Privacy invasive law in Mexico – guest post by Lisa M Brownlee

I’ve written about this before – but things have moved on, and not in a good way. Some aspects of the law discussed are deeply troubling, and privacy activists around the world should be concerned. The following is by Lisa M Brownlee – an information security/privacy and intellectual property legal scholar and author residing in Mexico, and someone whose work is well worth following, as is Lisa herself, on Twitter, where her tag is @lmbrownlee1. Her work on an early version of the law being discussed was published in ArsTechnica.


 

Mexico’s new telecommunications law – including controversial surveillance and data retention provisions.

On Wednesday, August 13, in a 4-3 vote, Mexico’s personal data protection authority, IFAI (Federal Institute for Access to Information and Data Protection), considered and voted against challenging the constitutionality of Mexico’s new telecommunications law, the Federal Telecommunications and Broadcasting Act (FTBA).

The National Human Rights Commission (CNDH) was also empowered to block the legislation on constitutional grounds but failed to do so by Wednesday’s challenge deadline. The Mexican legislature’s Chamber of Deputies, also empowered to prevent the law’s taking effect, was 12 signatures short of a vote to block the FTBA. FTBA therefore took effect on August 13.

Shortly after the vote, Mexico’s Secretary of Communications and Transport (SCT), Gerardo Ruiz Esparza, welcomed the new law and hailed, among other provisions, the law’s authorization of SCT to establish new Internet connections in over 40,000 public places nationwide.

IFAI is mandated to protect the privacy and personal data of citizens, and thus had the authority to challenge the constitutionality of the data collection, retention and access provisions of FTBA Articles 189 and 190. During the hearing, IFAI members stated that the data collected and retained under the FTBA was not “personal data”, and that IFAI therefore lacked standing to bring the suit.

FTBA Article 189 requires telecommunications licensees and Internet service providers to provide real-time geographic location of any type of communication device to public servants and security officials at their request, without warrant. Article 190 provides for the collection of data pertaining to communications, including the origin of calls, duration, location, text message metadata, activity on the network, and for the retention of such data for up to 24 months. Both provisions provide warrantless access by a broad range of government and law enforcement personnel.

Human rights activists fighting the constitutionality of the FTBA’s geolocation and data retention and access provisions were disappointed in IFAI’s failure to take action. The Twitter hashtag #IFAIL arose shortly after the no vote, the tag being a play on IFAI’s name, designating failure to carry out its privacy and data protection authority.

The digital rights group R3D Mexico decried as indefensible the statement made by IFAI president Ximena Puente that the data retained by the telecommunications companies was not “personal data”, and later criticized the failure of IFAI, CNDH and the Chamber of Deputies to act.


 

We need to watch this space!

DRIP: web-mail and web-browsing….

One of the big questions concerning data retention and the hastily-passed DRIP is whether it applies to web-browsing activities. Indeed, Julian Huppert MP asked the question during that all-too-brief debate in parliament, and was assured that it did not. I was far from convinced by the answer, and remain far from convinced, particularly given the idea that this ‘update’ to powers is intended to cover activities like webmail and social networking messages. Some colleagues have been asking questions, and a reliable source within one of the US companies that operates webmail (amongst other things) told us that they don’t expect the data retention powers to apply, given that they have never done so and the government made clear that there was no change in that through DRIP. They added further that as a US company, they are in a very different situation to UK providers.

That leaves us in a very interesting situation. If you’re communicating by webmail or social networking, how can your activities be caught? I can see only two ways: directly from the webmail company, or by capturing web-browsing through the ISP. If there are other ways, I’d like to know… because in the current circumstances I can see only three options:

  1. That webmail and social networking will not be covered by DRIP. That’s almost inconceivable, given the intentions of DRIP and the extent to which communications of the kind that those behind DRIP want to capture take place on webmail and social networks; or
  2. That the non-UK webmail and social network providers have been misled, and DRIP will be used to compel them to gather and hold communications data concerning activities on their services; or
  3. That Julian Huppert – and parliament, and the people of the UK – has been misled, and DRIP will be used to gather web-browsing activities.

If there’s another option, I’d like to know it. It’s entirely possible, as I’ve been wrong often before, but I can’t see it immediately.

My instinct is that the third option is the most likely – and that the intent of DRIP was always to gather web-browsing activity. If we’d had proper time for scrutiny of the bill, and to get experts to ask questions in committee, we might know the answers – and make sure that appropriate balances and controls are put in place. We didn’t. I have a strong suspicion that was entirely intentional too.

DRIP: a shabby process for a shady law.

[An earlier version of this post appeared at The Justice Gap, here]

Thursday’s announcement by David Cameron and Nick Clegg that the coalition was going to expedite emergency surveillance legislation is something that should concern all of us, not just privacy activists. The speed with which the Data Retention and Investigatory Powers bill (‘DRIP’) is being brought into play, the lack of consultation and the breadth of its powers should matter to everyone. There is a reason that legislation usually requires time and careful consideration – and with a contentious issue like surveillance this is especially true. This is a shabby process, for what seems to be a very shady law. And, as David Davis MP has suggested, the ‘emergency’ is theatrical, not real. The need for new legislation was entirely predictable – and politicians and civil servants should have known this.

