Sunday reading: The government's Interception Modernisation Programme — the costs of security
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.— Benjamin Franklin, 1775
News across Europe has been reporting for months on the government's Interception Modernisation Programme. It is every bit as Orwellian as it sounds. As part of a European Commission directive, beginning on March 15th, all internet service providers in the UK will be required by law to collect records on all internet traffic and every e-mail, to be stored in a national central database.
According to the Office of Security & Counter-Terrorism at the Home Office in its 2007 Strategy, the Interception Modernisation Programme is critical for building intelligence to respond to terrorism and protect national interests. “Our ability to intercept communications and obtain communications data lawfully is critical to combating the threat posed by terrorism and tackling serious crime,” the Secretary of State reported to Parliament last year.
A spokesperson with the Home Office told BBC News that monitoring internet activity “will allow investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time.” While purportedly for national security, the information will be required to be made available to any public body that requests it, which could include law enforcement, local councils and health agencies.
Concerns are being widely raised, such as those of a chief IT security officer, that a centralized database magnifies security and privacy risks and that even the safety net of court permission will no longer be required. The track record of not just security breaches, but abuses of data by government agencies, supported concerns raised in the Daily Mail:
The powers always end up being used for something beyond what was originally intended. They told us the Regulation of Investigatory Powers Act was for 'defeating terrorism'. Then we found out Cambridgeshire Council was using it to check if newsagents were employing paper boys without the correct permits having been filled in. Other councils have used anti-terrorist legislation to spy on householders who overfill their dustbins.
Even greater potentials for abuses come with the Interception Modernisation Programme.
Softpedia editor, Lucian Constantin, raised especially troubling issues with a plan reportedly adopted by UK’s Home Office that will allow police and secret service agents to hack into computers and monitor traffic without the need of warrants, as well as give law enforcement agencies from other countries the power to request the installation of spyware on computers of any UK residents suspected of a serious crime. Such remote searches have been allowed in Britain with an amendment to the Computer Misuse Act, which until now it had been tightly restricted and controlled. According to the new proposal, Constantin reported, “police forces or MI5 agents will be able to conduct such intrusive surveillance based merely on the decision of a senior officer that it is ‘proportionate’ and necessary to the investigation of an offense that is punishable with a minimum sentence of three years in jail.”
The open-ended, poorly controlled powers have caught the attention of numerous civil liberties groups and IT security researchers. Currently, there are no safeguards in place to protect the public from the high risks for abuses. A spokesperson for the Home Office said details are still being worked out.
This spying will not come cheaply, the Daily Mail reported. Between 25 to 75 million pounds [approximately $115 million U.S. dollars] of taxpayers’ money will be spent every year on the program. Many question if the money is being well-spend or if a national database will actually keep anyone safer. Small ISPs, for instance, will be exempt, so what’s to prevent terrorists from simply switching their accounts to small providers. “That’s assuming those terrorists haven’t already dreamt up infinitely more sophisticated ways of communicating electronically.”
The greatest objections have been the invasion of privacy by the state and that the “presumption of innocence is being tossed out like an old sock.” It’s an attack on civil liberties and a step on the road to Big Brotherism, wrote Harry Phibbs. As the BBC reported:
The Earl of Northesk, a Conservative peer on the House of Lords science and technology committee, said it meant anyone's movements could be traced 24 hours a day. "This degree of storage is equivalent to having access to every second, every minute, every hour of your life," he said. "People have to worry about the scale, the virtuality of your life being exposed to about 500 public authorities.
Described as measures to ward off 'Communist acts of violence endangering the state,' these decrees suspended all fundamental freedoms of speech, assembly, freedom from invasion of privacy (mail, telephone, telegram) and from house search without warrant.
As it turns out, the government’s Interception Modernisation Programme marks the most significant departure from the privacy protections put into place in Europe after the human rights abuses of the Nazi Regime, partly attributable to the massive collection and monitoring of personal data by Hitler’s administration.
