NSA created 'European bazaar' to spy on EU citizens, Snowden tells European Parliament

National spy agencies across Europe are allowing the NSA to piece together their data into a larger picture, Snowden said

The U.S. National Security Agency (NSA) has turned the European Union into a tapping "bazaar" in order to spy on as many EU citizens as possible, NSA leaker Edward Snowden said.

The NSA has been working with national security agencies in EU member states to get access to as much data of EU citizens as possible, Snowden said in a testimony sent to Members of the European Parliament (MEPs) published Friday.

The European Parliament had invited Snowden to provide testimony for an inquiry into the electronic mass surveillance of EU citizens. That surveillance, often instigated by the NSA but carried out with help of EU member states, is quite extensive, he wrote.

The NSA has been pressuring EU member states to change their laws to enable mass surveillance, according to Snowden. This is done through NSA's Foreign Affairs Division (FAD), he said, adding that lawyers from the NSA and GCHQ work very hard "to search for loopholes in laws and constitutional protections that they can use to justify indiscriminate, dragnet surveillance operations that were at best unwittingly authorized by lawmakers," he said.

The efforts to "interpret new powers out of vague laws" is an intentional strategy to avoid public opposition and lawmakers' insistence that legal limits be respected, he said.

Recently, the FAD has used such pressuring techniques on Sweden and the Netherlands as well as on New Zealand, according to Snowden. Germany has also been pressured to modify a law on the secrecy of post and telecommunication correspondence to appease the NSA, eroding the rights of German citizens under their constitution in the process, Snowden said.

"Each of these countries received instruction from the NSA, sometimes under the guise of the U.S. Department of Defense and other bodies, on how to degrade the legal protections of their countries' communications," he said. The ultimate result of this NSA guidance is that the right of ordinary citizens to be free from unwarranted interference is degraded, and systems of intrusive mass surveillance are being constructed in secret within otherwise liberal states, he said, adding that this often happens without the full awareness of the public.

Ultimately, each national spy agency is independently hawking domestic access to the NSA and others "without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole," according to Snowden.

Once the NSA has dealt with legal restrictions on mass surveillance in partner states, it pressures them to perform operations to gain access to the bulk communications of all major telecommunications providers in their jurisdictions, Snowden said. "Sometimes the NSA provides consultation, technology, or even the physical hardware itself for partners to 'ingest' these massive amounts of data in a manner that allows processing, he added.

"By the time this general process has occurred, it is very difficult for the citizens of a country to protect the privacy of their communications, and it is very easy for the intelligence services of that country to make those communications available to the NSA -- even without having explicitly shared them," Snowden wrote.

The deals between the NSA and foreign partners are set up in such a way as to provide the NSA with a means of monitoring a partner's citizens without informing the partner, and to provide the partner with a means of plausible deniability, he said.

"The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn't search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements," Snowden said.

Snowden, who said that he's still seeking asylum in the EU, also provided solutions to solve the mass surveillance problem.

It is easy to make mass surveillance more expensive through changes in technical standards, he said. "Pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost effective basis," he said, adding that the result is that governments are likely to fall back to traditional, targeted surveillance founded upon an individualized suspicion.

This traditional method is more effective than mass surveillance, according to Snowden. "I believe that spying serves a vital purpose and must continue," he said.

The European Parliament is set to vote on a draft resolution on Wednesday that seeks to keep data protection out of EU-U.S. trade talks. The MEPs want the EU to suspend two deals with the U.S., one on exchanging banking data and the other on the Safe Harbor privacy principles for U.S. firms holding European data, as, they say, the fight against terrorism can never justify secret and illegal mass surveillance.

The MEPs will also vote on a proposal for stronger safeguards for data transfers to non-EU countries. Wednesday's vote could result in the updating of 19-year-old data-protection laws. Under MEPs' amendments, companies breaking the rules would face fines of up to €100 million (about US$139 million), or up to 5 percent of their annual worldwide turnover, whichever is greater, according to the Parliament.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Government use of ITtelecommunicationonline safetyU.S. National Security Agencygovernmentinternetdata protectionEuropean Parliamentprivacyintrusionsecuritydata breachAccess control and authenticationencryption

More about EUEuropean ParliamentGCHQIDGNational Security AgencyNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts