The aftermath of the events in Paris has shown many of the worst things about the current media and social media. I’ve been watching, reading and following with a feeling, primarily, of sadness.

What depresses me the most – and surprises me the least – is the way that the hideousness has been used to support pretty much every agenda. I’ve seen the events used to ‘prove’ that we should leave the EU (‘control our borders’ etc) and that we should stay in the EU (‘solidarity’ with France), that we need less surveillance (it didn’t work this time, why not direct the effort and resources elsewhere) and that we need more surveillance (the threat is real, we must do everything needed). I’ve seen it said that we need to clamp down on Islam, that we need to support moderate Islam, that terrorists are all Muslims, that the vast majority of the victims of terrorism (and of ISIS in particular) are Muslims, that terrorism has no religion and so on. I’ve seen attacks on Corbyn, on Cameron, on a wide selection of journalists and ‘commentators’ for their responses to the events. I’ve seen the blame placed on Syria, France, Saudi Arabia, the US, the UK and of course Israel. We’re at war, I keep reading, though whether with ISIS, ‘terror’ or Islam as a whole seems a little unclear in the words of some.

I see some saying this shows how pointless the drone-killing of ‘Jihadi John’ was, and how this was in part revenge for it, and others saying how it shows the need for more such attacks. I read that this means we need to bomb Syria now – and then how it shows that bombing just makes it worse, and makes us a target. I hear that we’re too soft on refugees, and let the terrorists in under cover – and then that this just shows what the refugees have to suffer at home every day. It’s our fault for being too soft, it’s our fault for being too brutal, it’s not our fault at all.

All I can do is sigh. And feel more sadness. I see the points that everyone has. And yet all I feel is sadness. There isn’t an easy solution to any of this. There aren’t easy answers. There really aren’t, no matter how tempting some of the ideas might be. I wish there were.

Surveillance: thinking outside the box

One of the more common responses to criticism of the Investigatory Powers Bill – and indeed pretty much any extensive surveillance plan or law – is something along the lines of ‘but if it solves a single terrorist plot we should do it.’ The implication is that those of us who criticise the plans are somehow being ‘soft’ on terrorism, or even on the side of the terrorists. Or, more usually, that we’re indulging our own personal, individual and selfish ideas of privacy at the cost of critical security. I’ve written about some aspects of this many times before – about how privacy isn’t an individual right but one that underpins community rights such as freedom of assembly and association, how it’s critical for freedom of speech, and so forth – but there is another crucial side to this. Neither I nor any of those I know who advocate for privacy and more controls over surveillance are suggesting that we do nothing about crime or terrorism. Very much the opposite. When the debate is heard in the media it often seems as though privacy advocates are just blocking the security and intelligence services, and the police, from doing what is needed. That we’re suggesting that the risk of deaths through terrorist atrocities matters less than our abstract, theoretical and ultimately irrelevant ‘rights’. We’re not. What we are asking for is exactly that ‘mature debate’ that Andrew Parker of MI5 has asked for over surveillance.

Targeted surveillance?

There may be some who are calling for no surveillance at all, but very few. Most are calling for targeted rather than mass surveillance – and not just because they believe this would be more proportionate but because it might even be more effective. If you’re already looking for a needle in a haystack, why start by making that haystack as big as it can possibly be? Privacy advocates aren’t looking for there to be *no* strategy to locate and counter terrorist plots. For anyone to say ‘but we foiled this plot this way’ is to fail to see that the comparison needed isn’t between the (mass surveillance) policy being pursued and nothing, but between the policy pursued and some alternative policy that might even be more effective. We’re not saying ‘stop mass surveillance and do nothing’ but ‘stop mass surveillance and develop an alternative strategy’.

Scarce resources

This argument extends to resources too – particularly in today’s economic climate. One of the many questions that needs to be asked is whether the immense amounts of money, time, people and resources allocated to the current and planned surveillance programmes might be more effectively allocated elsewhere. The Charlie Hebdo killers, for example, had been under direct, targeted, physical surveillance by the French authorities some time before the shooting, but that surveillance had reportedly been dropped because of a lack of resources. How many additional, ‘traditional’ counter-terrorism officers could be employed for the amount being spent on surveillance programmes? Has the question been asked?

