A ‘mature debate’ on surveillance? Yes please!

Andrew Parker, the head of MI5, has said in a speech that he is hoping for a ‘mature debate’ on what he calls ‘intercepting communications data’ rather than surveillance: I’m sure that most people working in the area would very much welcome such a call. I know that I do. Mature debate is exactly what is needed. The question that immediately springs to mind is whether what Andrew Parker means by ‘mature debate’ is the same as what I would understand by the words. The record of the intelligence and security services and the government in relation to such a debate is not a very convincing one: it has been those who challenge surveillance powers who have shown more desire and willingness to debate than the services and their masters in government.

To suggest otherwise – indeed to hint that those challenging them have behaved like petulant, hyperbolic children – flies in the face of the experience of the last few years. There has been hype on both sides, of course – I can see why Parker and others dislike the term ‘Snoopers’ Charter’, for example – but on the other side the claims have been equally lurid and offensive: the suggestions by Theresa May and others that privacy advocates have ‘blood on their hands’ for opposing new powers have been regular and repellent. The record of seeking debate, however, has been distinctly one-sided. Back in 2012, when the coalition government first put forward the Communications Data Bill – dubbed by its ‘hyperbolic’ opponents the Snoopers’ Charter – the intention was to push it through without any real debate at all. Indeed, the hints were that it would be passed in a matter of weeks before the London Olympics. It took a lot of pressure to force the bill into proper scrutiny, and a special Joint Parliamentary Committee was eventually formed to examine it. Debate was very much sought by those interested in interception and surveillance powers: over 600 pages of written evidence was submitted to the committee from more than 100 witnesses (including myself). So yes, we want mature debate, whenever we get the chance.

That first batch of ‘mature debate’ did not get the results that the proponents of the Communications Data Bill wanted: the report of the Joint Parliamentary Committee was highly critical, and after the intervention of the then Deputy Prime Minister, Nick Clegg, the bill was dropped, with a promise of further debate and a new Bill to scrutinise. That new Bill, however, never materialised (though I understand that it was drafted) and neither did the promised further debate. Again, it was not those who challenged surveillance and interception that were avoiding the debate. Very much the opposite: we wanted more information and more debate, and our questions were largely fobbed off.

That debate, however, began to happen even without the participation of the intelligence and security services, when in June 2013 Edward Snowden dropped his bombshell on the whole business. The debate that followed might not have been mature at all times, but it was a debate – despite the efforts of the intelligence and security services, not because of those efforts. Indeed, most of the efforts seemed to be to shut down the debate, to shut Edward Snowden up, along with those in the media who worked with him, arresting them at airports, smashing their hard drives and so forth. Keith Vaz questioning whether Guardian Editor Alan Rusbridger ‘loved his country’ was a particularly mature part of this debate. All this was accompanied by yet more mature suggestions about opponents of surveillance having blood on their hands. The maturity level was immense.

Then, when the mature debate actually began – the three big inquiries, from the Intelligence and Security Committee, the Independent Reviewer of Terrorism Legislation and the Royal United Services Institute – along came the next attempt to shut down that debate: DRIP. The shabby process through which the Data Retention and Investigatory Powers Act was rushed through parliament in a matter of days without any opportunity for public debate and only a few brief hours of parliamentary debate – in a mostly empty chamber with MPs preoccupied with preparations for the forthcoming election – was about as far from opening up to mature debate as could be imagined. Barely a debate at all, let alone a mature one.

Even after that, there was a further attempt to force through legislation without debate – four members of the House of Lords, all associated in the past with the security side of government, tacked on pretty much the entire, rejected Communications Data Bill to the back of another bill, very late in the parliamentary process, to try to sneak in those powers once more without debate.

So, Andrew Parker, let’s have this mature debate. Please. As soon and as deeply as we can. But don’t pretend that you’ve been seeking it all along, or that those who are challenging you have wanted anything else.  What is more, let’s make sure it is a mature debate, and not the sort of ‘debate’ that happens when one side has all the power and has predetermined the result, like a parent telling a three-year-old what the rules are for their behaviour. A mature debate must leave a chance for different results. In this case in particular, mature debate does not mean a Brian Clough style discussion where you tell us your opinion, we tell you your opinion, and we agree that you are right. There has to be a possibility – and you have to be open to this possibility – that the powers of the intelligence and security services are in practice (as well as in law) curtailed. If there is no possibility of change, the debate – mature or immature – is meaningless.

