Ashley Deeks Proposes an International Legal Framework for Surveillance

International law expert Ashley Deeks previously served as the assistant legal adviser for political-military affairs in the U.S. Department of State's Office of the Legal Adviser.

August 7, 2015

University of Virginia School of Law professor Ashley Deeks says now may be the right time for more openness about the secret business of spying. She says more can be done to prevent ill will of the kind that resulted after Edward Snowden leaked information about U.S. electronic surveillance practices.

Deeks is an expert in international law who previously served as the assistant legal adviser for political-military affairs in the U.S. Department of State's Office of the Legal Adviser, where she worked on issues related to the law of armed conflict, the use of force, conventional weapons and the legal framework for the conflict with al-Qaida.

In her article, "An International Law Framework for Surveillance," recently published in the Virginia Journal of International Law, and in a recent Lawfare blog post, Deeks advocates for some basic rules among allies and for more discussion by the U.S. about how it holds itself accountable when it collects data.

Does every nation spy?

It seems safe to say that every nation that has the capacity to spy on other states does so. But states obviously have different interests and disparate resources. Smaller states with reduced capacities likely spy only on states whose actions directly concern them. Larger states with broad capabilities cast their nets more widely. And there are of course different forms of spying: The type of spying that has been in the news lately is electronic surveillance, but states can collect intelligence using other tools as well, including people located on the ground and satellites.

Do the largest nations conduct surveillance with roughly the same level of sophistication as the United States?

News reports make clear that the United States has a wide array of capabilities in terms of foreign electronic surveillance, but the Russians and Chinese have very sophisticated capabilities as well, particularly in the cyber arena. Another thing that became clear from the Snowden leaks was that a number of European states, including the United Kingdom, Sweden, and Germany, engage in robust bulk collection of electronic data that passes through their territories.

How feasible is a set of international ground rules for electronic surveillance?

To date, states have not really used international law to impose constraints on state-on-state spying. This is true for several reasons. Intelligence activities implicate a state's core national security interests, so states are loath to limit their ability to protect themselves by any means that are not obviously unlawful. Second, because it would be hard for states to detect violations of an agreement that reciprocally limited spying, states are less likely to enter into such a commitment in the first place. Third, states closely guard their spying capacities. It is difficult for states seriously to discuss ways to limit spying on other states without revealing certain information about their capabilities, which chills possible discussions. Finally, because spying historically was costly and the most significant threats came from other governments, states rarely focused on non-state actors. As a result, public pressure to regulate intelligence activity was minimal, because spying and covert action rarely affected the average citizen.

In my view, a number of these background facts have changed, making it more feasible for states now to develop some international ground rules. In particular, some states have come under significant pressure from individuals and corporations to constrain foreign surveillance, since so many individuals are personally affected by it. I would envision a group of like-minded states negotiating and adopting a set of procedural norms that would impose certain constraints on the way in which they each conduct overseas surveillance.

I'm not sure it would take the form of a treaty; it might be something more modest, such as a "commitment to principles" or unilateral but parallel statements indicating their view that certain norms reflect internationally acceptable behavior.

I don't think that all states are prepared to develop and adopt these norms, however. I would expect that only a small group of Western democracies would develop these rules, and would agree to apply them only among each other — not to states such as China and Russia. After all, states will be hesitant to unilaterally disarm in this area.

What norms could be developed among countries to better protect the privacy of individuals?

To be clear, many states (particularly Western democracies) already have domestic laws that help protect the privacy of their citizens and others in their territory against undue governmental intrusion. The debate on which I am focused is about the extent to which states should agree to provide certain protections to individuals who are not in their territory, and not their nationals.

Principles that states could adopt include: (1) notice to the public of the applicable rules; (2) limits on the reasons that states may collect or query data; (3) a requirement for periodic reviews of surveillance authorizations; (4) limits on how long the data can be held; (5) a preference for domestic action (i.e., action by the host state's intelligence services) rather than foreign action wherever reasonable; and (6) the existence of a neutral body to authorize surveillance ex ante or review it ex post.

