The Snowden revelations on mass surveillance practices, especially by
the US and UK, have triggered a global struggle over the right to privacy—
and a report by the outgoing UN human-rights commissioner has set the
terrain for the next phase.
Resistant to scrutiny: the NSA headquarters in Maryland. Amonbelial / Wikimedia. Creative
Commons.
What have the US and UK done in the past year to rein in mass surveillance?
For the millions of global internet users, the answer is: not much. Despite
worldwide outrage and debate, US talk of safeguards and reform has brought
half-measures at best. The UK government has refused to answer the most
basic questions about its intelligence gathering practices—and, in an
astounding act of hubris, rushed through a law last week which extends
surveillance powers.
The actions of the US and UK stand in stark contrast to a groundbreaking and
forceful report released last week by the UN high commissioner for human
rights, Navi Pillay, about privacy in the digital age. Many of her findings directly
challenge US and UK arguments defending secret, mass surveillance.
Pillay found that mass surveillance was “emerging as a dangerous habit rather
than an exceptional measure”. She said unchecked snooping could harm a
range of human rights, including freedom of expression and association. The
onus was on governments, she said, to demonstrate that their practices were
Home About Team Supporters What they say Donate Submit Contact Jobs Login or Register
openIndia civilResistance Beyond the Squares Digital Commons openSecurity openMovements
necessary and proportionate. In other words, spying on everyone because you
can doesn’t mean you should.
Pillay’s report followed sustained action from privacy advocates and a group of
countries, led by Germany and Brazil, to press the US and UK to stop mass
surveillance and safeguard the privacy of people around the world. Germany
and Brazil, along with Austria, Liechtenstein, Mexico, Norway, and Switzerland,
had led the drafting of the December 2013 UN General Assembly resolution
calling for the high commissioner’s report—a resolution which the US and UK
pushed, somewhat successfully, to water down.
Germany and Brazil’s continued leadership is crucial for keeping digital privacy
on the UN human-rights agenda and driving real reform at the national level.
The report will only strengthen their hand if they pursue a UN resolution on
privacy later in 2014. Privacy advocates also need to scrutinise the practices of
individual governments for conformity with the high commissioner’s
recommendations. This is vital, not only in the face of US and UK inaction but
also because many other countries are expanding their own electronicsurveillance
capabilities. Unless mass surveillance becomes a global outlier,
rather than the norm, privacy will disappear in the digital age.
A human-rights scorecard
Pillay’s report provides the clearest and most authoritative account to date of
what the right to privacy requires—and an implicit rebuke of the US and UK’s
deeply flawed defences. Privacy advocates and governments should use it as a
scorecard for assessing protection of the right to privacy in all countries, starting
with the US and UK.
Surveillance must be proportionate and necessary for a legitimate aim
The report applies the basic standards of international human rights law, which
apply to interference with the right to privacy as with other rights: any intrusion
must be necessary and proportionate to a legitimate aim, such as protecting
national security or a similarly compelling state interest.
The revelations of the past year raise serious, unanswered questions about the
necessity and proportionality of the US and UK surveillance practices.
According to documents released by the former US National Security Agency
contractor Edward Snowden, the US and UK have been intercepting the
information of potentially millions of people, the vast majority of whom have no
connection to terrorism or wrongdoing, as data flow along transatlantic fibreoptic
cables.
In a recent analysis of a sample of intercepted communications, the Washington
Post found that 90% of accounts swept up in NSA surveillance were not
intended targets. Notably, US law allows the collection without a warrant of
foreign communications which merely “relate to the foreign affairs of the US”—
an extremely broad category. A recent opinion by the former internet-freedom
director in the State Department, John Napier Tye, points out that US
surveillance occurring outside its territory is subject to even fewer restrictions on
the scale of collection, supporting concerns that US practices are excessively
broad.
The US and UK governments contend that to find a needle in a haystack
security agencies must collect the haystack. This approach seems in direct
conflict with the principle of proportionality articulated by the high commissioner.
The US has taken almost no steps to curtail the scale and scope of information
which the NSA can acquire about non-US persons outside the country. In
January, in response to global outrage, the president, Barack Obama,
announced new limitations on retention and use of information gathered
through surveillance but did little to limit what could be gathered to begin with.
The UK has refused to answer questions about the scale of its data-collection
practices but what has been disclosed confirms what many had feared: not only
is snooping happening on a mass scale but existing laws do little to protect
privacy rights.
The onus is on governments to show their surveillance practices are not
disproportionate—and so far the US and UK have failed.
Governments must respect everyone’s right to privacy
The high commissioner made clear that countries should respect the right to
privacy, regardless of the nationality or location of those affected.
The US however denies it has any human-rights obligations to internet users
beyond its borders, despite calls as recently as March from the UN Human
Rights Committee to respect the privacy rights of all, at home and abroad.
While it has adopted some safeguards for non-US persons as a matter of
policy, these don’t go far enough to limit the scale of information collected
abroad.
The UK Regulation of Investigatory Powers Act 2000 (RIPA) allows for
government surveillance on broad grounds, with no independent scrutiny, and
provides scant safeguards for people outside the country. In the new law hastily
passed last week the UK actually extended the reach of its interception powers
under RIPA to foreign internet and telecommunications companies which
service UK customers. The changes meanwhile do nothing to address the lack
of safeguards for people outside the UK.
Shifts in digital communications have made it especially easy for the US and
UK to conduct broad, systematic surveillance of people beyond their borders.
One internet company can hold the data of hundreds of millions of people
worldwide and its home government may attempt to assert legal control over
those data. The internet’s infrastructure often results in email being routed
through several, unrelated countries—particularly the US—before it reaches the
recipient.
If all governments followed the US and UK approach, they would have limited
ability to protect the privacy of their own citizens against extraterritorial
snooping by other countries. There would be nothing left of the right to privacy
online.
Mere collection has impacts on privacy
US and UK intelligence officials contend there is no harm to privacy if personal
information is gathered but not examined. The high commissioner made clear,
however, that merely collecting information could interfere with privacy,
regardless of whether it was ever viewed or used. Even the possibility that
information in communications would be captured interfered with privacy
because of the “potential chilling effect on rights”, including those of freedom of
expression and association.
The report went further to recognise that metadata—data about
communications—can reveal highly sensitive information, especially when
digitised on a large scale. Because metadata enjoy less protection than the
content of communications under many countries’ laws, including those of the
US and UK, stronger safeguards are needed.
Mandatory data retention is neither necessary nor proportionate
The high commissioner confirmed that mandatory data-retention requirements
for technology companies are neither necessary nor proportionate.
The European Court of Justice ruled in April that the EU’s blanket data-retention
mandate breached the right to privacy, making the UK’s implementing
regulations unenforceable. Such mandates require internet and mobile service
providers to retain all customers’ communications data for a set period. The
court said the EU mandate flouted proportionality by invading everyone’s
privacy, regardless of whether they were suspected of any wrongdoing.
Yet the UK’s new emergency regulations preserve the government’s ability to
compel telecommunications firms to retain personal data about all users in the
country, ignoring the European court’s concerns.
Transparency, oversight and remedy
The high commissioner cited a “disturbing lack of governmental transparency”
around surveillance laws, policies and practices, hindering accountability for
unlawful snooping. She called for much greater transparency and emphasised
The US and UK governments
contend that to find a needle in a
haystack security agencies must
collect the haystack.
that surveillance could not be justified by secret laws or policies which granted
authorities too much discretion. The report also called for greater oversight by
all branches of government, including the judiciary, as a check against abuse.
Intelligence officials in the US cite multiple layers of oversight in the executive,
legislative, and judicial branches to protect against privacy violations. Yet its
secretive foreign-intelligence court, by design, plays a very limited role in
safeguarding the rights of people outside the US who may be swept up in NSA
surveillance. Members of congressional committees set up to oversee nationalsecurity
surveillance have also admitted to being surprised by some aspects of
the programmes Snowden revealed.
In 2008, Human Rights Watch
joined Amnesty International and
other human-rights and labour
organisations to challenge the
constitutionality of one NSA
programme. HRW was denied
standing because it could not prove
that it was under surveillance, effectively shielding US national-security
surveillance policies from judicial review. The Snowden revelations may now
prompt the court to reconsider its conclusion.
In the UK, oversight and accountability mechanisms have also proved
inadequate to prevent abuse of surveillance powers. A person who believes one
of the intelligence agencies has breached their right to privacy can file a
complaint before the Investigatory Powers Tribunal, a judicial body. But if the
tribunal does not uphold the claim it does not reveal whether the person’s
communications were intercepted—and its decisions cannot be appealed.
The UK’s new surveillance law provides for an independent review of this entire
area by May 2015, including issues of oversight, transparency and privacy. But
parts of the independent reviewer’s report which the prime minister considered
“contrary to the public interest or prejudicial to national security” might be
excluded from the version presented to Parliament. While this review may be
helpful, it should have been completed before the UK passed the new law—not
afterwards.
Responsibilities of technology companies
The high commissioner said that technology companies which complied with
government requests for surveillance assistance without adequate safeguards
risked complicity in any resulting human-rights abuses. She said internet and
telecommunications companies should assess whether their own datacollection
and privacy practices could bring human-rights harm to their users,
implicitly drawing a connection between company data-collection practices and
government access to data which companies hold.
In response to the Snowden revelations, technology companies have begun to
reveal information about how governments are asking them to assist with
surveillance. But much more scrutiny is needed to ensure that companies
minimise the amount of data they collect from users in the first place, as a
critical safeguard against government access to personal data.
Next steps
The high commissioner is expected to discuss the report’s findings during the
UN Human Rights Council session in September and to formally present the
report at the coming session of the General Assembly.
The report has armed Brazil, Germany and privacy activists worldwide with the
ammunition to counter the flawed US and UK defences of mass surveillance.
Brazil, Germany and their allies should ensure that any UN resolution they
pursue directly incorporates the report’s recommendations and findings in the
strongest language possible. They should resist any efforts to weaken the
standards the report so soundly articulates and should reinforce the high
commissioner’s call to countries to review immediately their national law and
practice to ensure full conformity with international human-rights law.
Another resolution, however is just a first step.
The Snowden revelations focused on the surveillance practices of only a
handful of countries. While many governments expressed outrage about
snooping by the NSA and its British counterpart, GCHQ, many also may have
privately responded with envy. Though few can match the resources of the NSA
or the GCHQ, governments worldwide are expanding their own digitalsurveillance
capabilities.
In just one example, Human Rights Watch documented how the Ethiopian
government had acquired mass-surveillance equipment, enjoying thereby
nearly unfettered access to intercepted mobile calls. The government has used
surveillance, under the pretense of anti-terrorism efforts, to silence political
dissent and harass critics.
Digital surveillance is also going to get cheaper and more efficient. Protecting
the right to privacy online requires sustained scrutiny of government
surveillance practices worldwide.
International human-rights bodies have paid insufficient attention to the impact
of surveillance on human rights. The Human Rights Council should create a
dedicated special procedure—an independent expert for the right to privacy—to
take the report’s recommendations forward. The expert should examine
national surveillance programmes, identify best practices to protect privacy and
make recommendations for meaningful national reforms.