While the IETF was meeting in Vancouver this month to discuss (among other things) the technical implications of mass surveillance, the Council of Europe held a ministerial meeting in Belgrade to consider the human rights implications of the same capabilities. One of the things I like best about my job is that it puts me at the intersection of these two communities. As far as I’m aware, I am one of a very small number of people who regularly attends both IETF and CoE sessions (the former as an identity and security geek, the latter as a privacy geek and an observer to the working party on data protection). From that perspective, I thought it might be useful for me to comment on a recent article in the Guardian, which describes the UK delegation’s objection to part of a statement issued by the ministerial meeting as a whole. That said, I should also make clear the following disclaimer: although the views I express below are informed by my professional experience, they are strictly my personal views as a UK citizen, voter and taxpayer, and should not be taken to represent the views or policies of my employer.
To quote from the article, the disputed passage of the statement reads:
“We invited the Council of Europe to … examine closely, in the light of the requirements of the European Convention on Human Rights, the question of gathering vast amounts of electronic communications data on individuals by security agencies, the deliberate building of flaws and ‘backdoors’ in the security system of the internet or otherwise deliberately weakening encryption systems.”
Given the scope and nature of recent revelations, it’s not really plausible to deny that these activities have been going on, nor that the UK has been engaged in some or all of them. That seems to me to lead to the following conclusions: either the UK Government feels there are simply no human rights implications to mass surveillance, or it acknowledges that there are, but declines to have those implications considered by the Council of Europe (of which it is a member, and whose Convention 108 it has ratified).
The first of those would be worrying, but I doubt if it is the case. The second is far more likely, but I think it should still worry us, and here’s why.
First, let’s concede that it’s not really tenable to argue that states should enjoy no exemptions from data protection laws as a whole: there are legitimate functions of the state that require access to data which might otherwise remain confidential. For instance, it would be absurd if, in the process of investigating a crime, the state did not have a legal basis for trying to determine whether or not someone is lying about whether they did it. Conversely, it would be absurd and dangerous if those exemptions were unqualified. The validity (and in many respects also the reliability) of information obtained under these exemptions actually depends on the fact that strict conditions apply to the way in which it is obtained and the ways in which it may be used.
Both Convention 108 and the EU’s Data Protection Directive 1995 contain exemptions for law enforcement and national security access to otherwise protected data. However, in both cases those exemptions are qualified. They specify that the actions taken must be “necessary” to achieve one of the stated goals, and – in the case of Convention 108 – further add the stipulation that they constitute “a necessary measure in a democratic society”.
Article 6 of the Data Protection Directive 1995 also sets out the over-arching proportionality principle, that data processed should be “adequate, relevant and not excessive”.
Article 15 of the Directive on Privacy and Electronic Communications 2002 is also explicit about the qualification of exemptions to data protection, specifying that they must constitute a “necessary, appropriate and proportionate measure within a democratic society”.
Now, the technical community at IETF last week expressed a near-unanimous view that it should take action to revisit the technical means by which the Internet could be protected against mass surveillance – describing interception on that scale as indistinguishable from an attack. Technical protection apart, though, it seems to me that what the NSA/GCHQ disclosures reveal is primarily a failure of governance: elected representatives seem either to have been kept uninformed of what the intelligence services were doing, or to have done their bit to ensure that it was not subject to effective independent accountability. Witness, for instance, the unedifying sight of a US FISC judge issuing a written ruling that “NSA exceeded the scope of authorized acquisition continuously”… before agreeing to expand its authority to collect metadata by “11-24 time”.
At the same time, we have a UK cabinet minister and member of the National Security Council (NSC) saying that he was given no information at all about GCHQ’s TEMPORA programme or the NSA’s PRISM. The same minister notes that, for much of the previous administration’s time in power, the Home Office was pressing for new intercept laws, when in fact it was already doing what it complained that it could not. The British public have also been offered the carefully choreographed spectacle of the heads of the intelligence services in a televised Q&A session with the committee of MPs nominally responsible for their accountability. As you can see from the video footage, the session was hardly what the BBC, with touching optimism, referred to as a “grilling”. What’s not made clear in the video, by the way, is that all the questions were pre-arranged.
Under those circumstances, I could not blame British citizens for wondering how we are to achieve adequate supervision of communications interception on a mass scale. The “gentleman’s agreement” by which the spies agree not to do anything too beastly, provided MPs are civil enough not to ask impertinent questions, clearly doesn’t cut it. And, in a sense, it’s laughable that it ever did: after all, what use is a gentleman’s agreement with someone whose profession is deceit?
The bottom line is this: the UK clearly signed up to the provisions of European regulations and Convention 108, well aware that they contained national security exemptions, but also well aware that those exemptions are qualified by requirements for democratic necessity and proportionality. It has equally clearly failed to ensure that those requirements are met. It should, therefore, either be honest and indicate that it no longer intends to be bound by any of the statutory instruments in question, or at least be open and endorse an independent examination of whether mass surveillance can be compatible with the human rights laws to which it has signed up.