Author: Seumas Miller
Edward Snowden, a low level private contractor to the US-based National Security Agency (NSA), breached prima facie legal and moral confidentiality/secrecy obligations by engaging in unauthorized accessing, retrieving and/or releasing of a large volume of confidential data from NSA to the press and, possibly, to foreign powers, e.g. China, Russia. Snowden’s activities are a major, indeed stunning, breach of institutional confidentiality and were enabled by modern information and communication technology (ICT) and, specifically, the existence of vast amounts of communicable, searchable, analyzable, stored data on a computer linked to a network. As such, his activities were prima facie not only unlawful but also, given they undermined institutional processes and purposes, corrupt.
However, release of some of this data to the press might be morally justified by the public’s ‘right to know’, e.g. the public’s right to know that the NSA was engaged in an extremely large scale collection process of the data of US and other citizens. In a liberal democratic polity, if the state engages in this kind of large-scale collection process without the knowledge and approval of the citizenry then, arguably, it goes beyond its remit and, potentially, undermines public trust in the government and its security agencies. In short, whereas the collection process may well be justified in itself, the manner in which it was implemented rendered it a prima facie corrupt process. That said, the release by Snowden of confidential data to foreign powers, e.g. China and Russia, if it has taken place, is a form of cyber-espionage. Moreover, it also constitutes prima facie serious moral wrongdoing, since it potentially undermines legitimate security purposes and processes, and/or puts security personnel and others in harm’s way. Whether or not it was morally wrong, all things considered, depends on the countervailing moral weight to be attached to Snowden’s fulfilling the public’s right to know about the NSA’s data collection and related activities.
The key normative or ethical notions in play in relation to Snowden are whistleblowing, right to know, confidentiality and security. Let us take these in turn. The main elements of whistleblowing can be summarized as follows. The whistleblower is a member of an organization, and he or she deliberately places information about non-trivial wrongdoing on the public record, doing so for the purpose of having the wrongdoing stopped, and in the expectation that he or she may suffer some form of unwarranted interference and/or real or threatened reprisal.
The right to know is typically invoked in the context of the freedom of the press which is in turn associated with and, in part, derivable from the freedom of speech – the latter being one of the fundamental human freedoms. News media organizations have a particular role as an institution of public communication. Specifically, they have an institutional role as the free press in the service of the public’s right to know – the role of the Fourth Estate alongside the executive, legislature, and judiciary within a liberal democracy. Roughly speaking, the normative idea here is that in contemporary liberal democratic states, news media organizations – whether they are publicly or privately owned – have, or ought to have, as a fundamental institutional purpose the communication of information to the members of the public that the latter have a right to know.
Respect for, and exercise of, this right to know is necessary in order for the free citizens of a democratic polity to govern themselves responsibly (albeit indirectly via an elected government). Moreover, this right to know goes hand in glove with individual freedom of speech. For it is only under conditions of free speech that the truths which the citizens have a right to know are likely to be communicated. The institutional purpose of the news media – the free press – is in large part to see to it that the truths in question are publically communicated. This role of the news media is especially important in mass societies in which word or mouth is an unreliable means of public communication, albeit in contemporary mass society social media have complicated matters in this area somewhat.
What of confidentiality? Law enforcement operations give rise to stringent confidentiality requirements, given what is often at stake, for example harm to informants, the possibility that important investigations might be compromised. Military operations also give rise to stringent confidentiality requirements, such as ‘need to know’ principles and legal prohibitions under official secrets legislation; again, the stringency of these requirements can be justified given what is often at stake, for example harm to one’s own combatants, and the possibility that military missions might be compromised. At least in the case of security agencies, such as police, military and intelligence agencies, a degree of compliance with principles of confidentiality is a constitutive institutional good in the sense that security agencies could not successfully operate, i.e. could not provide security, without a high degree of confidentiality.
Security is a multi-faceted notion pertaining to both individuals and collectives. Personal (physical) security is a more fundamental notion than collective security; indeed, collective security in its various forms is in large part derived from personal security. Thus terrorism, for example, is principally a threat to national security precisely because it threatens the lives of innocent citizens. However, collective security is not simply to be identified with aggregate personal (physical) security. For example, terrorism might be a threat to the stability of a government and, as such, a national security threat, an example of which can be seen with the Islamic State’s occupation of large parts of Iraq and Syria. Aside from questions of the scope of security, for example personal, organizational, national, there is the matter of the type of security. Here a distinction between informational and non-informational security might be helpful. Informational security is self-explanatory and basically consists of ensuring that privacy rights are respected and confidentiality requirements are being met. Non-informational security pertains to physical or psychological harm to human beings, damage to physical ‘objects’ (including the physical environment and artefacts), and certain forms of harm to institutional processes or purposes, for example by means of corruption.
