Spying Abuses Are Still a Concern, 10 Years After Edward Snowden

Ten years after Edward Snowden revealed that intelligence agencies abuse their authority to spy on people in the United States and around the world, the whistleblower continues to cast a long shadow. Here at home, Congress is thinking of extending surveillance powers amidst debates informed by concerns about privacy. Overseas, Irish regulators just slapped Facebook parent Meta with a massive fine under a European Union law meant to address governments siphoning data acquired by private companies. Snoops and their targets alike, we're all living in a world shaped by Snowden.

Just as the 9/11 attacks supercharged the security state with new power to intercept communications, Edward Snowden fueled concerns that the snoops' authority extended much too far. The result has been an ongoing tussle between those who say they want the intelligence community to protect us, and people concerned that we need protection from the intelligence community.

"Social media giant Meta was the latest to face a big penalty Monday when Ireland's privacy watchdog fined it a record €1.2 billion euros for privacy violations under the European Union's General Data Protection Regulation (GDPR)," Politico reported this week. "The Irish decision relates to 2013 revelations from Edward Snowden, the U.S. National Security Agency contractor, that American spooks were unlawfully accessing people's personal information via the country's tech giants."

Europe's Heavy-Handed Privacy Law

By "relates to 2013 revelations from Edward Snowden," Politico's Clothilde Goujard and Mark Scott mean the European Parliament ushered through the GDPR amid reports that alphabet agencies in English-speaking countries hoover up information collected by private companies. In 2019, Hallie Coyne wrote a paper for The Cyber Defense Review exploring "the significant impact that Snowden's leaks had on the development of the European Union's General Data Protection Regulation (GDPR)—a piece of legislation that has fundamentally changed the nature of data privacy in the EU, and the world over."

That's not to say the GDPR is good legislation. The E.U. has a wide reputation for turning every concern, no matter how justified, into an excuse for heavy-handed bureaucracy. In the current case, Ireland's Data Protection Commission itself preferred to simply order Meta to stop transferring private user data to the United States and objected that a heavy fine "would exceed the extent of powers that could be described as being 'appropriate, proportionate and necessary.'" But the Irish body was overruled by the European Data Protection Board.

The GDPR also hampers innovation with high compliance costs and penalties threatened for new technologies and services that run afoul of the bureaucracy. Undoubtedly, the regulatory gauntlet stifles entrepreneurs and favors the sort of companies, like Meta, that can afford billion-euro fines.

But if the E.U. was destined to be a rule-bound bureaucracy that favors large firms over small competitors, the specific form of its red tape was partially shaped by Snowden's legacy.

America's Ongoing Surveillance Debate

The snooping discussion in the United States is rather healthier, if no less frustrating.

"The revelation that the Federal Bureau of Investigation used a foreign-spying tool to search for information about defendants in the Jan. 6 attack on the U.S. Capitol and the 2020 George Floyd protests has set back the Biden administration's effort to win reauthorization of a law it says is a critical tool for national security, lawmakers in both parties said," The Wall Street Journal's Dustin Volz and Byron Tau reported this week. "The law, known as Section 702 of the Foreign Intelligence Surveillance Act, lets the National Security Agency intercept the communications of foreign terrorist or espionage suspects that pass through U.S. telecom and internet companies. But the tool also vacuums up data about American citizens living in the U.S., for instance when they communicate with people overseas."

Section 702 was called out by Edward Snowden for its abuse by snoops to spy on Americans. Several years later, amidst calls for reform, we learned that the National Security Agency "collected more than 150 million records about the phone calls of Americans in 2016" as Reason's Scott Shackford reported. While shocking, that represented a reduction in domestic snooping as alphabet agencies responded to pressure from the public and from some legislators.

It's difficult to know precisely the extent to which the surveillance state still stretches its power to spy on foreign targets to monitor Americans, since the Supreme Court shields much snooping behind arguments that revealing abuses would threaten national security. That's yet another invocation of the "state secrets privilege" that has long concealed misconduct and incompetence. But, as the Journal noted, we do hear enough, on occasion, to remind us of the danger.

"A newly released Foreign Intelligence Surveillance Court (FISC) opinion from April 2022 revealed that the Federal Bureau of Investigation (FBI) has continued to abuse its access to information collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA), including by searching for racial justice protestors, activist groups, and political campaign donors," the Electronic Privacy Information Center specified last week about the recent reports. "The FISC detailed the FBI's 'pattern of conducting broad, suspicionless queries' of information collected under Section 702, a sweeping warrantless foreign intelligence surveillance authority."

In 2023, the surveillance community is engaged in the same misuse of the same powers that Edward Snowden pointed out in 2013. And that's why we're having familiar debates between fans of the security state and those concerned about civil liberties.

A Legacy of Warnings and Limited Results

"Despite the public outcry, investigations by Congress, pronouncements by President Obama, and federal court rulings. I don't think much has changed," security expert Bruce Schneier wrote in a Snowden retrospective for the Internet Engineering Task Force. "The NSA canceled a program here and a program there, and it is now more public about defense. But I don't think it is any less aggressive about either bulk or targeted surveillance. Certainly its government authorities haven't been restricted in any way. And surveillance capitalism is still the business model of the Internet."

The Electronic Frontier Foundation's Matthew Guariglia, Cindy Cohn, and Andrew Crocker have a slightly more upbeat perspective. They celebrate the end of some abuses, while seeing room for improvement.

"Some things are undoubtedly better–under the intense scrutiny of public attention, some of the National Security Agency's most egregiously illegal programs and authorities have shuttered or been forced to end," they write. "But it's not enough—not even close.  There's still much work to be done to rein in our overzealous national security state, break political gridlock, and end the extreme secrecy that insulates some of the government's most invasive tactics."

Ten years ago, Edward Snowden informed the world that the U.S. government and its allies were engaged in mass surveillance against whole populations. While the snoops themselves are now under scrutiny, we have yet to finish the hard work of addressing those privacy violations.