Surveillance and Austerity

One of the most depressing aspects of the passing of the Data Retention and Investigatory Powers Act (DRIP)  this week was the level of political consensus. All three major parties backed it, aside from a few mavericks in Tory and Labour ranks. Despite some excellent speeches in the Lords, it passed through there in double-quick time, without their Lordships even deeming it worthy of a vote.  It got me thinking, what else has a similar level of consensus? The obvious answer, sadly, was austerity. Ed Miliband is due to give a speech today to Labour’s National Policy Forum which, it seems, will confirm Labour’s commitment to it.

There is no alternative…

There are more parallels between surveillance and austerity than we should feel comfortable with. Our main political parties view both surveillance and austerity as ‘given’, and as though there are no alternatives even worth considering, let alone exploring in any detail. Both, we are told, are for our own good. Those who resist both, we are told, are unrealistic dreamers or worse. If we don’t embrace both, we are told, there will be disasters, and the future is bleak.

Divisive and simplistic…

Both also rely on divisive and simplistic assumptions.

The essence of the drive to welfare ‘reform’, in particular, is the idea that there are ‘strivers’ and ‘scroungers’, and that the former are being made to suffer by the latter. The former, the ‘good’ people, don’t need welfare, and won’t suffer from the results of austerity.

The essence of the drive for surveillance is that there are ‘good’ people and ‘bad’ people – and that the ‘good’ people are being made to suffer by the ‘bad’. The former, the ‘good’ people, don’t need privacy, and won’t suffer from the results of surveillance.

In neither case are the divisive and simplistic assumptions true. As anyone who studies the details knows, the majority of people on benefits are also in work. People shift from being in work to being out of work, from being in need to being able to do without it. The whole idea of ‘scroungers’ is overplayed and divisive, particularly in relation to people with disability. Similarly, the idea that ‘good’ people have nothing to hide, so don’t need privacy, is one of the classic misunderstandings of privacy. We all need privacy – it’s part of what we need as humans, part of our dignity, our autonomy. It’s a pragmatic necessity too, as those in power do not always use their powers for good – the latest of the Snowden revelations, that the NSA pass around naked pictures of ordinary people that they find through their snooping is just another example of how this works. Privacy isn’t about hiding – it’s about what we need as people.

It’s all about power

Ultimately, though, the thing that surveillance and austerity really have in common is power. They’re ways that those with power can keep control over those without it. Keep poor people poor and desperate, and they’re more malleable and controllable. They’ll take jobs on whatever conditions those offering them suggest. Surveillance is ultimately about control – the more information those in power have, the more they can wield that control, whether it’s monitoring social media in order to stop protests or manipulating it to make people happy and like particular products or services.

What we can do about it is another question. The real point about the people in power is that they have power…. and reducing that power is hard. We should, however, at least do our best not to have the wool pulled over our eyes. This isn’t for our benefit. It’s for theirs.

DRIP: normalising the surveillance state.

Yesterday’s shameful passing of the Data Retention and Investigatory Powers Act, nodded through without amendment and without even the perceived need for a vote in the House of Lords, was not just very bad news for the UK, it was bad news for the world. The ease with which it was passed, the speed with which it was passed, and the breadth of the powers granted send signals around the world. Some of us have been warning about this effect for a long time – what we do in the UK is being watched around the world. If we, as a supposedly mature, liberal democracy believe that mass surveillance is OK, then that means that anyone could do it. Indeed, that any sensible state should do it.

I’ve been accused of paranoia by making such a suggestion. After all, this is just ‘emergency’ legislation, a mere stop-gap while a proper review of investigatory powers and data gathering goes on. Well,  within a few short hours of the passing of DRIP, its echoes were already being heard the other side of the world. Australia’s Attorney-General, George Brandis, used DRIP as an example, seemingly to help push forward his own proposals for data retention. As reported in ZDNet, he said:

“The question of data retention is under active consideration by the government. I might point out to you as recently as yesterday, the House of Commons passed a new data retention statute. This is very much the way in which western nations are going,”

This is how it goes – and one of the many reasons that the passing of DRIP yesterday was so shameful. If the UK does it, Australia does it. Then New Zealand and Canada.  Each new country adds to the weight of the argument. Everyone’s doing it, why not us? If the UK thinks it needs this to keep its citizens safe, we need it too? By the time the long-distant sunset clause kicks in, the end of 2016, every new country that’s added a data retention law to its books, however temporary, will be another reason to extend our own security services’ powers. It’s a vicious or virtuous circle, depending on your perspective.

