Privacy 21 December 2014

Surveillance: Is this the beginning of the end of data trawlers?

By Christine RunnegarSenior Director, Internet Trust

Last 21 December, we published a post entitled When Law Isn’t Enough [1]. with a hope that 2014 would be the year that the global community unites to confine the ambit of data collection for national security purposes to those truly exceptional circumstances where the public interest objectively outweighs an individual’s right to privacy.

One year on, it’s time to reflect on the progress that has been made towards this goal.

The potential privacy impact of metadata has been formally acknowledged at the UN level in the resolution The right to privacy in the digital age [2] adopted by the Third Committee this month. This means that “… respecting and protecting the right to privacy …” (one of the calls upon States contained in the resolution) should include metadata.

The Office of the High Commissioner on Human Rights, in the report on the right to privacy in the digital age [3] concluded that:

Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association.

Unfortunately, this conclusion is not specifically reflected in the recent UN resolution. This would have been a very useful addition because a formal recognition by UN members might have finally put an end to one of the arguments made by States in defence of pervasive observation and data collection, namely that privacy only becomes a concern at the point where data is actually “used”.

UN members emphasize in both resolutions that unlawful or arbitrary surveillance or interception of communications violates the right to privacy. However, they stop short of saying what is or is not unlawful or arbitrary. Consequently, we have to ask, are we actually any closer to achieving the objective? Or, is it business as usual because States interpret lawful and not arbitrary as it suits their national security needs? Given the inherent covert nature of pervasive surveillance, its probably going to be impossible to gauge whether pervasive surveillance practices have materially changed.

In Europe, where data protection is a fundamental right, the EU Article 29 Working Party goes further in its recent declaration [4], stating that:

Secret, massive and indiscriminate surveillance of individuals in Europe, whether by public or private players acting in an EU Member State or from elsewhere, is neither lawful with regard to the EU Treaties and legislations nor ethically acceptable.

This is a significant statement for two reasons. First, it is a declaration that pervasive surveillance is not lawful. Second, it purposefully raises the ethical dimension. This important aspect is reinforced in the third paragraph of the declaration:

Technology is a medium that must remain at the service of man. The fact that something is technically feasible, and that data processing may sometimes yield useful intelligence or enable the development of new services, does not necessarily mean that it is also socially acceptable, ethical, reasonable or lawful.

The Internet Society has been arguing for some time now that the standard the international community should apply with respect to surveillance, and data governance in general, is not one of strict legality, but rather what is ethical.

While diplomatic and policy communities have been considering the legal and ethical dimensions of surveillance, other communities have been exploring their own attitudes regarding pervasive surveillances and what action (if any) they would take. We’ve already discussed many of these initiatives in earlier blog posts, so I’ll just mention a growing recognition among some groups of the societal value in offering Internet users (from all sectors) the option of protecting the confidentiality of their online communications through encryption. For example, the Internet Architecture Board recently issued a statement [5] that encryption should be the norm for Internet traffic.

So, in summary, where do we stand one year on?

Pervasive surveillance of online communications is probably still a reality for many Internet users. Even if the position of the Article 29 Working Party were to be held unanimously internationally, there would still be a spectrum of views as to what constitutes massive or indiscriminate surveillance. The situation is unlikely to change appreciably unless states, of their own volition, wind back their mass surveillance programs in favour of a more case-by-case targeted approach. The question then is, what would persuade states to move on from the status quo.

If we, as a global community, are to make any meaningful progress towards protecting the privacy rights and expectations of individuals on the Internet, in the context of surveillance in pursuit of national security objectives, we face hard questions about what is and is not acceptable. We will not only have to understand and face up to those questions, but also find answers which persuade policymakers that change is both necessary and in their longer term interest for a trusted global Internet.

[1] Blog: When Law Isn’t Enough

[2] United Nations General Assembly: The right to privacy in the digital age (Document)

[3] The right to privacy in the digital age, Report of the Office of the United Nations High Commissioner for Human Rights (PDF)

[4] Joint statement of the European Data Protection Authorities Assembled in the Article29 working party

[5] IAB Statement on Internet Confidentiality

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

10 March 2021

Internet Society Joins Leading Internet Advocates to Call on ISPs to Commit to Basic User Privacy Protections

Mozilla, the Electronic Frontier Foundation, and the Internet Society call on AT&T, T-Mobile, and Verizon to commit to limiting...

Strengthening the Internet 22 February 2021

The Best and the Brightest Security and Privacy Experts Are Gathering Virtually at NDSS 2021

NDSS 2021 will be one of the biggest NDSS symposia yet, featuring two keynotes, 90 peer-reviewed academic papers, six...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...