Extraterritoriality and digital surveillance – time for the lawyers and the advocates to bring the dialogue together

This weekend, as an ex-bureaucrat, I felt for the folk at the State Department.  It must have been a ridiculously busy weekend for those preparing for this week’s Human Rights Committee Hearing in Geneva.  On Friday, the New York Times leaked Harold Koh’s legal advice acknowledging that the US obligations under the International Covenant on Civil and Political Rights do not stop at the border.  The NYT article would have meant that the briefing folders that had been merrily making their way up the clearance chain in time to be packed into the delegation’s suitcases would have been discarded (or at least the sections on extraterritoriality would have been yanked out) and all the talking points would have needed to be rewritten.

This is not just an important moment for bureaucrats or international human rights law junkies; it is potentially powerful for digital rights activists pushing for reform of global surveillance practices.  Digital rights advocates have been calling for the US government to end global mass suspicionless surveillance and to adhere to their international human rights law obligations.  There may be a strong moral case to support them, but when it comes to the NSA’s overseas activities, the discourse has often lacked a strong legal underpinning.  In order to push governmental policy on this issue, the dialogue needs to mature to the point where it is built on solid legal underpinnings.  The next couple of months bring an unprecedented opportunity to do just that.

One heck of a timely UN report on government surveillance of communications

If it had happened on House of Cards, you’d have enjoyed the theater of it, but figured that the writers had taken some artistic license in the timing.  I mean, it just doesn’t happen in real life that the UN releases a report on the dangers of government surveillance on the internet immediately before the news breaks that the US Government has been conducting internet surveillance of previously unimagined proportions.  Critics could unkindly say this is because the UN is never ahead of the game, but in this case, you have to hand it to Frank La Rue – he has clearly authored an exceptionally timely report:

Transparency – but what are we seeing?

Now that Microsoft has come to the party and is publishing a regular transparency report, there is a meaningful amount of publicly-available data about government requests for online records.  Looking at the data from Google, Twitter, Dropbox and Microsoft side-by-side raises some interesting questions.

The trend towards publishing transparency reports is a welcome one.  It raises awareness and encourages users to think about what protections they’re entitled to and how private their online activities really are.  There are still some very noticeable gaps in the information available.  Facebook and Yahoo! store large amounts of personal data but are noticeably silent on the issue of transparency reports.  Perhaps they will follow in Microsoft’s footsteps and finally succumb to the pressure for transparency.

Consumer and privacy advocacy groups are alarmed at the increased volume of government data requests.  Back in January, EFF reported on the ‘troubling trend’ of the rise in government surveillance because there had been a 70% increase in requests for data since Google started releasing numbers in 2010.  Forums are awash with comments about government snooping and conspiracy theories.  Meanwhile, at last week’s Committee on the Judiciary Hearing, Richard Littlehale from the Tennessee Bureau of Investigation argued for calm in considering the increase in government requests.  He analysed the statistics as demonstrating that ‘just a tiny fraction of one percent of Google’s accounts were affected by government demands’.

Comparing the transparency reports of the different companies shows that Microsoft/Skype and Google are inundated with requests for data.  As you would expect, relative newcomers Dropbox and Twitter receive far fewer requests.  In 2012, there were 122,015 requests relating to Microsoft accounts, 15,409 requests relating to Skype accounts, 68,249 Google accounts, 2,614 Twitter accounts and 164 Dropbox accounts. Each of these statistics relates to the number of accounts affected.  As each user could have multiple accounts, this does not directly equate to the number of individuals affected but nonetheless gives a sense of the scale of the issue.

These are some pretty impressive numbers and they’re on the rise.  The volume of requests to Google has grown significantly even during the short 3 years that they have been publishing their transparency report.  Although the data is not available, it seems reasonable to assume that the other companies are also experiencing significant increases.  Just what do these statistics mean?  Is it time to sound the Orwellian alarm bells?

Of course, more users have been sending, posting and storing information online.  This comes not only from more users engaging with online products, but also through the expanded type of products being offered.  The growth in cloud computing and cloud product offerings such as Google Drive mean that there is more information being held by third parties.  Higher penetration of online products not only means more cute cats and emails home to Mom, but also more use by criminal elements.  This naturally piques the interest of law enforcement officers.