Of course the normalisation works in different ways too. Less scrupulous nations will be able to say that if the Brits do it, so can we – and we won’t be able to claim that they’re oppressing their population, if we do the same to our own. Further, our security services will require more and more technology to do the surveillance – and the people who develop that technology will be looking for new markets. They may sell them to the Australians – but more likely they’ll find ready markets in governments with less of a tradition of liberalism and democracy. There’s a fine selection of such nations all around the world. They’ll also find markets of other kinds – businesses wishing to use surveillance for their own purposes… whether scrupulous or not. The very criminals that the supporters of DRIP like to scare us with will be looking too – there are so many uses for surveillance that it’s hard to know where to start.

Well, actually, it should have been easy to know where to start. To make a stand. To try to normalise freedom and privacy, respect for citizens fundamental rights and a willingness for open, honest debate on the subject. That, however, would have required rejecting DRIP. We didn’t do that. Shame on us.

 

DRIP: Parliament in disrepute?

I watched and listened to the parliamentary debate on the Data Retention and Investigatory Powers bill (DRIP) with a kind of grim fascination. The outcome was always inevitable – I knew that, as, I think did all opponents of the bill – but the debate itself seemed to me to be worth paying attention to. Not really in terms of the result, but in terms of the process, and in terms of the way in which parliament was engaging with the issues. There were, it has to be said, some quite wonderful speeches in opposition to the bill, and from many different directions. MPs like John McDonnell, Dominic Raab, Caroline Lucas, Diane Abbott, Pete Wishart, David Winnick, Duncan Hames, Clive Betts, Charles Walker, Dennis Skinner and of course Tom Watson and David Davis were all excellent. Indeed, as someone said at the time, the opponents didn’t lose the debate, they lost the vote.

Therein lies the problem – what was the point of the debate? The chamber was all-but empty for most of it. In the middle of the debate, I got so angry I tweeted a picture of the chamber – with a comment attached. The tweet went a bit wild…. retweeted 870 times at the last count, and included by Liberty in their summary of the debate.

Screen Shot 2014-07-16 at 07.32.41

I did, however, also get some serious criticism for the tweet. Some suggested I had faked it, because I missed out the caption at the bottom. Fair enough – I was too angry to get the screen capture right, but I don’t fake things. I satirise and parody, tease and joke – but I don’t fake. For avoidance of doubt, I took another soon after, this time with the caption:

Screen Shot 2014-07-15 at 16.36.42

Another criticism I received, quite aggressively, was that it was misleading to tweet the picture, and that most of the MPs were likely to be in their offices or their committee rooms, working hard, but following and listening to the debate as it was being broadcast throughout the house. That may well be true – and in no way was I suggesting that MPs don’t work hard. They do – well, a great many of them do – but at this particular moment, and on this particular issue, their attention was elsewhere, as was their physical presence.

I don’t blame the MPs for that part of it. Of course their attention was elsewhere – after all, they’d had this emergency debate foisted upon them at the last minute, and they already have busy lives and huge amounts of work to do, particularly with the parliamentary recess coming up, and with a reshuffle happening at that very moment. Naturally, MPs are distracted by the reshuffle – coalition MPs because their jobs are on the line, Labour MPs because they have to be ready to respond to the reshuffle. Naturally their jobs, their careers, their responsibilities come first.

That, though, is really where my tweet comes in. I said ‘This is how seriously our MPs take our privacy’. I meant it. They showed disrespect to the issue not just by not listening to the debate, but by accepting a process that meant that they only had a few hours of debate to listen to, and almost nothing to read or discuss about it. They accepted an unnecessary fast-tracking, effectively on trust – because they don’t really take our privacy seriously.

Frankly, I’m not convinced that they were listening to the debate – but if they were, that makes their voting even worse. If they listened to the debate and still voted the way they did, in a way that’s even more depressing than the more natural assumption that they were largely ignoring the debate and voting according to the whip. It would mean that they either didn’t understand the strong arguments against the bill, both analytical and impassioned – or they dismissed them as unimportant. Either way, it suggests they didn’t take our privacy seriously. At least, not seriously enough to think it needed proper, lengthy, public debate bringing in expert opinions and analysis. I’m a legal academic, specialising in internet privacy. I’ve written a book on the subject, and I’m one of the signatories of this open letter concerning DRIP – and frankly I haven’t had nearly enough time to properly analyse and understand this bill and its implications. We’ve only had a chance for the most basic of analyses – and if I can’t, how much understanding can MPs have of it?

