Privacy Advisor

CPO, Activist, Former NSA Counsel Square Off at DPC

December 17, 2013

By Sam Pfeifle
Publications Director

The most fiery discussion at the IAPP Data Protection Congress in Brussels came during its final session, with IAPP VP of Research and Education Omer Tene doing his best to referee a conversation between former U.S. National Security Agency (NSA) General Counsel Stewart Baker, anonymous Internet platform Tor’s Jacob Appelbaum, Vodafone CPO Stephen Deadman and Ralf Bendrath, policy advisor to German MEP and Data Protection Regulation Rapporteur Jan Philip Albrecht titled “Have You Been NSA’d? Government Access and the New EU Regulation.”

The highly anticipated session didn’t fail to deliver. Tene opened the discussion by declaring, “It’s already a great win for the privacy community that we’re having this session,” and it was hard to argue after seeing the likes of Baker and Appelbaum, polar ideological opposites, not only sitting side-by-side but later even posing for a goofy picture together.

However, the session was not without its heated moments.

Baker, now a partner at DC law firm Steptoe & Johnson, was allowed first whack at the question of how to square constitutional rights to privacy in the U.S. with the revelations of wholesale surveillance on the part of the NSA.  

“Everybody does this,” he claimed, “and trying to regulate it is something that only the U.S. and European Court of Human Rights has tried to do.” He noted that the current Data Protection Directive in the EU has specific exceptions for law-enforcement access and that mechanisms like Safe Harbor were never meant to cover government access.

“In Europe,” Baker said, “they’ll have to start at home if they want restrictions on espionage.”

Tene followed this up by pointing to the fact that France, just a few days after criticizing the U.S., passed its own law expanding law-enforcement access to online data and that, in the U.S., protection against search and seizure is a constitutional right.

“Yes,” responded Bendrath, “but only for U.S. persons. In Europe, it’s a fundamental right for everybody.” He noted a major point of contention in Europe is that Europeans have no means of judicial redress in the U.S. if they feel they’ve had their privacy rights violated.

Baker asked for a point of clarification: “Does the European Convention on Human Rights protect Afghani residents from a European surveillance agency?”

Bendrath responded in the affirmative.

This led to another exchange initiated by Appelbaum, who noted the chilling effect on democracy that persistent surveillance can create. “We are on the edge of what we once considered normal democratic life,” he said, “where we didn’t have to concern ourselves with freedom of association online.”

Then he directed comments at Deadman, noting that communications firms are complicit in this surveillance.

Stewart Baker (left) and Jacob Appelbaum pose for a playful photo after a very serious discussion on government surveillance at the IAPP Data Protection Congress 2013.

“I’ve been talking about human rights and the Internet for years,” Deadman responded. “This isn’t just a quirky side issue. It’s an important issue for the industry.”

Noting that Vodafone doesn’t currently operate in the U.S., he continued that “privacy is essential to our DNA, but, ironically, in every country that we operate, a condition of being there is rolling back that right. The government has the right to do whatever it wants.” He said the crowd would be amazed by the technological capabilities that have to be built in to comply with government requests in various countries.

“And the further you go from Europe, the more murky it gets,” he said. “For companies like mine, trying to navigate respect for customers’ human rights and not going that tiny step beyond the law in that country is a very difficult challenge.”

This led Appelbaum to question why, then, Vodafone complied with Egyptian demands to shut down the Internet during protests there, when that clearly was not supported by Egyptian law.

Deadman was very serious in his reply: “Yes, during the Arab Spring we were forced by Egypt to take down our network … But this wasn’t a decision made by executives in offices in London who could just push a button. This was done by our Egyptian CEO, by Egyptian citizens. We can’t operate in a country and engage in mass civil disobedience. We can’t just say, ‘Disobey the government, no matter the risk to your families.’ There are governments that are autocratic.”

Appelbaum asked why, then, was Vodafone doing business in Egypt. “Are there any red lines?”

“We pulled out of Myanmar and human rights was one of the reasons,” Deadman said. “If human rights is a reason, there’s often other reasons as well … but by not being in a market like Egypt, well, we connect people to the Internet. We’re a reason they can use Twitter. If we’re not there, someone else is there.”

There were a number of other interesting exchanges, including Baker saying Bendrath was “wrong in interesting ways” and Appelbaum gaining applause from the crowd for inciting the public to “leak more documents.” We were able to grab a rough recording of the entire session through my iPhone, should you want to spend an hour with it in the headphones:

Deadman got in some of the final words (right around 1:05 of the recording), speaking clearly as one for whom the topic was hardly theoretical. “We haven’t really hit the nail on the head with the balance of intelligence vs. privacy,” he said. “What disturbs me is that we weigh security in societal terms and then weigh privacy in individualistic and ephemeral terms. Privacy is a societal value. We have to look at it in those terms. The ability to speak freely, to organize ourselves, the ability to innovate and go against the grain. All of those are things society benefits from. There is a balance. As long as the sides of the scales are appropriately weighed, it’s okay. I don’t think anybody knows just how to do that yet.”

Read More By Sam Pfeifle:
Keynote: Forget Notice and Choice, Let’s Regulate Use
EU, U.S. Officials Indicate Potential Privacy Agreement at Data Protection Congress
Top Six Inadequacies Found During Privacy Audits
Big Data Jobs Board Sees Privacy Jobs Growing Fastest