‘Not putting things into your computer is a very effective tool’

It have been busy months for Peter Swire, professor at the Georgia Institute of Technology. In August 2013, he joined the Review Group on Intelligence and Communications Technologies. It was set up by president Barack Obama to review the NSA’s mass surveillance programs that came under harsh criticism after Edward Snowden revealed their existence. The other members of the group were Michael Morell (former deputy director of the CIA), Richard Clarke (chief counter-terrorism adviser under presidents Clinton and Bush), Cass Sunstein (one of the most decorated legal academics) and Geoffrey Stone (a noted civil liberty scholar).

Swire, who studied at the Brussels ULB in 1980-1981, wrote a long article on the Foreign Surveillance Act over a decade ago and has been closely following European data protection legislation for a long time. ‘I was in the Review Group especially as a privacy expert, and also for economic policy that I know’, Swire says. ‘In 2009 and 2010, I worked in the White House for Director of the Economic Council Larry Summers.’

The review of the expert group came out mid December. President Obama reacted to its recommendations a month later, in a speech on January 17 and with a new Presidential Policy Directive.

 

What did Obama expect from your Review Group?

Peter Swire: We were told that we should try to figure out where to go in order to enhance national security when it comes to intelligence and surveillance. We were told to think about relations with our allies, including the commercial side of that. And we were told to examine privacy and civil liberties, how to address the insider threat which Snowden had revealed so prominently, and also how to maintain public trust –at home in the US and abroad.

In order to do the review, did you get a magic key giving access to all of the NSA’s secrets?

Peter Swire: We had extensive briefings with general Alexander and anyone else we wanted to talk to. We had briefings from senior people, analysts and other agencies. If we had follow up questions, we had someone from each agency who was our liaison, including the FBI, the CIA and the NSA.

During the review process you saw a lot of classified information. What were you most shocked about?

Peter Swire: I won’t say things that are classified. I was very pleased to find out how careful about following the rules the NSA and other agencies were. They have very strong compliance systems. If an analyst looks at phone numbers he shouldn’t look at, the system will catch him.

Did you see the same documents as the one Edward Snowden got hold of?

Peter Swire: We had access to everything we asked for.

Numbers differ regarding how many documents Snowden managed to get his hands on, from 58.000 up to 1,7 million files (according to the Department of Defense). What is the accurate figure?

Peter Swire: The NSA has done an extensive assessment of the damage, and forensics on what has happened. I know it is a large number.

Constitutional Law Professor 

You met with Obama in the situation room in August 2013, and a second time after you finished your report. Which impression did Obama make on you?

Peter Swire: The biggest impression is how well he knew these issues. When you talk to busy leaders, they often have to get briefings from their staff to understand the details. Not Obama. He understood the details.

Don’t forget Obama was a constitutional law professor at the University of Chicago and a brilliant law student, so he understood the legal context. When he ran for president, he became known as being very knowledgeable about the internet. He used many online things to help get elected. And he has also been commander in chief for five years during the wars in Iraq and Afghanistan. So he has an understanding of national security ánd fundamental rights ánd the technology of the internet.

Both times we met, Obama was in the process of figuring out his own views on the issue. So he was using these meetings as a way to help him make his decisions.

How much of a priority is the NSA reform for Obama?

Peter Swire: In the last months before Obama’s speech [announcing the NSA reforms]¸ this was one of the top topics. His senior advisors on the national security side were spending a great deal of time on this. And Obama himself was deeply involved in the preparation of his speech and in the decisions for policy.

When you read the speech and the presidential policy directive, you should see this as the result of a deliberate process of self reflection by the US government and by Obama himself. I think it is a sign of democracy in action. If you think it is just pretend language in a bad faith attempt to deflect criticism, I encourage you to see this as the constitutional law professor having his opportunity in history to make a mark on how intelligence is done.

Which mark did Obama leave then? What is really going to change now?

Peter Swire: I would emphasize two changes. One is that the system for surveillance for domestic phone calls will change. The government today is holding a very large fraction of domestic US phone calls. The president said that this kind of program will end.

The second change is a presidential directive that Europeans will be treated very much like Americans when they come into the database for surveillance. In the past, when emails or phone calls were intercepted, there were pretty strict rules regarding US persons: their name would be masked and there were limits regarding how information about the person’s name would be shared with other agencies. In a major change from past practice, the president said these rules would apply also to Europeans and other foreigners.

Double standards 

According to independent privacy expert Caspar Bowden, a system of double standards is upheld. On the one side you have US citizens and non US citizens on American soil, on the other side non US citizens outside of the US on the other hand. Correct?

Peter Swire: The systems will not be identical, but the basic approach will be to treat Americans and Europeans the same under the surveillance laws.

Why can’t foreigners be granted the same privacy guarantees as US citizens?

Peter Swire: Constitutional protections apply within the borders of the US to American citizens and non American citizens. If you are a European and you are visiting in the US, you get all these constitutional protections. But if you are in Brussels, then all the constitutional provisions do not apply outside of the US.

Then there’s the US privacy act. It is a fairly specific law that applies to systems of records held by the US government. The Department of Homeland Security, that deals with passenger records and immigration etcetera, has had a policy for several years for files that contain US and non US records. The same access and correction rights apply for US persons and non US persons.

The statute (which is what Congress wrote) only applies to US persons. Our recommendation was: the same provisions that Homeland Security has, should be spread to other agencies. That, I have been told, is under further review.

In your review, you made 46 recommendations for NSA reform. How many have been picked up by Obama?

Peter Swire: 70 percent has been accepted in letter or spirit.

Regarding the other 30 percent: which one are you most sad about because it has not been picked up?

‘Companies that are violating sanctions with Iran or manufacturing weapons of mass destruction, are certainly subject to espionage.’

 

Peter Swire: I hope in the future there will be a split between the NSA and the military Cyber Command. The US Cyber Command is in the first few years of its existence as a separate combat command in the army. This is a military function that emphasizes effective warfare techniques. I think that intelligence is a process that is quite separate from warfare. But the president decided that the Cyber Command was still too early in its development, that it still required a closer coordination with the NSA. I however think that as the military side of cyber expands, it will make sense to split these two into separate units.

Spying on companies

Surveillance data are not used for economical espionage purposes and are not shared with American companies, you stressed during a press briefing in Brussels. A Belgian parliamentary investigation into Echelon came to another conclusion: ‘American intelligence services are systematically collecting economic intelligence. This information is forwarded to government entities with the purpose of benefiting American companies to win foreign contracts.’ Who is wrong, the Belgian senate or you?

Peter Swire: I am not commenting on a report from 13 years ago. The policy does not exclude espionage about economic topics. For instance companies that are violating sanctions with Iran or manufacturing weapons of mass destruction, are certainly subject to espionage. The policy is that the espionage results are not given to US companies for their commercial advantage.

Presidential Policy Directive 28 can be cancelled by the next president or even by Obama himself, even in secret. Can’t Congress make the policy more solid?

Peter Swire: A law by Congress indeed is more permanent. But if the president would try to repeal this directive secretly, the chances of leaks are very high, because the rules apply to tens of thousands of people. A secret law that is contrary to the published law is a very risky strategy for the president. I think it is unlikely to happen.

Will US Congress make the directive more permanent? Will it take an initiative?

Peter Swire: In general the US Congress worries more about American voters than it does about people overseas. That is the normal way of politicians –maybe this also goes for Belgian politicians. One reason for the president to take action, is to assure allies and friends around the world that we will have these safeguards that apply to all people.

Billions of dollars at stake

Is the PPD28 enough to regain trust from the EU?

