Tuesday, October 06, 2015

CJEU Schrems, The Irish Data Protection Commissioner and Facebook

The Court of Justice of the European Union has today declared the EU-US Safe Harbour agreement, which  facilitates the transfer of personal data from the EU to the US, invalid.

The Court opens by highlighting the provisions of the 1995 Data Protection Directive
Object of the Directive
1. In accordance with this directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.
Article 25 of the directive lays down the principles under which it may be permitted to transfer personal data to countries outside the EU, "a third country" (or countries), primarily that the 3rd country offer "an adequate level" of data protection. The European Commission has the power to declare 3rd countries compliant with EU standards but are obliged to engage in due diligence in accordance with procedures outlined in article 31 of the directive, to ensure the requisite checks and balances are in place.

Under article 26, EU member states can sanction personal data transfers to third countries not yet in possession of the Commission's seal of approval under a specific set of circumstances e.g. if the person whose data is to be transferred agrees to it.

From an initial scan of the decision, it seems that the Safe Harbour agreement of 2000, declaring the US a safe 3rd country for EU personal data transfers, has been declared invalid by the Court because the EU were not careful enough in checking out the US; and because untrammeled US mass surveillance practices would appear to make it an unsafe third country.

From paragraph 5, the Court outlines the Commission's Safe Harbour Decision 2000/520 (including principles and US organisations' self certification and dispute resolution processes) declaring the US a safe third country for personal data transfers. The agreement allowed for US law to override Safe Harbour obligations. So if US law explicitly imposes an obligation on US organisations to process or transfer data in ways that would breach the Safe Harbour principles it is ok for them to do so. The idea being to give US companies an exit when caught between complying with conflicting legal obligations.

At the time, privacy advocates were unhappy with the Safe Harbour decision, accusing EU negotiators of folding in the face of US demands. Several reviews of the agreement, including this one by a group of internationally renowned scholars, in the summer of 2007, have noted that the Safe Harbour scheme does not meet the requirements of the 1995 data protection directive or EU privacy standards. Documentary evidence, released to journalists by NSA whistleblower Edward Snowden in 2013, on the mass surveillance practices of the US and UK governments, have given weight to those conclusions.

The CJEU get to the Snowden revelations and the EU's response to these in paragraph 11 to 25 of the Schrems decision. In a kind of an 'ooops, oh dear, those nice US Safe Harbour compliant companies are doing things they shouldn't be with EU data; but let's not upset them because it's the government's fault' realisation, the Commission issued Communication COM(2013) 846 final and Communication COM(2013) 847 final; noting US mass surveillance (though they didn't call it that) "raises serious questions".

As our US cousins might say, you're darn tootin' it raises serious questions.

Paragraph's 26 to 36 deal with the Schems complaint about Facebook to the Irish Data Protection Commissioner and the Irish High Court.

Schrems asserted that Facebook's data transfers to the US undermined his fundamental rights to privacy and the protection of his personal data, guaranteed by articles 7 and 8 the Charter of Fundamental Rights of the European Union.

The Irish Data Protection Commissioner said not my job guv, get lost but even if it was, there was no specific evidence that the NSA had been playing with Mr Schrems's data.

Judge Hogan in the Irish High Court took a different view. Whilst accepting that electronic surveillance and interception "serve necessary and indispensable objectives in the public interest... the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies." [para 30 Schrems] Judge Hogan also noted that EU citizens have no effective right to be heard in relation to the "indiscriminate surveillance and interception" carried out on them on a large scale by US federal agencies like the FBI and NSA. Protections for privacy, fundamental rights and freedoms guaranteed by the Irish Constitution were essentially being undermined by indiscriminate and disproportionate mass surveillance by US authorities. On the basis of Irish law alone, the Irish Data Protection Commissioner was wrong to reject Mr Schrems complaint.

Judge Hogan's view, that then brings the Commission's Safe Harbour decision of 2000 into play. Does that decision, certifying the US as a safe place for EU personal data, bind member states, obliging them to accept that certification; or can a data protection authority of a Member State, independently examine the claim of a person concerning a breach of their rights by a third country, when the law and practices in the third country do not ensure an adequate level of protection? Additionally, given what we know from Snowden, Judge Hogan believes the Safe Harbour decision itself to be invalid - as the fundamental right to privacy would be rendered meaningless if "State authorities were authorised to access electronic communications on a casual and generalised basis without any objective justification based on considerations of national security or the prevention of crime that are specific to the individual concerned and without those practices being accompanied by appropriate and verifiable safeguards."

