It’s been 10 years since Edward Snowden holed up in a Hong Kong hotel room and exposed Britain and America’s mass surveillance operations to a group of journalists. His bombshell revelations revealed how the US and UK governments were spying on their citizens, intercepting, processing and storing their data, and sharing this information. Since then, although neither state has lost its appetite for hoovering up huge amounts of personal data, new transparency and oversight constraints, together with the growth of encrypted technology, have tilted the balance towards privacy.
Snowden’s revelations sparked outrage and anger. Bulk interception was being done without a democratic mandate and with few real safeguards. When the scope of this surveillance came to light, officials claimed most of the information was not “read” and therefore its collection did not violate privacy. This was disingenuous; the data could reveal an intimate picture of someone’s life – a fact that was upheld in later legal challenges, which proved the surveillance violated privacy and human rights law.
After the leaks, three reviews took place in the UK. The first was done by parliament’s intelligence and security committee (ISC). It did little to interrogate what the spies were actually up to, even while acknowledging that new legislation was required. A review by David Anderson QC, the independent reviewer of terrorism legislation, was more circumspect and suggested a series of improvements. Finally, the Home Office convened a panel (of which I was a part, alongside an ex minister, former security chiefs and Martha Lane Fox) that produced a report and a series of recommendations.
These three reports eventually led to the 2016 passage of the Investigatory Powers Act, which clarified what types of state surveillance were allowed and how these needed to be authorised. The act allowed bulk interception – much to the dismay of many privacy campaigners – but changed the process governing how this interception was authorised. This meant that while a secretary of state could sign off a warrant justifying the most intrusive powers, that warrant must also be approved by an independent judicial commissioner.
The legacy of Snowden’s leaks is mixed. Bulk interception and surveillance hasn’t stopped, despite there now being greater transparency and more oversight. “There are a few more safeguards, but mostly it continues,” Caroline Wilson Palow, the legal director at Privacy International (PI), told me. The greatest legacy of Snowden’s leaks are the legal challenges they have made possible. Until these revelations, it was nearly impossible to bring a legal case challenging state surveillance. There have now been several successful lawsuits.
Beginning in 2013, civil rights organisations, including PI, Liberty and Big Brother Watch, began challenging bulk interception and surveillance in the European court of human rights and English courts. The human rights court rulings set a precedent across Europe that such spying requires prior independent or judicial authorisation that must be meaningful, rigorous and check for proper “end-to-end safeguards”. Earlier this year, MI5 was found to have acted unlawfully by the investigatory powers tribunal in retaining huge amounts of personal data after a case was brought by PI and Liberty. None of these cases would have been possible if Snowden’s information hadn’t come to light, and hopefully they put pressure on the intelligence agencies to pay attention to the legal safeguards.
As technology evolves, so too does surveillance. States have found new ways to spy on citizens, particularly using the mobile phones we all carry around. Intrusive spyware such as Pegasus, sold by the Israeli surveillance company NSO Group, can turn a person’s phone into a 24-hour surveillance machine. A 2021 investigation by the Guardian and other media organisations showed how activists, journalists and lawyers had been targeted by malware bought by countries such as Saudi Arabia, the United Arab Emirates, Hungary and India. Too often, security services conflate protection of those in power with protection of the public. Politicians have long used their security services and surveillance powers to stifle protest and dissent by targeting anyone who might legitimately challenge (or even question) their hold on power. This is why the interests of the security services so often come at the expense of the public. Even so, the rallying cry of protecting the public is often used to justify such invasive surveillance.
We can see something similar happening with the UK’s online safety bill. Discussions about this have conflated the public’s legitimate concern about bad online behaviour with the security services’ agenda of breaking end-to-end encryption. Gaining a backdoor to encrypted chat has been on spies’ wishlist almost since the internet was invented. But there is no guarantee this will make the internet safer or free from harm. In its current form, the bill would effectively deputise spying activities to technology companies, which could scan users’ messages and social media posts for evidence of harms that they could then report to the authorities. Understandably, there’s huge demand for more accountability online, where bad and dangerous behaviour often goes unchecked. But the proposed bill will allow intelligence agencies to spy on ordinary citizens via technology platforms.
The fact is, the majority of online abuse isn’t happening in secret. It’s in plain sight and still nothing is done about it. Bad behaviour online has few consequences. Women face rape and death threats simply for daring to speak out online. Any teenager can access radicalising messages from racists and misogynists or watch extreme pornography showing physically violent, hostile depictions of sex. They don’t need cryptography to view such things. This raises the elephant in the room around any discussion about online safety: the business model of big tech. It, too, relies on mass surveillance but of a different kind, where users’ behaviour is watched by machines in order to build algorithms, so that social media can serve up posts they think we’ll engage with. The monetisation of users’ attention has incentivised tech companies to create algorithms that tend toward extreme, radicalising content as that is the kind that draws the most engagement. Breaking encryption does nothing to solve this problem.
Snowden’s leaks put paid to any doubt we live in a surveillance society. But thanks to the revelations, the security services themselves came under scrutiny and were found lacking. Mass surveillance was checked, if only through more accountability. Now we face another push by the state to spy on us under the guise of online safety. Let’s not be fooled that surveillance makes us safer. The reality is nothing puts us in more danger.