bluedesign - Fotolia

Prism and the law: The state of play in August 2016

Computer Weekly assesses the history, legal aspects and latest developments in the story of the mass surveillance programme launched by the US National Security Agency

Based on an analysis for Computer Weekly, between 2007 and 2013, about 38 million people in the UK, including 2.9 million children aged between three and 17, had their emails intercepted and their data stolen by nine commercial companies acting for the US National Security Agency (NSA).

According to the then interception commissioner, Sir Anthony May, in a report to the prime minister in April 2014, interception is criminal and data theft is unlawful.

So far, the government has taken no action to have the police halt or prosecute email interceptions. The information commissioner, on a salary of about £140,000 a year and with a departmental budget of £21m, refused a High Court invitation to investigate the data theft in 2015.

Before looking further into these extraordinary facts, Computer Weekly looks at the law and Prism, the computer program used to make the interceptions and to steal the data.

This report is by Kevin Cahill, a veteran UK IT journalist and fellow of the British Computer Society. He is the only individual to have taken some of the Prism companies to civil court in the UK and has subsequently taken the issue to the Investigative Powers Tribunal, part of the UK High Court.

This court referred his complaint about the interception and theft of children’s data in the UK to the police and the information commissioner with an invitation to investigate. They have both so far refused to do so.

The other individual who took the regulators to court over Prism is Austrian lawyer Max Schrems. The judicial condemnation of Prism by the European Court of Justice and the striking down of Safe Harbour were a result of Schrems’ case against the Irish data regulator.       

Facts about Prism

The following facts about the Prism programme are taken from the evidence file at the Irish High Court in the case of Schrems v Ireland. This is sworn legal evidence, tried in a court of law.

Prism was a worldwide “mass and indiscriminate surveillance programme” launched by the NSA of the US government in September 2007.

The programme was executed on behalf of the NSA, based at Fort Meade, Maryland, US, by at least nine commercial companies headquartered in the US. The companies named in the evidence are Microsoft, Apple, Google, Facebook, YouTube, Yahoo, Skype, PalTalk and Hotmail. The orders given to the companies by the National Security Agency were to obtain  their clients’ “email, chat, video and voice, videos, photos, stored data,VoIP, file transfers, video conferencing, notification of target activity, logins, online social networking details, special requests”.

The NSA used a US law called the Foreign Intelligence Surveillance Act to give its orders over nine companies participating in Prism. This law has no legal effect or standing outside the territory of the US. Actions ordered by the US using the act cannot be legally carried out in any other country, and are both criminal and unlawful in most countries, especially the UK. (Ironically, they would also be unlawful if carried out in the US.)

This law purports to apply only to foreigners, except to do so is unlawful in almost all foreign countries under their own domestic law. The legal position in the UK was given to UK prime minister David Cameron on 8 April 2014 by the interception of communications commissioner, Sir Anthony May, and laid before parliament the same day. Here is what May wrote:

1. 4 “Public concern has centred on potential intrusive invasion of privacy (arising from the Snowden revelations). Such concerns have been expressed publicly in the US, Europe and other countries with greater force perhaps than in the UK. But unjustified and disproportionate invasion of privacy by a public authority in the UK would breach Article 8 of the European Convention of Human Rights just as much here as in other parts of the European Union.” (May’s italics) 

2.4 “Section 1(1) of RIPA (Regulation of Investigatory Powers Act) makes it an offence for a person intentionally and without lawful authority to intercept at any place in the UK, any communication in the course of transmission by means of a public postal service or public telecommunications system….”

Prism was formally confirmed in Washington by the chief lawyer for the NSA, Rajesh De, at a public meeting of the Privacy and Civil Liberties Board of the US government on 19 March 2014. The minutes of the meeting were recorded and published in the Federal Register in April 2014. De told the meeting that the companies, some of whom had denied knowledge of Prism, had their orders from the FISA Court and knew what they had to do.

FISA Court is not a court of law

The FISA Court is a court set up under the Foreign Intelligence Service Act. Irish High Court judge Gerard Hogan, who heard the Schrems case, had the following to say about the FISA Court:

Par 14. It is, however, appropriate to note that many of the activities of the NSA are subject to the supervision of the Foreign Intelligence Surveillance Court as provided by the US federal statute, the Foreign Intelligence Surveillance Act 1978 (the FISA Court). The FISA Court is a specialist court consisting of federal judges enjoying standard constitutional guarantees in relation to tenure and independence. This court entertains applications by the NSA for warrants in relation to foreign surveillance and interception of communications.

Par 15. It would seem, however, that the FISA Court’s hearings are entirely conducted in secret, so that even the court orders and its jurisprudence remain a closed book. The US security authorities are, in effect, the only parties who are, or who can be, heard in respect of such applications before the FISA Court. Yet the essentially secret and ex parte nature of the FISA Court’s activities make an independent assessment of its orders and jurisprudence all but impossible. This is another factor which must – to some degree, at least – cast a shadow over the extent to which non-US data subjects enjoy effective data protection rights in that jurisdiction so far as generalised and mass state surveillance of communications is concerned.