The Court's deliberations play out in paragraphs 37 to 107.

The fundamental rights to privacy and data protection have been affirmed and re-affirmed in the Court time and again (Österreichischer Rundfunk and Others, Google Spain and Google, Ryneš, Rijkeboer, Digital Rights Ireland and Others). The independence of national supervisory authorities is an important element in protecting those rights in practice. They are obliged, however, to balance those rights with the interests of those requiring free movement of data and have no power relating to the processing of data, once it is transferred to another country. They do have an obligation, under articles 25, 26 and 28 of the 1995 directive, to monitor the transfer of data to a third country and ensure it complies with EU standards. Transfers may only be effected where the country the data is being sent to offers an "adequate level of protection".

Member states or the Commission may assess and determine whether protections offered by a third country are adequate. When the Commission makes a decision that a third country provides adequate protections it is binding on member states, until it is declared invalid by the CJEU. But that Commission decision cannot prevent EU citizens from pursuing a claim through the national supervisory authorities and, if necessary, national courts, if they have reason to be concerned that their fundamental rights are being undermined by the transfer to and processing of their personal data in a third country. If the national courts consider the complaint well founded, as did Judge Hogan in the Schrems case, they must refer it to the CJEU.

Bottom line - even if the Commission white-lists a country like the US, it does not prevent national data protection authorities investigating and national courts hearing an individual's complaint. And if an individual, like Mr Schrems, has a legitimate complaint, then it may be referred to the CJEU and the Commission's decision approving the US as a privacy respecting jurisdiction, may itself be reviewed [exclusively] by the Court of Justice.
"66 Having regard to the foregoing considerations, the answer to the questions referred is that Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection."
Paragraphs 67 to 106 review the validity of the Commission's Safe Harbour decision and constitute another CJEU warning over US and UK mass surveillance practices and the tepid European Commission response to these, following in the tradition of the Google Spain and Digital Rights Ireland cases from 2014.

Short version: the Commission failed totally, in its obligation to ensure that the laws and international obligations of the US actively respected the privacy rights of EU citizens, when approving the US as a trusted data protection nation, in their Safe Harbour decision of 2000. US organisations were permitted approval under a Safe Harbour self certification scheme which had no effective US public authority or legislative oversight (the US Federal Trade Commission's oversight being restricted to commercial disputes relating to unfair or deceptive practices in or affecting commerce and not the legality of interference with fundamental rights) and no remedies for individuals concerned about the potential abuse or misuse of their personal data. Not only did it fail, the Commission didn't even bother to check but eventually did get round to admitting, once the Snowden revelations emerged, that there might be "serious questions" over the Safe Harbour agreement.

Additionally the Commission, in the Safe Harbour decision, exceeded its authority in attempting to nullify national data protection authorities' powers to enable individuals to raise concerns about the processing of data in Commission approved third countries like the US.
86 ... Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them. ...
88 In addition, Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security.
89 Nor does Decision 2000/520 refer to the existence of effective legal protection against interference of that kind...
92 Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52 and the case-law cited).
93 Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail ...
94 In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39).
95 Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter...
96 As has been found in particular in paragraphs 71, 73 and 74 of the present judgment, in order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, a level that is apparent in particular from the preceding paragraphs of the present judgment.
97 However, the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. 98 Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid... 
99      ... national supervisory authorities must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in regard to the processing of personal data relating to him. That is in particular the case where, in bringing such a claim, that person raises questions regarding the compatibility of a Commission decision adopted pursuant to Article 25(6) of that directive with the protection of the privacy and of the fundamental rights and freedoms of individuals...  
102 The first subparagraph of Article 3(1) of Decision 2000/520 must ... be understood as denying the national supervisory authorities the powers which they derive from Article 28 of Directive 95/46, where a person, in bringing a claim under that provision, puts forward matters that may call into question whether a Commission decision that has found, on the basis of Article 25(6) of the directive, that a third country ensures an adequate level of protection is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
103 The implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 does not confer upon it competence to restrict the national supervisory authorities’ powers referred to in the previous paragraph of the present judgment.
104 That being so, it must be held that, in adopting Article 3 of Decision 2000/520, the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the Charter, and that Article 3 of the decision is therefore invalid.
105 As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety. 106 Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid."
The Court concludes that the Safe Harbour Decision 2000/520 is invalid.