A predictable emergency

The trigger for the legislation was the ruling by the ECJ, on 8th April, that the Data Retention Directive was invalid – more than three months ago – but the signs that new legislation was needed have been there for far longer. The ruling by the ECJ exceeded the expectations of privacy advocates – but not that significantly, and the declaration that the directive was invalid should have been an outcome that civil servants and politicians were prepared for. Indeed, the Data Retention Directive has been subject to significant challenge since its inception in 2005. Peter Hustinx, the European Data Protection Supervisor in 2010 called it:

“…without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”

Across Europe there have been protests and legal challenges to data retention throughout its history, from 30,000 people on the streets of Germany in 2007 to the declaration that data retention itself was unconstitutional in Romania. The challenge that eventually brought down the directive began in 2013.

The signs have been there in the UK too, and for far longer than three months. The Communications Data Bill – more commonly and appropriately known as the Snoopers’ Charter – was effectively abandoned well over a year ago, after a specially set-up parliamentary committee, after taking detailed evidence, issued a damning report. At that stage, even before the revelations of Edward Snowden reared their ugly head, the need for further legislation was evident.

So why, given all these warnings, has this emergency been manufactured, and why is legislation being pushed through so quickly? Is it that those behind the bill are concerned that if it received full and detailed scrutiny, the full scale and impact of the bill will become evident and, like the Snoopers’ Charter before it, it will fail? It is hard not to think that this has played some part in the tactics being employed here. What would there be to lose by delaying this a few months?

Companies like data too…

The suggestion that if the legislation isn’t pushed through this quickly then companies will suddenly start deleting all their communications data is naïve to say the least. Firstly, it’s hardly in most communications providers’ interest to delete all that data – actually, rather the opposite. Back in 2007, Google attempted to use the existence of data retention legislation as an excuse not to delete search logs – companies generally like having more data, as they (just like the authorities) believe they can get value from it. Moreover, businesses don’t often change their practices at the drop of a hat, even if they want to. They might, however, if they’re required to by law – and that may well be the real key here. Legal challenges to specific practices by specific companies in terms of data retention may well be in the offing – but this would take time, far more time than the few days – less than a week – that MPs are being given to pass this legislation.

Fundamental Rights

The underlying point here is that there is a reason that the Data Retention Directive was declared invalid by the ECJ, and a reason that both privacy advocates and academics have been concerned about it from the very beginning. The mass collection of communications data breaches fundamental rights – and DRIP, just like the Communications Data Bill before it, does authorise the mass collection of this data. It has the same fundamental flaws as that bill – and a few extras to boot. With the very limited time available to review the bill so far, it appears to extend the powers available through the contentious Regulation of Investigatory Powers Act (RIPA) rather than limit them or modernise them (see for example the analysis by David Allen Green in the FT here – registration needed), and to attempt to extend powers outside the UK in a way that is at the very least contentious – and in need of much more scrutiny and consideration.

Most importantly, it still works on the assumption that there is no problem with collecting data, and that the only place for controls or targeting is at the accessing stage. This is a fundamentally flawed assumption – morally, legally and practically. At the moral level, it treats us all as suspects. Legally it has been challenged and beaten many times – consistently in the European Court of Human Rights, in cases from as far back as Leander in 1987, and now in the ECJ in the declaration of invalidity of the Data Retention Directive. Practically, it means that data gathered is vulnerable in many ways – from the all too evident risks of function creep that RIPA has demonstrated over the years (dog-fouling, fly-tippers etc) to vulnerability to leaking, hacking, human error, human malice and so forth. Moreover, it is the gathering of data that creates the chilling effect – impacting upon our freedom of speech, of assembly and association and so forth. This isn’t just about privacy.

Safeguards?

Nick Clegg made much of the concessions and safeguards in the new bill, emphasising that this isn’t a Snoopers’ Charter Mark 2, but it is hard to be enthusiastic about them at this stage. There is a sunset clause, meaning that DRIP will expire in December 2016 – but there is nothing in the bill itself to say that it won’t be replaced by similar ‘emergency’ legislation, railroaded through parliament in a similar way. Moreover, December 2016 is well after the election – and the Lib Dems are currently unlikely to still have any influence at that stage. Julian Huppert in particular, my MP in Cambridge, is in a very precarious position. Without him, it’s hard to see much Lib Dem resistance to either the Tories or the Labour Party who set the ball rolling on the mass surveillance state in the Blair years.

The rest of the safeguards are difficult to evaluate at this stage – they were originally said to be contained in secondary legislation that was not published with the bill itself, but when that secondary legislation was actually released, at around 4pm on Friday afternoon, it contained almost none of what had been promised. For example, the suggestion that the number of bodies able to use RIPA was to be restricted, was entirely absent. This list doesn’t just include the police and intelligence services, but pretty much all local authorities, and bodies like the food standards agency and the charities commission – another part of the function creep of RIPA. The breadth and depth of the surveillance that this bill, in combination with RIPA, would not only allow but effectively normalise, is something that should be of the deepest concern to anyone who takes civil liberties seriously.