(The FISA Court has become more open since Judge Hogan’s critique, but has no jurisdiction outside the US and does not admit foreigners, against whom all its orders are made.)

The judgment of the Irish High Court on the PRISM programme. Hogan G. 18/6/2014

Par 11. According to the Washington Post, the programme is codenamed Prism and it apparently enables the NSA to collect personal data, such as emails, photographs and video, from  major internet providers such as Microsoft, Google and Facebook. This is done on a mass scale in accordance with orders made by the US Federal Intelligence Court sanctioning such activities.

Par 13. While there may be some dispute regarding the scope and extent of some of these programmes, it would nonetheless appear from the extensive exhibits contained in the affidavits filed in these proceedings that the accuracy of much of the Snowden revelations does not appear to be in dispute. The denials from official sources, such as they have been, were feeble and largely formulaic, often couched in carefully crafted, suitably ambiguous language designed to avoid giving diplomatic offence. I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the US is thereafter capable of being accessed by the NSA in the course of mass and indiscriminate surveillance of such data. Indeed, in the wake of the Snowden revelations, the available evidence presently admits of no other realistic conclusions.

This judgment was made public in Dublin on 18 June 2014, and largely unreported outside the Irish media. The judge, Gerard Hogan, referred his judgment to the European Court of Justice, because significant elements of European data protection law were involved.

Contrary to a press release by the US Embassy in Brussels before the European Judge Advocat General’s opinion in September 2015, neither Facebook – in effect the defendant – nor any of the other Prism companies named in the evidence were excluded from presenting their case to the Irish High Court. Neither was the US government, which had been “indicted” by Judge Hogan as ordering the “mass and indiscriminate surveillance” he found had happened. All could have applied to Judge Hogan to plead, but none did.

Dramatic consequences

There were dramatic consequences. The judgment of Hogan cannot be appealed. His condemnation of the US for conducting “mass indiscriminate surveillance” in Europe is permanent, as is the subsequent judgment of the European Court of Justice.

Once the matter had passed from the national High Court to the European Court, no further appeal was possible. The US government knew this, as did the Prism corporations named in the evidence.

In September 2015, the Judge Advocat General at the European Court in his preliminary opinion was even more critical of the US than Hogan had been, but his language was so obtuse and obscure that it was hard to decide what he was saying, save that he agreed with, and endorsed, the Hogan findings of fact.

Within weeks, the Grand Chamber of the European Court, in an unusual move, went further than either Hogan or the Judge Advocat. On 6 October 2015, the European Court of Justice struck down the Safe Harbour arrangement for the legal transfer of data from Europe to the US on the grounds of the Prism surveillance. So incensed was the court by what it had heard that it granted no “grace period” for companies or governments to adjust to the biggest disruption to digital trade ever to occur.

It did so because of Hogan’s findings that the US was engaged in “mass and indiscriminate surveillance”.        

It also ordered the Irish data controller, Helen Dixon, to investigate Schrems’ original complaint from 2013 that had led to Hogan’s original judgment.

Snowden revelations

In June 2013, The Guardian and a raft of international media published the revelations of Edward Snowden, a whistleblower who had worked for the NSA and the CIA. His major disclosure was the Prism mass surveillance programme.

In the wake of these disclosures, Austrian law student Max Schrems, who already had extensive knowledge of the scale of US internet supplier accumulation of personal data on Europeans, especially at Facebook, added the Prism revelations to complaints he had been pursuing since 2011 with the Irish data regulator, a civil servant called Billy Hawkes.

Facebook is headquartered in Ireland and Hawkes was the regulator for Facebook throughout Europe. He dismissed Schrems in the grossest terms, describing him as frivolous or vexatious and threw his complaint out.

Enter Judge Hogan

Schrems took Hawkes’ dismissal of his complaint to the Irish High Court, where it landed before Ireland’s most eminent lawyer, Judge Gerard Hogan.

Hogan made short work of Hawkes. He treated the Snowden revelations as they should have been treated by European governments and regulators from the beginning – as prima facie evidence of wrongdoing. He was able to do this because Dublin solicitor Simon McGarr, acting for Schrems and another complainant, Digital Ireland, compiled all the Snowden revelations into 14 lever-arch files of sworn evidence and submitted them to Hogan.  

This removed Snowden from the realms of media hearsay and made his revelations evidence at law. This was the event that should have alerted both the US government and the nine Prism corporations that they were at huge legal risk. They ignored it and snubbed Hogan’s court. As a result they became subject to Hogan’s judgment – permanently.