I would just repeat paragraph 93 for emphasis: "Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail"

So, in summary, national data protection authorities and national courts can review claims of abuse of personal data by third countries and the Safe Harbour EU-US agreement, Decision 2000/520 is invalid.
"On those grounds, the Court (Grand Chamber) hereby rules: 1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
2. Decision 2000/520 is invalid."

Update: Peter Swire who was one of the US expert negotiators when the Safe Harbour provisions were agreed, yesterday criticised CJEU AG's opinion in the case, as suffering from particular inaccuracies concerning the law and practice of U.S. foreign intelligence law, notably the PRISM program. He particularly emphasises changes to US law since the original Snowden revelations notes with approval the PRISM program is governed by Section 702 of the law enacted in 2008 to amend the Foreign Intelligence Surveillance Act. I suspect, given s702's 'guilty of being a foreigner' provisions Caspar Bowden would have had a few words to say on the subject.

The full court don't get into the intricacies of PRISM but it does hint strongly that Kafkaesque mass surveillance, without remedy available to those affected, undermines the rule of law.

Update 2: Daniel Solove does a really accessible analysis of the Court's decision and its possible implications. I suspect he over-estimates the likely impact of the coming revisions to EU data protection laws, given the giant privacy avoidance loopholes built into the draft general data protection regulations. But it is still essential reading.

Update 3: I also highly recommend Andres Guadamuz's analysis of the case.

Update 4: Some typos plus one error relating to FTC corrected. There follow links to EU Commission/Parliament reviews of Safe Harbour in 2002, 2004 and the post Snowden reviews of 2013 COM(2013) 846 final Rebuilding Trust in EU-US Data Flows and COM(2013) 847 final on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU

Friday, September 25, 2015

John Oliver, Privacy International & Ryan Gallagher on mass surveillance

In the light of The Intercept's latest story on the Snowden documents, could I recommend revisiting John Oliver on government surveillance plus his Snowden interview...

 ... and Privacy International's short videos on communications surveillance, big data, data protection, metadata and privacy

Tuesday, September 15, 2015

In praise of Open University people

The Open University (OU) is a phenomenal institution with fundamentally decent ethos and values which it has been a privilege for me to be able to tell people I work for, for the past 20 years or so.  We are, however, facing some serious challenges.

The latest plan to deal with those challenges is to close seven front-line regional operations centres. The OU centres marked for closure are London, Oxford, Bristol, Birmingham, Cambridge, Leeds and Newcastle.

Understanding the OU deeply takes a long time. It is full of incredible people who care deeply about our students and who have repeatedly shown they will go to the ends of the earth for this place, even to the point of putting their own health and welbeing at risk. Staff in the East Grinstead regional office which was shut down by the University at the end of November 2014, worked evenings and weekends, even in the knowledge they would be unemployed by Christmas, to ensure the students were settled with experienced, well qualified-tutors for our courses starting last autumn. In the thick of all the complexity and accommodation of massive structural changes of the past few years, though, it's worth noting that fundamentally the OU is simply about putting people in touch with people, people who care.

Historically the OU turned a discredited education method - correspondence courses - into hugely effective supported open learning at a distance which, for over 40 years, has outstripped the personal support provided by most of the conventional university sector by a street. Through a combination of energy, novelty, creativity, mutual support, organisation, sense, care, goodwill, a following wind and the right people, we, by accident as much as by design, got a lot of the key structural things right in the early days -
  1. The course production module - multidisciplinary concentrated teams producing intensely peer reviewed, tailored, self-contained, high quality self-study print, audio, video,multimedia and networked course material 
  2. The central administrative infrastructure needed to support production and operation at scale, on everything from exams to summer schools and associated  logistics 
  3. The regional administrative infrastructure - essentially front end regional offices and operations - that put the OU in the local community and real people who cared in touch with the people who were our students; names and faces that students got to know and trust throughout their period of study.
  4. Above everything else, the foundation stone that the place is built on is the deep level of care and the goodwill of the staff and students.
Unparalleled care, dedication to duty and goodwill are at the heart of all public services from education to policing, the health services and beyond. Care, dedication to duty and goodwill, unfortunately are also things that cannot be easily measured or counted. Things that politicians and bureaucrats are not easily held accountable for and things in recent generations, therefore, that have been sadly neglected and badly damaged, across the entire public sector. Simplistic targets, process, efficiency and cost cutting are the order of the day.  