As David Winnick, a veteran MP and member of the Home Affairs Select Committee put it:

“I consider this to be an outright abuse of parliamentary procedure. Even if one is in favour of what the home secretary intends to do, to do so in the manner in which it is intended, to pass all stages in one go, surely makes a farce of our responsibilities as MPs”

He’s right. It does. It brings parliament into disrepute. MPs should be ashamed of themselves.

Open letter from UK legal academic experts re DRIP

I’m one of the signatories to the letter below – not just a few, but many very serious legal academics, some of the most distinguished in the field.


 

Tuesday 15th July 2014

To all Members of Parliament,

Re: An open letter from UK internet law academic experts

On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.

In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.

On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to;

  • compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
  • compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
  • compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6)).
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).

The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.

Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU’s e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.

Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.

DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not mislead as to what powers this Bill truly contains.

Signed,

 

Dr Subhajit Basu, University of Leeds

Dr Paul Bernal, University of East Anglia

Professor Ian Brown, Oxford University

Ray Corrigan, The Open University

Professor Lilian Edwards, University of Strathclyde

Dr Andres Guadamuz, University of Sussex

Dr Theodore Konstadinides, University of Surrey

Professor Chris Marsden, University of Sussex

Dr Karen Mc Cullagh, University of East Anglia

Dr. Daithí Mac Síthigh, Newcastle University

Professor Viktor Mayer-Schönberger, Oxford University

Professor David Mead, University of East Anglia

Professor Andrew Murray, London School of Economics

Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge

Judith Rauhofer, University of Edinburgh

Professor Burkhard Schafer, University of Edinburgh

Professor Lorna Woods, University of Essex

Theresa May – even more reason to worry about DRIP….

Screen Shot 2014-07-14 at 19.00.29I watched and listened to the session of the Home Affairs Select Committee this afternoon: Home Secretary Theresa May was being questioned about a number of things, including DRIP. The session was, I suspect, intended to reassure us that everything was OK, and that we needn’t worry about DRIP. The result, for me at least, was precisely the opposite: it left me feeling even more concerned.

Theresa May is the minister responsible for DRIP, and her performance before the committee suggested neither competence in managing the process nor an understanding of what the issues were or why people would be concerned. It was a performance that mixed the incompetent with the contemptuous, not just failing to provide answers but suggesting that she didn’t think the questions were even worth asking.

Many things about it were poor. May failed to explain why the legislation had to be rushed through – she could not (or would not) explain why nothing had happened publicly since the ECJ ruling in April, and she could not (or would not) provide details as to why there was pressure now. Next, she could not answer the key question on extraterritoriality – whether the powers in DRIP were in fact new. She claimed to have had advice that the powers did exist before – but couldn’t say whether or not they had ever been used.

Most importantly, though, when pushed by David Winnick on the key point – compliance with the ECJ ruling that struck down the Data Retention Directive, she fumbled and obfuscated when asked about the ruling. She either did not understand or deliberately pretended not to understand that the key point of the ruling was that blanket gathering of data was in conflict with fundamental rights. Ultimately, that’s the real point here – and she either could not or would not answer it.

To put it directly, the ruling said that blanket gathering of data, gathering data on everyone, regardless of suspicion, guilt or innocence, or any particular reason, was not appropriate. That is what the Data Retention Directive (DRD) did, and why the ECJ struck it down. They’re right, too. This isn’t some esoteric or obscure point, it’s a fundamental one, parallel to the idea of the presumption of innocence. The DRD did it, and DRIP does it – which is why at the very least we need to discuss it in much more depth. The session with Theresa May left me thinking that she either didn’t understand it or she dismissed it as unimportant. Now you may disagree on proportionality, and believe that mass surveillance is a proportionate response, but to dismiss the issue as unimportant and unworthy of discussion is indefensible.

Mind you, I don’t think people will be talking that much about this – because Theresa May’s performance when questioned about the appointment and subsequent resignation of Lady Butler-Sloss was even worse, if that can be believed. All in all, Theresa May looked neither trustworthy nor competent. It’s hard to imagine someone less appropriate to trust with the open-ended and extensive powers granted by something like DRIP.

DRIP: a shabby process for a shady law.