Are you ready for this kind of debate? I hope so. Let’s have it as soon as we can.

Princes, Privacy and Power…

Prince CharlesLast week was a momentous one for information law. Two dramatic and potentially very significant rulings. The first was the Black Spider memos Freedom of Information  case through which it now appears certain that 27 ‘private’ letters from Prince Charles to government ministers will be published. The second was the decision in the Vidal-Hall vs Google case, which may have opened the doors for people whose privacy was effectively being invaded by Google to take action through the UK courts, despite their being unable to demonstrate economic damage from that privacy invasion. I won’t go into the legal details of either: far better legal minds than mine have already done so, the two pieces on the 11KBW blog about the Black Spider letters and Vidal-Hall vs Google respectively explain them really well. Instead, I want to look at one particular issue – the relationship between privacy and power, which is played out in different but related ways in both cases.

Princes, information and power

It is often said that ‘information is power’ – and in the case of Prince Charles’ Black Spider letters that does seem to be the case. Without knowing the contents of the letters – something that may shortly change – it can be assumed that power and information are central to them. The letters concerned – 27 of them – are letters written by Prince Charles to government ministers. The very fact that he wrote them, and could expect to have answers to them, shows that he had power and was using it (at the very least) to get information. He might have been using it to attempt to use that information to influence policy – we may be able to determine that as and when we see the content – but information is central to it. What is more, he knows that if we get hold of the information, he may lose some of his power, and we may gain some power over him – which is, presumably, why he is so keen for them to remain out of the public eye. Information really is power here.

Privacy, in this context, can be seen as control over information – and it is hardly surprising that Prince Charles invoked privacy in his response:

“Clarence House is disappointed the principle of privacy has not been upheld”

Privacy has value – it is a human right – and as an argument against disclosure, it feels better than saying (for example) that Clarence House is disappointed that it wasn’t able to exert its power as effectively as it wished, or that it is disappointed to be about to be losing some of its power. And yet that’s what’s really happening here. People with power have often used privacy as a way to maintain that power, to maintain their control over the situation. Indeed, in the courts, privacy has often been invoked by powerful people – from philandering footballers to secretive celebrities – to keep their lives and loves under wraps. Sometimes that’s entirely right – privacy really is a human right, and we all have that right. It is, however, a right that is held in balance, not an absolute right. It’s held in balance with freedom of expression, with freedom of information – and when looking at surveillance and so forth in balance with interests and needs like security. It is also a right that relates primarily to our private lives – not our public lives, or our professional lives. If we’re talking about professional lives, ideas such as confidentiality are more relevant – not quite the same as privacy, and subject to different checks and balances. Here, this really wasn’t about Prince Charles’ private life: writing to government ministers when you’re the heir to the throne is not a private life issues. I would defend Prince Charles’ right to privacy over letters to his children, his wife, his mother, his friends and so on just as much as I would defend anyone’s right to privacy over their correspondence – but that’s not what this is about.

Ultimately, that’s why the Black Spider Letters are becoming public – because there’s a public interest in our knowing the contents, which is what Freedom of Information is supposed to be about. It’s a redressing of a power imbalance.

The New Princes of the Internet

…which brings us on to Google, one of the new Princes of the Internet, in the Machiavellian sense, and the Vidal-Hall case. Ultimately, this is also about power. The essence of the story is about Google tracking people’s activities on the internet, without their consent – indeed, when they had directly said that they didn’t want Google to track them. Why does Google do this? To get information, and ultimately to get power. They use this information to get power over people – not just over the people they’re tracking, but people generally, as they gather more and more data about people’s behaviour and learn about how people use the internet, what they’re interested in and so forth. That information, those invasions of privacy (for that is what they are) is used for Google’s own purposes – and despite how they often like to appear, Google are not neutral indexers of the net, helping develop systems and services for the betterment of humankind, champions of freedom of speech and so forth. They do do a lot of that – but because by doing so they can make money.

Google are a business, and what they do they do for business reasons – and there’s nothing wrong with that at all. We do, however, need to be a bit more aware of how that works and what the implications of that are. Amongst other things, it means that they will use the information they gather to get power over us – ultimately power to make more money from us, or by using us as tools to make money from others and so on. Again, power is the key, and again, that’s where privacy is involved. They invade our privacy in order to gain power over us, and if we’re able to assert our privacy, to protect our privacy, they lose power.