Vice-chancellors, like all senior officers in the public sector, have been under intolerable pressure to rationalise and provide more for less.  The OU’s vice-chancellor, Peter Horrocks is quoted by the Times Higher Education Supplement as saying that the regional centre closures were aimed at providing students with the “best possible experience”.
“With developments in technology changing how we work, the student’s experience of the OU has not been limited by geography for some time. This is a difficult decision and I fully recognise the impact it will have on many of our staff, but we cannot afford to stay still.
This recommendation, if approved, would allow us to enhance student support in a way that’s simply not possible in our current office network, and offer our students the sort of support they expect and deserve.”
At its heart, education is a gift economy and the OU, for most of its life, has been the high water benchmark service for that economy, with care and goodwill at the core of its DNA.

I had been trying to hold onto the hope that when the dust settles on all the upheaval, we at the OU and the higher education sector in the round would emerge heavily bruised but re-trenched and largely intact. I'm now seriously concerned that we are evolving towards a future where students are numbers to be processed rather than people we care about and enable to develop their inherent talents and potential. 

Education cannot be done by treating people as numbers and it cannot be packaged as standardised widgets and sold via automated processes. Putting people in touch with people is the key. 

When universities feel they are forced to put the futures of the staff who care at risk - in this case incredibly special, unbelievably caring, dedicated OU people, with impossibly high standards, who demand nothing but the best of themselves and our institution in support of our students - then we put the futures of our students, our universities and our education system as a whole at risk.

Thursday, July 09, 2015

RIP Caspar

It's hard to believe but privacy activist, Caspar Bowden, has died following a short battle with cancer.

My first encounter with Caspar was on a listserv when he was director (and co-founder) of the Foundation for Information Policy Research. I believe it was the late 1990s but he was telling me off for spelling his name wrong. I apologised and we subsequently became friends. The substance of what we were discussing is lost to my memory but I suspect it was something around key eschrow and the original crypto wars at the time. It's shocking that Caspar should be lost to the security and privacy community just as that ugly battle is rearing its head again, with politicians and securocrats both sides of the Atlantic demanding back door access to encryption.

Combative and prickly, Caspar was also unfailingly kind and generous.

Whilst at FIPR Caspar worked tirelessly to inform parliamentarians and the public of the personal data pollution dangers of the burgeoning information age and ill designed regulations like the Regulation of Investigatory Powers Act (RIPA). He won the Winston award in 2000 for his work on RIPA and he carried that activism into his role as Chief Privacy Officer of Microsoft (initially for Europe, the Middle East and Africa, then for 40 countries worldwide) between 2002 and 2011. 

Long before the Snowden revelations, Caspar was warning of the nature of a huge range of privacy invading behaviour, commercial and governmental, and the facilitating evolving regulations round the world; not least the US Foreign Intelligence Surveillance Act 1978 (FISA) and the FISA Amendments Act 2008, in particular s1881, subsequently implemented as s702 FISA, Procedures for targeting certain persons outside the United States other than United States persons. His report, "The US surveillance programmes and their impact on EU citizens' fundamental rights", for the Civil Liberties, Justice and Home Affairs (LIBE) committee of the EU parliament is the definitive document on the subject.

It was Caspar's insistence on publicly spreading the word about this s702 'guilty of being a foreigner' provision of FISA that he recently explained led to his parting of the ways with Microsoft. 

Caspar was a big believer in a Rawlsian model of justice, a stickler when it came to the universality of human rights and was unstinting in his criticism of corporate or government entities or agents who sought to undermine those rights and principles; and even of US civil rights organisations who he felt passively endorsed the notion of better rights for US citizens.

