My new book: Internet Privacy Rights

IPR photoMy first book has just been published – the official publication date is 27th March 2014.

The title says quite a lot about the book: Internet Privacy Rights – Rights to Protect Autonomy. It is an academic book, in the CUP series ‘Cambridge Intellectual Property and Information Law’ (hence the morse code under my name) but I hope that it is accessible to people other than legal or IT academics – to me, the subject needs more exposure and more understanding far beyond the ivory towers of academia.

Not just legal rights…..

What’s more, the ‘rights’ that are the subject of the book are not ‘legal’ rights in a direct sense – though they have a relationship with legal rights. Rather, the book looks at the rights that we, people who use the internet (and that’s most of us), believe we should have, rights that we need to have, rights that businesses and governments need to take into account and respect if they are to have support from us. The law is only a small part of the story – often, as the case studies in the book point out, the laws are often inappropriately written, inconsistent and conflicting, feebly enforced or easily sidestepped. Understanding what people need and what they expect can be more important if businesses are to gain or keep the trust and support of their customers, and if governments are to retain the support of their citizens.

Rights to protect autonomy…

The other key to the ideas in the book is autonomy – and that given the nature of the internet and the ways that we use it, privacy (and privacy rights) is necessary to protect it. Invasions and infringements of privacy, from surveillance and tracking to profiling and misuse of data, can have an impact on far more than our ‘individual’ privacy – they can have an impact on pretty much every aspect of our lives, from ‘traditional’ civil rights such as freedom of speech, association and assembly to practical things like our job prospects, our relationships, our credit ratings and the prices we pay for goods. Our autonomy, our freedom to live as we would like to live, is threatened, not just our privacy – and this is something that still does not seem to be understood by many of those who instigate or support the regular and deepening infringements of our privacy.

The book looks at many of the different ways that our privacy is infringed, from government surveillance to behavioural advertising, from the activities of search engines to the numerous ways that data is vulnerable to hacking, loss and misuse. There are case studies and theoretical analyses – but though the case studies reveal many things that should disturb and concern us, I do not think that it is time for us to give up. Privacy is not dead yet – and I believe that we can find ways to make our future more ‘privacy-friendly’. Indeed, the way that such a future might look is part of the subject of the final chapter of the book.

Buying the book – and a discount available!

The book will be available from online stores (including Amazon) but the best way to get it is directly from CUP, the publishers – and that’s particularly true as they have offered a special discount to people who buy online through their website. Follow the link below, and use the discount code “InternetPrivacyRights2014″ for a 20% discount – it is valid until the end of May, but only for purchases through the CUP website here:

http://www.cambridge.org/gb/academic/subjects/law/intellectual-property/internet-privacy-rights-rights-protect-autonomy

There is also an e-book version available here:

http://www.cambridge.org/gb/academic/subjects/law/intellectual-property/internet-privacy-rights-rights-protect-autonomy?format=AR

and a Kindle Edition of the book, available through the Amazon website:

http://www.amazon.co.uk/Internet-Privacy-Rights-Intellectual-Information-ebook/dp/B00I0UNGL2/ref=sr_1_1_bnp_1_kin?ie=UTF8&qid=1395674601&sr=8-1&keywords=Internet+Privacy+Rights+Rights+to+Protect+Autonomy

Anyway, I hope you find it interesting – the main point of the book is really to contribute to the debate over privacy. It is a debate that needs to be had, particularly in the UK where we really don’t seem to discuss the issue enough, as the relatively muted debates over the actions of GCHQ and the NSA have shown. We need to talk about it much more.

Tony Benn’s five questions – and surveillance

TonyBennTony Benn’s death was announced today. He was one of my political heroes – and a man I admired in a whole lot of ways. I’m not going to write about him – there will be reams and reams written about him by writers far better than me – but just note that his wit and wisdom has application in many spheres.

One of the things he’s most famous for – and one of the things that will be mentioned again and again in the aftermath of his death – is his questioning of the legitimacy of power. His five questions reverberate far beyond the obvious. He asked of the powerful:

  1. What power have you got?
  2. Where did you get it from?
  3. In whose interests do you exercise it?
  4. To whom are you accountable?
  5. How do we get rid of you?

In the current climate, this does not just apply to the people with power, but the institutions of power. Think of the application to surveillance.