The shabbiest of processes

This is just one part of the shabbiness of the process. Two more crucial documents, ‘Impact Assessments’ performed by the Home Office concerning the data retention and interception aspects of the bill, were also released – but without even a mention, so that the first that was heard of them by most concerned people was early on Saturday morning, when vigilant investigators found them all but hidden on the Home Office website. Two documents, full of technical details looking at why the laws were ‘needed’ and what the risks and benefits of the laws would be, the alternatives and so forth, pretty much hidden away. These, together with the Bill itself and the Regulations, combine to produce something with a serious level of both legal and technical complexity – something that needs very careful study and expert analysis. And to do this analysis, we are given essentially one weekend, and no warning.

How serious this is was highlighted by a brief twitter conversation between David Allen Green and MP Julian Huppert this morning:

[Screenshot of the Twitter conversation]

 

David Allen Green (@JackofKent) is asking a straight and direct, technical and legal question – and Julian Huppert can’t answer it. Julian is perhaps the most technically expert of the entire House of Commons – if he doesn’t understand the bill, its impact and how it changes the current situation, how much less can other MPs? And yet they are expected to debate the bill on Monday, and pass it almost immediately. This is patently wrong – and highlights exactly why parliament generally has significant time for analysis and for debate, and parliamentary committees call experts to give testimony, to tease out these kinds of answers. Julian Huppert should not be criticised for not knowing the answer to the question – but he should be criticised for supporting a bill without allowing the time for these questions to be asked, investigated and answered. They need to be.

This is a wholly unsatisfactory state of affairs. Indeed, the whole thing is highly unsatisfactory, and in a democratic society, it should be unacceptable. That our MPs seem willing to accept it speaks volumes.

——————–

The key documents can be found here:- study them if you have time!

The draft bill

The draft regulations

The impact assessment for interception

The impact assessment for data retention.

Surveillance: ten ways to fight back!


Today, 11th February 2014, is ‘The Day We Fight Back’ – a day of campaigning against mass surveillance. It’s a day where campaigners are trying to raise awareness of the issue – and begin fighting against it. The big question is how can we fight back – what can we actually do? It often seems as though privacy is dead, and that there’s nothing we can do about it. I don’t think so – there are lots of things we can do, lots of things we must do. Here are just ten….

1     Support The Day We Fight Back

One of the most important things in the whole fight is to raise awareness – and to take advantage of opportunities to spread the message that surveillance is a big issue. Days like The Day We Fight Back help to do that. Check out the website here. Tweet about it. Blog about it. Talk about it with your friends and colleagues. Make it something that people notice.

2     Lobby your politicians – or unseat them!

Let the politicians know that you care about this – because, ultimately, they are supposed to be your representatives. It may not feel as though they listen to you much – but if enough people tell them the same thing, if enough people bother them, then they may finally get up off their backsides and do something. And if they don’t, use your vote against them. Politicians make a difference here – or rather they could, if they could be bothered. Most of them don’t understand what’s going on – try to educate them! Help them to understand, and don’t let them get away with bland, meaningless reassurances.

3     Don’t let the corporations off the hook!

The Snowden revelations were shocking, revealing a degree of governmental surveillance that surprised many people, and made a lot of people angry with their governments – but we shouldn’t be fooled into thinking this is just about governments, or just about specific agencies like the NSA and GCHQ. The malaise is far deeper than that – and corporations are in it right up to their necks. In many ways corporate surveillance is worse than governmental surveillance – it can have real impact on people, messing with their credit ratings and insurance premiums, affecting their job prospects, the prices they pay for things and more.

The NSA and GCHQ to a great extent piggyback on the surveillance that the corporates do, utilise the tools that the corporates create, mine the data that the corporates hold – if the corporates weren’t doing it, the agencies couldn’t tap into it. What’s more, corporations actively lobby to undermine privacy law, obfuscate over their privacy policies and do a lot more to undermine the whole concept of privacy. We shouldn’t accept that – let alone allow them to portray themselves as the good guys in this story. They’re not. Right now, they’re the henchmen and sidekicks of the NSA and GCHQ – if they want our support, they need to start supporting us.

4     Don’t just demand transparency – demand less surveillance!

There’s a lot of talk of transparency, particularly in relation to governmental requests for data from the likes of Google, Facebook, Twitter etc. Transparency is great – but it’s not nearly enough. We shouldn’t let ourselves be fobbed off with talk of transparency – we need less surveillance. We need to demand that surveillance is cut back – not just that there is better accountability and transparency. Accountability often ends up in farces like the UK’s Intelligence and Security Committee’s hearing with the heads of MI5, MI6 and GCHQ – no real scrutiny at all, just a bit of lip service and a lot of back-slapping. It’s not enough. Not nearly enough.

5     Join or support civil society

Civil society groups all over the world are key players in this – and they need your support. Here in the UK, the Open Rights Group, Privacy International and Big Brother Watch have been in the forefront of the campaigns against surveillance. In the US the Electronic Frontier Foundation have been crucial. In the Netherlands Bits of Freedom have done wonders. These, however, are not groups with the scale or resources of the governments and corporations that are behind the surveillance – so they need every bit of support they can get.

