Snowden revelations impact Analysis

From La Quadrature du Net

Analysis

Global security relationships are complex, embedded and often inscrutable. They have evolved over many decades, bolstered by secretive arrangements and an operational framework that is – at best – deeply opaque.

However, since June 2013, much has been learned about the workings of the security ecosystem. A critically important sliver of that arena has been opened up, in particular the data collection and analysis operations conducted by the US National Security Agency and its close allies.

For those who are not specialists in this field, one of the best evidence-based primers on the subject was recently published [3] by the Electronic Frontier Foundation (EFF), outlining 65 key facts about the National Security Agency (NSA) that until 2013 were not known. This document is an effective starting point for anyone interested in the subject.

The EFF summary does, however, focus primarily on US-based security activities. While these are crucial to global privacy (or at least, the intrusion into privacy), there is much still to be discovered, both about the enabling international arrangements and the activities of individual non-US national security services.

It is equally true that the operational relationship between security services, law enforcement agencies and global police organisations such as INTERPOL remains largely unknown and – in terms of data policy – continues to be largely unaccountable. While important new information has been made public about how security agencies collect and exchange data within their own security community, relatively little is known about the use of that information or the extent to which it is passed to law enforcement agencies. That is, while the public now has a better understanding of how personal information is collected by agencies (particularly the NSA), relatively little is known about how that data is used beyond the point of collection. The accountability gap in the security realm is thus even greater than many inquiries and analysts have suggested.

Despite these shortcomings, the evidence presented in this report indicates that the Snowden disclosures have resulted in an overall change in public perception and a spike in political sensitivity around such issues as accountability of security services. While this has not so far translated universally into concrete reforms, the shift is an indication that an additional foundation stone may have been laid in some countries that will enable tangible reform.

CHART: How would rate the impact of Snowden disclosures…

Reform, however, cannot be measured merely through the actions of government. Industry has to some extent responded in a proactive manner to institute a range of measures to improve privacy and security. At the time of publication of this report Vodafone, one of the world’s biggest mobile providers, is on the point of disclosing basic details of the “backdoor” access that security agencies have to its networks, allowing security bodies to listen in to any phone channel they choose.

In its report on the disclosure, the Guardian [4] commented: The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people.

Such detailed transparency was unheard-of before the Snowden era. Clearly, there has been a significant shift in view amongst some corporations in response to what is perceived as an abuse of surveillance facilities by security and law enforcement. Australian authorities, for example, made an extraordinary 685,757 requests for communications metadata in 2013, almost three times the number of requests per head of population made by the UK, and more than a hundred-fold greater than Germany.[5]

As the industry report below observes, the move to transparency in the relations between corporations and government has been significant, but was not triggered exclusively by the Snowden disclosures. Indeed the transparency trend has been in progress since at least 2009. Of greater importance perhaps is the trend to the endemic strengthening of communications security. This development – pursued by a number of companies – goes beyond mere transparency and moves toward creating at least the beginning of a more privacy-secure communications ecosystem. Whether this results in an escalation of the technology arms race is yet to be seen.

Critics are right to point out that the mere disclosure of information about the extent of systemic intrusion by security agencies is not, in itself, a sufficient response. Nonetheless, corporations have started to move, by degrees, to changing the dialogue around surveillance, particularly with regard to legal and ethical principles. This shift to some extent reflects the commercial market for privacy that has been evolving for some years.

This trend was eloquently expressed by Microsoft’s General Counsel Brad Smith on the first anniversary of the Snowden debut. Arguing that the US needs to respect international sovereign protections [6], Smith said: These concerns have real implications for cloud adoption. After all, people won’t use technology they don’t trust. We need to strike a better balance between privacy and national security to restore trust and uphold our fundamental liberties.

Civil society has also responded with measures that will help build stronger constituencies and coalitions, including such initiatives as the Thirteen Principles [7] and the Don’t Spy on Us coalition.[8]

The bigger picture

While this report is centred on reviewing measurable reforms, the authors understand that the one-year period being assessed is in many respects too short a time frame to gauge the true impact of the Snowden influence.

Nevertheless, the period may be considered in terms of trends, i.e. whether the pace of reform has accelerated, slowed or reached a plateau.

In some respects - and despite the encouraging trends described above - the outcome for reform is not entirely positive. More than half the countries surveyed for this project reported that there has been little media or political activity as a result of the disclosures. Of the remainder, around a half identified tangible reforms that had been pursued, and most of those correspondents expressed concern that reform activity had slowed in recent months. Overall, around one sixteenth of countries are on target for even the most marginal reform of their security services.