What power do they have? The power that surveillance provides is immense – as I’ve noted before, it doesn’t just impact upon privacy but upon a broad range of our human rights, from freedom of speech, assembly and association onwards.

Where did they get this power from? To a great extent just by grabbing it – the way that the Snowden revelations have demonstrated that surveillance has been kept secret, that the NSA and GCHQ have built empires almost without our noticing, should give us all pause for thought.

In whose interests do they exercise it? That is far from clear – the evidence that it ‘protects us from terrorism’ is flimsy at best. It looks to many of us as though it is primarily in instrument of control, in the interests of those already with power – or, perhaps even more directly, just in the interests of those doing the surveillance themselves, building their own power base. Either way, it doesn’t seem to be in the interests of us!

To whom are you accountable? This is one of the key questions – to date, those exercising surveillance have seemed all but unaccountable. In the UK, the Intelligence and Security Committee that is supposed to exercise scrutiny is pretty much unfit for purpose, a supine body that does exactly what it’s told.

How do we get rid of you? That is the biggest question of all – and should be asked again and again until we get an answer. So far, the only apparent concessions given about surveillance have involved transparency. They’ll tell us a little more about what they’re doing… but they don’t seem to be willing to even consider that there should be less surveillance – and in particular, no mass surveillance.

That’s what we need. And we should keep on asking Tony Benn’s five questions, in as many spheres as we can.

Guest post: In accordance with a flaw?

Guest post by @Super__Cyan

In accordance

Draconian new regulations threaten innocent tenants’ privacy.

Imagine junior staff of local councils being able request your bank details, your itemised phone bills? Keep calm, now is not the time for fear that comes later when this may soon be the law! Local councils may soon be given powers to authorise employees to request personal information if they suspect you are committing social housing fraud. This clearly raises issues of privacy, it looks pretty illegal, undermines the government’s position on civil liberties, such powers may already exist with better safeguards and it is of public importance even more so because it is being sneaked in through the back door!

The Prevention of Social Housing Fraud (Power to Require Information) (England) Regulations 2014 (the Regulations) is a draft statutory instrument that allows for local councils (Regulation 3) to authorise a member of staff to use powers granted by Regulation 4. Regulation 4 enables staff to require information from specified persons for housing fraud investigation purposes which are the prevention, detection or securing evidence for the conviction of one of the offences listed in section 7(7) of the Prevention of Social Housing Fraud Act 2013 (PoSHFA).

Regulation 4(2)(a) allows authorised staff to require information from a person falling within paragraph (3) (listed later) and 4(2)(b) has or may have possession of or access to any information about any matter that is relevant to housing fraud investigation purposes.

The person(s) information can be required from include:

  • any bank,
  • any lender
  • any water company
  • any gas company
  • any electricity company
  • any person who provides a telecommunications service,
  • any servant or agent of any person mentioned above.

That is a pretty hefty list, but I’ll only deal with one of these person(s), telecommunications service providers (or telcos), you know the guys that give you the internet, your phone network etc? Yup, them.

Regulation 4(6) makes clear that an authorised staff cannot request a specific type of communications data from telcos, that being traffic data.

So if we make our way to the Regulation of Investigatory Powers Act 2000 (RIPA) section 21 we can see that traffic data is mentioned in section 21(4)(a) and section 21(6). This is to be excluded, but on the other hand everything else in section 21 seems to be fair game, if we look at section 21(4)(b) and (c) with the former stating:

any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person— .

(i) of any postal service or telecommunications service; or .

(ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

And the latter stating:

any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

What does this even mean? Section 21 of RIPA itself is vague and it is only made sense of if you look at the Acquisition and Disclosure of Communications Data Code of Practice (main page here). This Code of Practice is pursuant to section 71 of RIPA. This defines more comprehensively the types of communications data which can be requested by the authorised officer (see Chapter 2, paras 2.23-2.29) such as numbers called, duration and timing of a call etc. It is interesting that an itemised telephone call record (2.24) which according to the Code falls under use data would or should actually also fall under traffic data because who you call ‘identifies, or appears to identify, any person’ you’ve called. It may be poor drafting from the Code because it fails to recognise that either who you call falls under traffic data or use data or both.

