Big Brother and Big Data
If tomorrow, the government announced that every adult in the United Kingdom was to be electronically tagged and monitored 24 hours a day there would be a public and political outcry. Well actually, we already have such a system in operation through our use of smartphones whether turned on or not. We have agreed to this without an informed public debate and discussion. This was the opening remarks of a speech given by the UN Special Rapporteur for Privacy in a Digital Age, Professor Joe Cannataci, at the launch of the Northern Ireland Human Rights Commission’s Annual Statement at the Stormont Parliament in December 2016. Joe Cannataci is in a good position to know as a man with an unusual background. He is both an international law expert and a qualified software engineer.
In his report to the Human Rights Council in February 2017, Joe Cannataci noted that since the Edward Snowden revelations:
‘The status of the right to privacy in the surveillance area of activity has not improved. The states that reacted, and started to work on and passed new laws on the subject, at best, if at all, contain minor improvements in limited areas. In general, these laws have been drafted and rushed through the legislative process with political majorities to legitimise practices that should never have been implemented’.
One of those governments was the United Kingdom which introduced the Investigatory Powers Act in December 2016. The legislation went through its Parliamentary stages throughout 2016 but, there was limited public debate coinciding as it did with the EU Referendum and its aftermath. Three parliamentary committees including the Intelligence and Security Committee, media and journalist organisations, privacy campaigners and human rights NGOs were all severely critical of the legislation and while some changes were made, the substantive provisions remained unaltered.
The stated aim of the legislation was laudable with the government wanting to bring the powers available to law enforcement agencies to obtain communications and data about communications into one place, and make such powers clear and understandable and fit for a digital age. Sadly, not all of these aims have been met.
Under the legislation, intelligence services and the police can access computers, networks, mobile devices, servers and more under equipment interference powers. These powers include exploiting existing vulnerabilities in software to gain control of devices or networks to remotely extract material or monitor the user of a device. Such powers must be exercised through obtaining a warrant. The collection of bulk data from outside the UK where terrorism is suspected can also be gathered by security and intelligence agencies under a warrant issued by the Secretary of State. To aid police and intelligence services investigations, internet history must be stored for 12 months by internet companies, messenger and postal companies. Powers are granted to all intelligence services to access ‘bulk personal data sets’ allowing a wide sweep of data including from individuals not suspected of any wrong-doing. The powers also extend to requiring internet companies to supply in near real time (a phrase not defined) to authorities when a warrant has been obtained. The authorisation of interceptions does not require reasonable suspicion to justify interception and no need to demonstrate criminal involvement or a threat to national security. Powers to require public authorities’ access to journalist sources without media outlets being informed in advance was particularly contested. These sweeping new powers are subject to new oversight arrangements to govern the approving of warrants and other issues.
An investigatory powers commissioner who will be a senior judge and judicial commissioners will be appointed by the Prime Minister. Codes of conduct will also be published on many of the provisions contained in the legislation.
In plain terms everyone who makes a telephone call, sends an email, uses a website or uses Facebook will be affected by the legislation.
Of course, one powerful argument is that all this is necessary given the level of security threat facing the UK and beyond. The question however, is not just one of necessity but, also proportionality and can we trust the state to manage those powers and is there effective oversight?
Recent history suggests it is wise to be sceptical. There are two interesting cases before the European Court of Human Rights at Strasbourg triggered by Edward Snowden’s revelations and based on the use of surveillance under the legislation that applied prior to the Investigatory Powers Act. The first case Big Brother Watch and others against the United Kingdom concerns former surveillance laws and whether they meets human rights standards on the right to privacy and free speech. The second challenge is from ten human rights organisations and others including Liberty and Amnesty International and concerns the interception, inspection and retention of human rights NGO’s own communications. The original complaint went to the Investigatory Powers Tribunal (IPT). In response, the government would neither confirm nor deny whether the communications from human rights NGOs had been intercepted or not. The IPT decided to determine the issues based on the assumed fact that the United States National Security Agency had obtained the NGOs communications data and passed them to GCHQ where they had been retained, stored, analysed and shared and that GCHQ had itself also intercepted communications under its own Tempora programme. An initial public hearing of the case was followed by a closed hearing where the IPT considered GCHQ’s unpublished internal arrangements for processing data. The NGO applicants were neither present nor represented at the closed hearing. Some of the closed material was eventually disclosed and written submissions were made by the applicants.
The IPT found, in essence, that while there had been interceptions of human rights NGOs communications it was lawful and compatible with the right to private life under Article 8 and the right to free speech under Article 10 of the European Convention of Human Rights. The IPT did find technical breaches of the law for example, in terms of how long data was retained and that prior to the disclosures made in respect of this legal challenge, the arrangements were not ‘in accordance with the law’ in terms of human rights safeguards. The tribunal held that in the area of national security much less is required to be placed in the public domain than normal because otherwise the purpose of protecting national security will be put at risk.
Interestingly, the IPT’s judgment fails to address why human rights NGOs might be considered a threat to national security in the first place. The Northern Ireland Human Rights Commission as part of the European Network of National Human Rights Institutions has made a written submission in support of the applicants in both cases. The outcome of the applications to the European Court of Human Rights will be a litmus test of whether an international court will provide a stronger protection of privacy rights than domestic courts.
The pending exit from the European Union and the government’s desire to eventually get out of the scrutiny of the Court of Justice of the European Union (CJEU) also has long-term ramifications for privacy and protection of data protections. The CJEU has recently been at the forefront of reminding European Union member states of their duties to respect, promote and protect the human right to privacy in a digital age. In Tele 2 Sverige a judgment issued in December 2016, the CJEU recognised that while effectiveness in fighting organised crime and terrorism may depend on modern investigation techniques, nonetheless, however, fundamental this may be, it could not in itself justify national legislation providing for general and indiscriminatory retention of all traffic and location data for that fight. Moreover, where there are concrete indications to keep such data to fight terrorism and serious crime there must be restricting criteria, precise geographical limitations and effective oversight mechanisms in place involving meaningful checks and balances. A further case initiated from Ireland has once again been sent to the CJEU. This concerns the legality of current arrangements for the transfer of data from personal Facebook accounts in Ireland to the United States where there were fewer legal safeguards than apply under European Law.
There are ways of developing a proportionate approach to security and privacy rights. The most recent report of Joe Cannataci to the Human Rights Council in February 2017 began to sketch out a road map to effective safeguards and oversight to surveillance of citizens.
Perhaps the last word should be left to Edward Snowden. In response to why he became a whistle-blower he replied: ‘I do not want to live in a world where everything I do and say is recorded’. Sadly, in the United Kingdom his ambition is a long way from being achieved in December 2017.
Join the Conversation...
We'd love to know your thoughts on this article.
Join us on Twitter and join the conversation today.
Join Our Newsletter
Get the latest edition of ScopeNI delivered to your inbox.