As law enforcement becomes more familiar with the use of online records as evidence, more officers appreciate its value and employ it as one of their investigative tools.  The process has also been simplified and demystified.  Only a few years ago, it was an impenetrable maze to try to work out how to request online records for most of the providers.  Now, many of the companies have publicly accessible guides for law enforcement.  This means that it’s not just the high-tech crime units that are aware of the ability and value in accessing online records, but also the local county sheriffs.

Upward trends in law enforcement requests for records from particular online products can also reveal that some applications are particularly attractive to criminal elements.  For example, in the past, certain messaging applications became havens for child pornography rings to the extent that the product was discontinued.  Criminals will always look for weaknesses in the system and loopholes where they feel that they can communicate with impunity.  Police will naturally want to follow these trends and pursue criminals by accessing these records.  At the same time, innocent users have a valid expectation of privacy over their communications.

This all means that more users are putting more information online and it’s being accessed by a wider range of law enforcement officers.  I don’t think this is necessarily alarming in itself – we are no longer in a society where people (innocent or criminal) handwrite their private documents and store them under lock and key in their filing cabinet and investigative techniques have to adjust accordingly.  However, it does mean that it is increasingly important to ensure that there are adequate systems in place for the way in which this information is stored, accessed and used.

The discussion of this issue is hardly in its infancy; reform of ECPA has been on and off the cards for years (culminating in the last-minute failure to pursue the legislative amendments at the end of last year).  At last week’s committee hearing, there was a new level of consensus that access to users’ content should only be through showing of probable cause.  However, underneath this veneer of agreement, each of the witnesses revealed important differences of opinion.  The Department of Justice advocated that substantial carve-outs from the probable cause standard should be afforded for civil litigation.  The law enforcement representative had a wish list including access to SMS messages and mandatory time limits on compliance with government requests.  Questioning by committee members revealed that there was confusion about the difference between traffic data and content and a troubling lack of understanding about how services such as targeted advertising on Gmail accounts affect privacy.  As with most legislative reform, the devil is in the detail and there is a lot of work ahead before there can be agreement on a Bill.

Access to online records needs to be addressed now.  The uncertainties between different jurisdictions and the growing agreement that aspects of ECPA infringe the Fourth Amendment of the Constitution are unacceptable both from a user’s perspective and also from the commercial perspective of companies that have to navigate this legal minefield on a daily basis.  The law is certainly in need of reform and the problem is only going to get worse.  However, the statistics do not necessarily mean that we are in the grip of a government conspiracy.  While we are no longer in the 1986 world of the original ECPA, we are also a long way from George Orwell’s 1984.

Going beyond the guidelines – legal and moral responsibilities on ICT companies

YouTube this week introduced a face-blurring tool to protect activists from being recognised by their online activities.  Human rights groups will no doubt welcome the initiative as it comes in response to calls from groups such as Witness.  Some web companies demonstrate a commitment to not only reducing the negative human rights impacts of their activities, but also to actively improving the positive impacts that they may have.  The uptake of some of the voluntary guidelines on corporate social responsibility and human rights demonstrates a willingness to go beyond the minimum requirements.  But what responsibilities do tech companies really owe to users in other countries?  Is this solely a question of moral responsibility and ethics, or is there a legal obligation?  And should moral responsibility be reflected in a legally-binding regime?

Guide to the guidelines – human rights, business and the ICT sector

Complex and interesting areas of international legal policy can be difficult to navigate.  Once an issue gains a profile in policy circles, everyone with an interest in the topic rushes to develop guidelines to help others navigate the area.  While the issue of human rights and web companies is still comparatively new, there are guidelines from the field of corporate social responsibility that can be drawn upon.  ICT-specific guidelines are also mushrooming at the moment.  In light of this, I thought it timely to develop a quick guide to the guidelines.

There is an abundance of material on corporate social responsibility, with some of it approaching human rights more broadly and some creating sector specific guidance.  I will outline a couple of the key general CSR guideline initiatives and the guidelines that are specific to the ICT sector.  Once you start delving into specific issues such as environmental sustainability, fair trade or bribery or markets with particular vulnerabilities such as conflict zones, you find a whole host of additional stakeholders and reference materials.  Some notable examples include the OECD Risk Awareness Tool for Weak Governance Zones, the ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy and the Extractive Industries Transparency Initiative.

In defence of law enforcement cooperation

One of the aspects of Brown and Korff’s report on Digital Freedoms in International Law that warrants further discussion and analysis is their recommendations about mutual legal assistance.  The report recommends that companies and States should insist that MLA arrangements are the only appropriate means of cross-border data access.  While I understand the authors’ logic in recommending MLA as a structured system with comparatively well-defined legal boundaries and safeguards, this approach overlooks the valuable role that police-to-police cooperation plays in international crime cooperation.

The scope and role of law enforcement cooperation

Law enforcement cooperation is less formal than MLA, with information being shared directly between law enforcement agencies, rather than through ‘Central Authorities’ under cover of formal Government-to-Government requests.  Law enforcement cooperation is governed by informal arrangements or by instruments of less-than-treaty-status (such as memoranda of understanding).  It is less transparent than MLA, with the terms of international agreements often not being publicly available (this issue came up in the Australian case of Rush and others v Commissioner of Police (2006) 229 ALR 383, where the memorandum of understanding between Australia and Indonesia was not produced due to public interest privilege).  The scope of information that can be provided on an agency-to-agency basis is often described in these confidential MOUs, but is delimited by the domestic law of each individual country.

There is a further level of complexity in investigations that relate to criminal activity across international borders.  Information that may not be able to be obtained directly on behalf of a foreign country can sometimes be obtained by the police in the host country for a domestic investigation and then shared with the foreign country as part of a joint investigation.

It is not just police forces that share information on an agency-to-agency basis; customs or immigration authorities also have extensive international cooperation networks.  The value of law enforcement cooperation is recognised in multilateral treaties such as the UN Convention on Transnational Organized Crime (art 27), the UN Convention against Corruption (art 48) and the Convention on the Prevention of Terrorist Bombings (art 10).  International organisations such as Interpol and the World Customs Organization facilitate interagency cooperation on a range of areas.  These international networks can move quickly in situations where the time involved in making an MLAT request could thwart an operation.

As noted in a previous post, MLA can be slow.  It is heavy on the paperwork and, because it involves a large number of stakeholders and formal processes, is resource-intensive.  There has been a trend towards looking for more streamlined alternatives to MLA.  The most ambitious of these is the European Evidence Warrant (EEW), which represents a sort of half-way point between law enforcement cooperation and MLA.  A designated judicial authority in one member State can issue an EEW for certain objects, data and documents that are in another jurisdiction and are required for criminal proceedings.  The EEW is transmitted to the State in which the evidence is located and that State is obliged to recognise and execute the warrant, subject to limited grounds for refusal.  The EEW replaces much of the existing MLA system within the EU and coexists with the system of law enforcement cooperation through mechanisms such as Europol.

Where to from here?

It is not just the fact that law enforcement cooperation is an entrenched part of the system that leads me to advocate its retention (at least in some form).  The existing MLA system is not appropriate for the wide range of circumstances in which online information needs to be shared.  Requiring MLA for the sharing of all data evidence could be akin to the proverbial nut and a sledgehammer.  The existing system of international information sharing is complex and confusing.  However, there were valid reasons behind the decisions to create many of these different processes and they should not be dismissed out of hand.

Instinctively, there seems to be a difference between an ICT company divulging a user’s name and e-mail address to a foreign country compared with handing over the content of their personal e-mails.  And it is another step again to grant ongoing access to a user’s e-mails into the future.  The European Convention on Cybercrime recognises this by creating different obligations for each of these circumstances.  Many countries’ domestic laws take a similar approach.  For example, the US Electronic Communications Privacy Act requires different processes for content or traffic data and separately regulates surveillance.

It is also relevant to consider the destination of the information that is being shared.  The EEW is premised on the idea that a more streamlined approach is appropriate for cooperation between States with a shared standard of human rights protections and criminal justice.  Where the State requesting the information has a radically different justice system, a more comprehensive MLAT process is necessary.

I agree with Brown and Korff that there need to be better controls on the way in which information is shared across borders.  However, requiring all information sharing about online records to go through the MLA process is not the answer.  Instead, there needs to be analysis of all the ways in which information is currently shared through MLA and law enforcement cooperation.  A new framework for international information sharing for criminal matters should take into account:

  • The nature of the information sought – is it basic subscriber information, e-mail content or ongoing access to an individual’s communications?
  • The purpose for which it is sought and any need for urgency – is it an emergency situation where an individual’s life is at immediate risk or is it a long-term criminal investigation?
  • The State to which the information is being provided – is it a trusted partner country with shared criminal justice and human rights standards or a State with more divergent legal practices?