6     Challenge the media!

The mainstream media, for the most part, have not played the part that they could in the fight against mass surveillance. The Guardian has been an honourable exception – and their role in making sure that the Snowden story has seen the light of day has been, for me, one of the most important pieces of journalism for many years – but generally the whole issue has been the subject of far less attention than it should have had. That’s sadly common – because reporting of almost all technology matters is pretty disappointing. We need to challenge that – and shame the media into doing a better job. When they misreport stories about surveillance they should be challenged – using the social media, for example. And, perhaps even more importantly, when they report on technology without seeing the privacy aspects we should challenge that too. One key example right now is the subject of ‘Smart Meters’ – they have deep problems in relation to privacy, but when you see a report in much of the media it only talks of the advantages, not the risks. That’s not good enough.

7     Educate yourself

Part of the reason that surveillance has grown, almost without our noticing, is that far too many of us – and I’m certainly one of them – have not kept ourselves up to date. This year is supposed to be the ‘Year of Code’ – and though that campaign is pretty farcical it does highlight the fact that most of us don’t really know how the tech we use works. If we don’t know how it works, it’ll be much harder for us to protect ourselves. I’m making a commitment right now that I’m going to learn cryptography – and that I’m going to use it.

8     Use and support privacy friendly tech

That brings the next point. There are a lot of privacy-friendly tools out there and we should use them. Search with duckduckgo or startpage rather than Google. Use Ghostery or Abine’s DoNotTrackMe to monitor or block those who are tracking you – remembering that commercial trackers can be hijacked by the authorities. These are just a few of the tools available – and there are more coming all the time – but they need to be used in order to succeed. They need support if they are to grow.

9     Keep your eye on the news

There are more stories about surveillance and other invasions of privacy appearing all the time – keep your eye on the news for them, and let other people know about them. It’s hard to keep up, but don’t give up. Don’t expect to know everything, but if we don’t keep up with the news we aren’t going to be in a position to fight. Information is power – which is a great deal of what surveillance is about. We need to be informed in order to fight back.

10     Make sure the fightback isn’t just for a day

This is the most important thing of all. Campaigns for one day are pretty meaningless – and the authorities will generally let them ride, possibly with a few little comments but almost no action. Political pronouncement and political action need long-term campaigning. Shifts in attitudes don’t happen in a day – so we need to keep this campaign going…. and expect it to be a long, attritional fight. It won’t be easy – but it’s worth it.

Surveillance and Consent

I was fortunate enough to speak at the Internet and Human Rights Conference at the Human Rights Law Centre at the University of Nottingham on Wednesday. My talk was on the topic of internet surveillance – as performed both by governments and by commercial entities. This is approximately what I said – I very rarely have fully written texts when I talk or lecture, and this was no exception. As you can see, I had one ‘official’ title, but the talk had a number of alternative titles…

Surveillance and Consent

Or

Big Brother is watching you – and so are his commercial partners

Or

What Edward Snowden can teach us about the commercial Internet

Or

To what do we consent, when we enter the Internet?

In particular, do we consent to surveillance? If we do, by whom? When? And on what terms? There are three parts to this talk:

1) Government surveillance and consent

2) Commercial surveillance and consent

3) Forging a (more) privacy friendly future?

1: Government surveillance and consent.

Big Brother is Watching You. He really is. Some of us have always thought so – even if we’ve sometimes been called conspiracy theorists when we’ve articulated those thoughts. Since the revelations of Edward Snowden this summer, we’ve been taken a bit more seriously – and quite rightly so.

The first and perhaps most important question to ask is why the authorities perform surveillance? Counter-terrorism? That’s the one most commonly mentioned. Detection and enforcement of criminal law? Crime prevention? Prevention of disorder? Dealing with child abuse images and tracking down paedophiles? Monitoring of social trends? There are different degrees to all these areas – and potentially some very slippery slopes. Some of the surveillance is clearly beneficial – but some is highly debatable. When looking in the area of crime and disorder this is particularly true when one considers police tactics in the past, from dealing with the anti-nuclear movements in the sixties, seventies and eighties to the shocking revelation about the infiltration of environmental activists more recently. Even this summer, the government admitted that it monitored people’s social media activities in order to ‘head off’ the badger cull protests. Was that right? Are other forms of ‘social control’ through surveillance acceptable? They should at least raise questions.

When looking at government surveillance, we need to ask what is acceptable? Where do we draw the line? Who draws that line? How much of this do we consent to? There are a number of different ways to look at this.

Societal consent?

Do we, as societies, consent to this kind of surveillance? It is not at all clear that we do, even in the UK, if the furore that led to the defeat of the Snoopers’ Charter is anything to go by, or the reaction to Edward Snowden’s revelations in most of the world (though not so much in the UK) is any guide. Do we, as societies, understand the level of surveillance that our governments are performing? It doesn’t seem likely given the surprise shown as more and more of the reality of the situation is revealed. Can we, as societies, understand all of this? Perhaps not fully, but certainly a lot more than we currently do.

Parliamentary consent?

Do we effectively consent by delegating our decisions to our political representatives? By electing them, are we consenting to their decision-making, both in general and in the particular area of internet surveillance? This is a big political question in any situation – but anyone who has observed MPs, even supposedly expert MPs, knows that the level of knowledge and understanding of either the internet or surveillance is appalling. Labour’s Helen Goodman, the Tories’ Claire Perry, the Lib Dems’ Tom Brake, all of whom have been (and still are) in positions of power and responsibility within their own parties in relation to the internet, have a level of understanding that would be disappointing in a secondary school pupil.