Privacy for ordinary people

It’s a subtle thing – none of the individual invasions of privacy is particularly significant – but that’s one of the reasons this ruling really is significant. By allowing people to take action even without proving economic loss, it could provide people who usually don’t have power the chance to protect their privacy. As noted above, privacy actions in the past have generally only been a tool for the powerful, not something for the rest of us – this might change that, and that is something that really matters.

Indeed, it could be the most important thing of all. Privacy, like all human rights, is most important as a way to protect those who don’t have power from those who do have power. It shouldn’t be a tool just for the rich and powerful – they already have a vast arsenal of tools at their disposal – it should be something that we can all use. We need privacy from all kinds of powerful entities, from businesses like Google and Facebook to a wide variety of governmental agencies and others.

What’s more, all those powerful entities invoke privacy for themselves to protect their own power. The Snowden revelations have showed how carefully governments have hidden their own actions from our scrutiny – indeed, how they continue to disclose as little of what they do as possible, and continue to ‘neither confirm nor deny’ the existence of many of their actions. Google, Facebook and others expect others to abandon their own privacy – indeed as shown in the Vidal-Hall case, sometimes they just ride roughshod over people’s privacy – whilst keeping their own actions as well hidden as possible. Google’s algorithms remain almost entirely opaque – trade secrets – no matter how often they talk about transparency. At a conference on Friday discussing the ‘Right to be Forgotten’, I asked the Google representative why they hadn’t updated their examples of right to be forgotten cases for almost a year, and the response I got was terse to say the least. They don’t want us to know what they do – while they want to know everything about what we do.

Redressing the privacy imbalance

For me, one of the key roles of the law is to redress this imbalance – to find ways to protect the privacy of ordinary people, and prevent princes – old princes like Charles and new princes like Google – both from invading our privacy and from invoking their own privacy to hold onto their power. In both the Black Spider Letters case and Vidal-Hall vs Google the law seems to have done exactly that, and the courts in both cases should be applauded. Of course there’s a long way to go, and those with power can and do use every means they can to hold onto that power. I fully expect the Black Spider letters to be heavily redacted as and when we finally see them, and Google is apparently seeking permission to appeal the Vidal-Hall case to the Supreme Court.

They may well succeed. Even if they do, the two cases this last week should be seen as victories, and both Prince Charles and Google should be more than a little afraid. Holding onto their power may be a little harder than they thought. I hope so.




A shout out for the Open Rights Group!

Screen Shot 2015-03-17 at 10.04.26Today is #DigitalRightsMatter day – and yes, I know there are days for many things (including, despite the complaints from some, an International Men’s Day (November 19th)). I’m usually fairly cynical about these days – but they do serve a purpose – to focus minds on significant issues, and hopefully to find ways to actually do something about them. In this case, the issue is digital rights – one close to my heart – and the thing to do is to support the Open Rights Group (ORG).

I should say, right from the start, that I’m on the Advisory Council of ORG so I have something of a vested interest – but I’m only on the Advisory Council because I think what ORG does is of critical importance, particularly right now. Never has there been a time when digital rights have been more important, and never has there been a time when they are more under threat. We use the internet for more and more things – from our work to our personal life, from our political activism to our entertainment, from finding jobs to finding romance. Indeed, there are pretty much no parts of our lives that are untouched by the internet – so what happens online, what happens to our digital freedoms and rights, is of ever increasing importance.

Now is when we need them

The threats that we face to our freedoms are growing at a seemingly exponential rate. Surveillance is almost everywhere, and the political pressure to increase it is frightening. Censorship, the other side of that authoritarian coin, is growing almost as fast – from more and more uses for ‘web-blocking’ to ‘porn’ filters that hide vastly more than porn, from critically important sex education websites to sites that discuss alcohol, anorexia and hate speech. David Cameron talks about banning encryption without seemingly having any idea of what he’s talking about – or the implications of his suggestions.

This last point highlights one of the reasons ORG is critically important right now. Politicians from all the mainstream parties seem to have very little grasp of how the internet works – and they reach for ‘easy’ solutions which get the right headlines in the Tabloid press but are not only almost always counterproductive and authoritarian but actually encourage the perpetuation of damaging myths that will make things continue to get worse. The media, left to their own devices, also have a tendency to look for easy headlines and worse.

