Towards international principles on communications surveillance
Communications surveillance is one of the most significant threats to personal privacy posed by the state. This is why many statements of fundamental rights across the world give special regard to the privacy of communications. For example, the Universal Declaration of Human Rights states in Article 12:
No one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks.
The International Covenant on Civil and Political Rights makes a similar statement in Article 17, and also grants everyone the right to the protection of the law against surveillance. Article 10 of the African Charter on Rights of the Child, Article 11 of the American Convention on Human Rights, Article 17 of the Arab Charter on Human Rights and Article 8 of the European Convention on Human Rights contain similar provisions. We have also identified over 60 countries that have similar statements in their national constitutions.[1]
Yet as innovations in surveillance techniques and new, more invasive, government policies continue to emerge,[2] we need to ask ourselves how these statements can be applied and enforced in reality.
Why we need lawful access principles
PI has worked to protect human rights from encroaching and increasing surveillance powers for over 20 years. Our work has included:
- campaigning for individuals' rights to secure their own communications using cryptography during the so-called 'crypto wars'
- fighting ambitious communications surveillance laws, including the Regulation of Investigatory Powers Act in the UK and the EU Data Retention Directive
- pressuring companies to build privacy and security into their communications services
- pushing back against unlawful surveillance by governments and companies
Throughout these campaigns, we always felt that there were certain unanswered questions that rendered the foundations of any fight against communications surveillance a little shaky. What safeguards were we actually seeking? How do we qualify a good practice and a bad practice? These questions have arisen again and again, whether we're comparing communications surveillance practices around the world, working with partners in developing countries who are seeking to clarify vague colonial-era laws, or trying to figure out the legal basis for the use of new surveillance technologies, such as trojans and IMSI catchers, identified during our Big Brother Inc. project. As a result, we were driven by an interest to clarify when and how governments may access individuals' data. In our efforts to answer these questions, to pin down precisely what we wanted from legislators, regulators and policy-makers, we approached Google.
PI and Google
PI and Google have not agreed on much over the years. We've disagreed over Gmail advertising, retention periods for search data, and Streetview. We've disagreed on legal frameworks. But one area in which our interests and beliefs have more or less aligned is the Google Transparency Reports, particularly their presentation of statistics on the number of user data requests Google receives from government agencies and courts. While we don't feel that Google should have all this data in the first place, in that Google could design their systems and policies to reduce the collection of information and reduce retention periods, we tend to agree that greater transparency about how and when governments try to obtain access to this data usefully informs the public debate over modern surveillance powers.
We have been working with Google since the launch of the first Transparency Reports in 2010, but it wasn't until the spring of 2012 that we decided to meet to discuss what kinds of laws around the world were enabling government access to individuals' data and communications. Then, in April 2012, news emerged that the British government was planning on reintroducing highly-invasive domestic mass surveillance plans that had been floated by the previous government in 2006 but shelved in 2009 before the election. Both Google and PI felt that the time was right to have a deeper conversation about where communications surveillance laws were heading, and we quickly realised that we needed more people to take part in that conversation. We needed to understand the technologies of surveillance, the legal protections available under charters and constitutions, and the political realities in various different countries - thus what began as a small meeting between PI and Google quickly turned into a co-hosted workshop.
[Note, we do not accept donations from Google or any other company. We received special approval from our Trustees to engage in this relationship with Google, particularly as Google was paying for our travel and accommodation, and that of other participants who needed financial support.]
This workshop was held in Brussels in October 2012, and consisted of over 40 experts in technology and law with backgrounds in industry, academia, the legal sector and, of course, civil society. We all spent two days pinning down the technical details of observing modern surveillance techniques and discussing possible policy responses. It would have been easy to replicate the Digital Due Process model, an American coalition of civil society and industry that has agreed a set of US-specific principles. In fact, we even used those principles as a starting point, but quickly realised that much more was needed. I hesitantly circulated some preliminary principles - very much in draft form - to the participants.
We weren't entirely sure what we wanted to get out of the workshop. PI's approach is often to bring together the best and brightest people we can identify within our networks and see what happens. We knew we didn't want to repeat the great work already done by others - the Digital Due Process Coalition being the first to spring to mind, but also the excellent Global Network Initiative (which is working to inform and influence the conduct of industry). We were also aware that many advocates are currently working to ensure that the EU's review of European data protection law will ultimately limit data processing by companies and grant stronger rights to individuals. What we wanted to know was whether there was anything we could do about legal frameworks around government access powers specifically, at national, regional and perhaps even global levels.