The Intelligence and Security Committee, who made their first public appearance in November, demonstrated that they were pretty much entirely incapable of providing the scrutiny necessary to represent us – and to hold Big Brother to account on our behalf. Most of the Home Affairs Committee – and the chair, Keith Vaz, in particular, demonstrated this even more dramatically this Tuesday, when questioning Guardian Editor Alan Rusbridger. Keith Vaz’s McCarthy-esque question to Rusbridger ‘do you love your country’ was sadly indicative of the general tone and level of much of the questioning.

There are some MPs who could understand this, but they are few and far between – Lib Dem Julian Huppert, Labour’s Tom Watson, the Tories’ David Davis are the best and perhaps only real examples, but they are mavericks. None are on the front benches, and none seem to have that much influence on their political bosses. Parliament, therefore, seems to offer little help. Whether it could ever offer that help – whether we could ever have politicians with enough understanding of the issues to act on our behalf in a meaningful way, is another question. I hope so – but I may well be pipe dreaming.

Automatic or assumed consent?

Perhaps none of this matters. Could this kind of government surveillance be something we automatically consent to when we use the Internet? Simply by using the net, do we automatically consent to being observed? Is this the price that we have to pay – and that we can be assumed to be willing to pay – in order to use the internet? Scott McNealy’s infamous quote – you have zero privacy anyway, get over it – may be old enough to represent common knowledge. Can we assume that everyone knows they have no privacy? Would that be reasonable, even if it were true? It isn’t true of the public telephone system – wholesale wiretapping isn’t acceptable or accepted, not even of the metadata.

I don’t think any of these – societal, parliamentary or ‘assumed’ – really work, or would be sufficient even if they did – because, amongst other things, we simply haven’t known what was going on. Our consent, such as it existed, could not have been informed consent, in either of the two ways that can be understood. We did not have the information. We were deliberately kept in the dark. And experience suggests that when we do know more, we tend to object more – as events like the defeat of the Snoopers’ Charter demonstrate.

Do we know what we are consenting to?

Do we understand what the implications of this surveillance actually are? This isn’t just about privacy, no matter how much people like Malcolm Rifkind try to frame it that way. It isn’t just about individuals either – sometimes through this kind of framing it can seem as though asking for privacy is an act of selfishness, and that we should be ashamed of ourselves, and sacrifice our privacy for the greater good – for security.

This is quite wrong – and in many ways framing it in this way is deliberately deceptive. There is a significant impact on many kinds of human rights, not just on privacy. Freedom of expression is chilled – both by overt surveillance through the panopticon effect and through covert surveillance through the imbalance of power that allows control to be exerted. Freedom of association and assembly are deeply affected – both online through the disruption and chilling of online communities, and offline through the disruption of the organisation of ‘real world’ protest and so forth. There’s more too – profiling can allow for discrimination. Indeed, as we shall see, discrimination of a different form is fundamental to commercial surveillance – so can be easily enabled in other ways. Ultimately, too, it can even impact upon freedom of thought – as profiling develops, it could allow the profiler to know what you want even before you do.

So even if we have given consent before, that consent is not really valid. The internet is not like old-fashioned communications. We do more online than we ever did through other forms of communication. The nature of the surveillance itself has changed – and the impact of it. Any old consent that did exist should be revoked. If Big Brother wants to keep watching us, He needs to ask again.

2: Commercial surveillance and consent

This is an issue much closer to the common legal understanding of consent – and one that has been much debated. It’s one of the key subjects of the current discussions over the reform of the data protection regime. Edward Snowden, however, has thrown a bit of a spanner into that debate, and those discussions.

To understand what this means, we need to understand commercial surveillance better. Who does ‘commercial’ surveillance? What do I mean by commercial surveillance? Surveillance where money is the motivation – or, to be more precise, where commercial benefit is the motivation. This means things like behavioural tracking – for various purposes – but it also means profiling, it means analysis, all of which are done extensively by all the big players on the Internet, with little or no real idea of consent.

Does commercial surveillance matter?

Commercial surveillance does not often seem to be something people (other than a few privacy geeks like me) care about that much. It’s just about advertising, isn’t it? Doesn’t do anyone any harm? Opt-out’s OK, those paranoid privacy geeks can avoid it if they want, for the rest of us it’s what pays for the net, right? For people like me, there are big concerns – and in some ways it might matter more for most people than surveillance by the NSA and GCHQ. The idea – the one that’s being sold to us – is that it’s about ‘tailoring’ or ‘personalisation’ of your web experience. We can get more relevant content and more appropriate advertising…

…but that also means that it can have a real impact on real people, from price and service discrimination to an influence on such things as credit ratings, insurance premiums and job prospects. Real things that matter to almost all of us. There’s even the possibility of political manipulation – from personalised political advertising to detailed targeting of key ‘swing’ voters, putting even more political influence into the hands of those with the deepest pockets – for it is the deepest pockets that allow access to the ‘biggest’ data, and the most sophisticated profiling and targeting systems.

What Edward Snowden could teach us…

Some parts of the revelations from Edward Snowden should make us think again. PRISM, in particular, should change people’s attitudes to commercial surveillance. This is what Edward Snowden has to teach us. Look at the purported nature of the PRISM program. ‘Direct access’ to the servers of the big Internet companies – including Google and Facebook. Who does commercial surveillance more than Google and Facebook? What’s more, the interaction between governments and businesses is much closer than it might immediately seem. They share technology – and businesses have even let governments subvert their technology, building backdoors, undermining encryption systems and so forth. They share techniques – and even share data, whether willingly or otherwise.

Shared techniques…

Behavioural profiling is just what governments want to do. Behavioural analysis is just what governments want to do. Behavioural targeting is just what governments want to do. Is identifying potential customers any different from identifying potential suspects? Is identifying potential markets any different from identifying potential protest groups (such as those involved in the aforementioned badger cull protest)? Or potential dissidents? Is predicting political trends and political risks any different from predicting market trends? Is ‘nudging’ a market that different from manipulating politics? The Internet companies have built engines to do all the authorities’ work for them (well, OK, most of the authorities’ work for them). They just need to tap into those engines. Tailor them a bit. It’s perfect surveillance, and we’ve helped build it. We’ve ‘consented’ to it.

Who is undermining privacy?

So who is undermining privacy? The spooks with their secret surveillance… or the business leaders telling us to share everything and that, as Mark Zuckerberg put it, ‘privacy is no longer a social norm’? This ‘de-normalisation’ of privacy – apologies for the word, which I suspect doesn’t really exist – amounts to an attempt to normalise surveillance. The extent to which this desired and pushed-for ‘de-normalisation’ has contributed to the increasing levels of surveillance is essentially a matter for conjecture, but it’s hard not to see a connection.

Paranoid privacy geeks like me have been warning about this for a while – but just because we’re paranoid, it doesn’t mean we’re wrong. In this case, it’s looking increasingly as though we were right all along – and that the situation is even worse than we thought.

Is this what we consented to when we signed up for Facebook? Is this what we consent to each time we do a Google search? Is this what we expect when we watch a YouTube video or play a game of Words with Friends? I don’t think so. With new information there should come new understanding – and a reassessment of the situation. We need to decide.

3: A (more) privacy-friendly future?

A three-way consensus is needed. People, businesses and governments need to come to an agreement about what the parameters are, about what is acceptable. About what we consent to. All three groups have power – but at the moment only the authorities seem to be really wielding theirs.

Imagine what would happen if Facebook’s Mark Zuckerberg, Google’s Sergey Brin, Apple’s Tim Cook and their fellows from Microsoft, eBay, Twitter etc all came together and said to the US government ‘No’! Would they be locked up? Would their companies be viciously punished? It seems unlikely – they are much more powerful than they realise. We often talk about the power of the corporate lobbyists – this power could be wielded in a positive way, not just a negative way…

…but it only will if there’s a profit in it for the companies concerned. And that’s where we come in.

We have a key part to play. We need to keep making noises. We need to keep informing people, keep lobbying. Make sure that the companies know that we care about privacy – and not just in relation to governments. Then the companies might start to make a move that helps us.

There are some signs that this might be the case – from the noises from Zuckerberg and so on about how upset they are about the NSA to the current crop of ‘Outlook.com’ advertisements that proclaim loudly how they don’t scan your emails the way that Google do – though it is difficult to tell whether this is just lip service. They talk a lot about transparency, not so much about a reduction in actual surveillance by government – let alone by themselves. If they can wield this power in our favour it could help a lot – but it will only be wielded in this positive way if we make them. So we must be clear that we do not consent to the current situation. We do not consent to surveillance.

Guest post: Go home, Superman!!

[Guest post by @Super__Cyan]

[Image: Superman 1]

Would the Home Office dare do this to the Man of Steel? After all, he is an illegal alien. Maybe the Home Office would be more inclined if he looked like this?

[Image: Superman 2]

(For those who do not know, this is Superman from Earth-Tangent)

This is just to point out the growing concern that officials of the Home Office are conducting ‘racist and intimidatory profiling’ (see also this storify by @anyapalmer). This is not to discuss stop and search powers; more on general stop and search powers by yours truly can be seen here. Two things are worth some attention. First, this image from the @ukhomeoffice Twitter account:

[Image: Superman Home Office]

And this page on the Home Office’s site which has the interesting headline of ‘Immigration offenders arrested in Home Office operations.’

Are there any human rights issues with these? Possibly. The image of the person being taken away could raise issues of privacy, and as we know, that same old Article 8 of the European Convention on Human Rights might be engaged where it stipulates that:

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

As for private life, the European Court of Human Rights (ECtHR) in Von Hannover v Germany 59320/00 [2004] ECHR 294 has pointed out that this includes a person’s picture (para 50). Let’s just assume for the sake of this post that the Home Office officials have lawful authority for taking those pictures, because if they didn’t that would be illegal. So if the officials have lawful authority, what then? Is the Article 8 issue now exhausted?