The most in-depth examination of the legal and historical aspects of the recent mandates across Europe calling for increasingly more monitoring by the State was recently published in The Jurist, a legal news and research publication of the University of Pittsburgh School of Law. It was by Virginia Keyder, instructor of European Union law at Bogazici University and Sabanci University in Istanbul, Turkey. As she noted, this trend threatens to limit fundamental individual rights in the name of every-widening definitions of state security. [Her long, intensive report is available here.]
She begins by writing:
The European media has recently been awash with horror stories of government excess in the area of electronic surveillance and retention (and loss) of personal data… And yet, the European Commission, aided most recently by the Advocate General of the European Court of Justice, has set its sights on not only assisting such excesses, but mandating them.
She chronicles in detail how Advocate General Bot upheld the competence of the EC Council to enact Directive 2006/24, which harmonizes States’ rules obligating all providers of public communication networks to retain certain data to ensure that it is available to the state for the investigation, detection and prosecution of serious crimes. Each member state in the EU can define a “serious crime” however it chooses.
“Article 5 of the Directive sets out the data to be retained, which include whatever is necessary to trace and identify the source and destination of all communication; the date, time and duration of the communication; the users communication equipment and even to identify the location of mobile communications. Article 8 then specifies that the data be retained so that it “can be transmitted upon request to the competent authorities without undue delay.”
“To the untrained eye,” she wrote, “it would be hard to imagine a more straightforward attempt to legislate for the purpose of collecting and retaining data for the purpose of police cooperation among member states.”
Protection of one’s personal data is a critical part of the fundamental right of privacy enacted at the Council of Europe European Convention on Human Rights, the International Covenant on Civil and Political Rights, and the EU Charter of Fundamental Rights, she said. Its roots are deeply in the post-WWII constitutions and legislation among EU member states, particularly Germany and France. As she explained:
As a human right, it is important to remember that privacy, along with other human rights, is a right that protects individuals from the State. The concept of ‘privacy’, as an instinct that drives us to walk off into a corner to talk on our cell phones or close the curtains when we are having sex has diluted the idea of privacy as a human right and made most of us associate it with our neighbors rather than the state. To understand the threat of having personal data lose the protection of the law requires that privacy be repositioned as a fundamental human right against actions by the state.
Concern for personal data protection was initially the result of a long-standing belief in Germany, where such protection began, that the facility with which pre-war abuses of human rights and personal dignity were carried out, was at least partly attributable to the excessive accumulation of personal data by the Nazi regime (made possible a purpose-built census designed for the regime by IBM in 1933).
In the 1990s, the rapid growth of the internet, with its potential for instantaneous and universal dissemination of data, advanced telecommunications, and the new genetic and biometric technologies accentuated the need to protect the fundamental right of privacy in general, and the right to the protection of personal data in particular.
In 1995, the European Community set out to protect personal data by enacting a series of Directives which limit access and use of personal data to legitimate purposes for reasonable periods of time, she said. These protections were put to the test after the events of September 11, 2001 and the U.S. war on terror and “overriding claims of national security,” she explained.