[An earlier version of this post appeared at The Justice Gap, here]

Thursday’s announcement by David Cameron and Nick Clegg that the coalition was going to expedite emergency surveillance legislation is something that should concern all of us, not just privacy activists. The speed with which the Data Retention and Investigatory Powers bill (‘DRIP’) is being brought into play, the lack of consultation and the breadth of its powers should matter to everyone. There is a reason that legislation usually requires time and careful consideration – and with a contentious issue like surveillance this is especially true. This is a shabby process, for what seems to be a very shady law. And, as David Davis MP has suggested, the ‘emergency’ is theatrical, not real. The need for new legislation was entirely predictable – and politicians and civil servants should have known this.

A predictable emergency

The trigger for the legislation was the ruling by the ECJ, on 8th April, that the Data Retention Directive was invalid – more than three months ago – but the signs that new legislation was needed have been there for far longer. The ruling by the ECJ exceeded the expectations of privacy advocates – but not that significantly, and the declaration that the directive was invalid should have been an outcome that civil servants and politicians were prepared for. Indeed, the Data Retention Directive has been subject to significant challenge since its inception in 2005. Peter Hustinx, the European Data Protection Supervisor in 2010 called it:

“…without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”

Across Europe there have been protests and legal challenges to data retention throughout its history, from 30,000 people on the streets of Germany in 2007 to the declaration that data retention itself was unconstitutional in Romania. The challenge that eventually brought down the directive began in 2013.

The signs have been there in the UK too, and for far longer than three months. The Communications Data Bill – more commonly and appropriately known as the Snoopers’ Charter – was effectively abandoned well over a year ago, after a specially set-up parliamentary committee, after taking detailed evidence, issued a damning report. At that stage, even before the revelations of Edward Snowden reared their ugly head, the need for further legislation was evident.

So why, given all these warnings, has this emergency been manufactured, and why is legislation being pushed through so quickly? Is it that those behind the bill are concerned that if it received full and detailed scrutiny, the full scale and impact of the bill will become evident and, like the Snoopers’ Charter before it, it will fail? It is hard not to think that this has played some part in the tactics being employed here. What would there be to lose by delaying this a few months?

Companies like data too…

The suggestion that if the legislation isn’t pushed through this quickly then companies will suddenly start deleting all their communications data is naïve to say the least. Firstly, it’s hardly in most communications providers’ interest to delete all that data – actually, rather the opposite. Back in 2007, Google attempted to use the existence of data retention legislation as an excuse not to delete search logs – companies generally like having more data, as they (just like the authorities) believe they can get value from it. Moreover, businesses don’t often change their practices at the drop of a hat, even if they want to. They might, however, if they’re required to by law – and that may well be the real key here. Legal challenges to specific practices by specific companies in terms of data retention may well be in the offing – but this would take time, far more time than the few days – less than a week – that MPs are being given to pass this legislation.

Fundamental Rights

The underlying point here is that there is a reason that the Data Retention Directive was declared invalid by the ECJ, and a reason that both privacy advocates and academics have been concerned about it from the very beginning. The mass collection of communications data breaches fundamental rights – and DRIP, just like the Communications Data Bill before it, does authorise the mass collection of this data. It has the same fundamental flaws as that bill – and a few extras to boot. With the very limited time available to review the bill so far, it appears to extend rather than limit the powers available through the contentious Regulation of Investigatory Powers Act (RIPA) rather than limit them or modernise them (see for example the analysis by David Allen Green in the FT here – registration needed), and attempt to extend powers outside the UK in a way that is at the very least contentious – and in need of much more scrutiny and consideration.

Most importantly, it still works on the assumption that there is no problem with collecting data, and that the only place for controls or targeting is at the accessing stage. This is a fundamentally flawed assumption – morally, legally and practically. At the moral level, it treats us all as suspects. Legally it has been challenged and beaten many times – consistently in the European Court of Human Rights, in cases from as far back as Leander in 1987, and now in the ECJ in the declaration of invalidity of the Data Retention Directive. Practically, it means that data gathered is vulnerable in many ways – from the all too evident risks of function creep that RIPA has demonstrated over the years (dog-fouling, fly-tippers etc) to vulnerability to leaking, hacking, human error, human malice and so forth. Moreover, it is the gathering of data that creates the chilling effect – impacting upon our freedom of speech, of assembly and association and so forth. This isn’t just about privacy.

Safeguards?

