Snowden’s role has been confirmed by the Guardian, who along with the Washington Post last week published details of a FISC court order instructing Verizon to hand over communications meta data to the NSA, and the NSA’s separate PRISM operation that has access to the servers of major US corporations such as Google, Microsoft and Facebook. The documents concerned had been provided by Snowden, who has been working as a contractor at the National Security Agency for the last four years.
"I have no intention of hiding who I am because I know I have done nothing wrong," he told the Guardian. "I understand that I will be made to suffer for my actions," but "I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant... I can't in good conscience allow the US government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they're secretly building.”
He apparently chose to go to Hong Kong because "they have a spirited commitment to free speech and the right of political dissent" (left over from its history as a UK colony), and “because he believed that it was one of the few places in the world that both could and would resist the dictates of the US government,” (because of its current status as part of China). Although there is an extradition treaty between Hong Kong and the US, it could prove difficult for the US government. "There is a bar under Hong Kong's extradition law,” Tim Parker, an immigration lawyer based in Hong Kong, told the BBC... “to extradition for an offence that is of a political character, [where] the prosecution is thought not just to be the application of the criminal law, but to crush that person or to crush their dissent.”
Meanwhile, the reverberations of his actions are only just beginning to be felt. What effect those revelations will have in Europe – and particularly on the proposed General Data Protection Regulation – remains to be seen. The GDPR is thought to be struggling, particularly because of the persistent lobbying of large US companies. “It’s ironic,” Amelia Andersdotter (a Swedish MEP and member of the Pirate Party) told Infosecurity, “that I have lobby documents on GDPR asking for more flexibility from just about every company on the list in Washington Post.”
Although European data protection tends to include exclusions on the grounds of national security and legitimate court orders, it becomes a stretch when both the national security and court orders are American but relating to European citizens. “I could see why European citizens should not automatically expect to be fairly treated by the American government. But in the data protection regulation we are somewhat getting ripped off by our own legislators and that's much more difficult to understand. If our own governments don't care about us even when we are exposed en masse to the activities of foreign intelligence agencies, what legitimacy do they have?” She doesn’t mention the UK by name, but includes “member states where we would normally be used to political decisions being made with a high degree of integrity.”
The UK is pressing for the Regulation to be implemented as a Directive, which would allow local interpretation. The official reason is economic; that the Regulation will cost UK jobs (the EC claims it will do the opposite). However, the long-standing close relationship between GCHQ/MI5 and NSA/CIA – especially given the PRISM surveillance apparatus – will benefit from a more relaxed data protection regime.
It explains, said Andersdotter, “why both American companies and the American government have been so desperate to water down our data protection legislation. Luckily the parliament can still decide not to go along with that, and so can the Council of Ministers. At least in theory our governments do work in our interests.” It is possible that a public backlash to Snowden’s revelations could strengthen the hands of those in Europe still arguing for a strong General Data Protection Regulation.