off responsibility to the private sector,” the Globe and Mail paraphrased University of Ottawa national security expert Wesley Wark as saying.
“They’re increasingly moving from a legal instrument to enforce some solution or another to a softer regulatory matter and partnerships with the private sector to see if some kind of understanding can be arrived at about how to deal with that very narrow band of communication that might be of concern to national-security communities,” Wark reportedly said. That could mean that those looking for a clear legal framework for who is responsible — the governments or the tech companies — for hacking whose communications, and in what circumstances they’re allowed to do this, may have to wait a while yet.
“He suspects the Five Eyes will not go as far as requiring companies to hold decryption keys, but rather agree among themselves to develop capabilities to decrypt certain types of information upon request and under legal authority,” the article continues. “But Dr. Wark says one thing is for sure: The companies, many of which work internationally, will not be open to legislative requirements from governments.”