Guest post: Data Retention: I can’t believe it’s not lawful, can you? A response to Anthony Speaight QC

Guest post by Matthew White

Introduction:

Ladies and gentlemen, Bagginses and Boffins. Tooks and Brandybucks. Grubbs! Chubbs! Hornblowers! Bolgers! Bracegirdles! Proudfoots. Put your butter away for I am about to respond, rebut, rebuke and more to a recent blog post for Judicial Power Project, by Anthony Speaight QC on data retention.

Blanket data retention is unlawful, please deal with it:

Speaight starts off by referring to the recent Court of Appeal (CoA) judgment in  Tom Watson and Others v Secretary of State for the Home Department [2018] EWCA Civ 70 and how the Court of Justice of the European Union (CJEU) has created problems and uncertainties with regards to data retention. As David Allen Green would say, ‘Well…’ Well, just to be clear, the position of the CJEU on blanket indiscriminate data retention is crystal clear. It . Is . Unlawful . It just happens that the CoA took the position of sticking their fingers in their ears and pretending that the CJEU’s ruling doesn’t apply to UK law, because its somehow (it’s not) different.

Just billing data is retained? Oh really?

Next, Speaight recaps the data retention saga so far, in that telecommunications companies have always recorded who uses their services, when and where, often for billing purposes. A long time ago, in a galaxy far, far away (a few years ago, and anywhere with an internet connection) this position was a robust one. But the European Commission (Commission) in 2011 highlighted that:

[T]rends in business models and service offerings, such as the growth in flat rate tariffs, pre-paid and free electronic communications services, meant that operators gradually stopped storing traffic and location data for billing purposes thus reducing the availability of such data for criminal justice and law enforcement purposes.

So, in a nutshell, data for billing purposes are on the decrease. This would explain why the Data Retention Directive (DRD) (discussed more below) affected:

[P]roviders of electronic communication services by requiring such providers to retain large amounts of traffic and location data, instead of retaining only data necessary for billing purposes; this shift in priority results in an increase in costs to retain and secure the data.

So, it’s simply untrue to refer to just billing data when talking about data retention, because this isn’t the only data that is or has ever been sought.

It’s the Islamists fault why we have data retention:

Speaight next points out that it was the advent of Islamist international terrorism that made it advantageous to place data retention obligations on companies. Oh really? Are we going down this route? Well….. demands for data retention can be traced back to the ‘International Law Enforcement and Telecommunications Seminars’ (ILETS) (6) and in its 1999 report, it was realised that Directive 97/66/EC (the old ePrivacy Directive) which made retention of communications data possible only for billing purposes was a problem. The report sought to ‘consider options for improving the retention of data by Communication Service Providers.’ Improve? Ha. Notice how 1999 was before 9/11? Funny that.

It doesn’t stop there though. A year later (still before 9/11), the UK’s National Crime and Intelligence Service (NCIS) made a submission (on behalf of the Mi5/6, GCHQ etc) to the Home Office on data retention laws. They ironically argued that a targeted approach would be a greater infringement on personal privacy (para 3.1.5). Of course, they didn’t say how or why this was the case, because, reasons. Charles Clarke, the then junior Home Office Minister, and Patricia Hewitt, an ‘E-Minister’ both made the claim such proposals would never happen (Judith Rauhofer, ‘Just Because You’re Paranoid, Doesn’t Mean They’re Not After You: Legislative Developments in Relation to the Retention of Communications Data’ (2006) SCRIPTed 3, 228; Patricia Hewitt and Charles Clarke, Joint letter to Independent on Sunday, 28 Jan 2000) and should not be implemented (Trade and Industry Committee, UK Online Reviewed: the First Annual Report of the E-Minister and E-Envoy Report (HC 66 1999-2000), Q93).

Guess what? A year later Part 11 of the Anti-terrorism, Crime and Security Act 2001 (ATCSA 2001) came into force three months after 9/11 (Judith Rauhofer, 331). The Earl of Northesk, however, pointed out that ‘there is no evidence whatever that a lack of data retained has proved an impediment to the investigation of the atrocities’ on 9/11 (HL Deb 4 Dec vol 629 col. 808-9). What this demonstrates is that data retention was always on the cards, even when its utility wasn’t proven, where the then Prime Minister Tony Blair, noted that ‘all the surveillance in the world’ could not have prevented the 7/7 bombings. It’s just that as Roger Clarke succinctly puts it:

“[M]ost critical driver of change, however, has been the dominance of national security extremism since the 2001 terrorist attacks in the USA, and the preparedness of parliaments in many countries to grant law enforcement agencies any request that they can somehow link to the idea of counter-terrorism.” (Roger Clarke, ‘Data retention as mass surveillance: the need for an evaluative framework’ (2015) International Data Privacy Law 5:2 121, 122).

Islamic terrorism was just fresh justification (7,9) for something that ‘the EU governments always intended to introduce an EC law to bind all member states to adopt data retention.’ Mandatory data retention was championed by the UK during its Presidency of the European Council (Council) (9) (and yes, that includes the ‘no data retention from us’ Charles Clarke (who was accused of threatening the European Parliament to agree to data retention (9))) and described as a master class in diplomacy and political manoeuvring (Judith Rauhofer, 341) (and they say it’s the EU that tells us what to do!!). Politicians goin’ politicate. Yes, the DRD makes reference to the Madrid bombings, but the DRD was not limited to combating terrorism (6), just as the reasons for accessing communications data in UK law under s.22 of the Regulation of Investigatory Powers Act 2000 (RIPA 2000) were not solely based on fighting terrorism. There is nothing wrong with saying that data retention (yeah, but not blanket, of course) and access to said data can be important in the fight against Islamist terrorism, but would you please stop pretending that was the basis on which data retention was sought?

Data retention was smooth like rocks:

Next, Speaight points to the ‘smooth operation’ of the data retention system. Smooth how and in what ways? Harder to answer that is, yess! Well….. in 2010, the Article 29 Working Party (WP29) pointed out that ‘the lack of available sensible statistics hinders the assessment of whether the [data retention] directive has achieved its objectives.’ The WP29 went further pointing out that there was a lack of harmonisation in national implementation of the DRD (2). This was, the purpose of the DRD (harmonising data retention across the EU), and it didn’t even achieve what it set out.

What about its true purpose? You know, spying on every EU citizen? Well the European Data Protection Supervisor (EDPS) responded to the Commission’s evaluation of the DRD. WARNING: EDPS pulls no punches. First, the EDPS reiterated that the DRD was based upon the assumption of necessity (para 38). Secondly, the EDPS criticised the Commission’s assertion that most Member States considered data retention a necessary tool when conclusions were based on just over a third (that’s less than half, right?) of them (para 40). Thirdly, these conclusions were in fact, only statements (para 41). Fourthly, the EDPS highlighted there should be sufficient quantitative and qualitative information to assess whether the DRD is actually working and whether less privacy intrusive measures could achieve the same result, information should show the relationship between use and result (43).

Surprise, surprise, the EDPS didn’t find sufficient evidence to demonstrate the necessity of the DRD and that further investigations into alternatives should commence (para 44). Fifthly, the EDPS pretty much savaged the quantitative and qualitative information available (para 45-52). A few years later, the CJEU asked for proof of the necessity of the DRD. There was a lack of statistical evidence from EU Member States, the Commission, the Council and European Parliament, and despite that, they had the cheek to ask the CJEU to reject the complaints made by Digital Rights Ireland and others anyway (ibid). Only the Austrian government were able to provide statistical evidence on the use (not retention) of communications data which didn’t involve any cases of terrorism (ibid). The UK’s representatives admitted (come again? The UK admits something?) there was no ‘scientific data’ to underpin the need of data retention (ibid), so the question begs, wtaf had the DRD been based upon? Was it the assumption of necessity the EDPS referred to? Draw your own conclusions. The moral of the story is that the DRD did not operate smoothly.

Ruling against data retention was a surprise?

Speaight then moves onto the judgment that started it all, Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland in which the CJEU invalidated the DRD across the EU. According to Speaight, this came as a ‘surprise.’

I felt a great disturbance in the Law, as if thousands of spies, police, other public authorities, politicians and lawyers suddenly cried out in terror, as the State were suddenly unable to spy anymore. I fear something terrible has happened.

So, who was surprised? Was it the European Parliament who had initially opposed this form of data retention as they urged its use must be entirely exceptional, based on specific comprehensible law, authorised by judicial or other competent authorities for individual cases and be consistent with the European Convention on Human Rights (ECHR)? Was it a surprise to them when they also noted that that ‘a general data retention principle must be forbidden’ and that ‘any general obligation concerning data retention’ is contrary to the proportionality principle’ (Abu Bakar Munir and Siti Hajar Mohd Yasin, ‘Retention of communications data: A bumpy road ahead’ (2004) The John Marshall Journal of Computer & Information Law 22:4 731, 734; Clive Walker and Yaman Akdeniz, ‘Anti-Terrorism Laws and Data Retention: War is over?’ (2003) Northern Ireland Legal Quarterly 54:2 159, 167)?

Was it a surprise to Patrick Breyer who argued that data retention was incompatible with Articles 8 and 10 of the ECHR back in 2005 (372, 374, 375)? Was it a surprise to Mariuca Morariu who argued that the DRD had failed to demonstrate its necessity (Mariuca Morariu, ‘How Secure is to Remain Private? On the Controversies of the European Data Retention Directive’ Amsterdam Social Science 1:2 46, 54-9)? Was it a surprise to Privacy International (PI), the European Digital Rights Initiative (EDRi), 90 NGOs and 80 telecommunications service providers (9) who were against the DRD? Was it a surprise to the 40 civil liberties organisations who urged the European Parliament to vote against the retention of communications data?

Was it a surprise to the WP29, the European Data Protection Commissioners, the International Chamber of Commerce (ICC), European Internet Services Providers Association (EuroISPA), the US Internet Service Provider Association (USISPA), the All Party Internet Group (APIG) (Abu Bakar Munir and Siti Hajar Mohd Yasin, 746-749) and those at the G8 Tokyo Conference? Hell, even our own assistant Information Commissioner, Jonathan Bamford, back in 2001 wouldn’t be surprised because he said ‘Part 11 isn’t necessary, and if it is necessary it should be made clear why’ (HL Deb 27 Nov 2001 vol 629 cc183-290, 252). Was it a surprise when prior to Digital Rights Ireland:

Bulgaria’s Supreme Administrative Court, the Romanian, German Federal, Czech Republic Constitutional Courts and the Supreme Court of Cyprus all [declared] national implementation of the DRD either invalid or unconstitutional (in some or all regards) and incompatible with Article 8 ECHR?

Was Jules Winnfield surprised?

The point I’m trying to hammer home is that (you’ve guessed it), the CJEU’s ruling in Digital Rights Ireland should come as no surprise. Still on the issue of surprise, for Speaight it was because it departed from decisions of the European Court of Human Rights (ECtHR) and the CJEU itself. Ok, let’s look at these ECtHR cases Speaight refers to. The first is Weber and Saravia v Germany, a case on ‘strategic monitoring.’ This is a whole different kettle of fish when compared to the DRD as this concerned the surveillance of 10% (I’m not saying this is cool either btw) [30, 110] of German telecommunications, not the surveillance of ‘practically the entire European population’ [56]. Ok, that may have been an exaggeration by the CJEU as there are only 28 (we’re not so sure about one though) EU Member States, but the point is, the powers in question are not comparable. The DRD was confined to serious crime, without even defining it [61]. Whereas German law in Weber concerned six defined purposes for strategic monitoring, [27] and could only be triggered through catch words [32]. In Digital Rights Ireland, authorisation for access to communications data in the DRD was not dependent upon ‘prior review carried out by a court or by an independent administrative body’ [62] where in Weber this was the case [21, 25]. Apples and oranges.

The second ECtHR case was Kennedy v UK, and it’s funny that this case is brought up. The ECtHR in this case referred to a previous case, Liberty v UK in which the virtually unfettered power of capturing external communications [64] violated Article 8 of the ECHR [70]. The ECtHR in Kennedy referred to this as an indiscriminate power [160, 162] (bit like data retention huh?), and the UK only succeeded in Kennedy because the ECtHR were acting upon the assumption that interception warrants only related to one person [160, 162]. Of course, the ECtHR didn’t know that ‘person’ for the purposes of RIPA 2000 meant ‘any organisation and any association or combination of persons,’ so you know, not one person literally.

And this was, of course, prior to Edward Snowden’s bombshell of surveillance revelations, which triggered further proceedings by Big Brother Watch. A couple of years ago, in Roman Zakharov v Russia, the ECtHR’s Grand Chamber (GC) ruled that surveillance measures that are ‘ordered haphazardly, irregularly or without due and proper consideration’ [267] violates Article 8 [305]. That is because the automatic storage of clearly irrelevant data would contravene Article 8 [255]. This coincides with Advocate General (AG) Saugmandsgaard Øe’s opinion that the ‘disadvantages of general data retention obligations arise from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime’ [252]. That’s a lot of irrelevant data if you ask me. Judge Pinto de Albuquerque, in his concurring opinion in Szabo and Vissy v Hungary regards Zakharov as a rebuke of the ‘widespread, non-(reasonable) suspicion-based, “strategic surveillance” for the purposes of national security’ [35]. So, I’d say that even Weber v Saravia is put into doubt. And so, even if the CJEU rules that data retention in the national security context is outside its competence, there is enough ECtHR case law to bite the UK on its arse.

Probably the most important ECtHR case not mentioned by Speaight (why is that?) is that of S and Marper v UK, this is the data retention case. Although this concerned DNA data retention, the ECtHR’s concerns ‘have clear applications to the detailed information revealed about individuals’ private lives by communications data.’ What did the GC rule in S and Marper? Oh, was it that blanket indiscriminate data retention ‘even on a specific group of individuals (suspects and convicts) violated Article 8’? Yes, they did and it was S and Marper to which the CJEU referred to on three separate occasions in Digital Rights Ireland [47, 54-5]. Tele 2 and Watson (where the CJEU reconfirmed that blanket indiscriminate data retention is prohibited under EU law) is just the next logical step with regards to communications data. And so far from being surprising, the CJEU in Digital Rights Ireland and Tele2 and Watson are acting in a manner that is consistent with the case law of the ECtHR.

The CJEU case law that Speaight refers to is Ireland v Parliament and Council which was a challenge to the DRD’s legal basis, not whether it was compatible with the Charter of Fundamental Rights, so I’m not entirely sure what Speaight is trying to get at. All in all, Speaight hasn’t shown anything to demonstrate that Digital Rights Ireland has departed from ECtHR or CJEU case law.

You forgot to say the UK extended data retention laws:

Speaight then rightly acknowledges how the UK government replaced UK law implementing the DRD with the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014) in lightspeed fashion. What Speaight omits, however, is that DRIPA 2014 extended retention obligations from telephone companies and Internet Service Providers (ISPs) to Over-The-Top (OTT) services such as Skype, Twitter, Google, Facebook etc. James Brokenshire MP attested that DRIPA 2014 was introduced to clarify what was always covered by the definition of telecommunications services (HC Deb 14 July, vol 584, 786). This, of course, was total bullshit (5), but like I said, politicians goin’ politicate.

Claimants don’t ask questions, courts do:

Speaight moves onto the challenges to DRIPA 2014, we know the story already, the High Court (HC) said it was inconsistent with Digital Rights Ireland, whereas the CoA disagreed, blah, blah. Speaight points out that the claimants had no issue with data retention in principle, which is true, but so what? Speaight also points out that the CJEU went further than what the claimants asked by ruling that blanket indiscriminate data retention was not permissible under EU law. Wait, what the fark? It’s not the bloody claimants’ that ask the CJEU a question on the interpretation of EU law as I’m pretty sure it was the Swedish referring court (via Article 267 of the Treaty on the Functioning of the EU, you know, a preliminary reference) that asked the CJEU:

Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC, 1 taking account of Articles 7, 8 and 15(1) of the Charter?

And the CJEU said no. End of discussion.

The ends don’t always justify the means and for clarity, the CJEU didn’t reject shit:

Speaight also says that the CJEU in Tele2 and Watson rejected AG Saugmandsgaard Øe’s advice that the French governments found access to communications data useful in its investigations into terrorist attacks in 2015. Such a position however, falls victim to several questions, such as under what circumstances was the data sought? Was it accessed as a consequence of the legal obligation to retain? Or was it already retained for business purposes? What were the results of the use of that data? Could the same results have been achieved using less intrusive means? Saying it is useful tells us nothing as the ECtHR has plainly said necessity (in a democratic society) is not as flexible as expressions such as ‘useful’ [48], and as the CJEU rightly noted, a measure in and of itself, even in the general interest cannot justify general indiscriminate data retention [103]. This demonstrates that the CJEU didn’t reject anything, they didn’t even refer to the French government’s evidence, they just said as fundamental as fighting serious crime may be, and the measures employed, cannot by themselves justify such a fundamental departure from the protection of human rights. Just because you can, doesn’t mean you should. A certain ECtHR said something similar in Klass v Germany in that States ‘may not, in the name of the struggle against espionage and terrorism, adopt whatever measures they deem appropriate’ [49].

The CJEU doesn’t have to answer what it wasn’t asked:

Speaight then whines about the CJEU not addressing the issue of national security, well they weren’t asked about national security in Tele2 and Watson, were they? Like I said, even if the CJEU doesn’t have competence to rule on national security based data retention, Roman Zakharov is watching you from Strasbourg (he’s not actually in Strasbourg, I don’t think, but you dig).

What’s your problem with notification?

Speaight also bemoans the obligation to notify saying this requirement could damage investigations and surveillance and went beyond what the claimants had asked. Well, again, the claimants weren’t asking the questions, ffs, and the CJEU made this point by referring to previous case law, notably, Schrems [95]. The CJEU made very clear that notification should be done ‘as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities’ [121]. This is consistent with the ECtHR’s stance. Both courts are aware that notification can defeat the purpose of the investigation, and sometimes even after it has concluded, notification may still not be appropriate. But Speaight seems to omit this crucial detail.

Lawyers getting mad:

Speaight notes that criticism of Tele2 is not confined to Eurosceptics. Sure, but you don’t have to be a Europhile to defend it either. He also noted that it was roundly condemned by all the participants at a meeting of the Society of Conservative Lawyers. Well, no shit to my Sherlock, the name kinda gave it away. He also notes that the former Independent Reviewer of Terror law, David Anderson QC, said it was the worst judgment he knew of. Wait til Anderson reads the ECtHR’s case law on this matter then, which if anything, on proper reading goes further than Tele2. Speaight also points out that Demonic Grieve QC MP was pissed and that a well distinguished member of the French Bar, Francois-Henri Briard basically saying we need more conservative judges to trample on fundamental rights. If a judgment that protects the fundamental rights of all EU citizens pisses off a few lawyers, so be it.

Conclusions:

I’ve spent way too much time on Speaight’s post, and the really sad thing is, I’ve enjoyed it. It’s hard to have a conversation about data retention when you first have to sift through a load of bollocks, and there was plenty of bollocks, just to make your point. And by the time you’ve cleared through all the falsities and misleading or exaggerated points, you run close to 4k words without actually saying what your position is. So, my position for this blog post is, we should always shoot down rubbish when it shows its ugly face or else it festers. Actually, the point is, I can believe that blanket indiscriminate data retention is unlawful.

Dave Eggers’ The Circle: a book for our times…

I was introduced to Dave Eggers’ novel, The Circle, by Professor Andrew Murray – one of the pre-eminent scholars in IT Law in the UK, and also on of my PhD supervisors. I know I’m very late to this game – the book came out in 2013, and all the cool people will already have read it or reviewed it, but in this case I think it’s worth it. And the fact that someone like Andrew Murray would recommend it should give pause for thought: this isn’t just an entertaining piece of science fiction, it’s a book that really makes you think. It’s not just a dystopian vision of the future, it’s one that is far, far closer to reality than almost any I’ve read – and dystopian novels and films are pretty much my favourite genre.

It’s a book that reminded me why, unlike most of my schoolmates, I always preferred Brave New World to 1984 – and why, of the various privacy stories of the last few months I suspect, ultimately, the Facebook Experiment and the ruling over the Right to be Forgotten will matter more than the passing of the deeply depressing DRIP. In the end, as The Circle demonstrates graphically, we have more to fear from corporate domination of the Internet than we do from all the spooks and law enforcement agencies.

The Circle from which the novel gets its name is a technology company that combines a great deal of Google and Facebook with a little dash of Apple and a touch of Twitter. It dominates search and social media, but also makes cool and functional hardware. Egger’s triumph in the Circle is that he really gets not just the tech but the culture that surrounds it – little details like sending frowns to paramilitaries in Guatemala echo campaigns like #BringBackOurGirls in their futility, superficiality and ultimate inanity. The lives portrayed in the Circle should send shivers down the spines of any of us who spend much time on Twitter or Facebook: that I read the book whilst on a holiday without much Internet access made the point to me most graphically.

Privacy is theft

Eggers echoes both 1984 and Brave New World in using slogans to encapsulate concepts – exaggerating to make the point. For the Circle, these are:

Secrets are lies
Sharing is caring
Privacy is theft

All three are linked together – and connected to the idea that there’s something almost mystical about data. We don’t just have no right to privacy, we have a duty to disclose, a duty to be transparent. A failure to disclose means we’re depriving others of the benefits of our information: by claiming privacy, we’re stealing opportunities and advantages that others have the right to. If we care about others, we should share with them. This is Facebook, this is Google Flu Trends – and it’s the philosophy that implies that those of us who oppose the care.data scheme through which all our health data will be shared with researchers, pharmaceutical companies and many others, are selfish Luddites likely to be responsible for the deaths of thousands.

It is also the philosophy behind a lot of the opposition to the right to be forgotten. That opposition is based on the myth – one that Eggers exposes excellently – that the records on the Internet represent ‘the truth’ and that tampering with them, let alone deleting anything from them, is tantamount to criminality. Without spoiling the plot too much, one of the characters is psychologically and almost physically destroyed by the consequences of that. Eggers neatly leaves it unclear whether the key ‘facts’ that do the damage are actually real – he knows that this, ultimately, isn’t the point. Even if it all were true, the idea that maintaining it and exposing it would be a general good, something to be encouraged and fought for, is misguided at best.

It’s about power – and how it’s wielded

In the novel, The Circle has the power – and it wields it in many ways. Emotional manipulation, keeping people happy and at the same time keeping them within the Circle, is the key point – and the echoes of the Facebook Experiment, about which much has been written, but much has missed the deeper points, are chilling here. One of the real functions of the experiment was for Facebook to find ways to keep people using Facebook…

Another of the key ways that the Circle wields power is through its influence over lawmakers – and the same is sadly evident of Google and Facebook, in the UK as much as in the US. In the UK in particular the influence over things like opposition to data protection reform – and the right to be forgotten – are all too clear. It would be great if this could change, but as in the novel, the powers and common interests are far too strong for much chance. More’s the pity.

As a novel, The Circle is not without fault. I guessed the main plot twist less than half-way through the book. There’s a good deal of hyperbole – but this is dystopian fiction, after all – and the tech itself is not exactly described convincingly. What’s more, the prose is far from beautiful, the characters are mostly rather two-dimensional, and often they’re used primarily to allow Eggers to make his points, often through what amount to set speeches – but Huxley was guilty of that from time to time too. Those speeches, however, are often worth reading. Here, one of the dissidents explains his objections:

“It’s the usual utopian vision. This time they were saying it’ll reduce waste. If stores know what their customers want, then they don’t overproduce, don’t overship, don’t have to throw stuff away when it’s not bought. I mean, like everything else you guys are pushing, it sounds perfect, sounds progressive, but it carries with it more control, more central tracking of everything we do.”

“Mercer, the Circle is a group of people like me. Are you saying that somehow we’re all in a room somewhere, watching you, planning world domination?”

“No. First of all, I know it’s all people like you. Individually you don’t know what you’re doing collectively. But secondly, don’t presume the benevolence of your leaders.”

In that brief exchange Eggers shows how well he gets the point. A little later he nails why we should care much more about this but don’t, focussing instead on the spooks of the NSA and GCHQ.

“Here, though, there are no oppressors. No one’s forcing you to do this. You willingly tie yourself to these leashes.”

That’s the problem. We don’t seem to see the risk – indeed, just as in the novel, we willingly seem to embrace the very things that damage us. Lawmakers, too, seem not to see the problem – and as noted all too often allow themselves to be lobbied into compliance. The success of Google’s lobbyists over the right to be forgotten is testimony to this. Even now, people who really should know better are being persuaded to support the Circle sorry, I mean Google’s business model rather than address a real, important privacy issue.

Coming to a society near you…

We’re taking more and more steps in the direction of the Circle. Not just the Facebook experiment and the reaction to the ‘right to be forgotten’ ruling – but even in the last week or two a House of Lords committee has recommended an end to online anonymity, effectively asking service providers to require real names before receiving services. This is one of the central planks of the way the Circle takes control over people’s lives, and one which our lawmakers seem to be very happy to give them. There are also stories going around about government plans to integrate various databases from health and the DVLA to criminal records… another key tenet of the Circle‘s plans… The ‘detailed’ reasons for doing so sound and seem compelling – but the ultimate consequences could be disastrous…

Anyway, that’s enough from me. Read the book. I’ll be recommending it to
my Internet Law and Privacy students, but I hope it’s read much more widely than that. It deserves to be.

20140804-222408-80648421.jpg

If privacy is dead, we need to resurrect it!

Back in 1999, Scott McNealy, then CEO of Sun Microsystems, told journalists that privacy was dead.

“You have zero privacy anyway,” he said, “Get over it.”

In internet terms, 1999 was a very long time ago. It was before Facebook even existed. Before the iPhone was even a glint in Steve Jobs’ eye. Google was barely a year old. And yet even then, serious people in the computer industry had already given up on privacy.

The reactions of many politicians around the world – and particularly in the US – to the revelations of the activities of the NSA, GCHQ and others has echoed this sentiment. Privacy was already dead, many of them seem to be assuming, the only problem here is transparency. ‘We should have told you what we were doing’ seems to be one of the most common lines, ‘and we’ll find a way to be more open about it in the future’. The big companies echo that line, wanting to be allowed to say more about when they’ve given over information, about how many requests for data there have been and so forth – rather than calling for anything stronger, rather than saying that they in any way resisted the authorities desire for surveillance. Indeed, the suspicion of many observers from outside the industry is that rather than resisting government agencies’ surveillance plans, some of these companies were actively cooperative or even complicit.

It’s not just about transparency

For me, that’s not enough. This shouldn’t be an issue of transparency – because it’s not just transparency over surveillance and privacy that matters, it’s the surveillance itself. At the Society of Legal Scholars conference in Edinburgh yesterday, I listened to Neil Richards talk about the dangers of surveillance (his written paper can be found here) and found myself in total agreement. Surveillance in itself is harmful to people, in a number of ways – it can chill action and even thought, it creates and exacerbates power imbalances, it allows for sorting and discrimination, and it can and often is misused for personal or inappropriate reasons.

There are benefits to surveillance too – and reasons that surveillance is sometimes necessary – but the kind of total and generally secret surveillance that seems to be being performed by both government agencies (and the NSA in particular) and corporations seems to be totally out of balance – and it seems to be based, to some degree, on the assumption that privacy is dead anyway. For many, the only question seems to be how they can convince people to ‘get over it’. That is not enough. Yes, privacy may be dead – but if it is, we need to resurrect it. It may take a miracle – but it still needs to be done.

Can privacy be resurrected?

In an excellent article in the Guardian, Bruce Schneier talks about the role of engineers in the process. As he puts it:

“By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.”

Schneier knows what he is talking about – he is one of the real experts in the subject – and his piece is both compelling and surprisingly hopeful. Effectively he suggests – and I think he’s right – that there could be a way to re-engineer the internet, to take out the back doors, to rebuild the infrastructure of the internet so that surveillance is no longer the paradigm.

Schneier’s piece outlines what might be a technical route to the resurrection of privacy – but that resurrection needs more than just the technical possibility. It needs action from more than just the engineering community – it needs a political will, and that means that it needs action from a whole lot of us. It needs lawyers, advocates and academics to continue to challenge the legal justification for this kind of surveillance – the defeat last year of the Communications Data Bill (the UK’s ‘Snoopers’ Charter’) demonstrates that this kind of thing is possible. It needs journalists and bloggers to keep on writing about the subject – to make sure that surveillance and privacy isn’t just of passing interest, forgotten after a few weeks.

It needs ordinary people to keep taking an interest – because, ordinary people can and do make a difference. They make a difference to the companies who operate on the internet – Microsoft’s recent advertising campaign’s strap-line was ‘your privacy is out priority’, demonstrating that they at least thought that the idea of privacy could be a selling point, even if their complicity in the PRISM programme has made the words seem pretty hollow. Ordinary people matter to politicians, at least when election time comes around – and it’s worth noting that in the presidential debate in the German elections happening right now, the candidates were asked specifically about NSA surveillance. There IS public and political interest in this subject. The more there is, the more chance there is of action.

Ultimately, we need to challenge the very assumptions that underlie the surveillance. We need to challenge the idea that the threat of ‘International Terrorism’ is so great that almost anything that can be done to fight it should be done without question or fetter. That’s necessary for more than just privacy, of course, as a vast array of our civil liberties have been curtailed in the name of counter-terrorism – but it is still necessary.

Is it all doomed to failure?

It might be that privacy really is dead. It might be that resurrecting it is effectively impossible – and it will certainly be incredibly difficult. The strength of the security lobby, the power of those in whose interests the surveillance is carried out, from the commercial to the governmental, is more than intimidating. The whole thing may be doomed to failure – but even if it is, it’s a fight worth fighting. There’s a huge amount at stake. And miracles do happen.

Four fears for authoritarians

“It is not power that corrupts but fear. Fear of losing power corrupts those who wield it” Aung San Suu Kyi: Freedom from Fear

Recent events in the UK have been disturbing for believers and supporters of civil liberties. In many ways it feels as though our civil liberties are under a greater, more sustained attack than at any time since the Blair inspired near-paranoia that led to ideas such as the ID card database, the Interception Modernisation Programme (the predecessor of the Snoopers’ Charter) and 42 day detention amongst other hideously illiberal measures. What is perhaps more dangerous is that today’s attacks are in some ways more insidious, more seemingly disconnected, more apparently ‘reasonable’ when considered individually and hence more likely to gain public support – even by those who consider themselves to be very much supporters of human rights. Make no mistake about it, though: they are connected, and inspired by the same sense of fear that inspired Blair, Straw, Blunkett et al. They’re inspired by the same fear that have enveloped authoritarians for centuries: a fear of losing control.

1) Fear of a strong, independent, determined press

An independent press is the scourge of the authoritarian – and authoritarians know it all too well. The powerful have never liked a free press – from the pamphleteers of the 18th century to Tygodnik Solidarność in Communist Poland, an independent, brave and determined press has been crucial to the resistance to oppression. That’s why, regardless of the legality or otherwise of their actions, the Government’s first supervising the smashing of the Guardian’s laptops and then detaining David Miranda should be viewed very seriously indeed. It’s an attempt to stifle, to cow, to intimidate and to control the press. That’s serious. Very serious indeed.

2) Fear that people will learn what they’re doing

Authoritarians everywhere want their own actions, their own methods, their own systems to remain secret. they don’t want the ordinary people to know what they’re doing – partly because when people know what they’re doing, they generally object, partly because the authoritarians know that what they’re doing is in many ways wrong, partly because if people know what’s going on they can take measures against it. Make no bones about it, the Snowden revelations matter – it matters that we know about the level of surveillance that the authorities are performing, and how much they’re lying about it.

3) Fear that people are hiding things from them

The idea that people are hiding their thoughts, their plans, their associations – even their thoughts and dreams – is perhaps the thing that scares authoritarians the most. That’s why they consistently spy on their own citizens, using whatever methods they can find. In Burma, it was estimated that more than 1/3 of the populace was paid to inform the authorities, whilst the Stasi’s use of informants and other spies is now stuff of legend. The current obsession with internet surveillance – both legally, using the Snoopers’ Charter and its equivalents worldwide and ‘quasi-legally’ using the techniques and systems of PRISM, Tempora and so forth – is a reflection of that same fear, that same concern that people are hiding things. It’s an obsession that amounts, ultimately, to a belief that your entire nation, your own populace, is suspicious. We could all be traitors and enemies of the state – so we should all be watched. Orwell understood this – which is why 1984 hits the nerves so closely, and rings so true.

4) Fear that people can learn too much

A knowledgeable populace is a dangerous populace – so a good authoritarian has to control access to information. That’s why books are burned, that’s why censors are employed, that’s why education is closely controlled – and why, in the current technological climate, the internet is considered so dangerous. That, not the fear of pornography, is the key to the current plans to censor the internet. I’m not saying that the likes of Claire Perry think in these terms: I’m quite sure she doesn’t. Her desires for censorship come from another, not wholly unrelated angle: the idea of controlling the morals of the populace. Claire Perry, however, is being used by others who wish to take greater control over what people can learn – control of pornography is in some ways a Trojan Horse, to allow control over everything. Once the filters are built, the terms upon which they can filter can be (indeed will be) modified. It allows control over information – and hence over the populace.

It’s all about control – and the internet

Ultimately, control is the bottom line. All these events, all these actions, are about control. Controlling the press. preventing people learning about government actions, spying on people in their every action, controlling what they can have access to – it’s all about control. These aren’t separate issues: they all interlink, and the internet is the mechanism through which they link. To control the information people have access to online, you need to know what they’re doing online. To control the newspapers, you have to control the internet, because these days that’s how the newspapers distribute their information, far more than by print. That means, amongst other things, controlling twitter – which is why the authorities are getting keener and keener to control twitter, and why they will latch onto every opportunity to do so, whether that be the desire to stop trolling or abuse, or to control for copyright and so forth.

We need to see this bigger picture – and resist this drive for control. Some of the elements may seem eminently reasonable – most notably the porn-filters and the desire to root out abusive tweeters – but we need to understand the bigger picture too. We need to consider slippery slopes – even if that means we get ridiculed as conspiracy theorists. If the Snowden story tells us nothing else, it should tell us that not all conspiracy theorists are wrong. The stakes here are very high indeed – it’s about freedom itself.

They’re taking over the internet!

bond_vill05There’s a big story going around at the moment: the UN’s trying to take over the internet, or some variant of that. It’s all based on the current ITU proposals at the World Conference on International Telecommunications (WCIT) currently taking place in Dubai… Lots of people – and I mean LOTS of people – are spreading this story of terror and danger. What’s at stake? Freedom of expression, anonymity, privacy, the whole openness of the internet etc etc…

…and yet I find it very difficult to get enthusiastically behind the fight, though I’m a fierce advocate of all of those things, and care deeply and passionately about the future of the internet as an open and free place. So why do I find it hard? Not because I agree with the ITU’s proposals – I don’t, I think they’re generally very bad and very unhelpful. There are, however, a few reasons:

  1. The prime characteristic of the ITU, as for so many UN bodies, is not an ability to actually do anything – let alone control or ‘take over’ anything. UN peacekeepers aren’t exactly brilliant at keeping peace, UN resolutions tend to be ignored by almost anyone who might be affected (ask anyone who pays attention to what goes on in Israel and Palestine), UN charters are aspirational at best. Whatever they do is unlikely to have any real effect – unless others want it to have an effect. The UN has some great strengths – and some of the UN bodies do excellent work – but for those strengths to come into play, they need the states involved to want them to work. The various Human Rights declarations, for example, help to set standards that were then applicable (and applied) worldwide…
  2. The ITU itself is far from the most competent of ‘secret’ organisations – for all their supposed secrecy, they just ‘gave’ the information on their DPI proposals to the excellent @Asher_Wolf when she asked them for it….
  3. What’s more, opposition to the ITU’s proposals is already huge – and if anyone imagines that the US or the EU will quickly acquiesce to whatever the ITU suggests, they really don’t understand international politics or international law
  4. To suggest that these ITU proposals offer the biggest threat to any of the issues concerned at the current moment. In every areas there are far greater threats, far closer to home.
  5. You want a threat to privacy? Look more closely at our own governments – what the UK government is proposing with the Communications Data Bill, that’s a REAL threat to privacy. What’s being revealed by the NSA whistleblower William Binney about surveillance in the US is a vastly, vastly worse than anything imagined by the ITU. Our governments don’t need the ITU in order to invade our privacy….
  6. You want a threat to anonymity on the internet? Look much more close to home – look at Facebook’s ‘real names’ policy, and the same for Google! Google are one of the strongest supporters of the fight against the ITU – and yet they still have what amounts to a real names policy for Google plus!
  7. You want a threat to freedom of expression? Look very hard at the ‘entertainment industry’, whose copyright trolls do more to block people’s expression than almost anyone else. They use notice and take down, they want ‘piracy’ sites blocked, they want to be able to block users from accessing the internet at all if there’s suspicion of piracy.

…and yet it’s the UN, and in particular the ITU that’s the target of the attacks. I don’t particularly like the ITU, and I don’t like these proposals one bit, but they won’t destroy the openness of the internet – because they won’t be able to make it happen. The others, on the other hand – our own governments, our ‘own’ industries, from Facebook and Google to the ‘entertainment’ industries, they’re already doing a lot to restrict all those freedoms that they claim to care so passionately about. Why? Because there’s money in it for them…. just as that’s the main real reason for their concerns about the ITU proposals – one part is to effectively levy a kind of tax on companies like Google. When money matters, it’s easy for industry to play the ‘good guys’. When money works the other way…..

No reason to be complacent – keep fighting!

All this ranting isn’t meant to stop people fighting the ITU proposals – we should! They should be opposed with vigour, because they’re not good at all. There are some distinctly worrying things about these proposals, and some particular risks attached. There’s the risk that they can be used to spread the idea that surveillance, that the removal of any effective form of anonymity, become the norm – and that they are allowed to spread as a result of this kind of thing. The UN is an ‘aspirational’ organisation, so ideas spread by it can be seen as somehow acceptable, and supportable – and used in some ways to ‘justify’ bad things that are happening.

This risk – of the ‘normalisation’ of this kind of thing – is something that we need to oppose, and oppose strongly. It is, however, something quite different from the suggestion that the UN is actually trying to take over the internet. That idea shouldn’t be overblown, or hyped up to the degree that it is. There’s an element in crying wolf about this too – if we keep going on about something being likely to ‘destroy the internet’ we’ll miss the real threats. I don’t want that to happen – and to an extent is is already happening, with ideas like Facebook and Google’s ‘real names’ policies not being subject to nearly sufficient scrutiny, and the copyright lobby still wielding enormously disproportionate power. Let’s get things a bit more in proportion….

Choose your dystopia – part 2!

I wrote a piece yesterday, ‘Choose your dystopia‘ in which I looked at some of the best dystopian visions and how our current government seems to be using them as templates rather than as nightmares to be avoided… and I invited people to suggest some other dystopias that might also be relevant. Some of them, the first in particular (for which I thank @guy_herbert and @EinsteinsAttic), were so good that they warranted another post… so here it is!

Brazil

Terry Gilliam’s masterpiece is one of my all-time favourite films – from the astonishing visual imagery and the glorious absurdity to the deep tragedy that is the underlying message.

The parallels with the current government are many-faceted. Brazil paints a picture of a nation of underwhelming greyness characterised by a government of incoherence and incompetence – omnishambles anyone? It posits a society where the slightest irritant is labelled a terrorist – Robert De Niro’s rebellious plumber is a brilliant creation. Tony Blair may have started the ball rolling in this way, but Cameron and Clegg have taken that ball and run with it. Their embrace of the likes of the Snoopers Charter, Secret Courts and so forth are all predicated on the kind of illusionary enemies that are the essence of Gilliam’s nightmares. The ultimate fate of poor Sam Lowry is a cautionary tale for anyone advocating a breaking of conventional rules at a time of emergency….

Minority Report

Even those of us who are far from fans of Tom Cruise can find things to enjoy about Minority Report – the strength of the underlying Philip K Dick story and the quality of the film-making mean that even Cruise can’t stop it being an interesting, some might say excellent film.

What are the parallels here? Well, once again we should look for the Communications Data Bill – the Snoopers’ Charter. Whilst Minority Report relies on the prescience of psychics to predict crime and stop it before it ever happens, the Snoopers’ Charter can and almost certainly would use the predictive ‘ability’ of computer-based profiling to try to assess potential criminals, terrorists or paedophiles. If ‘we’ can work out who ‘they’ are before ‘they’ do things, then ‘we’ should be able to stop ‘them’. The accuracy and reliability of these predictions may well be getting better – and we can be pretty sure that the ‘experts’ in GCHQ will be looking to this kind of thing more and more. The pitfalls – and the risks to civil liberties – are another matter. Moreover, the idea of convicting people before they do things – for threatening behaviour rather than actually doing damage – has parallels with our willingness to convict people for what they post on Facebook or Twitter – mentioning riots rather than actually perpetrating them, or posting pictures of burning poppies rather than actually burning them…. Some kind of thought police? Hmmm….

The Old Men at the Zoo

A book significantly less known than most of those I’ve mentioned so far, but one no less worthy. Angus Wilson’s 1961 book portrays the struggles of a succession of old men running the London Zoo whilst politics change around them.

What has this to do with our Government? Well, one of the attempts to bring the zoo to relevance and success is to harken back to the old, traditional ways of Britain – to try to recreate an ideal vision of the Great British countryside, with foxes and badgers, lovely rolling hills. It’s a romantic vision, one based on a rose-tinted and illusionary vision of what once was – and is, of course, doomed to failure…. and is pretty much exactly what Michael Gove is trying to recreate with his plans for the education system. Indeed, Michael Gove would play the part of one of the Old Men at the Zoo perfectly – and the results would be the same.

Logan’s Run

This classic SF movie from the 70s portrays a post-apocalyptic world populated only by young, good-looking, people. Everyone is a perfect specimen – there are no old people, no sick people, no disabled people

What are the parallels here? Well, I don’t think Iain Duncan-Smith has contemplated actually killing any less-than-perfect physical specimens, but the treatment of disabled people under this government has been pretty horrendous. The result has been a significant increase in abuse and discrimination towards the disabled – some have even labelled it a kind of demonisation – and a sense that the government would much rather they simply didn’t exist.

Choose your dystopia….

I’m sure there are more – and I’m open to suggestions…. but there are certainly enough to be worried about! Does this government want us to think of them as a nightmare? It sometimes looks that way…

Choose your dystopia…

(See also Choose your dystopia Part 2 – here)

I’ve always been a great fan of dystopian fiction – nightmarish visions of where our society is heading. I started reading them in my teens – well before the year 1984 – and still read them, and watch the various film and TV versions with great interest. So do many people. I do wonder, however, whether our current government has been reading and watching them rather too much – and rather misunderstood the point. In many ways, their recent policies and practices seem to be moving towards making them a reality. The trouble is, they don’t seem to have quite decided which of the dystopian visions they prefer – and may indeed be heading for a mish-mash of them all!

1984

The first and perhaps best known of the dystopian visions the government appears to be emulating is George Orwell’s 1984. Indeed, had the government of Big Brother had the facilities which the government is attempting to bring in with its Communications Data Bill (about which I’ve blogged many times – e.g. here), it would have been ecstatic.

Through the systems envisaged in the Communications Data Bill, the current government can get surveillance of our every action on the internet, our every phone call, our movements (through the geo-location data on our mobile phones), who and what we like, our taste in music, even the books we read if we use Kindles or iPads. It can use this data and the sophisticated profiling techniques developed by the internet industry to develop detailed pictures of pretty much every aspect of our lives. With the Communications Data Bill, Big Brother is more than just watching you….

Brave New World

Aldous Huxley’s Brave New World was always my ‘favourite’ dystopia – and in lots of ways I suspect his nightmare visions are closer to reality than Orwell’s 1984. It envisages in some ways a ‘softer’, more subtle form of control – a world where consumption is the primary motivation for everything, and where people are directed to consume exactly what they’re told.

The consumerism is something that the current government – and indeed most previous governments in this country – would immediately recognise, but there are other elements which match our government’s vision. The first is the mantra of ‘choice’. In Brave New World, everyone thinks they have choice – to play Electromagnetic Golf or Escalator Squash or Centrifugal Bumble-Puppy. Lots of ‘choice’, but all those choices meaningless, and designed to manipulate people into doing what’s to the benefit of the elite. Ring any bells?

There’s another element that might ring some bells: the society in Brave New World is strictly class based – you’re given your class at birth, and that determines everything. Each class is carefully conditioned to know their place, and it’s the Alpha plusses who rule… We may not have sleep-teaching in today’s society  – though Michael Gove might well approve if we did. And when Andrew Mitchell was accused of having told some police officers to know their place, it wasn’t so much the actual words that rang true but the way that they fitted with the image that many people had of the government….

The Trial

Kafka’s The Trial is a very different kind of dystopia, but one that also seems to be having echoes for this current government:

There are many deeply disturbing aspects to The Trial, but the one that has the most direct echoes today is the idea of a secret trial, where no-one really knows what’s happening and why. In liberal societies, justice is supposed not only to be done but to be seen to be done – and due process is supposed to be something that we can follow and we can rely upon – if trials are secret, unaccountable and invisible, that is lost…. and yet that is the essence of some of the proposals currently being put forward by the government in the Justice and Security Bill (see here for a Q&A on it). Mind you, the whole system of ‘justice’ for ‘terror suspects’ of not only this government but its predecessor has had more than a touch of The Trial to it: people detained without charge, without trial, and with the evidence against them kept hidden…

Robocop

The 1987 movie Robocop (to be remade in 2013/2014) portrayed a nation in financial crisis, people afraid of crime, and the overwhelming spectre of privatisation of police operations.

Most of that scenario fits very well today – with the likes of G4S in the role of OCP. With the newly elected Police and Crime Commissioners in place, the possibilities for selective ‘outsourcing’ of operations have increased significantly – and the opportunities for the profit motive overwhelming the need to ‘serve’ the public have similarly grown. Those opportunities are what underlie the dystopian nature of the society of Robocop…. and though we don’t (yet) have the technology of Robocop, the growing use of Tasers, of drones and so forth make it not that far from what we have seen.

V for Vendetta

Alan Moore’s seminal graphic novel, later turned into a film, seems to be the latest dystopian vision aimed for by the government of David Cameron.

His latest vision – to restrict the use of judicial review, because it was ‘wasting time’ and getting in the way of economic growth – would be disturbing enough for anyone interested in due process, in accountability and in justice, but the language and imagery he used is perhaps even more disturbing. It’s in this imagery that the echoes of V for Vendetta come in. Cameron suggested that our current economic crisis is akin to being at war – and that as a consequence we should use similar ’emergency’ powers to those employed during the war.

“Normal rules were circumvented. Convention was thrown out… …Well, this country is in the economic equivalent of war today – and we need the same spirit. We need to forget about crossing every ‘t’ and dotting every ‘i’ – and we need to throw everything we’ve got at winning in this global race.”

It’s exactly this kind of evocation of ‘spirit’ that characterises the government in V for Vendetta – echoing the similar stories in 1984, a state of constant war. Allowing governments to circumvent normal rules, to avoid due process, is very often the start of a slippery slope of the worst possible kind. I might be accused of following Godwin’s Law by suggesting a similarity with pre-war Germany – except for the fact that Cameron himself brought Godwin’s Law into play by mentioning Hitler himself!

Choose your dystopia

All the different elements of the dystopian vision seem to be coming into play together. We’ve got the consumerist, class-controlled society of Brave New World, the ever-present surveillance of 1984, the secret courts and hidden ‘justice’ of The Trial, the privatised and profit driven policing of Robocop, and all wrapped up in the hysterical and hyperbolic rhetoric of V for Vendetta. Which dystopia will Cameron choose? All of them, it seems….