But should this be the case if a power to access communications data already exists? Regulation 3(2) allows a local council to grant requesting authorisation to an individual employed by that authority or any individual employed by another local authority or joint committee that carries out functions relating to housing fraud investigation purposes on behalf of that authority. Section 37 of the Protection of Freedoms Act 2012 (PoFA) (which inserts a section 23A into RIPA) requires judicial approval for the obtaining or disclosing of communications data.  The ‘relevant person’ mentioned in section 23A(1) is defined as an individual holding an office, rank or position in a local authority (section 23A(6)(a)(i) and (ii). And for the avoidance of doubt The Regulation of Investigatory Powers (Communications Data) Order 2010 in Schedule 2 Part 2, local councils (which fall within the section 11(8) definition of local councils in the PoSHFA) are an additional public authority which can acquire communications data for s22(2)(b) RIPA purposes, this states:

It is necessary on grounds falling within this subsection to obtain communications data if it is necessary…for the purpose of preventing or detecting crime or of preventing disorder.

An authorised staff in the Regulations only need reasonable suspicion which seems to be in contradiction with section 22(2)(b).

Where are the safeguards? Why is it that judicial approval is required under the PoFA but not under the Regulations? I very rarely make political points, but I think this is important. The 2010 Coalition Agreement expressly stated that:

We will implement a full programme of measures to reverse the substantial erosion of civil liberties and roll back state intrusion (page 11).

We will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed of by a magistrate and required for stopping serious crime (page 12).

Not many things reek as bad as political double standards, but that is a textbook example of it. Firstly, the PoFA may have improved ECHR compliance by implementing an ECtHR judgment on DNA retention. But this Regulation is contrary to that agreement, furthermore it is no longer true that councils require approval from magistrates to make de facto RIPA requests therefore circumventing section 23A in oblivious fashion. The Greeks would be proud of this Trojan horse of a statutory instrument. The Regulations do not even state the level of seniority which authorisation can be granted to, hence this could be junior staff (Regulation 3(2)). Should junior staff or an assistant be able to request such personal information from a wide range of persons?

This clearly has privacy implications and issues with other various rights. But I’ll deal only with Article 8 of the European Convention on Human Rights which notes that:

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

A simplified expression of Article 8 is this. Every individual has privacy rights and the state should steer clear of those rights except for in circumstances proscribed by Article 8(2). For your privacy rights to apply they must be interfered with or ‘engaged.’ This is straight forward, the European Court of Human Rights (ECtHR) in Copland v UK [2007] ECHR 253, at para 43 noted that:

[T]he use of information relating to the date and length of telephone conversation and in particular the numbers dialled can give rise to an issue under Article 8 as such information constitutes an ‘integral element of the communications made by telephone’…The mere fact that these data may have been legitimately obtained … is no bar to finding an interference with rights guaranteed under Article 8…Moreover, storing of personal data relating to the private life of an individual also falls within the application of Article 8 §1…Thus, it is irrelevant that the data held … were not disclosed or used against the applicant in disciplinary or other proceedings.

What this means is regardless of how private information was obtained or if it was used or not, the fact that it has been accessed is enough engage Article 8 and therefore requires justification under Article 8(2).

Interference or engaging privacy must be in accordance with the law, whereby requesting information must have some basis in domestic law (para 193). The Grand Chamber (GC) of the ECtHR in Stafford v United Kingdom  [2002] ECHR 470 (at para 63) held that the law should be accessible to the person concerned and foreseeable as to its effects. The GC in Amann v. Switzerland  [2000] ECHR 88 ruled that ‘a rule is “foreseeable” if it is formulated with sufficient precision to enable any individual – if need be with appropriate advice – to regulate his conduct (para 56). Publication of the law would seem to satisfy accessibility (Leander v Sweden [1987] ECHR 4 para 52-53).

If we take what was said in Malone v United Kingdom (1984) 7 EHRR 14, at para 67 ‘thus implies – and this follows from the object and purpose of Article 8 (art. 8) – that there must be a measure of legal protection in domestic law against arbitrary interferences by public authorities with the rights safeguarded by paragraph [Article 8(1)].’ This is to prevent the authorised staff from requesting information randomly. Regulation 4(5)(a) makes it so that authorised staff can request information of people who have committed, is committing or intends to commit an offence listed in section 7(7). It is worrying that authorised staff can request information based on the intention to commit an offence, I was not aware that authorised staff had developed the ability of telepathy. So there is no requirement for suspicion of attempted fraud merely suspicion of future intention. How are you supposed to regulate your conduct appropriately if staff are making assumptions about your mental state?

It does not stop there, Regulation 4(5)(b) allows information to be requested if the authorised staff have reasonable grounds to believe a person to be a relative of the suspect.  This includes spouse/partner, (grand)parents, (grand)children, (half)siblings, aunts/uncles and nephews/nieces under section 113 of the Housing Act 1985 imported by Regulation 4(11). Authorised staff do not even need actual proof of familial relations to be able to request information. Information can be requested irrespective of whether they are even living in the same property as the suspect. So family members who have no fraudulent involvement or household associations with the suspect can have their privacy invaded. Ironically Regulation 4(5)(b) does not capture non-family members who may live with the suspect.

The arbitrary nature of the power is of further concern because once authorised staff make a request, under Regulation 5 it is an offence to (a) intentionally delay, obstruct authorised staff or (b) refuse or fail to provide the requested information without reasonable excuse. So a company may be reluctant to query the requests that seem unreasonable or disproportionate simply because of the offence of non-compliance. Therefore there does then seem to be an in accordance with a flaw, this would be enough for a violation without considering anything else (para 63). I suppose this gives the title more meaning now.

Even if the Regulation was somehow deemed to be in accordance with the law the ECHR requires measures to be necessary and proportionate. As you can see, fraud would fall under this umbrella term of 22(2)(b) of RIPA and Article 8(2). If such a similar and even broader power exists are these Regulations necessary? Having said that, the term ‘broader power’ probably isn’t the right word because for instance RIPA requests only dealt with communications data. Is such an exhaustive list necessary for the function of the authorised staff? Should this be a job for the police and not employees of a local council?

Necessity requires the least restrictive measure in pursuit of an objective (Mark Elliott, ‘Proportionality and deference: the importance of a structured approach’ in Christopher Forsyth et al (Ed), Effective Judicial Review: A Cornerstone of Good Governance (Oxford University Press 2010)). How can the Regulations be seen as the least restrictive approach to privacy when the authorised staff could make requests from a variety of sources, or all of them if they reasonably believed it was needed? This only strengthens the point that the power exercised by authorised staff is arbitrary.

Conclusion

I’m aware that the Regulations are specifically targeted at social housing fraud, but I do not think that there is any need for a disparity between the approach authorised staff must take under RIPA and the Regulations. As draconian as RIPA is, the approach taken i.e. necessity (section 22(2)) and proportionality (22(5)) is more likely to conform to the ECHR’s standard of human rights protection and the Coalition’s own stated commitments. But it does seem that both provisions fail to strike the right balance, on the one hand the Regulations are only aimed at tackling social housing fraud, and it seems that only employees that deal with social housing fraud investigation can be authorised officers, but there is no necessity or proportionality requirement nor is there any judicial oversight, nor any insight into the seniority of the employees who can request substantial amounts of private information, and it most spectacularly bypasses the (better defined) safeguards of RIPA. With the PoFA it seems that anyone employed by a local authority can gain access to communications data under the vague terms under section 22(2)(b) of RIPA, but yet is subject to judicial oversight. The idea that specific officers can gain access to communications data for specific legal purposes is a much better safeguard against abuse than having the power employed in a broad manner.

Having said that, if these Regulations are going to become law, they need more careful scrutiny and a quick blog post just to highlight the Regulations’ existence isn’t sufficient. Very importantly The Prevention of Social Housing Fraud (Detection of Fraud) (Wales)Regulations 2014 (which almost mirrors the Regulations) which still need approval should be rejected by National Assembly for Wales for the same reasons expressed above in relation to the Regulations. Can this be said to be necessary in a democratic society, when giving staff of local councils sweeping powers to snoop on citizens by stealth? This should not only interest privacy advocates, housing and human rights legal folk but every individual citizen because it is the citizens who will be subject to these laws.

The Government: You’re making a big mistake (saying that these Regulations are likely to be unlawful)!

Super Cyan: Not as big as yours, I fear.

High fives to @RichGreenhill for the heads up, advice and comments on initial drafts.