Not quite, because the subsequent use of those pictures can still leave the Article 8 issue live. This can be seen in Peck v United Kingdom 44647/98 [2003] ECHR 44, where the applicant was filmed attempting to commit suicide in a public street by CCTV cameras operated by Brentwood Borough Council. A few months later, the Council issued two photographs taken from the CCTV footage for publication in an article about the preventative benefits of CCTV. The applicant’s face was not specifically masked. Extracts from the CCTV footage were also shown on regional television in which the applicant’s face had been masked at the Council’s request.

The ECtHR pointed out that the Independent Television Commission considered the masking of the applicant was not adequate because of the applicant’s distinctive features (para 16). Many of the applicant’s friends and family who saw the ‘Crime Beat’ programme recognised the applicant (para 21), including people who knew him, like colleagues (para 54). So the important questions would be: from that image, could the individual be identified? Is the obfuscation adequate? Because on the @ukhomeoffice ‘Photos and videos’ page there is an image of an official whose obfuscation is telling.

The ECtHR reaffirmed the position that interaction even within the public context falls within the ambit of Article 8 (para 57). It also reiterated that using photographic equipment that records in a permanent nature gives rise to considerations regarding interference with Article 8 (para 59). But here the applicant was not arguing against the use of CCTV footage but that it was the disclosure of that record of his movements to the public in a manner in which he could never have foreseen which gave rise to such an interference (para 60). The ECtHR concluded that the Council’s disclosure constituted a serious interference with the applicant’s Article 8 rights (para 61). This could be the case also for the present image.

After determining whether this was in accordance with the law and pursued a legitimate aim (which was satisfied, para 64-67) the ECtHR also pointed out that ‘the applicant was not charged with, much less convicted of, an offence. The present case does not therefore concern disclosure of footage of the commission of a crime’ (para 79). An analogy between Peck and the image tweeted by the Home Office is that the person is arrested on ‘suspicion’, so there are some similarities. The ECtHR criticised the Council for not taking the utmost care in ensuring the media masked those images and stated:

In sum, the Court does not find that, in the circumstances of this case, there were relevant or sufficient reasons which would justify the direct disclosure by the Council to the public of stills from the footage in its own CCTV News article without the Council obtaining the applicant’s consent or masking his identity, or which would justify its disclosures to the media without the Council taking steps to ensure so far as possible that such masking would be effected by the media. The crime-prevention objective and context of the disclosures demanded particular scrutiny and care in these respects in the present case (para 85).

For reasons such as these the ECtHR found the United Kingdom in violation of Article 8. This is not intended to suggest that this would be the likely outcome regarding the present images the Home Office has tweeted, but none the less great caution should be taken when releasing images of individuals to the public.

There is another issue that may be applicable here, and again it’s something to do with Europe, and something to do with human rights, a recipe for disaster! This time Article 6(2) of the ECHR may be relevant which states that:

Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law.

This disallows premature declarations of guilt by public officials. Allenet de Ribemont v. France 15175/89 [2007] ECHR 112 emphasised that not being charged but being arrested falls within the ambit of being “charged with a criminal offence” (para 37). Kouzmin v. Russia (link in French) points out that a public official does not need to be an already elected representative or employee of the public authorities at the material time. It may include persons of recognised public standing, from having held a public position of importance in the past or from running for elected office (para 59-69). It seems pretty sure the Home Office’s Twitter account would satisfy this as it is a public authority (para 49).

The ECtHR in Ismoilov and Others v Russia 2947/06 [2008] ECHR 348 stressed that:

A fundamental distinction must be made between a statement that someone is merely suspected of having committed a crime and a clear declaration, in the absence of a final conviction, that an individual has committed the crime in question. The Court emphasises the importance of the choice of words by public officials in their statements before a person has been tried and found guilty of a particular criminal offence. (para 166)

So essentially the Strasbourg Court is saying that a poor choice of words could violate Article 6(2). The hashtag used in the tweet with the images states ‘suspected #immigrationOFFENDER.’ Offenders are those that have been convicted of an offence; a sex offender is someone who has been found guilty of a sexual offence, see generally F & Anor, R (on the application of) v Secretary of State for the Home Department [2010] UKSC 17. Obviously the word suspected demonstrates the suspicion the individual is under, but adding ‘offender’ in the hashtag is certainly a poor choice of words; it may have been more appropriate to tweet ‘suspected of #immigrationOFFENCES.’ As pointed out, the headline on the website does not, however, help the case for the Home Office, as it clearly states ‘Immigration offenders arrested in Home Office operations.’ Only if one reads the body of the text will they discern that those arrested are suspected of an offence; this is sadly only after the website states ‘immigration offenders’ twice before even mentioning ‘suspected.’

Calling someone a ‘bribe-taker’ was enough to violate Article 6(2) in the case of Butkevičius v Lithuania, so it is not that far-fetched to suggest ‘immigration offender’ may, as the ECtHR said, ‘encourage the public to believe him guilty and prejudged the assessment of the facts by the competent judicial authority’ (para 53). Similar sentiments by Richard A. Edwards and Associate Professor @NoelleQuenivet regarding the presumption of innocence can be found here and an excellent post from the aspect of data protection here by @bainesy1969. I suppose this may all hinge on whether the individual is identifiable, but the ECtHR in Butkevičius v Lithuania noted that:

‘[Article 6(2)] will be violated if a statement of a public official concerning a person charged with a criminal offence reflects an opinion that he is guilty before he has been proved so according to law’ (para 49)

This implies a violation is possible irrespective of identification. Regardless, the Home Office could not have trolled harder, as at the bottom of its site it asks:

[Image: Superman home office question]

Perhaps the better question would be ‘Is there anything right with this page?’

