On International Data Privacy Day - who is reading your emails?
On International Data Privacy Day, it is important that we all ask ourselves: who has access to our personal information? Who can find out where we’ve been and who we’ve called, who can read our emails and our text messages? Who can find which websites we access and which files we download?
Statistics released by Google and Twitter over the past week are a sobering reminder that it is not only the corporations to which we consensually provide this information which are able to access it. Governments regularly these and other internet companies seeking the opportunity to delve into our personal lives. In the last six months of 2012, Google received 21,389 applications for access to user data, encompassing everything from identity information to search histories and IP addresses. The US government made more requests than any other country with 8,438 applications for user data. And such requests are being made by governments with accelerating frequency – government requests have increased by 70% in the past three years. Twitter received 1009 requests for user information in the second half of 2012, 160 more than in the first half of the year.
Today, Google released information about the procedure it claims to follow when responding to such requests. Reassuringly for Google users, these processes – assuming they are followed – are as rigorous as one could hope for, considering the pressure put on internet companies like Google to facilitate law enforcement activities. Google requires that governments keep requests discreet in scope, and demands that respective appropriate legal processes are followed. In order to be able to read your emails and see your Google Documents or photos, governments will have to produce a warrant.
The problem is, the respective appropriate legal processes differ considerably from country to country. While many countries require that a judge authorise access to personal information, some countries, such as the United Kingdom, allow police to authorize requests and sign orders, eliminating any judicial scrutiny of who gets access to your personal information. US legal processes stipulate that police must only obtain a subpoena, rather than a judge-issued warrant, to access users' email addresses and IP logs; Twitter's statistics reveal that 60% of the requests they received from US authorities in the second half of 2012 were accompanied by a subpoena. In countries where judicial independence is an afterthought or where corruption is rife, the appropriate legal process might be little more than a rubber stamp for the whims of a police force. Raids on reformist newspapers and arrests of journalists in Iran over the weekend – no more than thinly-veiled acts of intimidation designed to silence media criticism – were authorized by a judicial search warrant.
Although internet companies reject a great many requests because they do not meet the applicable criteria (only 1% of Russia’s 97 requests made to Google between July and December 2012 were accepted; only 5% of Japan's requests to Twitter in the same time period were accepted) they cannot be expected to judge the legitimacy of every request, particularly when such requests are often cast as urgent and essential to the prevention of a crime. Moreover, Google applies their approval process voluntarily; in the absence of any global regulatory regime on access requests, we must confirm that other internet companies are rigorous when deciding whether to hand over over your personal information to police.
Privacy International is determined to convince governments to change their legal processes to ensure that protecting the individual’s right to privacy is prioritised when it comes to accessing personal data. Which is why we’re working with other NGOs to draft a set of International Principles on Surveillance and Human Rights that set out what international human rights obligations demand of governments when they are thinking about accessing an individual’s personal information. Human rights require governments to weigh the sensitivity of the information they want against the reason they want it, and to access peoples’ information and read their emails only in the most serious and exceptional circumstances. Only where human rights are at the heart of any legal process regulating access to information can individuals be assured that their personal information is safe from prying eyes, including those of their governments.