The US government was, in practice, “indicted” for criminal activity in the UK and many other European states. The US government was also “indicted” for the unlawful theft of data throughout Europe. So were the US government agents, the nine Prism corporations. And, by implication, the police forces of Europe and their governments were also indicted, alongside the 28 European data regulators, who, at a cost of between €400m and €500m a year, had obstructed individuals seeking to exercise their rights to privacy and to the law.

Irish regulator investigates

In November 2015, following the European Court judgment, the Irish regulator went before Judge Hogan and promised to speedily do the investigation Hogan had first ordered her to do in June 2014.

In June 2016, Helen Dixon announced a result from her new investigations – that standard contractual clauses, a pseudo legal device to enable European data to be transferred to the US, might not be legal. She applied to the Irish High Court to have her decision sent to the European Court of Justice for review.

But not via Judge Hogan. He had been “promoted” out of the High Court to the Appeal Court by the Irish government. Dixon’s case did not make it to the main High Court either, but to the Commercial Court. Most critically, she made no mention of the core of Schrems’ complaint: Prism.

Schrems’ complaint had been about mass surveillance. Hogan had ruled it unlawful, and so had the European Court of Justice. Nonetheless, Dixon made no mention of these judgments in the course of an investigation, almost nothing of which has been made public. In effect, she sidestepped and ignored the judgments of the two courts that had issued her with orders to investigate Schrems’ complaint.  

Dixon, the independent regulator by statute, also made no mention of the extensive contacts between herself and officials of the Irish government or with officials at the US Embassy between October 2015 and June 2016, before she proceeded to court.

Privacy Shield

Her application was more disingenuous than it looked. On 1 August 2016, the new, post-Safe Harbour agreement, called Privacy Shield, came into force, apparently making standard contractual clauses, sometimes called model clauses, for transferring European data to the US legal – at least temporarily. Her application to both the Commercial Court and to the European Court appeared to be totally redundant – a pure play for time, and away from the danger zone of Prism.

And if Dixon was playing for time, she certainly got it. No fewer than 11 hearings are scheduled on the matter at the Commercial Court in Dublin between now and the end of the year, with a full hearing in February 2017.

In court, time is money – a lot of money. Dixon’s strange approach will involve Schrems in all those hearings, with perhaps four or five days in court at the full hearing next year. He has complained about being bankrupted by the process, a strategy that Dixon could not possibly have foreseen when conversing with the Irish government and the Americans in Dublin.

Schrems has already forked out for four days in court recently, just to find out who could make presentations called amicus curiae (friends of the court) at the final hearing. His days in court will not cost him much less than €10,000 a time. In a very strange outcome, at a two-day hearing in July, no fewer than nine parties asked to be made amicus curiae.

The applicants for amicus curiae status, which carries no liability for the costs of other parties, divided into two groups – a group of lobbyists led by counsel for the US government, the “indicted” perpetrator in the Prism mass surveillance, together with lobbyists mainly representing the affected Prism corporations. And a group of applicants representing privacy advocates.

Judge McGovern admitted the US government and the lobbyists but refused all the privacy advocates.

The US government plea, already entered in summary by counsel at the Irish High Court, is that US law applies throughout the world and if it is law in the US, it is law everywhere else. The only party that will argue against this, or at least criticise it, since cross examination of amicus curiae parties is not normally allowed, is Schrems, who is a full litigant in the case. Facebook is also present, as de jure defendant.

But it does not stop in Dublin. Until Brexit happens, Dixon has regulatory responsibility for about 30 million Facebook users in the UK, a constituency she has studiously ignored to date, despite complaints to her. 


So why is the US going to such lengths to defend what has been judged criminal and unlawful conduct in Europe?

The US has advanced three main reasons as to why it needs Prism-style surveillance of foreign populations. It says Prism is necessary to prevent crime, to prevent terrorism and to impede paedophiles.

Given that Prism is itself unlawful in most countries and unlawful throughout Europe, any suggestion that a criminal programme could prevent crime seems unrealistic. Collecting the personal data of 38 million people in the UK and up to 340 million people in Europe seems to have little to do with the kind of targeted intelligence that might identify and stop terrorism.

Finally, intercepting children’s emails and stealing their data, apart from being criminal and unlawful, amounts to digital paedophilia.

Contained in the Snowden evidence is the real reason. The US has engaged in “indiscriminate and mass surveillance” in order to create profiles of people, companies, communities and countries so they can be manipulated via the mass media.

It has done this without a single European government stepping in to stop it, or a single one of Europe’s 28 regulators even making a serious investigation.

The possibility of universal mass surveillance became clear to the NSA in the early part of this century, as the reach of the nine largest US internet providers grew to more than 50% of all internet users on the planet. The internet giants were developing a reach that the spooks in Fort Mead, the NSA’s HQ in Maryland, could only dream of.

So the spooks stepped in and more than nine corporations obliged by delivering their clients’ data. It was, and is, the largest hack in human history – so far.

Read more on Network security strategy