Zakharov v Russia: A refresher on how far Europe has come
Sometimes it takes an unexpected stranger to remind you what you have, and what you are at risk of losing. Roman Zakharov, a Russian publisher who challenged Russia’s surveillance legislation, is that stranger for many Brits and Europeans. The Grand Chamber of the European Court of Human Rights judgement on Friday 4 December 2015 was remarkable, not because it tore up the rule book on the jurisprudence surrounding state surveillance in the Council of Europe, but because it followed that rule book, applied it to a modern surveillance framework, and came out with a damning assessment of that framework.
The judgement revealed three things that should kept in mind by any government gearing up for a reform of its communications surveillance laws:
1) Requests for interception authorisations of individuals that lack specific details such as a specific person, telephone number or premises to be surveilled (either by person, telephone number) are not capable of ensuring due and proper consideration.
2) Authorisation and oversight are not just about who is involved in the authorisation, but include the standards used to scrutinise the request for authorisation and practice of scrutiny.
3) Direct access to telecommunications networks by law enforcement or intelligence agencies does not provide adequate and effective guarantees against abuse.
Roman Zakharov is the editor-in-chief of both a publishing company and of an aviation magazine, as well as the Chairperson the St Petersburg branch of Glasnost Defence Foundation, an NGO that monitors the state of media freedom in the Russian regions. In December 2003 Zakharov began proceedings in Russia against Order no. 70 of the State Committee for Communications and Information Technologies. The Order required telecommunication providers to install equipment on their networks that would allow for, among other things, direct access to the network without involving specific requests to providers.
In 2014 Vodafone released a worldwide law enforcement disclosure report that revealed that in some jurisdictions, providers were required to provide “direct access” to their communications networks. The report explained that direct access gave authorities access to information and bypassed any form of operational control over the interception on the part of the provider. Direct access is a deeply concerning method of surveillance that Privacy International has strongly spoken out against in the past. The operation of direct access in the System of Operative Investigative Measures (SORM) Framework - the surveillance infrastructure used by Russia and many Central Asian states - has been exposed by Privacy International in the past.
What news for the IP Bill in the UK?
The implications of this judgment go beyond Russia. Other European countries have introduced laws or are considering legislation that do not pass the tests of legality, necessity and proportionality set out by the European Court. In the UK, the review of the Investigatory Powers Bill would benefit from considering the Zakharov judgement. Particular attention should be paid to the Court’s decision on authorisation procedures, the practical realities of oversight, and the operation of technology that allows for direct access to telecommunications networks.
The Court’s judgement does not break new ground, and the decision is littered with familiar cases to those who have followed surveillance and privacy in Europe over the last 10 years: Weber and Saravia , Klass and Others , Kennedy , Liberty and Others , all of which are landmark judgements that have had telling influence on the decision of the Court.
The Court distilled the body of its case law to summarise the requirements of an interception authorisation, which “must clearly identify a specific person to be placed under surveillance or a set of premises as the premises in respect of which the authorisation is order.”For example, Part 6 of the Investigatory Powers Bill contains the powers for Bulk interception warrants. The warrants require little more than showing that the communications to be intercepted are “overseas-related communications” meaning communications sent or received by individuals outside the British Islands. That's it. No specific individuals or specific groups, no specific telephone numbers, no specific premises. Similarly, very broad powers are included for other “Bulk” powers, including bulk Government hacking. Part 6 of the IP Bill would struggle against the clear standard communicated by the Court for interception authorisations. This goes to the broader point too: the Zakharov judgement has reinforced this current standard demonstrating that surveillance powers must remain necessary and proportionate.
As Marko Milanovic had said in his blog earlier the week, it is noteworthy that the Court looked at both the provisions of Russian law and the practice of the oversight of surveillance in Russia. This led to the Court calling out the lame Russian practice of District Courts who “never request the interception agency to submit [supporting] materials and that a mere reference to the existence of information about a criminal offence or activities endangering national, military, economic or ecological security is considered to be sufficient for the authorisation to be granted.” In the UK, the challenge with IP Bill is that it is leaving judges ham strung in their ability to approve the authorisations for interception or other surveillance powers by having them only apply the principles of judicial review.
Judicial authorisation is not satisfied merely at the level of the principle of some kind of involvement. Judges must be sufficiently empowered to verify the existence of reasonable suspicion against a person concerned by the proposed surveillance as well as the capacity to assess the lawfulness, necessity and proportionality of the request for authorisation of surveillance.
By mandating judicial commissioners to apply the principles of judicial review, commissioners would only be empowered to assess whether the correct procedure had been followed by the Secretary of State. In practice, the judge's question would not be “Is the request authorisation necessary and proportionate?” but “Has the Home Secretary considered the necessity and proportionality of the request for authorisation?”. That is a significantly less empowering question that is being presented to the public as part of a “gold standard” of surveillance legislation. At the moment, it is barely basic standard.
All of this together points to the broader conclusion, mentioned by the European Court of Human Rights, that direct access by law enforcement or intelligence agencies to telecommunications networks risks arbitrary searches and seizures and abuse, all being undertaken in a secret surveillance framework. The Court was unequivocal: inadequate and ineffective regulation of secret surveillance risks destroying democracy.
While the risk is particularly high in Russia, these principles also exist in the EU and the Zakharov judgement should be used to reinforce the importance of such principles as the UK debates the IP Bill. The case restates that a system of surveillance cannot operate without oversight that meaningfully restricts the risks of abuse. The case also acts as a reminder that as modern surveillance technologies allow greater intrusion into our private lives online, the level of oversight must increase equally to ensure vigilance in protecting against such abuse. This was always the case, Zakharov just helped to remind all of us of that.