With that ambitious yet hesitant approach, I opened the workshop with a talk about why we were all here. I asked the people in the room whether they could help us understand what differentiates good law from bad, and then identify meaningful safeguards that would allow anyone, anywhere in the world, to identify and promote the former and combat the latter.
To my surprise, the idea of a set of principles gained momentum during the two-day workshop. There were so many ideas about the principles that it took four more days of drafting and redrafting to capture the nuances of the discussions we'd had. Many people hadn't been able to join us for the workshop, so we conducted a further consultation process by email. The principles quickly turned into an extremely long document consisting of highly prescriptive statements that were often specific to the situations of the consultees.
With colleagues at various organisations, including EFF, CIPPIC and Google, we then spent almost a month editing, consulting, redrafting, consulting and deleting in order to produce a shorter, more accessible document. We wanted to produce a set of high-level principles that would be, as far as possible, generally applicable in different jurisdictions around the world, and that would allow people to expand on the elements of each principle according to their various needs.
In late October, we finally posted a version of the principles (available at http://necessaryandproportionate.net) for the workshop participants, so that they could flag up points they felt we had missed or improperly included. We then circulated it to other partners and advisors around the world to check that the principles stood the test of international scrutiny. We continued to update the document, and established a steering committee to review the suggestions we received. We've had amazing feedback from people across dozens of sectors and countries, with particularly helpful comments from experts and organisations in Canada, Chile, Germany, India, the Netherlands, the Philippines, Senegal, and Zimbabwe.
However, we also had some feedback about a lack of transparency around the early stages of the process. Our failings in this respect were primarily a result of not knowing where this was all going until relatively late in the day. Back in spring, we weren't in a position to declare: "PI will develop an international framework for the protection of communications privacy in the modern era!". We hoped that we would get something tangible out of the workshop, but we didn't want to predict the outcome or constrict the discussion. We didn't want to develop something that was solely a PI-branded document. Ultimately, PI will be only a signatory to the principles - they don't 'belong' to us any more than they belong to Google, or to the Electronic Frontier Foundation, or to any one of the other participants.
I've written this blog in an effort to clarify some aspects of the principles and the process by which we arrived at them. There's still a long way to go. But I'd also like to take the opportunity to celebrate a significant achievement. The principles may not be "all things to all men", but I hope they will eventually prove an incredibly useful tool for advocates and activists fighting for the right to privacy and combatting invasive state surveillance anywhere in the world. I would also love to see the principles become part of the language of the debate, allowing people in government, legislatures, academia, and industry to articulate concerns and interests around surveillance.
We look forward to spending the next few weeks in further consultation with people from across the world, to, again, get the best and brightest minds focused on this most important challenge.
UPDATE February 4 2013: Since our Brussels workshop, the Electronic Frontier Foundation led a workshop about the principles in Rio de Janeiro in December 2012, and together we launched a global consultation that ended in January 2013, and we have since been working on revising the text. We hope to publish the finalised principles in March 2013.
- 1. Countries with explicit statements about communications privacy in their constitutions include: Bolivia, Brazil, Bulgaria, Burkina Faso, Burundi, Cameroon, Chad, China, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Dominican Republic, East Timor, Ecuador, Estonia, Ethiopia, Fiji, Finland, Georgia, Germany, Greece, Guatemala, Haiti, Iran, Italy, Kazakhstan, North Korea, South Korea, Kosovo, Kyrgyzstan, Latvia, Liberia, Lithuania, Luxembourg, Mali, Moldova, Monaco, Mongolia, Nepal, Netherlands, Nicaragua, Nigeria, Paraguay, Peru, Philippines, Romania, Russia, Rwanda, Serbia, Slovakia, Slovenia, South Africa, Spain, Sudan, Suriname, Sweden, Switzerland, Syria, Taiwan, Thailand, Turkey, Turkmenistan, Ukraine, Uruguay, Venezuela, Vietnam.
- 2. See for example, the UK Government's draft Communications Data Bill.