Peter Swire: There are some people who are angry about the US spying. I think Germany is the place where this anger is most visible, but also in the US we hear similar criticism from some activists. I think the president’s speech made many new statements about US policy and how it would be careful and appropriate towards the Europeans and other allies. I think the audience was pleased to hear that.

Paul Nemitz, director Fundamental Rights and Citizenship at the DG Justice of the European Commission,  at the privacy conference in Brussels commented on EU US relations. He referred to billions of dollars at stake. Do you see that as a threat?

Peter Swire: I hope that data protection disputes don’t stop the TTIP negotiations between Europe and the US. The trade deal involves hundreds of billions of euros. I hope we can have this free trade agreement to create economic growth for everyone without letting data protection block this.

Is the US worried about a EU member state taking the step of an inter state complaint?

Peter Swire: There are many diplomatic discussions between the EU and the US. I am not aware of any particular legal complaint before a tribunal.

Ethical approach

Research by professor Martin Scheinin of the European University Institute shows the efficiency of surveillance is very low. Then what’s the use?

Peter Swire: The NSA has supported the allied military efforts in Iraq and Afghanistan. For the last ten years, they’ve had a tremendous amount of experience acting in real time to handle threats, such as attacks by IEDS on allied soldiers. With ten years of experience, you learn a lot of things. This saves lives and prevents attacks. After this intense period of experience, there are very strong capabilities that the NSA has. That’s consistent with documents that have been published in the press.

 In a 1998  interview with Le Nouvel Observateur Zbigniew Brzezinski (former national security advisor of president Carter) said: ‘The ethical debate on intelligence is only there in the case of classic espionage. One can ask: is it appropriated to recruit agents in Bonn or Paris? But as far as eavesdropping or pictures are concerned, what is the ethical question?’ Is that still the ethical approach of the US in terms of intelligence?

Peter Swire: Throughout history, nations have spied on other nations. The art of war [a reference to the famous book by Sun Tzu] urges leaders to spy all the time on foreign issues. What’s remarkable to me, is that the president’s new directive places many legal limits on spying for people who are not even citizens. This is a legal development that is quite different from the history. It shows the president’s appreciation of the importance of privacy. It is a directive on spying activities and it says citizens of other countries should have important civil liberties protections. That’s historical.

How do you protect your own data? Tor? PGP? Encryption?

Peter Swire: These issues are clearly top secret, and I would have to give you a classified rating in order to tell you the answer (laughs).

For many people, the first step is to have excellent back up off site. One of the biggest risks to your data is that you lose them. In terms of adversaries: not putting things into your computer is a very effective tool. When I became a member of the Review Group, I was thinking: “It’s possible that foreign services will target my computer.” So some of my work I didn’t put into my computer.

There has been a lot of attention paid to the report and some people wanted to know the answers of the report before it was public. To be clear: I was not concerned about US services but about foreign agencies. There are press reports –I am not confirming nor denying them– that agencies have the capabilities to penetrate even computers that are not connected to the internet. The traditional strong safeguard was to separate the computer physically from the internet. Now press reports say that’s not enough to guarantee security. The most paranoid people may therefore keep things off from their computers.

The Belgian military secret service ADIV late 2012 became victim of a cyber attack and called the US Cyber Command for help. Did you know this story?

Peter Swire: It’s the first time I hear that anecdote for Belgium. But there are similar anecdotes in American industry and in other places. The NSA has great technical skills on cyber defense. Cyber offense and cyber defense are closely related. So for engineers, the best attackers often know where to plug the holes. It is an important role for the NSA today to do defense for US government computers and to help friends.

Whilst defending, the opportunity to attack might be there as well.

Peter Swire:  That would be a risk. They would believe that the Belgians would be doing maximum double checking at that moment. So when the lights are on and people are watching you carefully, that’s a hard time to put a bug in a system.

Thank you for the interview.

MO* spoke to Peter Swire on January 25, after he participated in the international conference Computers, Privacy and Data Protection in Brussels.