He was a member of the board of directors of the Tor project. In recent times had become convinced of the potential of Qubes to form at least part of the technical architecture of a counter-insurgency against the seemingly all powerful, unstoppable erosion of personal privacy, by corporate and government agencies and others. 

Caspar was a rare polymath, an expert practitioner in the computer science, the laws of multiple jurisdictions, the technology more generally, identity management and information ethics. And he was prepared to wrestle with the user unfriendly inconveniences of privacy enhancing technologies, as the almost meltdown of his laptop, 4 minutes into his 'Reflections on Mistrusting Trust' talk at QCon last summer, demonstrated. 

For some time he had been contemplating and working on the establishment of a pan-European privacy rights organisation. It would be an appropriate legacy if an effective sustainable such institution could be brought into being.

There were few, if any, more deeply informed, active, passionate and energetic advocates for the privacy cause. Caspar you will be sadly missed. My thoughts and condolences go to your wife Sandi and family.

Update: a truly lovely personal tribute to Caspar by Malavika Jayaram, So long and thanks for all the fish, Caspar Bowden. Other really nice pieces from Natasha Lomas, Chris Soghoian, Robin Wilton, John Leonard, Ben Goldacre, Danny O'Brien, Martin Hoskins, Wendy Grossman, Simon Davies, Joanna Rutkowska, the Open Rights Group, Ind.ie, Sarah Clarke, Phil Booth, EDRi, the Tor Project, here, here, here, here, here, here, here, here, here, here, here, here, here, herehere and here.

Update 2: Guardian Obituary by Ross Anderson and tribute from John Naughton.

Thursday, June 11, 2015

A question of trust: notes on the terror watchdog report

The Terror Watchdog’s Report

The UK government has finally got round to releasing the report of the investigatory powers review by the independent reviewer of terrorism legislation, David Anderson QC and his team. Mr Anderson submitted the report to the Prime Minister on 6 May, just prior to the general election.

As Mr Anderson predicted, the report “won’t please everybody (indeed it may not please anybody)” but it is a substantive piece of work and deserves careful reading and consideration in full. In the press release accompanying the 379 page report he says:

“Modern communications networks can be used by the unscrupulous for purposes ranging from cyber-attack, terrorism and espionage to fraud, kidnap and child sexual exploitation.  A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world.

  But trust requires verification.  Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to demanding and visible safeguards.

 The current law is fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent.  It is time for a clean slate.  This Report aims to help Parliament achieve a world-class framework for the regulation of these strong and vital powers.”

So far so good. 

The report itself summarises the importance of privacy, threats to the UK, technologies implicated, laws, powers, safeguards and practices and the views from a disparate variety of actors from law enforcement and the intelligence services to service providers and civil society. It closes with a set of 5 governing principles and 124 specific recommendations. It was not limited to counter-terrorism considerations but also included counter-espionage, missing persons investigations, internet enabled crime (fraud, cyber-attacks, child sexual exploitation) and crime in general. 

The purpose of the report is:

a. to inform the public and political debate on these matters, which at its worst can be polarised, intemperate and characterised by technical misunderstandings; and
b. to set out proposals for reform, in the form of five governing principles and 124 specific recommendations. 

I think it’s fair to say it succeeds with both, even if I can’t agree with some of the recommendations.  Mr Anderson has had unrestricted access, at the highest level of security clearance, to the responsible government departments whilst conducting his review.

Key issues arising from the report seem to be:

               The need to start from scratch on a comprehensive and comprehensible, fit-for-purpose legislative framework for investigatory powers – including the retirement of the “incomprehensible to all but a tiny band of initiates” Regulation of Investigatory Powers Act (RIPA) 2000
               Continuation of communications data retention under the Data Retention and Investigatory Powers Act (DRIPA) 2014
               There should be judicial rather than Secretary of State authorisation of communications data warrants – the report itself describes this recommendation as “radical” departure
               The approval of bulk collection of communications data.
               Lack of acceptance of government’s glossy claims for the magic, unimpeachable value of government access to bulk communications data and recommendations for improved oversight of same
               Approval of extraterritorial reach of DRIP Act, for now, until improved international framework for data sharing is in place
               Abolition of existing oversight commissioners and replacement with Independent Intelligence and Surveillance commission
               The power, in Theresa May’s beloved snoopers’ charter, for the retention of internet searches should only apply where “a detailed operational case can be made out and a rigorous assessment has been conducted of the lawfulness, likely effectiveness, intrusiveness and cost”.
               An emphatic rejection of David Cameron & Theresa May’s notion of blanket encryption backdoors for government


Why Theresa and Dave are Glum

Though there is a lot in there, it’s becoming clear why the government delayed publication and both Theresa May and the Prime Minister’s spokeswoman seem to be already distancing themselves from the report.

You can understand why Theresa and Dave might be a bit miffed that Mr Anderson disapproves of blanket encryption backdoors (pointing out the agencies don’t want it and it would undermine security for everyone), has the nerve to suggest judicial rather than Executive oversight of interception warrants might be appropriate, kneecaps the snoopers’ charter and notes some of the claims about the value of communications data in the investigation of nefarious actors might be somewhat overblown.

You would expect them, however, to be positively dancing in the aisles as a result of his apparent support for the continuation of the bulk collection and retention of communications data and the continuation of the extra territorial reach of DRIPA beyond its sunset at the end of 2016.

I have to admit I share Privacy International’s disappointment that Mr Anderson didn't condemn bulk interception. However, whatever cheer the government’s senior Cabinet members derive from the nominal support for bulk collection will be tempered by Mr Anderson’s qualification of this approval by saying   "Though I seek to place the debate in a legal context, it is not part of my role to offer a legal opinion (for example, as to whether the bulk collection of data as practiced by GCHQ is proportionate). A number of such questions are currently before the courts..." [1.12].  

This continual emphasis in the report that he and the government should respect the courts as the requisite arbiters in determining the proportionality of indiscriminate bulk collection, within the framework of the European Convention on Human Rights (ECHR), is interesting. Even as he approves, also, of blanket data retention under DRIPA, he insists that retention would have to comply with the ECHR and the European Court of Justice decision in Digital Rights Ireland case in 2014, which banned indiscriminate data retention.

On the approval of the extra territorial DRIPA powers Mr Anderson is again careful to note:

"I understand those who argue that extraterritorial application sets a bad example to other countries, and who question whether it will ever or could ever be successfully enforced. It is certainly an unsatisfactory substitute for a multilateral arrangement under which partner countries would agree to honour each others’ properly warranted requests, which must surely be the long-term goal.”

So Mr Anderson’s report has turned out to be nothing like the useful excuse for pushing through the snoopers’ charter that the Home Secretary must have hoped it would be.


Why the report might not please anybody

It’s a real pity that, even within the constraints within which he was working, and the reasonable set of 5 principles outlined for underpinning investigatory powers, laid out in Part IV of the report, Mr Anderson did not condemn bulk collection of communications data. I accept it is not part of his role to offer a legal opinion on whether bulk collection is proportionate. 

Yet I find the justification for supporting bulk collection is rather weak and not commensurate with the deeper consideration of the rest of the report. It is linked to a principle of minimising no go areas for law enforcement as far as possible, whether in the physical or the digital world and justified on the grounds of 6 sample cases briefly outlined in Annex 9 of the report. None of these 6 cases provide the detail to demonstrate that bulk collection was the primary source leading to the identification of these criminals in the first instance.  

It is not in dispute that if law enforcement or the intelligence services have just cause to suspect some person/group of involvement in criminal activity, the availability of bulk data which includes the data of the suspect/s, will enable data mining that may be useful in an investigation. Bulk collection facilitates the significant discovery of multiple details about anyone once they become a suspect or a person of interest. Authorities simply do not have the resources to engage deep data mining the lives of everyone even if they have that data available.

Since the turn of the century, time and again from the 9/11 attacks to the murders of Fusilier Rigby and people at the Charlie Hebdo offices in Paris,  information overload caused by bulk data collection has been a primary factor in the failure to prevent terrorist attacks by known dangerous individuals. It is simply not proportionate to engage in bulk data collection in the hope that it will be useful when the authorities decides to look into someone they disapprove of. It actually actively impedes already over stretched investigatory authorities, who would be better served by putting the resources apparently available for such bulk collection, into recruiting more and better trained investigators and analysts.

Mrs May and Mr Cameron would do well to note that the opportunity costs of engaging in the security theatre that is bulk data collection and data retention, undermines security for everyone by making the jobs of those tasked with protecting us more difficult, whilst simultaneously denying them the resources to be more effective.

Update: the airline worker example from Annex 9, according to Joshua Rozenberg is Rajib Karim, who was convicted in 2011 and jailed for 30 years.

Tuesday, May 26, 2015

Open letter to MPs on surveillance

I'm a signatory of an open letter, coordinated by Andrew Murray at the London School of Economics and Paul Bernal at the University of East Anglia, calling for MPs to ensure further expansions of surveillance powers are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Those who have happened across this blog in the past will be aware of my serious concerns at the expansion of our surveillance society and surveillance state over the past 15 years. Signatories of this open letter, however, have a wide spectrum of opinions on these issues, from those who believe that increased powers are a reasonable response to an emerging threat to those who think them an unjustified extension of state interference. What we are all agreed on is the requirement for full, evidence based and transparent Parliamentary scrutiny of proposed further expansions of surveillance powers.

These powers are far too important to continue to allow the Executive to get away with the abuse of parliamentary process, for example, that accompanied the unconscionable fast tracking of the Data Retention and Investigatory Powers Act in the summer of 2014.

Copy of the open letter below.

An open letter to all members of the House of Commons,

Dear Parliamentarian,

Ensuring the Rule of Law and the democratic process is respected as UK surveillance law is revised

Actions Taken Under the Previous Government

During the past two years, the United Kingdom’s surveillance laws and policies have come under scrutiny as the increasingly expansive and intrusive powers of the state have been revealed and questioned in the media. Such introspection is healthy for any democracy. However, despite a need for transparency in all areas of lawmaking, and in particular in areas of controversy, the previous Government repeatedly resisted calls for an open and transparent assessment and critique of UK surveillance powers. Instead, in response to legal challenges, it extended the powers of the state in the guise of draft Codes of Practice and “clarifying amendments.” As we welcome a new Government we expect another round of revisions to UK surveillance laws, with the likelihood that the Queen’s Speech will signal a revival of the Communications Data Bill. At this time we call on the new Government, and the members of the House, to ensure that any changes in the law, and especially any expansions of power, are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Last year, in response to the introduction of the Data Retention and Investigatory Powers Bill (“DRIP”), a number of leading academics in the field – including many of the signatories to this letter – called for full and proper parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled as to what powers it truly contained. Our concern emanated from the Home Secretary’s attempt to characterize the Bill, which substantially expanded investigatory powers, as merely a re-affirmation of the pre-existing data retention regime.[i]

Since that letter was written, it has become apparent that the introduction of the DRIP Bill was not the only time an expansion of surveillance powers was presented in a way seemingly designed to stifle robust democratic consideration. In February 2015, the Home Office published the draft Equipment Interference Code of Practice.[ii] The draft Code was the first time the intelligence services openly sought specific authorisation to hack computers both within and outside the UK. Hacking is a much more intrusive form of surveillance than any previously authorised by Parliament. It also threatens the security of all internet services as the tools intelligence services use to hack can create or maintain security vulnerabilities that may be used by criminals to commit criminal acts and other governments to invade our privacy. The Government, though, sought to authorise its hacking, not through primary legislation and full Parliamentary consideration, but via a Code of Practice.

The previous Government also introduced an amendment via the Serious Crimes Act 2015, described in the explanatory notes to the Bill as a ‘clarifying amendment’.[iii] The amendment effectively exempts the police and intelligence services from criminal liability for hacking. This has had an immediate impact on the ongoing litigation of several organisations who are suing the Government based in part on the law amended, the Computer Misuse Act 1990.[iv]

The Way Ahead

The new Conservative Government has announced its intention to propose new surveillance powers through a resurrection of the Communications Data Bill. This will require internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year, and to make that information available to the government and security services. We also anticipate this Parliament will see a review of the Regulation of Investigatory Powers Act 2000, which currently regulates much of the Government’s surveillance powers. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has conducted an independent review of the operation and regulation of investigatory powers, with specific reference to the interception of communications and communications data. The report of that review has been submitted to the Prime Minister, but has yet to be made public: when it is made public, parliamentary scrutiny of the report and any recommendations made following it will be essential.

As the law requires that surveillance powers must be employed proportionate to any harm to privacy caused (as required by Article 8 of the European Convention on Human Rights and Article 12 of the Universal Declaration of Human Rights) we believe that any expansion or change to the UK’s surveillance powers should be proposed in primary legislation and clearly and accurately described in the explanatory notes of any Bill. The Bill and its consequences must then be fully and frankly debated in Parliament. When reaching an assessment of the proportionality, of any measure that restricts rights, both our domestic courts and the European Court of Human Rights place great stock on the degree and quality of Parliamentary involvement prior to any measure being adopted. If the matter ever came to before the courts one issue examined would be the nature of any “exacting review” undertaken by MPs into the necessity of extending these powers. The Government should not be permitted to surreptitiously change the law whenever it so desires, especially where such changes put our privacy and security at risk.

This letter has been prepared and signed by 35 academic researchers. We are comprised of people from both sides of this issue - those who believe that increased powers are a reasonable response to an emerging threat, and those who think them an unjustified extension of state interference. Our common goal is to see the Rule of Law applied and Parliamentary oversight reasserted. We are calling on all members of the House of Commons, new and returning, and of all political persuasions to support us in this by ensuring Parliamentary scrutiny is applied to all developments in UK surveillance laws and powers as proposed by the current Government.  


Andrew Murray (contact signatory)
Paul Bernal (contact signatory)
Professor of Law
London School of Economics
Lecturer in Information Technology, Intellectual Property and Media Law University of East Anglia

Subhajit Basu
Associate Professor
University of Leeds

Sally Broughton Micova
Deputy Director LSE Media Policy Project, Department of Media and Communications
London School of Economics and Political Science

Abbe E.L. Brown
Senior Lecturer
School of Law
University of Aberdeen

Ian Brown
Professor of Information Security and Privacy
Oxford Internet Institute
Ray Corrigan
Senior Lecturer in Maths, Computing and Technology
Open University

Angela Daly
Postdoctoral Research Fellow
Swinburne Institute for Social Research
Swinburne University of Technology
Richard Danbury
Postdoctoral Research Fellow
Faculty of Law
University of Cambridge

Catherine Easton
Lancaster University School of Law

Lilian Edwards
Professor of E-Governance
Strathclyde University
Andres Guadamuz
Senior Lecturer in Intellectual Property Law
University of Sussex

Edina Harbinja
Lecturer in Law
University of Hertfordshire

Julia Hörnle
Professor in Internet Law
Queen Mary University of London
Theodore Konstadinides
Senior Lecturer in Law
University of Surrey

Douwe Korff
Professor of International Law
London Metropolitan University

Mark Leiser
Postgraduate Researcher
Strathclyde University

Orla Lynskey
Assistant Professor of Law
London School of Economics

David Mead
Professor of UK Human Rights Law
UEA Law School
University of East Anglia

Robin Mansell
Professor, Department of Media and Communication
London School of Economics

Chris Marsden
Professor of Law
University of Sussex

Steve Peers
Professor of Law
University of Essex

Gavin Phillipson
Professor, Law School
University of Durham
Julia Powels
Faculty of Law
University of Cambridge

Andrew Puddephatt
Executive Director
Global Partners Digital
Judith Rauhofer
Lecturer in IT Law
University of Edinburgh

Chris Reed
Professor of Electronic Commerce Law
Queen Mary University of London

Burkhard Schafer
Professor of Computational Legal Theory
University of Edinburgh

Joseph Savirimuthu
Senior Lecturer in Law
University of Liverpool

Andrew Scott
Associate Professor of Law
London School of Economics

Peter Sommer
Visiting Professor
Cyber Security Centre, De Montfort University

Gavin Sutter
Senior Lecturer in Media Law
Queen Mary University of London

Judith Townend
Director of the Centre for Law and Information Policy
Institute of Advanced Legal Studies
University of London

Asma Vranaki
Post-Doctoral Researcher in Cloud Computing
Queen Mary University of London

Lorna Woods
Professor of Law
University of Essex