In the light of this discussion of the moral right to know and the moral value of security, in particular, what are we to make of the NSA leaks by Edward Snowden? Is Snowden an heroic whistleblower, as some see him, or a de facto foreign espionage agent guilty of treason, as others hold? Speaking generally, these leaks were a breach of security in the sense that they infringed NSA confidentiality requirements and, indeed, US secrecy laws. As such, they undermined institutional integrity and, as such, were acts of corruption, at least prima facie, albeit apparently acts of noble cause corruption – corruption motivated by the desire to achieve good (assuming Snowden acted for the greater good, as he claims). However, the larger question is whether they undermined collective security in the stronger sense, for example, by compromising the legitimate intelligence-gathering methods and activities of the US and its allies, and by putting put the lives of security personnel and, ultimately, citizens at risk. On the other hand, there is the matter of the public’s right to know. Surely the US citizenry had a right to know that this large scale data collection was taking place. Moreover, the intelligence agencies, arguably, were acting outside their institutional remit and were themselves engaged in a corrupt practice, albeit one that may well be in itself morally justifiable. (An otherwise morally justifiable action might be corrupt if it has not been appropriately authorized, in this instance, democratically authorized (so to speak).) Indeed, assuming that the members of these agencies acted for the greater public good, their activity should perhaps be regarded as an instance of noble cause corruption. However, granted that the US citizens have a right to know, at least in general terms, about the data collection policies of their intelligence agencies and, indeed, have the right to approve or disapprove them, it does not follow that, objectively speaking, those policies should be allowed (or disallowed). So there are actually a number of issues here that need to be kept separate.
First, there is the question of the institutional harm done by Snowden; this is in part a question about corruption and, specifically, the corrupt activity of an institutional actor, Snowden. Second, there is the question of whether the NSA acted outside its institutional remit; this is also in part a question about corruption, albeit on the part of those in positons of authority within the NSA and government. Third, there is the question of the justifiability of the NSA’s bulk collection of data considered in itself, i.e. independent of whether it was, or need to be, appropriately democratically authorized. Fourth, there is the question of Snowden’s actions, all things considered. I have already suggested the answers to the first two questions. The answer to the fourth question turns on the answer to the third question. I address this third question in what remains of this section. I begin by trying to get a little clearer on some of the details.
As noted above, the NSA was engaged in the bulk collection of, in particular, the communication data of US and other citizens. The data in question was usually so-called metadata. Metadata does not include the content of telephone and other communications. Rather it is, for example, the unique phone number/email address of caller/recipient, the time of calls and their duration, and the location of caller/recipient. This collection of meta-data generally consisted of the bulk collection of telephone data both for domestic and international calls. The development of data-mining and analytics techniques and technologies has resulted in faster and more efficient interception of telephone and other types of communications, the integration of this data with existing data, and the analysis thereof for intelligence purposes. Intelligence agencies increased their focus on data mining and analytics technologies to extract new useable information from disparate data sources at the same time as non-state threat actors like terrorists were using multiple and more secure ways to communicate.
After 9/11, the US Foreign Intelligence Surveillance Court (FISC) authorized the collection of bulk metadata allowing the NSA access to call records. This was considered by government and the agency as the only effective way to continuously keep track of the activities, communications and plans of foreign terrorists who disguise and obscure their communications and identities. Meta-data security intelligence collection solutions such as those revealed in the Snowden leaks were also adopted because non-state actors (terrorists and transnational criminal syndicates) are using technological developments (in data processing, open source information and commercially available encryption), to communicate, plan attacks or conduct their own surveillance on national security and law enforcement authorities. Hence, intelligence agencies like the NSA had to exploit similar communications technology to track the ‘digital footprints’ in multiple data feeds (meta-data) – allowing them to respond more pro-actively to threat actor activities.
In addition to information about the meta-data program, Snowden’s revelations also included material about NSA’s PRISM program, which allows the agency to access a large amount of digital information – emails, Facebook posts and instant messages. The difference between meta-data collection and PRISM is that the later also collects the contents of those communications.
