Over at the Guardian today, Kenneth Roth—executive director of Human Rights Watch—argues for a worldwide human right of privacy:
It's time for governments to come clean about their practices, and not wait for the newest revelations. All should acknowledge a global obligation to protect everyone's privacy, clarify the limits on their own surveillance practices (including surveillance of people outside their own borders), and ensure they don't trade mass surveillance data to evade their own obligations. Of course it is important to protect security, but western allies should agree that mass, rather than narrowly targeted, surveillance is never a normal or proportionate measure in a democracy.
Washington is finally grappling with the Snowden revelations, holding hearings and considering legislation that might help to rein in the NSA's seemingly unconstrained power. Some of these bills would limit or end bulk data collection, institute greater transparency, and give the secret court that oversees surveillance requests a more adversarial character. These are important proposals, but none include protection for non-Americans abroad. The US has the capacity to routinely invade the digital lives of people the world over, but it barely recognises any privacy interest of those outside the US (emphasis added).
Roth's article echoes arguments made recently by David Cole on Just Security (here and here), to which Orin Kerr responded (here and here) on Lawfare. I fully agree with Orin's response to Cole, which essentially posits that the US government's obligation to respect the privacy of its citizens and those within its territory stems from a social contract not present with everyone else in the world.
But I'm hung up on an antecedent question in light of Roth's and Cole's arguments: What if we were to accept, in Roth's words, that there is some "global obligation to protect everyone's privacy"? What if we were to accept that the US has an obligation to to recognize the "privacy interest of those outside the US" and that presumably every other country had a reciprocal obligation to recognize the privacy interests of those inside the United States? What if, as Cole posits, we were to accept that every country in the world has an international law obligation to respect the privacy of every person in the world because of the extraterritorial application of the International Covenant on Civil and Political Rights? What does such a global right of privacy look like and how does it interact with the espionage activities of, say, every country in the world that does foreign espionage?
Neither Cole nor Roth addresses these questions—save that both assume that NSA's activities violate the global privacy right in question. But they seem to me important. Most espionage, after all, violates privacy; it involves stealing secrets, after all, secrets often composed of what people are thinking and saying to one another in private. Cole and Roth are presumably not suggesting that the warrant requirement of the Fourth Amendment should apply to all signals intelligence collection worldwide. But what are they saying?
The closest either comes to answering this question is when Roth says that "western allies should agree that mass, rather than narrowly targeted, surveillance is never a normal or proportionate measure in a democracy." The implication is that the legal obligation to privacy involves proportionality and also that the US's privacy obligation to citizens of democratic countries differs somehow from its obligation to citizens of non-democratic countries. As a preliminary matter, I'm not sure why that latter point should be the case. It seems a bit unfair to the poor Iranians to say that it's okay for the US to collect in bulk on them just because their own government behaves tyrannically. Talk about adding insult to injury!
More fundamentally, the distinction between mass surveillance and targeted surveillance seems to me inherently unstable. We actually do forms of "mass surveillance" all the time—including of our own citizens domestically: traffic enforcement cameras, airport security screening, anthrax testing of physical mail, to name only a few examples. None of these are narrowly targeted at people suspected of doing something wrong. They sweep in everyone who engages certain systems. What's more, the whole idea of foreign intelligence collection is to gobble large volumes of material and then try to make sense of it. SIGINT is only one example of this. What about satellite and drone surveillance of wide areas for long periods of time? Does that not also presumptively violate people's international human right of privacy to the extent it is not targeted at individuals? What about requirements that banks report transactions over a certain size? In other words, while I certainly agree with Orin that we should be skeptical of the notion of a global international law right of privacy, I confess that I'm stuck on an threshold problem: I don't even know what it means.