That’s one of the places that ORG comes in. It campaigns on these issues – current campaigns include ‘Don’t Spy On Us’ dealing with surveillance, Blocked! which looks at filtering, and 451 Unavailable which tries to bring transparency to the blocking of websites by court orders. It produces information that cuts through the confusion and makes sense of these issues – and tries to help politicians and the media to understand them more. And it works – ORG representatives are now quoted regularly in the media and when they make submissions to government inquiries they’re the ones who are given hearings and referred to in reports.

They do much more than this. They help with court cases working with other excellent advocacy groups like Privacy International – the current challenge to the Data Retention and Investigatory Powers Act (DRIPA) is just one of many they’ve been involved in, and these cases really matter. They don’t always win – indeed, sadly they don’t win often – but they often force the disclosure of critical information, they sometimes bring about changes in the law, and they raise the profile of critical issues. ORG are also part of the critical European organisation EDRi who bring together digital rights groups from all over Europe to even more effect.

Now is when they need us

ORG, like other advocacy groups, regularly punches above its weight. It doesn’t have the massive resources of the government agencies and international corporations whose activities they often have to campaign against. There are no deep pockets in ORG, and no massive numbers of staff – they rely on donations, and on volunteers. That’s where #DigitalRightsMatter day comes in – ORG is trying to find new members, get more donations and find access to more expertise. Can you help?

ORG’s joining page is here

Their blog about #DigitalRightsMatter day is here

I would encourage anyone to consider joining – because Digital Rights really do matter, and not just on #DigitalRightsMatter day.

Now it’s time for a review OF the ISC

Screen Shot 2015-03-13 at 06.45.25Like many others in the privacy field, I had waited for the Intelligence and Security Committee report ‘Privacy and Security: A modern and transparent legal framework’ with some trepidation – though after having made a submission myself, and participated in the ISC’s ’round table’ events that formed part of the consultation I had felt a little less overwhelming pessimism than I had previously. Having read it through after its release yesterday I feel a little underwhelmed. It isn’t quite as bad as I had feared – but it does come close. The general feeling I had, though, was that the ISC is still essentially out of touch, out of date, and unable to fulfil the critical role of scrutiny that it is tasked with.

One particular paragraph made the point most directly – and it concerned one of the most important areas of the review insofar as it relates to the areas that I work in. Paragraph 80 began with this startling sentence:

“We were surprised to discover that the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications.”

Surprised? Really? No-one who has paid any attention to the field over the last decade at least should have been surprised that the ‘information associated with those communications’ – essentially what is generally referred to as ‘metadata’ these days – is what GCHQ would be interested in. Academics and privacy advocates have been going on about it for years and years – and if the ISC were ‘surprised’ that this is what GCHQ are most directly interested in then it means one of three things: either they’ve not been paying attention (which is their main role), they don’t understand the technology at all (which is critically important to their role), or they’re deliberately dissembling about it (which means they can’t be trusted in their role).

That they even make the admission that they were ‘surprised’ in the official report suggests that they don’t understand the gravity of that admission, and how much it shows that they don’t understand what is happening. They compound that admission later on in the report, in paragraphs 136 and following, when they ask the question of whether Communications Data is ‘as intrusive’ as content, and essentially dismiss the possibility, hence giving the authorities much more freedom. They seem to have forgotten at this point what they had learned in paragraph 80, that the primary value is in the ‘information associated with’ the communications – their surprise didn’t illicit the kind of questions that it should have.

To be clear, the argument made by people like me is not that this information is more intrusive than content – but that it is more useful, for a number of reasons, from the fact that it can be analysed algorithmically (rather than by rooms full of old-fashioned spies pouring over reams of print-outs, which seems to the the ISC’s idea of surveillance), and that qualitative information can be gleaned from it. Profiling information – the kind of information that the massive internet advertising industry uses – that can be automatically processed and used. That, however, was something else that indicated how much the ISC was out of touch – they didn’t seem to acknowledge or understand the nature of the current, commercial, surveilled nature of the internet, and the critical role played by the corporations. Bruce Schneier put it most eloquently when talking about the NSA:

“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.”

The corporates are much more interested in metadata because they understand its value – and so do GCHQ. The profiling techniques used by advertisers to find customers are the same sort of thing that GCHQ might use to find terrorists – just using different parameters. That the ISC doesn’t understand this – or didn’t understand this – is deeply revealing. One of the brighter spots of the report, however, is that they do at least make a tentative step towards recognising it through their new category of ‘Communications Data Plus’ in their recommendations. As they put it:

  • It is essential to be clear what constitutes CD. In particular, there is a ‘grey’ area of material which is not content, but neither does it appear to fit within the narrow ‘who, when and where’ of a communication, for example information such as web domains visited or the locational tracking information in a smartphone. This information, while not content, nevertheless has the potential to reveal a great deal about a person’s private life – his or her habits, tastes and preferences – and there are therefore legitimate concerns as to how that material is protected.
  • We have therefore recommended that this latter type of information should be treated as a separate category which we call ‘Communications Data Plus’. This should attract greater safeguards than the narrowly drawn category of Communications Data.

Personally, I suspect that the ‘grey area’ defined in this way will turn out to be the vast majority of what was previously considered ‘communications data’ – when data aggregation is considered, in particular, most data can be highly revealing. If the ISC had paid more attention to the advertising industry – effectively, if it had understood the context in which surveillance happens these days – it would not have had such a surprise. I look forward to hearing what these ‘greater safeguards’ it will attract will be.

There is much more in the report that should ring alarm bells – the discussion of encryption, the seemingly new idea of ‘bulk personal datasets, the casual dismissal of arguments against the fundamentally intrusive nature of ‘bulk collection’, and the attempt to characterise those who seek privacy as being happy to accept a few terrorist atrocities as a fair price to pay for a little personal privacy – and I am sure they will be written about extensively elsewhere. There was one other thing that struck me, though. At no point in the report, as far as I can see, did they mention the fact that the Data Retention Directive was  declared invalid in April 2014, and that the reason for its invalidity was that:

“It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.”

Did the ISC not know about this, or not think it was relevant? If the former, they’re incompetent, if the latter, they’re dismissive of what are considered to be fundamental rights. Mostly, though, my suspicion is that they thought it was not within the terms of their review – and that, itself is revealing. Again, the words that spring to mind are ‘out of touch’. In a body charged with oversight of the intelligence services, being out of touch is a fundamental flaw.

The fall of the Chair of the ISC, Sir Malcolm Rifkind, through his being duped into selling his services to a fake Chinese company set up by journalists, highlights the point even more. Time for a change – and a root and branch change. The ISC is right to call for better transparency – but we need better oversight too, and the starting point of that better oversight should be a replacement of the ISC. More technical competence, more people ‘in touch’ with the real world, less subservience to those in authority who are supposed to be subject to their oversight, more openness to new ideas, more willingness to listen to people who don’t immediately fit into their world view.

We’ve had the review by the ISC. Now it’s time for a review of the ISC.

Guest post: Deeper than Privacy Failure

Shatter the silence

Guest post by @Super__Cyan

Publishing names of individuals has implications that can go beyond privacy

As stated by the Guardian, Politics Home and various other media outlets (see the Internet for rest), survivors of child sexual have received death threats after their identities and personal details were published by the Home Affairs Select Committee. After complaints from the victims, the committee began to redact he names of individual survivors from the correspondence on its website. The Committee said in a statement:

‘Last week, some material from the Independent Panel Inquiry into Child Sexual Abuse came into the committee’s possession in the course of our inquiry. The material included directions to panel members about how they should answer questions from the committee, as well as email exchanges between panel members about the panel’s external communications strategy. These emails included the names of third parties. At the request of the individuals concerned, the material has been redacted to remove references to these individuals. The names of all these individuals were already in the public domain. (bolding this will be explained later).

In their letter to May the survivors said: “The release of emails and correspondence constitute a breach of data protection and also a breach of trust….”

Now here is where human rights may strike again. The survivors acknowledge that the names being leaked constitute a breach of data protection and trust, but it also involves a possible breach of Article 8 of the European Convention of Human Rights (ECHR) which states that:

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  1. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

So essentially this means everyone has a right to privacy, subject to qualifications set out in subsection two. Public authorities, like local councils and the police aren’t allowed to arbitrarily mess with these rights. And the Human Rights Act 1998 (HRA) which brings the ECHR from across the pond to allow UK courts to enforce it. So not only does the European Court of Human Rights have the ability to tell the UK (as it would be the state, not the public authority in this instance) off for violating the rights of those under its jurisdiction, but UK courts have a similar ability to tell public authorities off. I feel like I mentioned this before somewhere….But for Article 8 to even be used as a sword, it has to be engaged.  Private life which is not susceptible to exhaustive definition which includes an individual’s name and other means of personal identification (the claimant’s address and date of birth) therefore falling within the ambit of private and family life for the purposes of Article 8 (see S and Marper v United Kingdom 30562/04 [2008] ECHR 1581)

So unless you are Sauron…


…you should be fine.

I bolded the quote regarding the names already being in the public domain, Eady J in McKennitt v Ash [2005] EWHC 3003 (QB), para 81, noted that:

‘[I]t does not necessarily follow that because personal information has been revealed impermissibly to one set of newspapers, or to readers within one jurisdiction, that there can be no further intrusion upon a claimant’s privacy by further revelations.’

The point here is that even if what the Home Affairs Select Committee says is correct, this may not preclude a breach of Article 8.

However, all this talk about human rights means squat when it comes to the Home Affairs Select Committee, because of the definition of a public authority in the HRA. This is because of the cleverly crafted s.6(3) of the HRA. This section does not include either House of Parliament or a person exercising functions in connection with proceedings in Parliament within the definition of a public authority (the italics are what are applicable to the Home Affairs Select Committee.) Therefore despite Article 8 being engaged, it has no application because the right cannot be enforced against the Home Affairs Select Committee. This would explain why in the letter to the Home Secretary, T. May only data protection and breach of trust were mentioned. I could get all political with this but I don’t like politics.

But does the human rights protection end there? Not necessarily. We’ve established that Article 8 has no application in this particular circumstance but it might in another and this is because of the death threats made to survivors. There is not much that has been revealed about the nature of the threats as this can be crucial, but it is important to look at the relevant case law. The European Court of Human Rights (ECtHR) found itself presiding over the case of Hajduová v. Slovakia (Application no. 2660/03) which involved a mother who had been verbally and physically attacked by her husband which also included death threats. At para 49 the ECtHR noted that:

The Court observes that the instant application is distinguishable from the cases to which it has referred concerning domestic violence resulting in death (see, in particular, the Court’s judgments in the cases of Kontrová v. Slovakia, no. 7510/04, ECHR 2007-VI (extracts) and Opuz cited above, in which it found violations of Articles 2 and 13 and Articles 2, 3 and 14 of the Convention respectively). It is clear that A.’s repeated threats following his release from hospital, which constitute the basis of the applicant’s complaint under Article 8 of the Convention, did not actually materialise into concrete acts of physical violence (compare and contrast the case of Bevacqua, cited above, in which the Court found that the State had breached its positive obligations under Article 8). Notwithstanding, the Court considers that given A.’s history of physical abuse and menacing behaviour towards the applicant, any threats made by him would arouse in the applicant a well-founded fear that they might be carried out. This, in the Court’s estimation, would be enough to affect her psychological integrity and well-being so as to give rise to an assessment as to compliance by the State with its positive obligations under Article 8 of the Convention.

This means that Article 8 could be engaged and violated even if threats do not materialise.

Moreover, this issue runs deeper than a failure to protect privacy, again because of the death threats that were made to survivors. This therefore brings the issue within the ambit of Article 2 which states that:

  1. Everyone’s right to life shall be protected by law. No one shall be deprived of his life intentionally save in the execution of a sentence of a court following his conviction of a crime for which this penalty is provided by law.
  1. Deprivation of life shall not be regarded as inflicted in contravention of this article when it results from the use of force which is no more than absolutely necessary:

(a) in defence of any person from unlawful violence;

(b) in order to effect a lawful arrest or to prevent the escape of a person lawfully detained;

(c) in action lawfully taken for the purpose of quelling a riot or insurrection.

Article 2 consists are two aspects, positive and negative obligations, a positive obligation to protect life, and a negative obligation to refrain from the unlawful taking of life. Under these circumstances, only the positive obligations are relevant here which can be further subdivided into two categories, prevention and investigation. In Osman v UK 23452/94 [1998] ECHR 101 it was established that authorities have a duty to prevent and suppress criminal offences if it is established that:-

(a) the authorities knew or ought to have known at the time of the existence of a real and immediate risk to the life of an identified individual from the criminal acts of a third party, and

(b) that they failed to take measures within the scope of their powers which, judged reasonably, might have been expected to avoid that risk.

Now clearly this would be trickier if the threats were made anonymously, but that doesn’t mean that a state has no options to try and find the identity of the issuer of death threats. For example, if the threats were sent electronically, powers in the Regulation of Investigatory Powers Act 2000 could be used in the hopes of identifying the issuer of such threats or caught under s.127 of the Communications Act 2003. In Branko Tomašic and others v Croatia (Application no. 46598/06) although a case concerning domestic violence (therefore a history of abuse) and eventual murder, the ECtHR acknowledged that:

The above findings of the domestic courts and the conclusions of the psychiatric examination undoubtedly show that the domestic authorities were aware that the threats made against the lives of M.T. and V.T. were serious and that all reasonable steps should have been taken in order to protect them from those threats. The Court will now examine whether the relevant authorities took all steps reasonable in the circumstances of the present case to protect the lives of M.T. and V.T.(para 53).

The ECtHR concluded that there were no adequate measures were taken to diminish the likelihood of M.M. to carry out his threats upon his release from prison and this was sufficient to enable the Court to find a violation of the substantive aspect of Article 2 of the Convention on account of failure of the relevant domestic authorities to take all necessary and reasonable steps in the circumstances of the present case to afford protection for the lives of M.T. and V.T. (para 60-61).

Though it is not clear whether these threats were made anonymously or by individuals known or by what means, this post is aimed at highlighting the possible application of human rights laws that public authorities should be aware of when it concerns a situation like this. The Home Affairs Select Committee very fortunately would not be under any obligation despite their disclosure but other public authorities are. It is true that ‘not every claimed risk to life can entail for the authorities a Convention requirement to take operational measures to prevent that risk from materialising’ (Branko Tomašic and others v Croatia (Application no. 46598/06) para 50) but at the same time they should still be taken seriously.

A poem for Data Protection Day

Today is Data Protection Day – or Data Privacy Day in the US. I thought I’d write a little poem to mark the occasion – so here it is:


Privacy’s dead, I’ve heard it said

It’s time to face the truth

It’s only fogeys who complain

Just listen to the youth


The young don’t care, don’t care at all

They share all day and night

And only those with things to hide

Put up some kind of fight


But is this true, I ask myself

Do kids not really mind?

Just talk to them, you’ll find they do

Their views are much maligned


But what they see as privacy

May not be what you say

For privacy’s not quite so clear

As hiding things away


What’s private may be bad or good

It may be big or small

It may not seem to matter much

But that’s just not your call


And in these days of online life

Of smartphones and the net

We pour our lives out digit’ly

In ways we might regret


…if data’s not protected well

And that means we need law

Law that’s written well and strong

With our rights at the core


Can law solve problems on its own?

Of course not, don’t be fooled

But law can play a crucial part

It can be one key tool


That’s why, though there are problems – huge

And many a massive flaw

I still campaign and still support

Data protection law



Apologies for the scansion…… and some of the rhymes!


The Snoopers’ Charter: Shameful Opportunism

The news that four peers are trying to bring back the Snoopers’ Charter – in its last incarnation the Communications Data Bill – is depressingly predictable, but perhaps even more shameful than other attempts at legitimising mass data gathering and surveillance. It displays shameful opportunism that seems to plumb new depths – and in a number of different way

1     Bringing it in based on an event

It is a bit of an axiom that reactive law – knee-jerk law – is a bad idea. Law by its nature needs to be considered carefully, not passed in the heat of a moment. The more oppressive and ill-considered of ‘counter-terror’ legislation, however, seems to tend to be done this way all too often. The USA-PATRIOT Act (whose long name, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act is worth a read in itself) is perhaps the best known example, but the Data Retention Directive worked just the same way, passed in the wake of the 7/7 bombings in London, and even making reference to those bombings in its preamble. That this directive was declared invalid by the Court of Justice of the European Union last year should give pause for thought. The CJEU said that the directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” Authoritarian legislation, passed in haste, takes a long time to overturn. Even now, the repercussions are still being felt

2     Bringing it in based on this particular event

Hanging legislation on a hideous event is one thing – bringing it in based on this particular event, the Charlie Hebdo shootings, is even worse, as a careful examination of this event should have revealed not that more mass data gathering and surveillance is necessary, but rather the opposite. As I have written before, the shootings in Paris damage rather than enhance the case for mass data gathering and surveillance. The perpetrators were known to the authorities – they didn’t need to be rooted out by mass surveillance. The authorities had stopped watching them six months before, because, it seems, of lack of resources, resources that might have been available if a targeted rather than mass surveillance approach had been taken. This is part of an almost overwhelming trend – the killers of Lee Rigby and the suspects in the Boston bombings were also known to the authorities. There was no need for mass data gathering and surveillance to stop them – so to use this particular event as an excuse for bringing back the Snoopers’ Charter is particularly shameful.

3     Trying to rush the legislation through

It is almost never appropriate to rush legislation through – but sadly this is also all too familiar. Last summer, Parliament brought itself into significant disrepute by rushing through the Data Retention and Investigatory Powers Act (DRIP) in a matter of mere days, with no real time for scrutiny, no opportunity for independent expert analysis, and no real opposition from any of the main parties. This is not the way to legislate – it wasn’t right then, and it wouldn’t be right now.

4     Doing this in the midst of investigations and legal challenges

The one saving grace in DRIP was that it was intended to give breathing space, to allow proper, detailed and careful consideration to the many issues involved in surveillance. At the same time, there are a series of reviews over surveillance legislation in process – from the Intelligence and Security Committee and by the Independent Reviewer of Terrorism Legislation to start with. Moreover, DRIP itself is subject to legal challenge. To try to pass much more comprehensive and far-reaching legislation even before these reviews have been completed and their reports scrutinised, and before the legal challenges even make their way into the court room, is also deeply shameful – prejudging the results of those reports, and, in effect, disrespecting all those involved.

5     Doing this in the face of a clear CJEU ruling

What is perhaps even worse, is that on the face of it the planned legislation flies directly in the face of the CJEU ruling on data retention. The ruling was strong, clear and direct – but does not seem, on immediate reading of the legislation, to have been taken into account at all. Of course this may be wrong – but as the new legislation only appeared yesterday, and is planned to go before the Lords on Monday, there has not been time for proper, detailed analysis – and nor has there been any kind of explanation or reconciliation presented. This again highlights the point of taking time over legislation – and going through proper, detailed procedures.

6     Using a highly dodgy political method

The method which has been chosen to try to introduce this law is, to put it mildly, somewhat doubtful. Rather than a full Bill, the four peers have tabled an amendment – 18 pages of additional clauses – to an existing bill, the Counter Terrorism and Security, which has already gone through most of the processes necessary before becoming law. It’s like slipping in an entirely new law just before the first law is passed – it makes a mockery of parliamentary process, and in effect disrespects the whole of parliament.  Describing it as trying to sneak in the Snoopers’ Charter by the back door may even be too kind.

7     Ignoring the committee

The original Communications Data Bill was subject to analysis by a full parliamentary committee – and that parliamentary committee came out with a highly critical report, a report which ultimately led to the abandonment of the Bill.  By trying to bring it back now, seemingly virtually unchanged, the peers proposing the amendment are ignoring the committee and its findings – and as a consequence ignoring the whole process of parliamentary scrutiny.

8     Doing it at this time, in the run up to the election

To try to push through legislation like this in the run up to the election is in itself highly dubious tactics. Politicians have their minds on other things – and many of them may care much more about being re-elected than about whether the details of legislation to be passed are a good idea or not. Whether they ‘look’ good is what matters, and whether that makes them more electable. Right now, in the light of the anger and fear resulting from the Charlie Hebdo shootings, to oppose something that might make people safer, will be difficult – and may hinder the electoral prospects of MPs. This kind of thing has happened before – the way that the Digital Economy Act was passed in 2010 springs to mind – and again makes the timing of the bringing forward of the amendment feel very wrong

Why are they doing it this way?

The whole process – all these layers of opportunism – should make the alarm bells ring. This is a hugely significant piece of law – not just in terms of what it does but in terms of what it signifies, in terms of what kind of society we want to be living in, what kind of an internet we want to have. If we are going to make decisions like this, we should make them in careful, considered ways, weighing the evidence and seeking expert opinion. That’s the idea behind the parliamentary committee system, and the time it takes to bring laws in through normal procedures.

Why, then, are these procedures being avoided, and why are these underhand methods being used? It is hard to escape the conclusion that it is because those pushing it are afraid that if it is given the appropriate amount of time, of attention, and of scrutiny, then it will once again be defeated, as it was the last time around. In the cold light of day, do we want to live in such a surveillance society? I’m not sure – but I do think that trying to make those decisions in this way, in the heat of the moment and without the opportunity to give proper thought and proper scrutiny, is a disastrous way to proceed. Those behind it should be ashamed.