A Letter from the UK: Our Surveillance Debate
Commentary, 27 November 2013
By Lucy Purdon, Policy Officer, Privacy International; Research Fellow, IHRB
This commentary was originally published by the Center for Global Communication Studies
I was recently invited to the Annenberg School for Communication at the University of Pennsylvania to present IHRB’s Digital Dangers project on the ICT sector and human rights, and to discuss with students our recent study on how Safaricom addressed the issue of hate speech during the recent elections in Kenya.
While visiting the US, I was struck by the Atlantic-sized difference in the level of public debate in the US and UK following the publication of a cache of documents leaked by Edward Snowden, which revealed mass data gathering practices by the US National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ).
It has been almost six months since The Guardian began publishing documents in the UK. More information has emerged regarding massive state surveillance and data sharing practices in a number of countries, followed by outrage in Europe, South America and the United States. Even though, as Snowden said, “the UK has a big dog in this fight,” protest and discussion in the UK to date has been minimal. There has been a lack of political debate, perhaps due to the complexity of the issue, and general apathy from the public. A few other British newspapers went so far as to condemn The Guardian for acting in a way that threatens national security.
Documents outlining the NSA programme Prism showed how the UK intelligence agency GCHQ could also, from the Prism programme, access data on UK citizens and possibly beyond, raising questions about whether this process allowed GCHQ to circumvent existing UK law designed to protect privacy. Shortly after the story was published, the UK Foreign Secretary, William Hague, maintained in a speech to Parliament that innocent people had nothing to fear. He rightly explained that for intelligence agencies to access the content of private communications, a warrant is needed, signed by the Foreign Secretary, the Home Secretary, or another Secretary of State. Experts contend that the key issue concerns metadata rather than content. Metadata, information generated by technology use, reveals a lot about our movements through who we contact, the websites we visit, and our location where we made these enquiries.
A short inquiry by the UK government’s Intelligence and Surveillance Committee (ISC) in July cleared GCHQ of circumventing UK law. The inquiry, however, concentrated on information GCHQ requested from the US regarding particular warranted suspects rather than the legality of sharing information on British citizens with the US. The inquiry also only focused on the content of private communications intercepted and not metadata. Laws on the interception of metadata and internet traffic, which can determine patterns of communication from metadata, are not the same as content, as outlined in the Regulatory and Investigatory Powers Act (RIPA). Metadata can be shared with a wider group of public authorities than content and interception authorised by a senior official in that public authority. As information and communication technology (ICTs) develop, more metadata exists and intercepting it can be as powerful as listening to a phone call. The absence of a focus on this in the inquiry suggests that, at that time, there was a lack of knowledge about the power of metadata.
In the following months, The Guardian published additional documents revealing GCHQ’s programme Tempora, in which probes were placed on trans-Atlantic fibre optic cables. Probes enabled the gathering and storing huge amounts of internet traffic and metadata, allowing mass surveillance of communications flowing in from North America and onto Western Europe in one easily searchable database.
GCHQ was not acting alone. Companies seem to have helped in the process. Companies in the UK (including BT and Vodafone) allowing GCHQ to access their network of undersea cables as part of the Tempora programme, have remained silent on the issue so far. UK based NGO Privacy International wrote to the six companies implicated in the Tempora programme asking the companies to outline company policies for assessing the lawfulness of government requests, describe any requests they received from authorities to intercept information, any steps taken to oppose or resist such orders, and the amount they have been paid for their cooperation with governments. They received no response.
In the US, companies implicated in the Prism programme (including Google, Facebook, Yahoo! and Microsoft) were quick to demand transparency. Companies have petitioned the US government to allow all government requests, including those from secret court orders, to be aggregated in their “transparency reports”.
The UK government has done little to address fears that as technology develops, so does the opportunity for unchecked surveillance and raise questions as to whether our current laws lack the protections needed. In fact, they have moved to block such enquiries. For example, the UK moved to delay a Council of Europe declaration calling for an investigation into whether the gathering of data by intelligence agencies is consistent with the European Convention on Human Rights. The UK was the only country to object out of 47 member states. Such actions risk damaging the UK’s standing as a country that promotes and protects freedom of expression and privacy.
Frustration at the lack of response from the government and companies has compelled civil society in the UK to act, using any and all mechanisms available to push forward the debate and call for greater accountability. In an attempt to break the silence of companies implicated in the Tempora programme, Privacy International has nowfiled six complaints with the Organisation of Economic Cooperation and Development (OECD), alleging there are grounds to investigate whether the corporate responsibility to respect human rights has been breached under theOECD Guidelines for Multinational Enterprises.
A group of civil society organisations have filed papers at the European Court of Human Rights alleging that GCHQ’s data gathering practices infringes on the right to privacy. Their justification for going straight to the European Court is the lack of sufficient domestic mechanisms to address the issue.
While intelligence agencies must conduct secret operations when appropriate, and GCHQ, like the NSA, undoubtedly acts as per its mandate, there is a growing sense that many, including the government, have been kept in the dark about the extent of surveillance as technological capabilities grew over the years. Some Members of Parliament (MPs) have started to ask difficult questions and we must keep encouraging them to do so. Many questions remain unanswered, such as whether existing laws need to be amended to limit the potential for mass, untargeted and disproportionate surveillance, and whether further controls are needed on collecting and sharing metadata.
To move forward, governments will have to be more transparent, but companies too will have to take a hard look at their own policies. They will have to challenge more, and civil society will have to become more vigilant to ensure that human rights are not sacrificed at the altar of national security. The Guardian continues to publish documents handed to them by Snowden, despite many threats against them, including a visit by government officials who told them to destroy hard drives and a laptop containing the Snowden documents. Officials told the journalists that there had already been “enough debate.” The debate has in fact just begun; the time has come for action.