I extracted these norms from common principles contained in domestic surveillance laws of the United States, the United Kingdom, Canada, Australia, and Germany. Though these principles currently only apply to domestic surveillance or transnational surveillance (i.e., when one of the parties to the communication is overseas and one is in the collecting state's territory), I argue that it would be manageable to apply these six norms to purely extraterritorial surveillance too.

Why is the development of norms important?

In early 2014, President Obama gave a speech in which he stated, "For our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world." In making this comment, he was acknowledging that the United States requires the cooperation of many other states to help protect its national security. The United States works with other states to conduct counter-terrorism and counter-proliferation operations and cooperates with allies to garner better intelligence about state adversaries. If foreign governments face intense domestic pressure to stop cooperating with the United States because U.S. surveillance is viewed as unlawful, that makes the job of those tasked with protecting our national security much harder. Bringing allies' interpretations of shared international obligations into harmony — as international norm development would do — would promote sustainable intelligence cooperation and broader information-sharing.

In addition, U.S. companies such as Google and Yahoo are pressuring the U.S. government to modify its surveillance practices abroad. These companies fear the perception that they enabled NSA spying, and are suffering a significant loss of business overseas from customers who suspect that they will be easier targets for U.S. surveillance if they use U.S. products. Reports suggest that information in Snowden's leaks could cost the U.S. cloud computing industry between $22 and $180 billion by 2016.

Adopting some common norms on this issue would help alleviate pressure from foreign allies, U.S. corporations, and other actors who are concerned about this issue.

You say in a recent Lawfare post that now is a good time for the United States to engage in some level of transparent international discussion about surveillance. What form would that take?

In that post, I was focused on the idea of "surveillance diplomacy." The U.S. government has been in discussions with foreign governments about the rules pursuant to which the United States conducts electronic surveillance. But it has not engaged in much public diplomacy abroad (such as speech-giving at universities, think tanks, and other public forums) about the who, what and why of foreign surveillance. The dust has now settled a bit, after the wave of Snowden leaks. And the United States has a comparatively good story to tell about how U.S. law regulates spying. "Surveillance diplomacy" could expose the disconnect between the perceived lawlessness of U.S. surveillance and the reality of the extensive rules and oversight mechanisms that apply. It also could expose the deficits of other nations' systems in this regard. To the extent that foreign intelligence services face fewer statutory restrictions and less oversight, that might prompt some uncomfortable conversations between foreign intelligence agencies, their overseers and their publics. That is not a bad thing for the United States.

In terms of oversight mechanisms, what does the U.S. do right?

The United States has an extensive statutory framework that regulates how it can conduct electronic surveillance in the United States or against American citizens abroad for foreign intelligence purposes. The law requires the involvement of a court (comprised of Article III judges) before the United States can conduct domestic or transnational foreign intelligence surveillance, which generally is not true for other countries. And the United States intelligence community is overseen by a wide range of actors, including congressional committees and several inspectors general. Finally, the United States has tended to be more transparent — within limits, obviously — about its activities than most other states have.

Until recently, no court, treaty body, or government had suggested that international law address foreign intelligence collection specifically. Why is that?

For many years, most people didn't tend to think that international rules such as those related to diplomatic relations, sovereignty, and human rights regulated spying. The conventional wisdom was that peacetime spying was just different, and that ordinary international legal rules that apply to diplomatic, economic, and military conduct simply didn't reach intelligence activities. Since much of a state's spying was directed at foreign officials, and since the technology was such that it didn't tend to sweep in lots of private communications, questions about whether such spying violated the human rights (such as the right to privacy) of foreign citizens simply didn't arise.

Does the U.S. gain any advantages by being viewed as the world's most successful eavesdropper?

The best situation for a state to be in is to be the world's most successful eavesdropper but not to have anyone know it. Knowing that a particular state is very skilled at surveillance makes that state's adversaries even more cautious, which makes the job of that state's spies even harder. On the other hand, according to news reports, the United States would like to get to a point in the cyber context where states are deterred from engaging in cyber espionage and other offensive cyber operations against it because those other states know the United States can and will respond. So in that context, being very good at detecting and defending against attacks may allow some level of deterrence.

