The Draft Communications Data Bill was published on the 14th June. It had been much anticipated, particularly by privacy advocates, and dubbed the ‘snooper’s charter’, a nickname that seems eminently appropriate. That it could pose a threat to privacy has already been discussed at some length. That it poses a threat to other human rights may not be quite so obvious: that is the subject of this blog.
A ‘Snoopers’ Charter’?
The Bill grants powers to the Home Secretary (or another cabinet minister) to order the gathering and retaining of any ‘communications data’ by ‘telecommunication operators’. The key point here is that the intention is to gather and retain all the data: this is universal surveillance, with the limitations and controls only over access to the data. The data will be required to be held for 12 months, and access will be controlled through a system of safeguards which effectively mean that ‘designated senior officers’ will need to approve requests for data – though precisely what constitutes as ‘designated senior officer’ remains unclear. Much is made of the fact that the ‘contents’ of communications are not to be gathered and retained, but only the ‘traffic data’ – who you are communicating with, how, when and so forth – but as shall be discussed below, this is not nearly as significant an exclusion as it might seem.
The terms ‘communications data’ and ‘telecommunication operators’ are defined very broadly – and therein lies the fundamental challenge of the bill. It could cover conventional telecommunications – anything from pigeon-post to email – but, as it is written and intended, it could also cover almost any activity on the internet. When you visit a web page, for example, you send a ‘communication’, via your internet service provider (‘ISP’) to the server where the web page is held, and a ‘communication’ is sent back to you: the contents of the web page itself.
The idea behind this very broad definition is that it will not just cover conventional emails and so forth, but all the other varied forms of communications used on the internet – from instant messaging to Twitter and Facebook messages, commenting on blogs and so forth, and indeed any new forms of communication that arise. The implications, however, are immense: it means that all of our online life can and will be recorded and potentially made available for scrutiny and use.
This has human rights implications beyond the obvious-seeming intrusions into our private correspondence – one part of Article 8 of the European Convention on Human Rights (ECHR) – into our private lives themselves, and further, upon Articles 9, 10, 11 and 14 of the convention.
Article 8: Respect for Private and Family Life, Home and Correspondence
On the surface, it might appear that ‘communications data’ relates to the ‘correspondence’ part of this Article – and indeed communications like telephone calls, emails, text messages, tweets and so forth do fit into this category – but internet communications data has a much broader impact upon the ‘private life’ part of the Article. Web-browsing data, for example, can reveal far more intimate, important and personal information than might be immediately obvious. It reveals which websites are visited, which search terms are used, which links are followed, which files are downloaded – and also when, and how long sites are perused, using what kind of computer, phone or other device and so forth. When all the other data that is being gathered under the terms of the Bill – from traditional communications data like email, text messages and phone calls to music listened to on Smartphones, geo-location data etc – is added to this mix, aggregated and analysed, the potential becomes even greater.
This data can reveal habits, preferences and tastes – and can uncover, to a reasonable probability, religion, sexual preferences, political leanings etc. It can dig deep into our personal lives. We use the internet to establish and support personal relationships, to find jobs, to bank, to shop, to gather the news, to decide where to go on holiday, to concerts, museums – or football matches. Some use it for education and for religious observance – checking the times and dates of festivals and so forth, or details of dietary requirements. There are few areas of our lives that remain untouched by the internet – and those areas are reducing all the time.
Analysis and profiling
What is more, analytical methods through which more personal and private data can be derived from browsing habits have already been developed, and are continuing to be refined and extended, most directly by those involved in the behavioural advertising industry. Significant amounts of money and effort are being spent in this direction by those in the internet industry – it is a key part of the business models of Google, Facebook and others. It is already advanced – but we can expect the profiling and predictive capabilities to develop further both in scope and in accuracy in the future.
This is not profiling in the conventional ‘psychological’ form, based on educated guesses and theoretical associations: it is mathematical profiling, based on correlations determined by comparisons of massive amounts of data. Profiling like this doesn’t make judgments – and as a consequence has the potential to be far more accurate than the more conventional kind. And, importantly, the techniques and technologies developed to profile for advertising can be applied just as easily to other forms of profiling, whether they be political, religious, ethnic, or any other kind.
What this means is that by gathering, automatically and for all people, ‘communications data’, we would be gathering the most personal and intimate information about everyone. The Bill is not about gathering a small amount of technical data that might help in combating terrorism or other crime – it is about universal surveillance and ultimately profiling. That ‘content’ data is not gathered is of far less significance – and that focusing on it is an old fashioned argument, based on a world of pen and paper that is to a great extent one of the past. The surveillance and profiling enabled by the Bill is something new, and something that impacts not only on our private lives, but on many other aspects of our human rights.
Article 9 – Freedom of thought, conscience and religion
This kind of profiling is what brings Article 9 into play: it can be possible to determine (to a reasonable probability) individuals’ religions and philosophies, their languages used and even their ethnic origins, and then use that information to monitor them both online and offline.
Although it would certainly be a stretch to suggest that such profiling might allow a profiler to know what someone’s thinking, that, effectively, is its aim, and it may well get significantly closer to achieving that aim than we realise. What is more, the profiling techniques – and the databases upon which those profiling techniques are based – are improving all the time. From the perspective of the profiler, precise accuracy may not be crucial: a reasonable probability may be all that is needed. From the perspective of those being profiled, the situation is very different – and problems may arise from both accurate and inaccurate profiling. A real ‘dissident’, for example, may be located and imprisoned by an accurate profile, while an ‘innocent’ may be unfairly punished by an inaccurate profile. Either way, the consequences can be disastrous.
Article 10 – Freedom of Expression
Though the connection between freedom of expression and privacy may not be obvious – indeed, the two may appear at times to be in conflict – for freedom of expression to function properly there must be a degree of privacy.
Two examples demonstrate how works. The first is the Nightjack saga. Nightjack was a blogger, a police ‘insider’ – and in order to get his stories out into the world, he needed to be able to protect his identity. He needed to be able to control who knew what about him – and the kind of surveillance envisaged by the Communications Data Bill could have put that at risk. When his identity was revealed – through a sorry tale of computer hacking and mismanagement at the Times – it meant that Nightjack effectively ceased to exist. Freedom of expression was curtailed through a lack of privacy.
The second, more gruesome example, comes from Mexico. Over the last few years at least four Mexican bloggers have been brutally killed by the drug cartels about whom they have been writing. Precisely how they were discovered and their identities revealed is not clear, but the kind of tools that the Communications Data Bill could provide would have made it possible – and the idea that giving such tools to the Mexican police would mean that they wouldn’t get into the hands of the drugs cartels would be naïve to say the least.
It is not just in these kinds of situations that privacy is crucial for free expression: there are many more, from those dissenting against oppression to those threatened by abusive spouses, to whistleblowers and so forth. Without a reasonable expectation of privacy, many of these would simply choose not to speak out – as Jo Glanville of Index on Censorship has argued, privacy is essential for free speech to thrive.
Article 11 – Freedom of Assembly and Association
The internet offers previously unimaginable tools for groups – and for ‘assembly’ and ‘association’ of all kinds. Online communities have developed – using services like social networking, instant messaging, message boards and so forth – and ‘real world’ groups have used the same tools to facilitate their ‘real world’ meetings and communications. In this way, the internet can often be seen as a force for ‘good’, for ‘democracy’ and so forth. Many commentators have suggested that the internet played a key role in the Arab Spring – and though its role has probably been exaggerated, the internet was certainly used by many of those organising the resistance in Tunisia and Egypt in particular.
However, when communications (and in particular the internet) are used to organise meetings, to communicate as groups, to assemble both offline and online, internet surveillance can become significant and potentially dangerous. Meetings can be monitored or even prevented from occurring, groups can be targeted and so forth. Oppressive regimes throughout the world have recognised and indeed used this ability – in Tunisia, for example the former regime hacked into both Facebook and Twitter to attempt to monitor the activities of potential rebels.
It is not, however, just in extreme situations like that of a political uprising that internet surveillance comes into play. Authorities in the UK, for example, might argue that it would be right to monitor social media during a riot – and with some justification. But what about a peaceful protest? And then what about those organising a protest, before the event? How about a trade union? It is easy to make a decision on an extreme case – but the grey areas come into play much more easily than might be obvious, and the temptation for authorities to use tools once they’re there might well be too hard to resist. When newer technologies like geo-location data – knowing where people are in real time, through their mobile phones’ GPS systems – are taken into account, they might become irresistible.
Article 14 – Prohibition of Discrimination
Not only can surveillance and profiling enable discrimination – it can even potentially automate it. As discussed above, it may be possible to determine almost any kind of detail about a person online through profiling – their age, religion, nationality, ethnic origin and so forth. A key difference about the internet from ‘real world’ situations, however, is that decisions and options available to a person may be automatically controlled on the basis of that profiling – and the person involved may never even know what is happening. A website could be set to assess the profile of the person visiting and change the options displayed dependent on any aspect of that profile – this kind of ‘personalisation’ is one of the ideas being most actively developed by the big players on the internet at the moment. The downside is that this ‘personalisation’ could easily be used in discriminatory ways – offering different prices to people of different religions, for example, or making certain options simply not appear if the profile suggests a user is of a particular race. The idea of a ‘whites-only website’ becomes at least a theoretical possibility.
This may seem like an Orwellian nightmare – but it is becoming a practical proposition. A recent exposé of the Orbitz hotel-booking website showed that their system was filtering out those who use Apple Macintosh computers and offering them more expensive hotels to book. Discrimination according to the computer used may be legal – and even acceptable – but it indicates what is possible, and the potential for misuse is clear.
‘Necessary in a democratic society’?
Of course the Articles referred to above are subject to the usual qualifications – that they can be interfered with as ‘necessary in a democratic society’ for national security, economic well-being, prevention of disorder and crime, health, morals etc. That, ultimately, is the rub. In what way, and to what extent, is internet surveillance ‘necessary’ in a democratic society?
That is the question that needs to be answered. Internet surveillance can interfere significantly with the rights of individuals – not just with their privacy but with freedom of expression, with freedom of assembly and association and with freedom from discrimination. Given this, the bar should be very high in terms of the ‘need’ for that surveillance – and proper evidence needs to be presented and scrutinised before that ‘need’ is accepted. To date, the evidence provided has been scanty at best.
Dr. Paul Bernal is a lecturer in the UEA Law School and a member of media@UEA. He blogs at: http://paulbernal.wordpress.com/ and tweets as @paulbernalUK.
Suggested citation: P. Bernal, ‘The Draft Communications Bill and the ECHR’ UK Const. L. Blog (11 July 2012) (available at http://ukconstitutionallaw.org).