The collection of bulk metadata is morally problematic in that there is a presumption against the gathering of personal information on citizens by government officials, including law enforcement and other security personnel. This problem is evident in the metadata collection arising in the Verizon and PRISM controversies. Verizon involved the collection by the NSA of the metadata from the calls made within the US, and between the US and any foreign country, of millions of customers of Verizon and other telecommunication providers whereas PRISM involved the agreements between NSA and various US-based internet companies (Google, Facebook, Skype and so on) to enable NSA to monitor the on-line communications of non-US citizens based overseas. While privacy laws tend to focus on the content of phone calls, emails and the like, the Verizon episode draws our attention to metadata. It has been argued that since this data is not content its collection is morally unproblematic. To this it can be replied, firstly, that such metadata is collected to facilitate the communication purposes of callers/recipients and their telecommunication providers, and is consented to only for this purpose. Secondly, metadata enables the non-consensual construction of a detailed description of a person’s activities, associates, movements and so on, especially when combined with financial and other data. The availability to security agencies of such descriptions is surely an infringement of privacy and, therefore, needs justification.
As we saw above, Verizon and PRISM have raised legitimate privacy concerns, both for US citizens and for foreigners, for example in relation to metadata collection and analysis. Regarding metadata collection and analysis in the context of domestic law enforcement, the solution, at least in general terms, is evidently at hand; extend the existing principles of probable cause (or, outside the US, reasonable suspicion), and the existing relevant accountability requirements, for example, the system of judicial warrants.
However, some of these privacy concerns pertain to foreign citizens. Consider the FISA (Foreign Intelligence Surveillance Act) Amendments Act of 2008. It mandates the monitoring of, and data gathering from, foreigners who are outside the US by the NSA. Moreover, data gathered but found not to be relevant to the foreign intelligence gathering purpose of, say, counter-terrorism is not allowed to be retained. Importantly, however, there is no probable cause (or reasonable suspicion) requirement unless the person in question is a US citizen.
This is problematic in so far as privacy is regarded as a human right and, therefore, a right of all persons, US citizens or not. Moreover, these inconsistencies between the treatment of US citizens and foreigners are perhaps even more acute or, at least obvious, when it comes to the infringement of the rights to privacy and, for that matter, confidentiality of non-US citizens in liberal democratic states allied with the US, for example EU citizens.
Intelligence-gathering, surveillance and so on of citizens by domestic law enforcement agencies is reasonably well defined and regulated, for example in accordance with probable cause/reasonable suspicion principles and requirements for warrants; hence the feasibility of simply extending the law enforcement model to metadata collection within domestic jurisdictions. However, this domestic law enforcement model is too restrictive, and not practicable, in relation to intelligence gathering from, for example, hostile foreign states during peacetime, let alone wartime.
The privacy rights of the members of the citizenry during wartime are curtailed under emergency powers; and the privacy and confidentiality rights of enemy citizens are almost entirely suspended. Military intelligence-gathering during war-time has few privacy constraints and, given what is at stake in all-out wars, such as World War II, this may well be justified. However, these are extreme circumstances and the suspension of privacy rights is only until the cessation of hostilities. Accordingly, this military model of intelligence-gathering is too permissive in relation to covert intelligence gathering from, for example, fellow liberal democracies during peacetime.
Intelligence gathering activities, notably cyber-espionage, of the NSA do not fit neatly into the law enforcement model or the military model. At any rate the question arises as to what is to be done in relation to cyber-espionage, in particular. On the one hand, the US and its allies cannot be expected to defend their legitimate national interests with their hands tied behind their backs. So their recourse to (what is in effect) cyber-espionage seems justified. On the other hand, there is evidently the need for a degree of moral renovation of cyber-espionage as it is currently conducted.
Arguably, Edward Snowden was morally justified in making known the NSA’s bulk data collection processes to the public. The US public, in particular, had a right to know what its intelligence agency was doing in this area, given that it was engaged in going beyond its democratic remit in engaging in widespread infringements of the privacy rights of the US citizenry. On the other hand, arguably the manner in which Snowden went about these disclosures, and perhaps the scale of the disclosures, was unnecessary in terms of what the public had a right to know, and harmful to the NSA in particular and to US security interests in general.
 Much of the material in this section is derived from Seumas Miller Institutional Corruption: A Study in Applied Philosophy (Cambridge University Press, 2017) Chapter 10 and from Patrick Walsh and Seumas Miller “Rethinking ‘Five-Eyes’ Security Intelligence Collection Policies and Practices Post 9/11/Post-Snowden” Intelligence and National Security vol. 31 no. 3 2016 pp. 345-368.