Guest Post: Asking the wrong questions?

[Guest post by @Super__Cyan]

[Image: Wrong Question]

Has the Stop and Search Consultation made a glaring oversight regarding a particular question asked? Does it overlook the crucial question, that being whether the power itself to stop and search without reasonable grounds is sufficient to satisfy the United Kingdom’s obligations under the European Convention on Human Rights?

The key question is Q6, in relation to s.60 Criminal Justice and Public Order Act 1994 (particularly s.60(5)) which notes that:

“To what extent do you agree or disagree that the ‘without reasonable grounds’ stop and search powers described in the paragraphs above are used by police in a way which effectively balances public protection with individual freedoms?” (page 8)

This issue arises because it asks about the use of that power rather than the power itself. The question implies that such a power may be acceptable on the condition that it effectively balances public protection with individual freedom. Is the very premise of that question missing the point? To answer it in the positive or negative would accept from the outset the use of stop and search without reasonable grounds as being acceptable.

Did the United Kingdom forget about Gillan and Quinton? Gillan and Quinton v United Kingdom concerned the lawfulness of stop and search powers under terrorism legislation. The applicants primarily argued that these laws violated their Article 8 rights. Article 8 of the European Convention on Human Rights (ECHR) stipulates that:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The European Court of Human Rights (ECtHR) concluded that stop and searches in the present case interfered with Article 8 (at para 65). The argument is that stop and search powers under s.60 (although slightly different in form to s.44) apply a fortiori and therefore would too amount to an interference with Article 8. Once interference has been established it is necessary to move on to Article 8(2), as interference has to first be ‘in accordance with the law’, which requires some basis in domestic law for the power exercised.

This requirement can be further subdivided into what the ECtHR regards as ‘the quality of the law’ (para 63), which needs to be compatible with the rule of law; this requires the law to be accessible to the person concerned and foreseeable as to its effects (para 50). Publication (para 52-53) of the relevant law goes a long way in satisfying the ‘accessibility’ requirement, which is the case with s.60. The foreseeability rule requires the law to be formulated with sufficient precision to enable any individual – if need be with appropriate advice – to regulate their conduct (para 56). It is difficult to envisage how someone can regulate their conduct if a search can occur irrespective of conduct and on grounds that do not need to exist or even be aired.

In Gillan the ECtHR stressed the importance of laws being in accordance with the law to protect against arbitrary interferences by public authorities (para 77). When rightly finding a violation of Article 8 the ECtHR noted that:

Not only is it unnecessary for him to demonstrate the existence of any reasonable suspicion; he is not required even subjectively to suspect anything about the person stopped and searched. (para 83)

The ECtHR was also struck by the statistical evidence showing the abuse and misuse of the s.44 powers and accepted there was a clear risk of arbitrariness in the grant of such a broad discretion to the police officers (para 84-85). Possibly the most essential sentence of the judgment is as follows:

[I]n the absence of any obligation on the part of the officer to show a reasonable suspicion, it is likely to be difficult if not impossible to prove that the power was improperly exercised. (para 86)

The ECtHR concluded that the relevant provisions were not in accordance with the law, which ultimately meant the stop and search powers failed at the first legal hurdle under Article 8(2). Academics have tended to agree with the ECtHR: Gray, providing a comparative perspective with Australia, has argued that the police should be required to show ‘reasonable suspicion’ as a basis for conducting a search, rather than arbitrarily conducting searches on anyone they choose. This would, to a far greater degree, effectively balance public protection with individual freedoms. J. Miller, N. Bland and P. Quinton recommended that s.60 needs to be considered carefully given its likely impact on community confidence and inefficiency at producing arrests. They also demonstrated that these searches are actually far less successful at producing arrests.

They also pointed out that officers were ‘more ready to search people under this power where evidence was not strong’: this clearly demonstrates the risk of arbitrariness the ECtHR were all too concerned about (for instance, searching more white people just to even up the number of searches on black and Asian people). More recently Her Majesty’s Inspectorate of Constabulary raised concern regarding s.60 as they uttered ‘establishing a belief that is ‘reasonable’ is therefore of utmost importance’.

What’s the conclusion? Well, perhaps question six should be redrafted so as to give respondents the opportunity from the outset to consider whether the law itself is efficient, because, as pointed out, there are serious concerns regarding stop and search without reasonable grounds in terms of legality and efficiency. Forcing them to accept question six in its current form is not a healthy way to debate such a serious issue. Furthermore, it would be better this way to urge Parliament to alter this provision rather than testing their luck in the courts. So it is suggested question six could be more appropriate and useful if it was redrafted to:

“To what extent do you agree or disagree that the ‘without reasonable grounds’ stop and search powers described in the paragraphs above effectively balance public protection with individual freedoms? (Please give reasons)”

And as Dr Lanning would say: