Brussels, 12/11/2013. An interesting LIBE committee hearing at the European Parliament yesterday, on Armistice Day. US Congressman Jim Sensenbrenner told MEPs that any abuses by the NSA had been carried out outside congressional authority, adding that, “I hope that we have learned our lesson and that oversight will be a lot more vigorous.”
In the past few years, he said, the NSA “has ignored, distorted and misconstrued all the protections that we passed into law in the Patriot Act.” The NSA has abused its trust, he said, adding that there has been so much secrecy that, “even if the NSA promised reforms, we would be unable to verify them.”
Mr Sensenbrenner is one of two Congressional sponsors of the US Freedom Act, a draft bill which, if passed, could end the NSA’s present freedom to collect and retain bulk data on individuals and businesses around the world. The bill targets Section 215, which provides the legal underpinning for the bulk collection and blanket retention of data. It currently has over 100 supporters in both Houses, he said, from organisations as far apart as the NRA, the NY Times and the LA Times.
The committee also questioned representatives from the Swedish and Dutch constitutional and oversight committees. Mr A H van Delden, Chairman of the Dutch Independent Review Committee on the Intelligence and Security Services (CTIVD), pointed out that although the Netherlands is awaiting a new report that should recommend strengthening his oversight role, the committee has just six full-time and three part-time researchers to carry out its work.
Asked by MEP Jan Philipp Albrecht (Greens/EFA, DE) if he had seen the Snowden documents, van Delden replied that he had seen the documents, but [at the time of the revelations] didn’t know what was in them.
Commercial communications encrypted? Or not?
The committee’s quizzing of senior representatives from Microsoft, Google and Facebook unearthed some interesting detail (Yahoo and Amazon declined the committee’s invitation, while Apple representatives were interviewed in Washington). All three insisted strenuously that they did not provide US government agencies with automatic access, whether open or by the back door, to their customers’ data.
However, the question of encrypted communications drew differing responses. Niklas Lundblad, Google’s Director of Public Policy and Government Relations, claimed his company had offered its customers encrypted email communications since 2010 [meaning that they make use of the SSL protocol between user devices and the Google server], and encrypted web pages [meaning that they offer the https web address prefix] since 2011.
The three companies were rather more chary on the issue of privacy, or whether they encrypted communications links between servers. For Microsoft, Dorothee Belz, VP Legal and Corporate Affairs Microsoft EMEA, replied that server to server transportation is currently not encrypted, while Google’s Niklas Lundblad responded that the company is currently working on encrypting all such connections, an ongoing process.
Belz also claimed that Open Source encryption is no more secure than proprietary forms, and if anything is less secure than the proprietary alternative. However, she admitted that the company’s software has vulnerabilities, like all software.
Facebook’s Richard Allan, Director EMEA Public Policy, did not answer the question. Asked directly afterwards, however, he said that server to server encryption was something the company would have to look at, given the new environment of public disquiet. Most companies have a mix of encrypted and unencrypted connections between servers, he explained, depending on the assessed level of risk to those links.
At one point the three representatives faced a stinging rebuke from the Committee’s chair, MEP Sophie in’t Veld, when she pointed out that under EU law they are expected to answer probing questions honestly. Microsoft’s Dorothee Belz responded that she should not be blamed for not following the rules: “I don’t think that we are not following the rules today,” she said, emphasising that they are observing the US rules. Google’s Lundblad answered that his company actually has a history of pushing back against [US] government requests for data, although he offered no statistics to support this view.