Here’s where the United States came to play a role in what is now going on in Europe and the UK. The U.S. enacted legislation requiring all airlines to provide U.S. customs authorities with extensive electronic data on all passengers entering or leaving the U.S. — information that could essentially be retained and circulated forever, she said. The EC Commission objected, stating it violated its protection laws, especially since the United States has no data protection laws. But the U.S. pressured Brussels and the airlines were threatened with $6,000 fines per passenger entering the U.S. without turning over the requested electronic data, resulting in the EC Commission agreeing to provide the information for all European travelers entering the U.S. No such data for U.S. passengers entering Europe was requested, however. She emphasized:
Again, it is important to note that the U.S. effectively has no data protection legislation. Nor does it claim to have such protection. Quite the opposite: data is seen as a valuable commodity which is readily transferred, bought and sold… The U.S. made no claims that the data would not be distributed among relevant agencies, and stored by private companies under the all-pervasive ‘privatization’ policies of the current US government. Opposition to this arrangement was widespread among data protection activists in Europe…
Finally in early March, 2004, trying to alleviate the uncertainty for airlines and passengers in the absence of any concrete agreements, a court battle ensued between the European Commission and the European Parliament over guaranteeing the fundamental right of passengers of protection of their personal data. The Court found that the EC Treaty did not legally give the European Commission the right to make an agreement with the U.S. to transmit personal data. “The EU remained under pressure from the U.S., however, and proceeded to assure the U.S. that it would comply with its requests,” she said. The European Union then signed an agreement with the U.S. (even though it lacked the legal authority), agreeing to provide the U.S. the information. A week later, the U.S. Dept. of Homeland Security “requested that all negotiation documents related to the PNR Agreement be kept secret for ten years.”
Last November, the EU decided it needed a reciprocal document and issued its own passenger information intelligence directive for people entering Europe, which claimed “to need a tool to carry out risk assessments of people, or obtaining intelligence and making associations between known and unknown people.”
The proposal provides for retention of the data for 15 years and the only restrictions placed on transfer to third countries is that “(a) the authorities of the third country shall only use the data for the purpose of preventing and fighting terrorist offences and organized crime and (b) such third countries shall not transfer the data to another third country without express consent of the Member State. Thus every member state would collect data on all passengers, and such data could be shared with third countries subject only to these restrictions. This is a far cry from the recognition, a mere 15 years ago, that entities, including states, collecting too much data have tended to abuse the data at the expense of individuals and fundamental rights. It is a far cry from Directive 95/46, which allocates competence to collect data for the purpose of state security, etc. to the full sovereignty of the member states.
She questioned the Advocate General’s support of EC oversight, rather than the European Union’s, saying that totally absent is any mention of the importance of the protection of personal data and human rights that’s been part of the legal structure of the European community since 1995.
Meanwhile, the EC passed a directive in 2002 which limited the scope of the protection of personal data and gave member states the right to restrict privacy rights “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system.” This is notable for its expansion of state powers from doing what is necessary in the pursuit of terrorists to other unrelated acts, including mere ‘criminal offences’ and unauthorized use of electronic communication systems, she emphasized.
Issues of privacy and the decline in the protection of individuals from the prying eyes of the state have been precipitous throughout Europe in recent years, she said. “This decline in the right to privacy is particularly marked in the UK, where a database containing information on all individuals within the UK, ranging from DNA and biometrics to data contained in various government databases, was recently proposed.” The European Union is itself about to enact similar projects. “The fact that measures to limit data protection rights are now being taken at the European level, and thus subject to neither national constitutional nor electoral challenges, is doubly worrying,” she wrote. “Such measures are unchallengeable once treaty competence to enact them is established.”
This recent Directive mandating data retention by internet service providers, combined with the extensive personal data on Europeans to be transferred to the US under the PNR and thereby set free to roam along the free market highways of North America do not paint a happy picture of personal data protection under European law.
In an era where EU member states, most notably but not exclusively, the UK, are taking measures that invade the privacy of individuals to a degree inconceivable even two decades ago (including a national closed-circuit TV system estimated to photograph each UK inhabitant at least 300 times a day, with the suggestion that microphones be added in the near future, and the… proposed national database under which data is acquired without suspicion of wrong-doing or even the knowledge of the subject), individuals across Europe would be justified in expecting that their unelected officials in Brussels would at least make a show of protecting their rights, if only by refraining from duplicating these measures... But the forces, internal as well as external, in favor of reducing personal data protection are formidable.
“Government access to individuals’ private records and documents has taken a great leap forward on both sides of the Atlantic,” she notes, adding:
National security” and the “War on Terror” have taken the entire western legal order into dangerous territory in terms of reversing advances human rights law has made since its inception after WWII. