Ian Brown adds to the debate about Internet surveillance by governments and the various legal regimes that apply
Following Edward Snowden's revelations of large-scale Internet surveillance by the US and UK governments, there has been broad discussion of the relative merits of national legal regimes intended to enable necessary and proportionate Internet surveillance by intelligence and law enforcement agencies – including Archer, Maxwell and Wolf's SCL article 'A Global Reality: Governmental Access to Data in the Cloud'.
One important but under-discussed part of such regimes is a statutory requirement for telecommunications companies to make their networks 'wiretap-ready'. This facilitates the interception of communications as traditionally understood – such as e-mail messages – but also the surveillance of any non-encrypted data travelling across communications networks, including that processed and stored by cloud services. This reduces the number of parties that must be made aware of on-going surveillance, since well-placed interception devices will have access to data flowing by that route to any cloud or other online service. It enables much more sweeping surveillance than is possible using judicial or administrative warrants (or Mutual Legal Assistance Treaty requests) targeted at individuals or individual services. And by reducing the marginal cost of surveillance, it encourages greater use of it.
Many governments have passed such lawful intercept capability laws since the mid-1990s, including the following:
National Intelligence Law No. 25.520 Title VI
Telecommunications Act §313
Law for the protection of the private sphere against the acts of eavesdropping, gaining knowledge of and opening private communications and telecommunications
Federal Law No. 9.296
Electronic Communications Act §§112-114
Posts and Telecommunications Code §D.98-1
Telecommunications Act §88 / §110
Information Technology Act, Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules
Communications and Multimedia Act
Telecommunications Act §13
Telecommunications (Interception Capability) Act
Law on Communications §64
Regulation of Interception of Communications and Provision of Communication-related Information Act Chapter 5
Electronic Communications Act
Telecommunications Act §94
Regulation of Investigatory Powers Act §12
Communications Assistance to Law Enforcement Act
FISA Amendments Act §1881a
Protecting Children from Internet Predators Act, Bill C--?30
Draft Bill dropped 2013
Most significantly, given the location of most of the largest Internet services, the United States Communications Assistance to Law Enforcement Act of 1994 [Pub. L. No. 103-414, 108 Stat. 4279] (CALEA) requires telecommunications providers to have the capability to undertake real-time interception of communications carried over their networks, as well as to provide detailed call records. Following the 9/11 attacks, the two largest US international telephony providers (with 39% and 28% of calls into and out of the US) asked the National Security Agency 'what can we do to help?' According to a leaked NSA Inspector General report, they and the third-largest telephony provider (with 14% of international calls) agreed to voluntarily cooperate in an 'extraordinary program' to monitor communications and metadata relating to non-domestic communications.
In 2005 the US Federal Communications Commission expanded the CALEA requirements to broadband Internet providers and certain Voice-over-IP providers. The Department of Justice has continued to promote additional rules requiring ISPs to retain customer communications data. The European Union member states agreed in a (non-binding) Council Resolution on 17 January 1995 to implement similar lawful interception capability measures [Official Journal C 329, 04/11/1996, 1-6].
The UK's Regulation of Investigatory Powers Act 2000 (s 12) gives the Secretary of State the power to impose on public telecommunications services 'such obligations as it appears to him reasonable to impose for the purpose of securing that it is and remains practicable for requirements to provide assistance in relation to interception warrants to be imposed and complied with.' The RIPA 2000, s 8(4) allows the Secretary of State to authorize very broad warrants allowing the interception of any communications that originate or terminate outside the British Isles. This seems to be the basis for the UK's TEMPORA programme run by the Government Communications Headquarters (GCHQ), which apparently stores copies of a large fraction of all Internet traffic crossing the UK's borders for three days, along with communications data from that content for 30 days. The compatibility of these arrangements with the European Convention on Human Rights has been challenged at the UK's Investigatory Powers Tribunal by three UK campaign groups: Privacy International, Big Brother Watch, and Liberty.
In parallel, a number of governments have passed laws – most notably the EU's Data Retention Directive [2006/24/EC] – requiring telecommunications companies to store records about (but not the content of) their customers' communications. This so-called 'communications', 'meta', or 'traffic' data includes details of phone numbers dialed, e-mail senders and recipients, and mobile phone locations. The US Federal Communications Commission similarly requires [47 CFR 42.6] that:
Each carrier that offers or bills toll telephone service shall retain for a period of 18 months such records as are necessary to provide the following billing information about telephone toll calls: the name, address, and telephone number of the caller, telephone number called, date, time and length of the call. Each carrier shall retain this information for toll calls that it bills whether it is billing its own toll service customers for toll calls or billing customers for another carrier.
Google's Global Privacy Counsel wrote on his personal blog on 'How to feign outrage over PRISM':
Europe has the most privacy-invasive government surveillance regime in the world, based on the mandatory data retention of the communications logs (aka, metadata) on every single electronic communication for periods ranging from 6 to 24 months. The US does not have such a data retention regime, because it was deemed too privacy-invasive by the US Congress. But don't talk about that.
The Court of Justice of the EU is currently reviewing the compatibility of the Data Retention Directive with the Charter of Fundamental Rights, which has been questioned by national courts in Ireland, Germany, Bulgaria, Romania and Slovakia [Case C-594/12].
We also now know that the US National Security Agency is using powers from the Patriot Act of 2001 [50 USC 1861] and the Foreign Intelligence Surveillance Act of 1978 (FISA) Amendments Act of 2008 [50 USC 1881a] (and previously using a highly-contested interpretation of the 2001 Congressional Authorization for the Use of Military Force against the 9/11 attackers) to gain access to large quantities of communications data from US telecommunications companies, as well as to compel the production of 'foreign intelligence' from 'remote computing services' run by companies including Microsoft, Google and Apple, and conduct large-scale surveillance of international data traffic. It seems the US government had no need for data retention laws, given the FCC regulation cited above and the NSA's ability to access and retain a comprehensive set of communications data for itself (with limited oversight from the secret Foreign Intelligence Surveillance Court established by FISA). Nor are US companies under any compulsion to limit the data they collect about their customers, or to delete such data once no longer needed for business purposes – both requirements for companies in state parties to the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [ETS no. 108].
The US and EU member states have extensive constitutional protections for individual privacy that limit the use of interception powers by government agencies. However, Snowden's revelations have demonstrated the difficulty of enforcing such limits on secret government programmes. This is particularly the case in the US for two reasons. The Bush and Obama administrations have aggressively asserted a 'state secrets' privilege obstacle to judicial review. And the Supreme Court rejected a Fourth Amendment challenge to the FISA Amendments Act from Amnesty International on behalf of a number of lawyers, journalists and human rights advocates, because those individuals could not prove that injury from surveillance was 'certainly impending' [Clapper v Amnesty International, Case 11-1025, 2013]. (We shall soon find out whether the US courts are more willing to act following the concrete evidence of surveillance revealed by Snowden).
In contrast, the European Court of Human Rights held in Klass and others v Germany [Application no. 5029/71] that:
[A]n individual may, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures, without having to allege that such measures were in fact applied to him. The relevant conditions are to be determined in each case according to the Convention right or rights alleged to have been infringed, the secret character of the measures objected to, and the connection between the applicant and those measures.
This is one of the key differences between the US and European legal regimes that may better protect privacy of Internet communications. A second is that communications data and other 'third-party' records are not protected in the US by the Fourth Amendment [Smith v Maryland, 442 U.S. 735, 1979] whereas in Malone v UK, the European Court held that: 'The records of [telephone] metering contain information, in particular the numbers dialled, which is an integral element in the communications made by telephone. Consequently, release of that information to the police without the consent of the subscriber also amounts…to an interference with a right guaranteed by Article 8' [Application no. 8691/79].
Thirdly, the Strasbourg court has explicitly rejected the idea that it is only the use, not the collection, of data that triggers a potential intrusion into privacy rights. Senior US officials have tied themselves in knots over the meaning of words such as 'collection', using that to mean only the 'intentional tasking or selection of identified non-public communications for subsequent processing' [USSID 18] rather than the plain English meaning. But in S. and Marper v UK, the European Court reiterated: 'The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8' [Applications nos. 30562/04 and 30566/04 §67]. These definitional issues will be key if the US courts choose to hear challenges to the NSA surveillance programmes (such as that filed with the Supreme Court by the Electronic Privacy Information Center on 8 July 2013).
Therefore, while it is fair to say that the US is not alone in requiring telecommunications companies to facilitate interception on their networks, there are significant differences in the constitutional limits placed on government use of that facility. As Judith Rauhofer pointed outin her response to Archer et al., judicial enforcement of these limits may take time. But the European Court of Human Rights has not previously shied away from dealing with intelligence issues, commenting in Leander v Sweden on 'the risk that a system of secret surveillance for the protection of national security poses of undermining or even destroying democracy on the ground of defending it' [Application no. 9248/81]. It is not inconceivable that the UK's sweeping Internet surveillance activities will be found, as the Court did in S. and Marper with the UK's National DNA Database, to 'constitute… a disproportionate interference' with privacy that 'cannot be regarded as necessary in a democratic society'.
Dr Ian Brown is Associate Director of Oxford University's Cyber Security Centre, and Senior Research Fellow at the OII. He is to give the keynote lecture at the SCL Policy Forum on Thursday 12 September. His most recent books are Regulating Code: Good Governance and Better Regulation in the Information Age (with Christopher T. Marsden) and Research Handbook on Governance of the Internet.
The Ready Guide to Intercept Legislation 2, SS8 Networks, 2008. Protecting the Public in a Changing Communications Environment, UK Home Office (Cm 7586), 2009, p.8.
The use of the Internet for terrorist purposes, United Nations Office on Drugs and Crime, 2012, pp.47-50.
International Data Privacy Law special issue on law enforcement access to private sector data, Oxford University Press, 2012.
How to feign outrage over PRISM, P. Fleischer, 2 August 2013 [http://peterfleischer.blogspot.co.uk/2013/08/how-to-feign-outrage-over-prism.html]
NSA Office of the Inspector General Review of the President's Surveillance Program, Working Draft ST-09-0002, 2009 [http://www.scribd.com/doc/150401523/NSA-inspector-general-report]