Nick Clegg made much of the concessions and safeguards in the new bill, emphasising that this isn’t a Snoopers’ Charter Mark 2, but it is hard to be enthusiastic about them at this stage. There is a sunset clause, meaning that DRIP will expire in December 2016 – but there is nothing in the bill itself to say that it won’t be replaced by similar ‘emergency’ legislation, railroaded through parliament in a similar way. Moreover, December 2016 is well after the election – and the Lib Dems are currently unlikely to still have any influence at that stage. Julian Huppert in particular, my MP in Cambridge, is in a very precarious position. Without him, it’s hard to see much Lib Dem resistance to either the Tories or the Labour Party who set the ball rolling on mass surveillance state in the Blair years.

The rest of the safeguards are difficult to evaluate at this stage – they were originally said to be contained in secondary legislation that was not published with the bill itself, but when that secondary legislation was actually released, at around 4pm on Friday afternoon, it contained almost none of what had been promised. For example, the suggestion that the number of bodies able to use RIPA was to be restricted, was entirely absent. This list doesn’t just include the police and intelligence services, but pretty much all local authorities, and bodies like the food standards agency and the charities commission – another part of the function creep of RIPA. The breadth and depth of the surveillance that this bill, in combination with RIPA, would not only allow but effectively normalise, is something that should be of the deepest concern to anyone who takes civil liberties seriously.

The shabbiest of processes

This is just one part of the shabbiness of the process. Two more crucial documents,  ‘Impact Assessments’ performed by the Home Office concerning the data retention and interception aspects of the bill, were also released – but without even a mention, so that the first that was heard of them by most concerned people was early on Saturday morning, when vigilant investigators found them all but hidden on the Home Office website. Two documents, full of technical details looking at why the laws were ‘needed’ and what the risks and benefits of the laws would be, the alternatives and so forth, pretty much hidden away. These, together with the Bill itself and the Regulations, combine to produce something with a serious level of both legal and technical complexity – something that needs very careful study and expert analysis. And to do this analysis, we are given essentially one weekend, and no warning.

How serious this is was highlighted by a brief twitter conversation between David Allen Green and MP Julian Huppert this morning:

Screen Shot 2014-07-12 at 18.53.05

 

David Allen Green (@JackofKent) is asking a straight and direct, technical and legal question – and Julian Huppert can’t answer it. Julian is perhaps the most technically expert of the entire House of Commons – if he doesn’t understand the bill, its impact and how it changes the current situation, how much less can other MPs? And yet they are expected to debate the bill on Monday, and pass it almost immediately. This is patently wrong – and highlights exactly why parliament generally has significant time for analysis and for debate, and parliamentary committees call experts to give testimony, to tease out these kinds of answers. Julian Huppert should not be criticised for not knowing the answer to the question – but he should be criticised for supporting a bill without allowing the time for these questions to be asked, investigated and answered. They need to be.

This is an wholly unsatisfactory state of affairs. Indeed, the whole thing is highly unsatisfactory, and in a democratic society, it should be unacceptable. That our MPs seem willing to accept it speaks volumes.

——————–

The key documents can be found here:- study them if you have time!

The draft bill

The draft regulations

The impact assessment for interception

The impact assessment for data retention.

Privacy-friendly judges?

Supreme court sealYesterday’s ruling by the Supreme Court of the United States, requiring the police to get a warrant before accessing a suspect’s mobile phone data, was remarkable in many ways. It demonstrated two things in particular that fit within a recent pattern around the world, one which may have quite a lot to do with the revelations of Edward Snowden. The first is that the judiciary shows a willingness and strength to support privacy rights in the face of powerful forces, the second is an increasing understanding of the way that privacy, in these technologically dominated days, is not the simple thing that it was in the past.

The stand-out phrase in the ruling is remarkable in its clarity:

13-132 Riley v. California (06/25/2014)

“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life,” Boyd, supra, at 630. The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple— get a warrant.”

Privacy advocates around the world have been justifiably excited by this – not only is the judgment a clearly privacy-friendly one, but it effectively validates some of the critical ideas that many of us have been trying to get the authorities to understand for a long time. Most importantly, that the way that we communicate these days, the way that we use the internet and other forms of communication, plays a far more important part in our lives than it did in the past. The emphasis on the phrase ‘the privacies of life’ is a particularly good one. This isn’t just about communication – it’s about the whole of our lives.

