Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:14
CT. Tea.
Speaker 2
0:17 – 1:02
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy, while also explaining what these policies mean to our daily lives. I'm Brian Wesolowski, and it's time to talk tech. This week, we have a guest host, CDT's very own Greg Nojeim. Greg sits down with Dr. Thorsten Wetzling from the German think tank SNV. Greg and Thorsten have a fascinating conversation about government surveillance practices in the US and in countries across Europe. Are any countries leaders in protecting the civil liberties of citizens when it comes to intelligence practices and data collection? And does strong oversight always lead to better privacy protections? Take it away, Greg.
Speaker 0
1:06 – 1:39
Hi. Welcome to Tech Talk. My name is Greg Nojeim, and I'm the director of CDT's project on freedom, security, and technology. And I'm happy to say that we're joined today by Thorsten Wetzling of SNV, a Berlin-based think tank that focuses on the intersection of technological change and public policy. Thorsten, welcome. It's a pleasure to be here. Thank you, Greg, for having me. I'm so glad you could come. Tell us a little bit about SNV. What do you do there? And tell us about the foundation. Sure.
Speaker 1
1:40 – 2:35
You put it nicely, actually, the way you put it. It's the intersection, the nexus between public policy and technological change. You know, in Germany, like in Washington, we have a number of think tanks that look into advising parliament and the executive on a different range of topics. But up until recently, there wasn't a dedicated think tank that looked into digital policy making. And so we have, we are very small. We have not more than 15 people who really focus on content work. And among those people, I'm one of them, looking into surveillance governance. There's another one who looks into artificial intelligence and its impact on foreign policy. There's someone that looks at the Internet of Things and cybersecurity. So you get a flavor of the topics that we're looking into. Do you focus mostly on Germany,
Speaker 0
2:35 – 2:36
on Europe,
Speaker 1
2:36 – 3:26
or are you looking worldwide? It has been mostly a German focus. That is because most of our work is really directly tied to, for instance, a new law that comes out of the parliament, or our funding requires that we have a specific Germany focus. But as of late, there have been new developments. So it has become a bit more frequent for us to take a European perspective. At least in my work, I do that quite often. And I also know about it very, from the start. We had one project that had a transatlantic focus. So that's the Transatlantic Cyber Forum. And there we look at different cybersecurity policies, not just from a European, but also from an American and German perspective.
Speaker 0
3:27 – 3:37
Thorsten, we're speaking at the CDT office in Washington DC on a really hot day. What brings you to this, hot part of to this hot town, Washington?
Speaker 1
3:39 – 4:33
Greg, that's right. It's quite hot here in Washington today, but I'm glad to be here because I'm bringing with me a draft compendium of best practice on intelligence legislation and oversight. And this is part of a project that we're doing that we're about to get into in further detail. But I'm, of course, conducting interviews here in Washington with a range of different NGOs, but also people at the House, and also trying to reach out to business representatives who have a stake in the way in which governments respond to the revelations of Edward Snowden and the reform of surveillance that took place in different countries, and I'm trying to get a better understanding of what good practice I can put in the compendium from the US side. So you're doing a study about intelligence oversight mechanisms.
Speaker 0
4:33 – 5:22
Is that right? And so in the US, I know we have mechanisms like the intelligence committees themselves Mhmm. The House and Senate intelligence committees. We have the Privacy and Civil Liberties Oversight Board, and we have the Foreign Intelligence Surveillance Court, the FISA Court. Mhmm. You know, guys in my position, people in my position will often say that they're not doing an adequate job of oversight and that we could always learn about new mechanisms and about new methodologies for oversight. Mhmm. Is the goal of your paper to kind of compare different mechanisms and figure out which ones are working and should be emulated?
Speaker 1
5:22 – 8:02
Mhmm. If you allow me to say that, I will tie this response to a project we're doing. It's called the European Intelligence Oversight Network. Because there, it's really about capacity building, learning from different countries. You know, there cannot be a blueprint for best oversight because of cultural differences, of different laws. You know, you cannot compare necessarily one on one the situation in the US with other European countries. But every country is conducting a range of intelligence functions that are putting their, that bring about challenges for the oversight bodies. And when they're confronted with those challenges, it might actually be interesting to discuss how to meet this challenge and what other countries have been, labor let experimenting with. And I think this is the focus of my study. So we will focus on one particular aspect of intelligence collection. It would be the foreign intelligence collection, non-targeted, communications data. And this is a practice that every country, no matter how small or big, and those that we have selected from in Europe and also in North America are performing. And there are different oversight bodies in most countries that have been recent changes to intelligence legislation. And now my focus is to see what good practice can I identify in the legal provisions of some countries when it comes to the mandate for performing these intelligence functions, and then on the design of the oversight institutions and their particular oversight instruments? And there too, it was actually quite revealing to see the broad different approaches that some countries have taken. And I think, you know, it's easy to go and say intelligence is something that we should not conduct as a gentleman's agreement. We don't read each other's mail. But then again, there are severe security challenges.
And our approach at least is not to say we don't want intelligence services abandoned or anything like it, but we can say we can work with different civil society actors and oversight bodies and in dialogue with people open enough to get into contact with us from the intelligence services and say, look, there is a way to improve your practice. And one key would be by studying what other countries have been doing and bring that to the attention of those who have to make decision makers. It's interesting. That's very interesting.
Speaker 0
8:04 – 8:19
Let me back up a little bit. You'd said that the report focuses on bulk collection, non targeted collection. Did I also hear you say that the Americans aren't the only ones who are doing that? Mhmm. What other countries engage in bulk collection? So,
Speaker 1
8:20 – 10:23
there we have, of course, a question of definitions. In Germany, for instance, there is a different collection of communications data. There is the targeted collection, individual measures about a person or a group that you have identified as being a threat. So that's one. Then you can have they would still fall under the targeted definition, having identified different threats, and you would collect communications data whether they would come in to Germany or out of Germany. And so for this, they call international, but that still has one leg in our country. Mhmm. There are two they can collect this data only with selectors and or they have to go sift through the collected communications by means of selectors, and these selectors have to be authorized. And then you have foreign intelligence collection, like the and this is the bulk of what the German intelligence service does is the communications data collection that has neither its origin nor its destination in Germany but that may be transiting through Germany. And for that, there are two there have been no changes, and there's a new oversight body that has been created for and they give some higher data protection to European Union citizens for that non-targeted. But the German would say depending on whom in government, people would tell you, well, that still is targeted. And, of course, we get into a lot of discussions. Is there such a thing as a non-targeted bulk collection? And I'd say, yes. There is. And for that, you also need standards, and some countries have put that into a different perspective than in the US. So in Germany Yeah. For bulk collection,
Speaker 0
10:24 – 10:36
there's a highest level standard protection for Germans Mhmm. Then an intermediate level of protection for EU citizens, and then a lower level of protection for
Speaker 1
10:36 – 11:03
Americans and other people who are not EU citizens and not Germans. Yeah. Well, that is a there's they even make us a fourth category that is European Union member states and European or member states of the European Union and official bodies of the European Union. It's like the European Parliament. And for this, there's even a higher category than for European Union citizens. So if you want, there are, like, four categories. We've had a big debate
Speaker 0
11:03 – 11:51
among civil society about discriminating between one's nationals and the nationals of other countries when it comes to intelligence surveillance. The United States does have that discrimination built into its system, particularly when the surveillance is directed outside the United States. For surveillance inside the United States, it's relatively equal between citizens and noncitizens, between citizens, residents, and noncitizen nonresidents. What do you think about the idea of preferring one's nationals, providing extra protection to one's nationals as compared to other people?
Speaker 1
11:52 – 14:42
Mhmm. So we can make this very practical. Some European countries like the Netherlands, they don't do this. They don't distinguish between international and domestic communications in their collection of communications data. Germany does this similar to the US. And the first thing that comes to my mind is that we are a foreigner pretty much everywhere else than in our country. So if we travel, we are foreigner, and it is somewhat worrisome that you know that your protections go away when you travel to a foreign land. And I think that the safeguards that are in place are not nearly sufficient. And there's a lot to be said and questioned about the technological ability to make such a clear distinction between national and nonnational communications data. So if you were saying that, of course, you have excellent filter mechanisms in place that can put the you know, and as we say, in Germany, we have four different buckets that you would have to put the collected data in. So the rest of the world, the EU citizens, the EU member states, and then your German or residents in Germany. And it's quite a technological challenge for the intelligence community to really satisfy those different data protection regimes in their collection and in their filtering. And even if we apply a very conservative assessment and say those filters would work with an accuracy level of, let's say, 99%, that still leaves in the millions of communications data that would be collected falsely identified and that would be not in standards with what their own laws would say. So then Katterjee, an EU union data might fall under the rest of the world, or a German citizen might find its communications data in the same bucket as it would be for the rest of the world. And that is a challenge. And it's a challenge for the oversight bodies because they have more reporting mechanisms.
And my focus would be make it as targeted as possible so as not to overburden the oversight bodies and others in the upholding these different categories of data protection. So I find this to be not the best practice.
Speaker 0
14:44 – 15:02
Mhmm. So you're kind of in the middle of this study now. You've looked at different countries' oversight mechanisms. What are you finding? What stands out to you? Yeah. Did any particular country do something interesting that you'd wanna hold up,
Speaker 1
15:03 – 16:52
as something that others should emulate? Yeah. I think, now that I'm in the US, I thought it might be interesting for you to discuss a few things that I see as good practice coming out of Europe and that might be of interest to an American audience to see where I stand on some of those things. And I think, for instance, I can point to something in the Netherlands. Bear in mind that we focus the study on one particular intelligence function, the collection of communications data. There might be other great innovations coming out for other review of, you know, intelligence functions such as computer network exploitations or, you know, more human issues that come up for but for the communications data collection, for instance, I see that the Netherlands have now an adequacy review process for their foreign intelligence partners. That would mean that in future, the Dutch foreign intelligence services need to draft a weighting note with five different criteria that it would assess the quality of their foreign intelligence cooperation partner. And this is subject to the review of the oversight body, and this, I think, would be quite a good mechanism for, actually, for the executive as well to really say, why are we cooperating with them? What's the risk of conducting business with such intelligence partner from country x? So for example,
Speaker 0
16:53 – 17:12
the Dutch would be deciding whether to share information with the NSA based on four or five I can tell you. Weighting criteria Mhmm. That would determine whether the NSA meets what is essentially an adequacy standard. Is that a fair assessment? Yes.
Speaker 1
17:13 – 17:49
They would say the democratic embedding of the intelligence security services, the respect for human rights in the country concerned, the professionality and the reliability of the service concerned, the legal powers and possibilities of the service, and the level of data protection maintained by the service concerned. These are the five criteria which are new in the Dutch intelligence legislation that I found quite interesting because there is an oversight component to it because this will be reported to the oversight body, and the oversight report body is then in a better position
Speaker 0
17:49 – 18:12
to assess and review the oversight cooperation. So, do will we know whether the NSA meets the adequacy test that the Netherlands has imposed or what other countries have met it or will meet it, or is that all gonna be in a black box?
Speaker 1
18:13 – 20:15
That's, I'm not so sure. You know, for me, it's already a good enough practice that I know that there's a country out there that puts certain criteria and demands from the executive to draft notes on the, and assess their cooperation partners on those five abilities. But there are more, and you stop me when you want to dive in deeper in one point. But let me just go through five issues, and then maybe you can say that's a point we wanna discuss in further detail. So for instance, I already mentioned that the Dutch don't discriminate between the citizenship when it comes to the collection of communications data. The Germans, to their credit, although there's problems with the technological ability to filter the data, they also give greater protection to nonnational nationals in their foreign communications data. So that's one thing. Then there is a growing list of things that may not be advanced by means of bulk data collection. For instance, in Germany, there is a provision that you cannot use this to gain economic advantages. That is something you might have in the Presidential Policy Directive 28. But then again, in Germany, it's a law. And in the US, it's an executive decree. And, you know, with different presidents, you may want to harden an executive decree into actual law. Canada is an interesting one as well because they have in their law that there's a specific requirement to make an intelligence case in a bulk SIGINT application. So it requires the service to independently demonstrate conditions under which unselected collection would be necessary.
Speaker 0
20:16 – 21:10
That is to demonstrate why normal collection methods are insufficient. Let's dig in on that one. So the Canadians have a rule that says you've gotta go targeted unless targeted won't work, in which case you can have a bulk collection. Who's making that decision about whether a targeted collection would work or not? Because to me, you know, that's a decision that an intelligence agency would have to make kind of routinely. And PPD 28, the Presidential Policy Directive number 28 Mhmm. In the US, for example, says that intelligence surveillance has to be as tailored as possible Mhmm. And that human intelligence should be preferred over signals intelligence when the signals intelligence is gonna have a more detrimental impact on civil liberties and privacy.
Speaker 1
21:10 – 22:23
So in Canada, who's making that decision? I think it's also within the executive. So it's within the intelligence service, but it is an oversight component. And they just passed four days ago the C-59 bill in Canada. And, you know, we don't know when the Senate in Canada will or not adopt this bill, but people say maybe by February or March, we have a new Canadian intelligence law with C-59. And there will be a new oversight body, and CIRA, it's called. And it has a very broad oversight review over not just a particular intelligence community service, but also a wide range of security agencies. And I think their oversight remit is also to study the way in which an intelligence case has been independently demonstrated by well, I don't know. When you say independently demonstrated, it's still within the executive, but then the oversight body has a role to assess whether or not they agree to the demonstration
Speaker 0
22:23 – 22:52
that was put forward by the executive. Mhmm. Mhmm. And that's, again, something different than an executive decree. Yeah. It's interesting because in the United States, when it comes to surveillance of people outside the United States for intelligence reasons, and the surveillance is conducted wholly outside the United States, there really isn't much involvement of an oversight body in that activity. It's more the province of the executive branch.
Speaker 1
22:54 – 25:08
Thorsten, we only have a couple minutes left. One kicker one. I would like to put into your attention. So that's oversight interfaces. That's something that in the US, I don't think, has been established yet. So it's the direct oversight body. So they have the ability to follow the intelligence collection. And if they want to do random checks on whether or not the intelligence collection is the way it's intended in the law or not, they have now a much better access to question is, of course, and this is for the future, whether or not the oversight interface that now exists in France, Netherlands, United Kingdom, Norway, and Sweden can be used effectively. So having access directly to the IT systems and at the interception point, also to the in France, they have the, it's called, where they have a private, like, have another intermediary where all the collected data is being stored, and then the oversight body has direct access to that facility. Having this access is great. The question is whether they can make good use of it. And for this, you need a lot of technological knowledge and have to hire the right people to make best use and then have the human technology interface that actually makes sense and that they would make better use of this interface. So there's another thing, also when it comes to automated deletion. So I think there is, I haven't seen much information about this, but I know that the Dutch oversight service, for instance, has a project called three oversight three point o, and they've taken some money to meet with IT experts and to develop tools whereby it can automatically detect if the service should no longer hold on to this data, and then it has to be deleted, and they have an automated fashion to ensure that. That overcomes,
Speaker 0
25:09 – 26:05
a problem that we've faced in the US when it comes to retention periods for intelligence that's collected. You don't wanna retain information that's irrelevant, and you don't wanna retain information that was unlawful to collect. But often, the information that's collected is never looked at. So having a way to delete that data without having looked at it Mhmm. And still have the data saved if it's going to be useful and was lawfully collected, I think is an interesting advance. Thorsten, is there anything that you can see from your early findings that the Americans need to learn from what other countries are doing and vice versa? What do the Americans do that's particularly interesting that other countries might consider adopting?
Speaker 1
26:05 – 27:16
Right. So let me start with the latter part of your question. So I think there are a lot of good nuggets that I've collected from the US side that I want to bring to the attention of European oversight bodies. And I think one of the strengths in the US is really transparency reporting. There's quite, the public reporting on individual authorization approval decisions, looking at the FISA rules of procedure or the FISC rules of procedure, and then also having adversarial proceedings in authorization process, the amicus that you have, the rule here in the US. These are things where I find the US has a lot to bring, and that we are studying carefully in order to make sure that the European oversight bodies can also be brought to have more rigorous reporting and advanced transparency standards in that reporting in order for the public to get a better understanding of what is happening. And that too is in the interest of the intelligence services because it provides legitimacy.
Speaker 0
27:18 – 27:30
Thorsten, I know you have another project on oversight, the European Intelligence Oversight Network. Tell us a little bit about that before we close. Thanks, Greg. Yeah. So this is actually tied to the research that I'm doing. So,
Speaker 1
27:31 – 28:44
we feel that there is a lot of intelligence cooperation. Rightly so, European intelligence services and their American and Canadian counterparts are very closely connected. They have joint interfaces, databases, and the like. Whereas the oversight landscape is very fragmented still. So you would still have very few opportunities for the German oversight body to meet with their Danish or Norwegian or French counterparts and actually come together and share experience that they've made. And I think sometimes it's also important to have civil society included in this dialogue, and therefore, we have just started this European Intelligence Oversight Network where we had a first workshop in May, where different authorization body representatives from several European countries attended our first workshop, and we presented a draft paper. And now we have this radically tested with them, and they had a chance to give us good feedback on some of the best practice that we've identified, and we wanna make this a more long term engagement. So this is what we're doing at the moment. Sounds interesting.
Speaker 0
28:46 – 29:05
Firstly, I wanna thank you for joining us here at CDT on Tech Talk. And we look forward to the report when it's finished, and we hope to help you get the word out about different oversight mechanisms for intelligence surveillance that work. Thank you very much. Thanks, Greg. It's been a pleasure.
Speaker 2
29:10 – 29:27
That's it for this episode of Tech Talk, and a very special thanks to Greg Nojeim for guest hosting. For the very latest on CDT's advocacy efforts around government surveillance and cybersecurity, follow us on Twitter, like us on Facebook, or visit cdt.org. I'm Brian Wesolowski. Thanks for listening.