There are other questions to ask too. The full consequences of the current and planned proposals need to be considered. Things like the plans on encryption – insofar as it is clear what those plans actually are – can have many potentially dangerous results, from creating vulnerabilities to encouraging the development and use of more tools to sidestep or avoid the authorities. The forced retention of ‘Internet Connection Records’ (about which I have written before), for example, may encourage the broader use of systems like Tor, by both those who the authorities would like to be able to watch and by those they would not. Tighten the grip and more may slip through the fingers. Has there been any kind of assessment of this?

A new law?

It’s not true that many of those opposed to surveillance are opposed to having a new law – again, quite the opposite. David Anderson QC was quite right when he characterised the current state of affairs as ‘undemocratic, unnecessary and – in the long run – intolerable’.  A new law is crucial – but it needs to be as good as it can be, and for that to happen the debate has to be on the right terms. Straw men – and the essence of the ‘all or nothing’ and ‘my way or the highway’ arguments that are so commonly made is that they are straw men – should be exposed for what they are, if we are to have the debate that we need.

The problem with our debate – well, one of the problems with it – is that it’s couched in such simple, black-and-white, emotive and immature terms. On the one side, people are accused of being Orwellian oppressors, on the other side of being naïve do-gooders who can’t handle the truth and will have blood on their hands. Neither characterisation, it seems to me, is either particularly true or particularly helpful. We need to get beyond them if the debate is to be meaningful. The questions above – whether there are alternative approaches being explored or considered, whether the current plans are an appropriate and effective use of resources – would be a key part of a properly mature debate. Indeed, I hope they will become so as the debate on the Investigatory Powers Bill continues over the next few months. Alternatives must be discussed and explored – and I hope they will be.

A few words on ‘Internet Connection Records’

There are many things in the new draft Investigatory Powers Bill that need very careful attention – some of which may be cautiously welcomed, some of which need to be taken with a distinct pinch of salt. The issues surrounding ‘Bulk Powers’ (which we’re not supposed to call ‘mass surveillance’) and ‘Equipment Interference’ (which I presume we’re not supposed to call hacking) will be examined in great detail, and quite rightly so because they’re of critical importance, and clearly recognised as such. The issue of ‘Internet Connection Records’, on the other hand, does not yet seem to have been given the attention it deserves – but I am sure that will change, because the collection of them has massive significance and represents a major change in surveillance, for all that they are described in the introduction to the bill as just ‘restoring capabilities that have been lost as a result of changes in the way people communicate’. They don’t restore capabilities: they provide hitherto unprecedented intrusion into people’s lives.

Internet Connection Records (ICRs)

The description of ICRs in the bill leaves quite a lot to be desired. In the introductory explanation they are set out as:

[Image: screenshot of the description of ICRs from the bill’s introductory explanation]

In accordance with the bill, these ICRs will be captured and stored for a year by the communications providers. This means, essentially, that a rolling record of a year of everyone’s browsing history will be stored. Not, it seems, beyond the top level of website (so that you’ve visited ‘’ but not each individual page within that website, nor what you have ‘done’ on that website). The significance of this data is very much underplayed, suggesting it is just a way of checking that so-and-so accessed Facebook at a particular time, in a similar way to saying ‘so-and-so called the following number’ on the phone, and thus the supposed ‘restoring of capabilities’ referred to. That, however, both misunderstands the significance of the data and of the way that we use the technology.

The latter part is perhaps the most easily missed. Our ‘online life’ isn’t just about what is traditionally called ‘communications’, and isn’t the equivalent of what we used to do with our old, landline phones. For most people, it is almost impossible to find an aspect of their life that does not have an online element. We don’t just talk to our friends online, or just do our professional work online, we do almost everything online. We bank online. We shop online. We research online. We find relationships online. We listen to music and watch TV and movies online. We plan our holidays online. Monitoring the websites we visit isn’t like having an itemised telephone bill (an analogy that more than one person used yesterday) – it’s like following a person around as they visit the shops (both window shopping and the real thing), go to the pub, go to the cinema, turn on their radio, go to the park, visit the travel agent, look at books in the library and so forth.

That, however, is only part of the problem. The other aspect is perhaps even more important – the inferences that can be gleaned from analysis of the ICRs. There are two different sides to this:

  1. The first is the ‘logical’ analysis of web browsing data: the kind of inferences that can be made by looking at the kinds of sites visited, the times that they are visited and so forth. This can be very direct, like using knowledge that a person visited sites connected with a particular religion to ‘guess’ their own religion, or that they visited sites connected with a particular health condition to ‘guess’ that they might be concerned about their own health. It can also be less direct but similarly logical – men who spend a lot of time watching Top Gear might be thought to have sympathy for Jeremy Clarkson’s views on ‘political correctness’ or be skeptical about climate change, or people who visit a lot of ‘news’ websites might be particularly interested in politics. People who visit pizza delivery websites regularly might be ‘guessed’ to have unhealthy lifestyles. The number of possibilities is huge – and not just relating to the actual sites visited, but the time and pattern of those visits. Browse a great deal in the middle of the night, and that says something very different to browsing only during working hours.
  2. The second is perhaps even more concerning: the ‘big data’ analysis of ICRs. One of the critical aspects of ‘big data’ is that it picks up traits and establishes correlations rather than seeking to find logical connections for things. This has been studied by academics, with some surprising findings – the story from one such study that ‘liking’ (in Facebook terms) curly fries correlates to higher intelligence makes the point. This kind of data – and it really is ‘big data’ – allows far more inferences to be drawn than are immediately obvious. Moreover, it is a kind of analysis that is being worked on, and worked on extensively, by some of the biggest, most powerful and most technologically advanced corporations in the world. What Google, Facebook and others develop in order to identify target audiences for advertising or markets for products is just as suitable for identifying people with particular political views.

The problems with these inferences should not be underestimated. If they’re accurate, they represent major intrusions into people’s privacy – sometimes they allow the analysts to predict behaviour better than the people themselves can predict it – whilst if they’re inaccurate they can mean that terrible decisions are made about people. When this is confined to advertising the impact is rarely that significant (though it can be, as the non-apocryphal stories of revealed pregnancies and sexuality have shown) but if decisions are made on a similar basis by law enforcement or security services they could be hideous.

So we should not underplay the importance of Internet Connection Records. They matter a great deal – and gathering them is a major step in surveillance. What is more, asking communications service providers to gather and hold them adds a whole raft of new vulnerabilities. The Talk Talk hack – and Talk Talk are precisely the kind of company who would be forced to hold this kind of data – should make the vulnerability to hacking crystal clear. This kind of data is perfect for identity theft, scamming, blackmail (Ashley Madison style) and far more crimes, and the servers holding it might as well have big red signs on them saying ‘hack me please’. The chance of individual misuse of the information should also not be downplayed – in the initial draft of the Bill it looks as though access to the data will not be via warrant, but through the ‘Designated Person’. The past has shown how individuals can misuse systems for personal reasons – this kind of data can be very tempting.

The chance of ‘function creep’ is perhaps even more concerning. Where systems are built and data gathered for one purpose, it is hard to resist using it for another, seemingly obvious and sensible reason. That’s how RIPA ended up being used for dog fouling, fly-tipping and school catchment enforcement when it was intended for terrorism and serious crime. If you build it, it will be used, and not just for the original purpose.

None of this is to say that Internet Connection Records should definitively not be collected – but that the ‘mature debate’ that has been called for on surveillance should be about what they can really be used for, and the depth of the intrusion into people’s lives that they really represent. The bar should be set very high here, and the case to gather and hold this information needs to be a very good one indeed. The arguments put forward so far do not seem strong enough to me – perhaps more will be provided in the process through which the bill is scrutinised over the next few months. If not, this is a part of the bill that should be opposed very strongly.

MPs, privacy and the Wilson Doctrine

A ruling of the Investigatory Powers Tribunal in the case brought by MP Caroline Lucas, peer Baroness Jones of Moulsecoomb and former MP George Galloway, has effectively confirmed the death of the Wilson Doctrine, which was thought to protect the communications of MPs and members of the House of Lords. Indeed, to a great extent it confirmed that this doctrine had always been a bit of a fiction, despite being confirmed at various stages by Margaret Thatcher, Tony Blair, Gordon Brown and Theresa May – the latter as recently as July this year. ‘Obviously,’ Theresa May told the House of Commons in the all-too-short debate that made up the shabby process that pushed the Data Retention and Investigatory Powers Act through Parliament in double quick time, ‘the Wilson Doctrine applies to parliamentarians’. And yet, in practice, it doesn’t and it didn’t.

What does apply, as the Investigatory Powers Tribunal details, is a set of codes of practice and guidelines that are intended to govern the interception of communications in general, and which have some specific mentions of Members of Parliament. That these codes of practice have only come into the public eye recently – and in part because of legal actions taken by NGOs Liberty and Privacy International – and that they have unclear (and probably non-existent) legal enforceability, and some exist only in draft form just adds to the lack of clarity in the area. There can (and will) be many technical discussions about the ruling and its precise implications, but I do not propose to go into them here. Instead, I want to look at the bigger questions. The only overall conclusion that can be drawn from the ruling is that the Wilson Doctrine is effectively dead. The biggest question is whether that matters in any real way.

Do MPs deserve special protection?

It would be fair to say that MPs do not have a great reputation these days, if they ever have. They’re rarely considered honest or trustworthy, suspected of feathering their own nests through the expenses system, of being in the hands of lobbyists and largely only in it for themselves. There is a tendency to think that rather than their deserving more privacy than ‘ordinary’ people, they deserve less – they should be more open to our scrutiny than they are, more exposed to the public, given that they are supposed to be serving the public.

There is certainly an element of truth in that – and things like the exposé of Malcolm Rifkind and Jack Straw’s lobbying activities seemed to receive a good deal of public support, even if the Commons Standards Committee ultimately exonerated them. And yet MPs’ communications do matter, and there are some very good reasons to give them special protection. The principal point isn’t to protect the MPs themselves, but the people who are communicating with them. When people contact their MPs, they are often in a vulnerable position. They might be whistle-blowers, they might feel themselves in danger – what they are very likely to be doing is seeking help, and have nowhere else to turn. One of the key points about the Wilson Doctrine is not – or should not be – to protect MPs’ shady dealings with lobbyists or worse, but to protect the individual, vulnerable people who wish to communicate with them.

It’s easy not to feel sympathy for MPs. Indeed, it’s easy to feel anger, frustration or worse towards them – but they do play a critical role, and they are supposed to represent us. In that role, they need special protection, just as lawyers need special protection when communicating with their clients, and journalists with their sources. The point isn’t to protect the lawyers or journalists, but their clients and sources respectively.

Modern surveillance

One of the arguments that underpins the IPT’s ruling is that modern surveillance is different from that which existed in Wilson’s days – and that the oversight of that surveillance and the rules that govern it are better than what existed in Wilson’s days. The current system, according to this logic, the one based around the somewhat notorious RIPA, provides more oversight, more accountability and more transparency than has been seen before. As expressed in the ruling (para 34):

“MPs’ communications with their constituents and others are protected, like those of every other person, by the statutory regime established by Part 1 of RIPA 2000. The critical control is the requirement for a Secretary of State’s warrant, which can only be issued if the requirements of Section 5 are satisfied. That regime is sufficient to protect such communications and nothing further is required by the ECHR.”

It is a system that as the IPT points out has been found to be generally satisfactory by the European Court of Human Rights – though they do not note that the case in which this was found, Kennedy, was in 2011. This, critically, was before the revelations of Edward Snowden that ultimately suggested that our surveillance system is very, very different from what we (and presumably the ECtHR) thought it was.

Indeed, this latter point is really the key. Yes, since Wilson was PM we have a more detailed and rigorous legal regime surrounding interception of communications – but we also have a vastly different degree of interception going on. The number of ways that this interception goes on is enormous, and the arguments concerning it have not been resolved in any satisfactory way. Does interception ‘happen’ when data is gathered, or when it is accessed? Does gathering of meta-data constitute interception? Does algorithmic analysis of such data matter, or should we only be concerned when human intervention occurs? All these questions and many more are still very much under debate – to assume that the situation is clear and simple is to fundamentally misunderstand the current state of affairs. Even in the last few weeks, with the monumental invalidation of the Safe Harbor agreement, the US and the CJEU have disagreed fundamentally about what constitutes ‘indiscriminate surveillance’.

Further, the legal regime for surveillance, as review after review in the last year has pointed out, has not kept up with the nature of the surveillance, and the oversight has been revealed to be far, far less effective than it might be. The Intelligence and Security Committee has demonstrated itself to be little more than a rubber stamp body, engaging in little more than political theatre at times. Do we have effective oversight? The jury, I would say, is very much out on this: the clearly recognised need for reform of the laws governing surveillance puts it in severe doubt. The admission of the effective non-existence of the Wilson Doctrine makes this even clearer.

The need for reform

That puts yet another little bit of pressure on the need to reform. The forthcoming Investigatory Powers Bill is due to be published very shortly – will it have anything about the Wilson Doctrine in it? A parliamentary debate has been scheduled for Monday, specifically about the Wilson Doctrine, and I would hope that the question of whether to have anything specific about the Wilson Doctrine within the new bill, or within codes or regulations referred to in the bill, would be one of the issues discussed. Personally, I think our political representatives do need special protection, as do lawyers and journalists, but I think we all need more protection than we currently receive. I would also hope that the minds of MPs are focussed by a debate that actually impinges on their own activities, and that they can learn from this why all of us need and deserve privacy.

In praise of U-turns…

There have been two big political U-turns today – even if one of them seems not to be regularly described as a U-turn – and both are good news.

The first is from the Labour Party, who have decided to oppose George Osborne’s so-called ‘Fiscal Charter’ after all, to much distress and derision in much of the media. The second is from the Conservative Party, in their role as the ruling party, who have decided to withdraw from their contract to supply a training programme for Saudi prisons. Despite being described somewhat differently in the media, the two have some striking similarities.

Both are direct changes of heart. Both involve some distress within the parties concerned. The Parliamentary Labour Party meeting at which the new Shadow Chancellor announced his decision was described as ‘a total fucking shambles’, whilst Defence Secretary Philip Hammond is reported to have accused Michael Gove of naïveté in cancelling the Saudi contract, and raised the issue in the National Security Council.

And yet both ‘U-turns’ are good news. In both cases a previous mistake has been corrected, and a better policy decision has been reached. That’s the thing: U-turns are good ideas when a bad decision has been made. And in politics, many bad decisions are made – so very often the dreaded ‘U-turn’ is actually a good idea. Sometimes it’s needed because more information has come to light. Sometimes it’s because circumstances have changed. Sometimes it’s because a new option has emerged. And sometimes, as in both of these cases, it’s because the original decision was a very bad one. In Labour’s case, John McDonnell may well simply not have understood the nature of Osborne’s trap – Labour has a long history of falling into the traps set for it, sadly, partly through the kind of naïveté that Philip Hammond apparently accused Michael Gove of, and partly because the Tories have been very good at setting traps from which there is no obvious escape. Here, though, John McDonnell had a way out, and, eventually, clumsily and shambolically, he took it. Some have said his change of heart came after talking to the people about to lose their jobs in Redcar, but in the end it doesn’t matter. What matters is that he has changed his mind, and been strong enough to do the necessary U-turn.

Gove’s U-turn is equally admirable – and I say that as someone who has been far from a fan of Gove (!) over the last few years. In his case, the change of mind may have been prompted by the public outcry, the balance tipped by Jeremy Corbyn, or some other reason – or it may just have been that he is more of a decent, principled man than his predecessor Chris Grayling or his cabinet colleague Philip Hammond. Again, in the end, it does not matter – what matters is that Gove, too, has been brave and strong enough to do the necessary U-turn.

And that is the point. It takes guts to do a U-turn: the easy option is to be stubborn, to be seen to be ‘strong’ and ‘consistent’. It takes more strength to dare to change. Now neither McDonnell nor Gove have gone quite that far – neither of them is admitting that this really is a U-turn, that the previous policy – their previous policy – was wrong. It would be great if they could, but the media attitude to U-turns is so poisonous that admitting them is too difficult. If only that were not the case, we might have far better government. If politicians could admit to mistakes, admit that their old policies need changing, we would all be better off. I can’t see it happening – but on those rare occasions when the good U-turns happen, we should applaud them and those who make them. So here’s to John McDonnell and Michael Gove. Thanks for the U-turns!

Dear Tristram Hunt

Dear Tristram Hunt

I was very interested to read about your speech at the University of Sheffield last night – sorry not to have been able to attend, but having read various reports, including some tweeted by your good self, I wonder if you have really understood some of the issues you’re discussing. I mean, there is a great deal that I agree with in what you say, but there is one particular issue that you have highlighted that I suspect needs more careful analysis: the role of social media, and of Twitter in particular.

You are quoted as saying that the Labour Party pays too much attention to the ‘narrow online world of Twitter’, and that ‘What the algorithms which underpin our digital lives do is take information about us and fire similar information back at us.’ There is a good deal of truth in that – indeed, academics and other experts have been discussing the issue for some time. Professor Cass Sunstein, in his seminal work ‘Republic 2.0’, raised the issue of political polarisation within online communities in 2002. Eli Pariser’s ‘The Filter Bubble’ in 2012 addressed the effect of Google algorithms on what we see and don’t see on the net, while my own Internet Privacy Rights in 2014 discusses what I call ‘Back-door Balkanisation’, through which communities are automatically polarised by the combination of Google algorithms, invasions of privacy and the desires of commercial enterprises. It is a known effect, albeit one known within fairly narrow communities. It is not, however, so simple as ‘algorithms firing back similar information at us’: it is more complex than that, and I’d recommend some serious study in the area.

Most importantly, it is not something to be afraid of, but something to be understood and to be harnessed. It is something powerful and important – and something modern that you, as a self-proclaimed ‘moderniser’ should embrace. It is a feature of online communities that isn’t going away, either, no matter how many speeches are made against it, or how many articles are written about it in the Spectator or the New Statesman.

You see, there are two fundamental problems with dismissing the ‘narrow online world’: firstly that it consists of real people, and secondly that those people are likely to be exactly the politically engaged people who are crucial in getting a political party moving, particularly a party like the Labour Party, who doesn’t have the mainstream media on its side and doesn’t have massive donations from vested interests. Labour needs its activists, and those activists are more likely than most to use the social media. The clue is in the social. Dismissing the social media means dismissing the very people that you need on your side.

The fact that  you and the other ‘modernisers’ dismiss the online world is sadly characteristic of their problems in the Labour leadership contest: a misreading of the nature of the contest. Many ‘modernisers’ seemed to think they were fighting a general election, trying to win the middle ground, to persuade the readers of the Daily Mail that their candidates were the best – when the contest was actually with Labour members and activists. Those members and activists were far from persuaded by the appeals to the Daily Mail. They were actively put off by the appearance of Tony Blair, the interventions of John McTernan (calling the nominators of Corbyn morons, for example) and by the suggestions that anyone voting for Corbyn was stupid. In your speech, Tristram, you suggest that Labour is losing touch with the voters – why did you not apply that logic to the leadership contest? It was the self-styled ‘modernisers’ and ‘moderates’ who had lost touch with the voters in the leadership contest – and seemed to have forgotten who those voters actually were.

And that brings me back to the online world, in its narrow, polarised, echo-chamber form. As I noted at the start, it is true that this effect can and does happen. However, it happens only when there are voices to echo, and when those echoes resonate. That is what happened with Corbyn and his enormous victory both in the social media and in the leadership contest. His words and views resonated within the relevant community, and gained power as a result.

The lesson to learn is not that this is irrelevant and should be avoided – but, as I said earlier, that it should be understood and harnessed. In some situations – and a leadership election is one of them – it is critical, and if the ‘modernisers’ had been modern enough to understand the online world they might have done a lot better in that contest. The online world can have great power and effect in some situations. It works really well for some forms of activism – and the ‘echo-chamber’ effect is actually one of the reasons for that.

That doesn’t mean, of course, that it is the only tool, or that this lesson means we should spend all our time and effort in online campaigning. The ‘Twitter bubble’ is a bubble, just as the ‘Westminster bubble’ is a bubble, and the ‘media bubble’ is a bubble. Social media has its place, just as focus groups have their place, and working with the mainstream media has its place. They have strengths and weaknesses, and different uses at different times. Each should be used with huge pinches of salt, but should be used. Labour, and you and your fellow ‘modernisers’ need to understand that. Don’t dismiss the online world. If you are truly a ‘moderniser’ you should embrace it, understand it, and engage with it. Don’t treat Twitter as somewhere for you to broadcast your views, but as the interactive and responsive medium that it can be at its best. Then you might harness its power rather than fear it.

Kind regards

Paul Bernal

P.S. There are a great many people on Twitter and elsewhere who have the best interests of the Labour Party very much at heart, and who would be not only willing but able to help you and others with better engagement and understanding of the often unruly and sometimes intimidating online world. I am one – and having recently rejoined Labour I would be very happy to do my bit.

The Surveillance Elephant in the Room…


Yesterday’s decision in the Court of Justice of the European Union (CJEU) in what has been dubbed the ‘Europe vs Facebook’ case was, as the Open Rights Group puts it, a ‘landmark victory for privacy rights’. Much has already been written about it. I do not propose to cover the same territory in any depth – the Open Rights Group blog post linked to above gives much of the background – but instead to examine the response of the European Commission, and the elephant in the Commission’s room: surveillance.

The judgment was published yesterday morning, and its essence was very simple. The ‘safe harbor’ agreement, which effectively allows personal data to be transferred from the EU to the US by some 4,000 or so companies, was declared invalid, because though under the agreement the relevant US companies promise to provide protection for that data in many ways – security, promising not to repurpose it, misuse it, hold it longer than necessary and so forth, essentially along the lines of European Data Protection law – there was one thing that it could not provide protection from: surveillance by the US authorities.

As the CJEU put it (paragraph 94 of the ruling):

“…legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life…”

This is where the European Commission comes in. It was the Commission that made the ‘safe harbor’ decision, setting up the safe harbor system, which should, in accordance with data protection law, have ensured that data was adequately protected in the US. The Commission did not ensure that – and did not even state that it did – primarily because the state of US surveillance law (and, as far as we know, US surveillance practice) could not allow it. US surveillance law means that ‘national security, public interest, or law enforcement requirements’ override privacy and other rights where non-US citizens are concerned, and EU citizens have no form of protection against this, or legal remedies available.

The Elephant in the Room

This, it must be clear, is a fundamental issue. If the US can do this, without control or redress, then whatever systems are in place, whatever systems are brought in to replace the now invalidated ‘Safe Harbor’, will similarly breach fundamental privacy rights. No new ‘safe harbor’, no individual arrangements for particular companies, no other sidestepping plans would seem to be possible. Unless US surveillance law – and US surveillance practice – is changed, no safe harbor would seem to be possible.

The Commission, however, does not seem willing – or perhaps ready – to confront this issue. Their brief statement in response to the ruling, published yesterday afternoon, does not mention surveillance even once. That in itself is quite remarkable. The closest it gets to accepting what is, in fact, the essence of the ruling, is a tangential reference to ‘the Snowden revelations in 2013’ without mentioning anything about what those revelations related to. There is no mention of US surveillance law, of the NSA, of national security or of anything else relating to it. The surveillance elephant in the room looms over everything but the Commission seems to be pretending that it does not even exist.

The US authorities, however, are quite aware of the elephant – in a somewhat panicky press release last week, between the opinion of the Attorney General that presaged the CJEU ruling, the ‘US Mission to the European Union’ said that the ‘United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens’. They do not, however, seem to have convinced the CJEU of this. Far from it.

Heads in the sand

In a way it should not be a surprise that the Commission seems to have their heads in the sand about this issue. It is not at all easy to see a way out of this. Will the US stop or change its surveillance practices and law? It is hard to imagine that they would, particularly in response to a ruling in a European court. Can they provide convincing evidence that they are not engaging in mass, indiscriminate surveillance? Again it seems unlikely, primarily because the evidence increasingly points precisely the opposite way.

There are big questions about what actually constitutes ‘surveillance’ – does surveillance occur when data is ‘collected’, when it is accessed automatically or analysed algorithmically, or when human eyes are involved? The US (and UK) authorities suggest the latter, but the European Courts (both the CJEU and the European Court of Human Rights) have found that privacy rights are engaged when data is gathered or held – and rightly so, in the view of most privacy scholars. There are many reasons for this. There is a chilling effect of the existence of the surveillance apparatus itself and the ‘panopticon’ issue: we alter our behaviour when we believe we might be being watched, not just when we are watched. There is the question of data vulnerability – if data has been gathered, then it might be hacked, lost or leaked even before it is analysed. The very existence of the Snowden leaks makes it clear that even the NSA isn’t able to guarantee its data security. Fundamentally, where data exists, it is vulnerable. There are other arguments – the strength of algorithmic analysis, for example, may well mean that there is more effective intrusion without human involvement in the process, the importance of meta-data and so forth – but they all point in the same direction. Data gathering, despite what the US and UK authorities might wish to say, does interfere with our privacy. That means, in the end, that fundamental rights are engaged.

What happens next?

That is the big question. The invalidation of safe harbor has huge repercussions and there will be some manic lobbying taking place behind the scenes. The Commission will have to consider the surveillance elephant in the room soon. It isn’t going away on its own.

And behind that elephant there are other elephants: if US surveillance and surveillance law is a problem, then what about UK surveillance? Is GCHQ any less intrusive than the NSA? It does not seem so – and this puts even more pressure on the current reviews of UK surveillance law taking place. If, as many predict, the forthcoming Investigatory Powers Bill will be even more intrusive and extensive than current UK surveillance laws this will put the UK in a position that could rapidly become untenable. If the UK decides to leave the EU, will that mean that the UK is not considered a safe place for European data? Right now that seems the only logical conclusion – but the ramifications for UK businesses could be huge.

More huge elephants are also looming – the various world-wide trade agreements currently being semi-secretly negotiated, from the TPP (Trans-Pacific Partnership – between the various Pacific Rim countries including the US, Australia, NZ, Japan) to the TISA (the Trade In Services Agreement), TTIP (Transatlantic Trade and Investment Partnership – between the EU and the US) and CETA (Comprehensive Economic and Trade Agreement – between Canada and the EU) seem to involve data flows (and freedom from government interference with those data flows) that would seem to fly directly in the face of the CJEU ruling. If data needs to be safe from surveillance, it cannot be allowed to flow freely into places where surveillance is too indiscriminate and uncontrolled. That means the US. These agreements would also seem likely to allow (or even require) various forms of surveillance to let copyright holders ensure their rights are upheld – and if surveillance for national security and public safety is an infringement of fundamental rights, so would surveillance to enforce copyright.

What happens next, therefore, is hard to foresee. What cannot be done, however, is to ignore the elephant in the room. The issue of surveillance has to be taken on. The conflict between that surveillance and fundamental human rights is not a merely semantic one, or one for lawyers and academics, it’s a real one. In the words of historian and philosopher Quentin Skinner “the current situation seems to me untenable in a democratic society.” The conflict over Safe Harbor is in many ways just a symptom of that far bigger problem. The biggest elephant of all.