The argument about cell-phones can be extended to all of our communications on the internet – and the implications are significant. As I’ve argued before, the debate needs to be reframed, to take into account the new ways that we use communications – privacy these days isn’t as easily dismissed as it was before. It’s not about tapping a few phone calls or noting the addresses on a few letters that you send – communications, and the internet in particular, pervades every aspect of our lives. The authorities in the UK still don’t seem to get this – but the Supreme Court of the US does seem to be getting there, and its not alone. The last few months have seen a series of quite remarkable cases, each of which demonstrates that judges are starting to get a real grip on the issues, and are willing to take on the powerful groups with a vested interest in downplaying the importance of privacy:

  • The ECJ ruling invalidating the Data Retention Directive on 8th April 2014
  • The ECJ Google Spain ruling on the ‘Right to be Forgotten’  on 13th May 2014
  • The Irish High Court referring Max Schrems’ case against Facebook to the ECJ, on 19th June 2014

These three cases all show similar patterns. They all involve individuals taking on very powerful groups – in the data retention case, taking on pretty much all the security services in Europe, in the other two the internet giants Google and Facebook respectively. In all three cases – as in the Supreme Court of the US yesterday – the rulings are fundamentally about the place that privacy plays, and the priority that privacy is given. The most controversial statement in the Google Spain case makes it explicit:

“As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name” (emphasis added)

That has been, of course, highly controversial in relation to freedom of information and freedom of expression, but the first part, that privacy overrides the economic interest of the operator of the search engine, is far less so – and the fact that it is far less controversial does at least show that there is a movement in the privacy-friendly direction.

The invalidation of the Data Retention Directive may be even more significant – and again, it is based on the idea that privacy rights are more important than security advocates in particular have been trying to suggest. The authorities in the UK are still trying to avoid implementing this invalidation – they’re effectively trying to pretend that the ruling does not apply – but the ruling itself is direct and unequivocal.

As for the decision in the Irish High Court to refer the ‘Europe vs Facebook’ case to the ECJ, the significance of that has yet to be seen, but Facebook may very well be deeply concerned – because, as the two previous cases have shown, the ECJ has been bold and unfazed by the size and strength of those it might be challenging, and willing to make rulings that have dramatic consequences. The Irish High Court is the only one of the three courts to make explicit mention of the revelations of Edward Snowden, but I do not think that it is too great a leap to suggest that Snowden has had an influence on all the others. Not a direct one – but a raising of awareness, even at the judicial level, of the issues surrounding privacy, why they matter, and how many different things are at stake. A willingness to really examine the technology, to face up to the ways in which the ‘new’ world is different from the old – and a willingness to take on the big players.

I may well be being overly optimistic, and I don’t think too much should be read into this, but it could be critical. The law is only one small factor in the overall story – but it is a critical one, and if people are to begin to take back their privacy, they need to have the law at least partly on their side, and to have judges who are able and willing to enforce that law. With this latest ruling, and the ones that have come over the last few months, the signs are more positive than they have been for some time.

 

Addendum: As David Anderson has pointed out, the UK Supreme Court showed related tendencies in last week’s ruling over the disclosure of past criminal records in job applications, in R (T ) v SSHD [2014] UKSC 35 on 18th June. See the UKSC Blog post here.

Edward Snowden one year on: the good, the bad and the ugly

SnowdenThe first of the revelations of Edward Snowden happened a year ago today. At the time, I was in California, at the Privacy Law Scholars’ Conference in Berkeley – and there could have been no more appropriate place. For privacy scholars, Snowden’s revelations changed the world – and is changing the world still. Much of what he revealed many of us already suspected – but we were often thought of as conspiracy theorists for it, and looked down on or sidelined as a result.  That’s no longer true – and that’s one of the things that for me, we should thank Edward Snowden for.

I’m not going to write much now – there will be many people far more expert than me writing about what Snowden’s revelations mean – but I just want to say a few words about the good, bad and ugly things that have emerged over the last year. There’s much more to come, I think – we still know very little about what is going on. I hope that we manage to keep privacy and surveillance near the top of the agenda for a long time to come, because the changes that I think we need to have happen have not yet happened in any real way. Snowden gave us a great opportunity – we have not yet taken it.

The good…

The best thing to come out of the Snowden revelations, for me, is that we now understand, at least to some extent, quite how much surveillance is going on. We don’t know the detail, and may indeed never know the detail, but what we do know is enough to make it a fair assumption that pretty much all of our internet activity is being monitored – or at least the data is gathered or gatherable – pretty much all of the time. Not just our classical ‘communications’ – email messages etc – but our every activity. Our social networking, our online chat, our web-browsing, our telephone calls, mobile calls, SMSs, the music we listen to, pictures we view and upload. Everything. Knowing that, rather than vaguely fearing that it might happen, changes a great deal – and puts us in a far stronger bargaining position in our dealings with the authorities.

Surveillance – and privacy – has had its profile raised significantly. That has had consequences. It has had an impact in law – in the UK, for example, stopping the Communications Data Bill (the ‘Snoopers’ Charter) from re-emerging, despite attempts from advocates of ‘security’. It has, arguably, emboldened the courts – and in particular the European Courts. They might not admit it publicly, but it seems very likely that the Snowden revelations played a part in strengthening the resolve of the European Court of Justice in producing two of the strongest, most ‘privacy-friendly’ and in some ways most surprising judgments of recent years, first of all declaring the Data Retention Directive invalid, then, most recently, effectively declaring that there is a ‘right to be forgotten’. Neither of these rulings were expected – but both emphasise the idea that privacy really matters.

The Snowden revelations have also meant that privacy ‘stories’ of all kinds get a lot more attention – and that has meant that not just the authorities but businesses have been forced to react. Sometimes it’s just lip-service, but there’s been a lot more discussion of privacy by companies which in the past have been almost dismissive of it as an issue. The internet giants – Facebook and Google in particular – are talking more and more about privacy. They’re making a point of distancing themselves from the authorities, trying to force more transparency, claiming that they don’t cooperate with authorities willingly, bringing in more ‘privacy-friendly’ services and so forth. Facebook has even allowed a degree of pseudonymity, and Google hasn’t fought against the right to be forgotten as aggressively as they might have, for example. All these moves should be viewed with a distinctly cynical eye, however… which brings me to the bad side of what has happened in the last year.

The bad…

Well, the worst thing is that nothing has really changed. The surveillance is still going on, and the political concessions worldwide have been largely superficial. The US’s political changes, which for a moment looked as though they might be meaningful, have been emasculated. In the UK…. well, more of that later.

The next worst thing about the reaction to the Snowden revelations, for me at least, has been the way that many people still seem to think that corporate and governmental surveillance are somehow disconnected and should be treated very differently. For many, it seems that government surveillance is hideously bad, and corporate surveillance largely harmless or irrelevant. For me, however, one of the main lessons to learn from what Snowden revealed was the closeness of the links between the two. To a great degree, governments piggy-back on corporate surveillance – if the corporates didn’t gather so much data about us, encourage us to reveal so much about ourselves, share so much that we really don’t need to share and so forth – then the authorities wouldn’t have so much to feed on. If the corporates didn’t build systems to gather data and monitor our activities and develop profiling systems to reveal even more, governments wouldn’t be able to use backdoors into those systems or use those same profiling systems in their own ways.

We still don’t know – and probably will never know – how much the corporates collaborated with the authorities, and how willingly, but in some ways that really doesn’t matter: the systems are intrinsically and perhaps inextricably linked. We still don’t seem to have taken this on board, and still seem to be allowing the corporates pretty much free rein. I’m a little disappointed that this is still happening.

The third, and perhaps equally unsurprising, bad thing for me about what has happened in the year since Snowden’s revelations first came out, is how little we in the UK have reacted. The level of debate here is still very poor, the extent to which we in the UK still simply accept what we’re told by our lords and masters, is very disappointing. The two main political parties remain fully behind surveillance – their only concessions have been to a little more accountability and transparency. The Liberal Democrats – and my own MP, Julian Huppert – have been the one bright light, but as their party is in near terminal decline, that doesn’t help very much. The overall quality of political debate on the subject has been appalling, and shows little sign of improving. I still have hopes, but it doesn’t look good…

The ugly…

The worst thing, for me, has been the way in which the enemies of Snowden, Glenn Greenwald and others have tried to make this personal, and attack their motives, their personalities, and so forth. Similarly, in the UK, large elements of the press tried to portray the Guardian as somehow enemies of the state – traitors, whose editor should be jailed and who are putting the entire nation at risk. At times this has got very ugly.

I don’t know Snowden or Greenwald. I don’t know their motivations. I don’t know what kind of people they are – and frankly, I don’t really care. I’m not going to suggest that they’re saints or even heroes – but the attempts that have been made to assassinate the characters of the people involved, to cast them as traitors, as spies and so forth, seems very ugly indeed. It’s as though some people think that by casting aspersions on the people they can make the information they have provided somehow less valid. I don’t think it can. Shooting the messenger doesn’t make the message any less valuable.

What matters, to me at least, is the message. The information that they have provided to us. That information has been crucial in changing the way that we look at how the internet works, and has helped to put us in a position where we can at least try to build a more positive, more privacy-friendly future for the internet. That matters. It matters a lot.

Data Retention: taking privacy seriously

The repercussions of yesterday’s landmark ruling of the  Court of Justice of the European Union that the Data Retention Directive is invalid, and has been so since its inception are likely to be complex and wide-ranging. Lawyers, academics, politicians and activists have been reading, writing, thinking and speculating about what might happen. With the directive declared invalid, what will happen to the various national implementations of that directive – in the UK, for example, we have The Data Retention (EC Directive) Regulations 2009. Will it need to be repealed? Will it need to be challenged – and if so how, and by whom? What will the various communications service providers – the ISPs, the telecommunications companies and so forth – do in reaction to the declaration? What will happen to other legislation that at least in part relies on retained data – the Regulation of Investigatory Powers Act 2000 (RIPA) for example. Will the police and intelligence services change what they do in any way, shape or form? Will the various governments attempt some kind of replacement for the Data Retention Directive? If so, what form will it take?

These are just some of the open questions – and the answers to them are only just starting to emerge. Some will be clear – but a great many will be very messy, and will take a lot of time, energy and heartache to sort out. The question that should immediately spring to mind is how that all this mess, and the resultant wastes of time, energy, expertise and heartache could have been avoided. Actually, the answer is simple. It could have been avoided if privacy had been taken seriously to start with.

Underestimating privacy

For a long time, privacy hasn’t been taken nearly seriously enough. It hasn’t been taken seriously by the big operators on the internet – Facebook, Google, Apple, Microsoft, Yahoo! and so forth. Their policies and practices have treated privacy as a minor irritant, dealt with by obscure and unfathomable policies that people will at best scroll through and click OK at the bottom of without reading. Their products have treated privacy as an afterthought, almost an irrelevance – a few boxes to tick to satisfy the lawyers, that’s all. Privacy hasn’t been taken seriously by the intelligence agencies or the police forces either – just the province of a few geeks and agitators, the tinfoil hat brigade. It hasn’t been taken seriously by some of the open data people – the furore over care.data is just one example.

Privacy, however, does matter. It matters to ordinary people in their ordinary lives – not just to geeks and nerds, not just to ‘evil-doers’, not just to paranoid conspiracy theorists. And when people care enough about things, they can often find ways to make sure that those things are treated with respect. They fight. They act. They work together – and often, more often than might immediately seem apparent, they find a way to win. That was how the Communications Data Bill – the ‘Snoopers’ Charter’ was defeated. That is why Edward Snowden’s revelations are still reverberating around the world. That’s why behavioural advertising has the bad name that it does – and why the Do Not Track initiative started, and why the EU brought in the ‘Cookies Directive’, with all its flaws.

All these conflicts – and the disaster that is the Data Retention Directive – could have been avoided or at least ameliorated if the people behind these various initiatives, laws, processes and products had taken privacy seriously to start with. This is one of the contentions of my new book, Internet Privacy Rights – people believe they have rights, and when those rights are infringed, they care about it, and increasingly they’re finding ways to act upon it. Governments, businesses and others need to start to understand this a bit better if they’re not going to get into more messes like that that surrounds the Data Retention Directive.  It’s not as though they haven’t had warnings. From the very start, privacy advocates have been complaining about the Directive – indeed, even before its enactment the Article 29 Working Party had been strongly critical of the whole concept of mass data retention. That criticism continued over the years, largely ignored by those in favour of mass surveillance. In 2011, Peter Hustinx, the European Data Protection Supervisor, called the Data Retention Directive “the most privacy-invasive instrument ever” – and that was before the revelations of Edward Snowden.

They should have listened. They should be listening now. Privacy needs to be taken seriously.

 

Paul Bernal, April 2014

Internet Privacy Rights – Rights to Protect Autonomy is available from Cambridge University Press here. Quote code ‘InternetPrivacyRights2014′ for a 20% discount from the CUP online shop.