CHART: Can you recall any specific that has been taken by your government…

This situation should not diminish the significance of the broader trend of public awareness and political activity. There have been several substantial outcomes, including action by the UN, the European Parliament and the White House. A noticeable geo-political shift has occurred, though this dynamic largely excludes Africa and Asia.

At this early stage it is difficult to determine the extent to which the disclosures have influenced other social and political developments. In Turkey, for example, the Snowden revelations came during the peak of the Gezi uprising. Since it became obvious that there is almost no privacy in social media (which was heavily and effectively used in the events), the "occupiers" were concerned about how the collaboration between large ICT companies and the NSA might extend to the Turkish government. This resulted in an awareness of Internet privacy issues, and some web sites that provide advice on privacy issues emerged.[9]

Many of the country assessments in this report highlight the significance of the shift in thinking over privacy and security issues, emphasising the real potential for future reform. Spain, for example, observed: There are signs that a debate has been sparked, at least in specific milieus and in relation to cybersecurity, social media and privacy concerns. And while the media and political passivity is an immediate challenge, general privacy concerns have managed to become the standard in technology reporting and policy. In this evolving context, every new revelation on the use and abuse of surveillance powers is contributing to strengthening the need for a true public debate on the possibilities and risks of the surveillance society.

Colombia also emphasised the broader influence of this change of perspective: If Snowden's revelations have had some influence in Colombia it was to highlight the fact that intelligence decisions cannot be based solely on State security rationale. To some extent, these revelations have served to demonstrate that there are limits to state surveillance activities. It has also shown that there is a need to guarantee citizens' rights, as well as to establish civil society oversight mechanisms. Yet, it will take some time to translate this recognition to the domestic reality.

Canada, meanwhile, reinforced the interactive elements of the reform process: In conclusion, the media and Parliament’s attention to signals intelligence has increased significantly, and these efforts have dovetailed with ongoing concerns over the scope and nature of privacy-invasive activities by domestic state agencies.

The disappointing media coverage in many parts of the world could be a result of either under-management or over-management of the Snowden disclosures. Despite a perception that the Snowden disclosures have become a global news story, reports from the majority of non-US nations indicate that media coverage in many countries has been minimal or non-existent. Concern was expressed that the story was “owned” as a proprietary package by the Anglo-American press and was of little direct relevance to most parts of the world. This perception only shifted at the local level when such countries as Pakistan and Mexico were specifically cited in leaked documents.

Possible shortcomings in the Guardian’s handling of the Snowden episode could be explained by a business motivation to create roots in a more lucrative global market, particularly the US.[10] Nonetheless – as the experience of such countries as Brazil has demonstrated in this report – the newspaper’s handling of the story has in some respects been highly effective, even if over-protective of the data.

Future action

One challenge for the years ahead will be to extend this issue beyond the Trans-Atlantic domain and into a truly global context. This requires more than mere media attention and goes to the question of innovative, integrated strategy that binds all elements of the reform community. There are several key initiatives globally that will strengthen and streamline citizen-led initiatives to pressure governments and corporations to create better defences for privacy over the next few years.

The data in this report may help indicate some other important pathways to future action for reform. One of the most significant of these relates to interactivity between different strands of the reform community. Civil society and the tech community have not adequately adapted to the challenges raised by the Snowden revelations. For example, the interface and the communications between policy reform (e.g. efforts to create greater accountability measures, privacy regulations) and technical privacy solutions (e.g. designing stronger embedded security) are worryingly inconsistent and patchy. Few channels of communication and information exchange exist between these disparate communities. There was also a sense that reform strategy needed to become more effective – even aggressive – if further progress was to be made in the foreseeable future.

One response to these outcomes has been an informal agreement among several NGOs to participate in a collaborative process over the summer called “Code Red”. This initiative will aim to build working interfaces that do not currently exist, and seek accelerated resources and funding for cutting-edge technical responses, legal challenges, direct action and innovative policy reform.

A further announcement about this initiative will be made in early September.

NOTES [the footnotes have been grouped as endnotes at the end of the section]
3 - https://www.eff.org/deeplinks/2014/06/65-65-things-we-know-about-nsa-surveillance-we-didnt-know-year-ago
4 - http://www.theguardian.com/business/2014/jun/06/vodafone-reveals-secret-wires-allowing-state-surveillance
5 - http://www.theguardian.com/business/2014/jun/06/vodafone-reveals-secret-wires-allowing-state-surveillance
6 - http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/06/04/unfinished-business-on-government-surveillance-reform.aspx
7 - https://en.necessaryandproportionate.org/text
8 - https://www.dontspyonus.org.uk/org
9 - One successful example is Capul.tv. http://capul.tv
10 - http://thenextweb.com/media/2013/07/30/the-guardian-newspaper-moves-its-uk-us-and-australian-websites-to-a-new-com-domain-today/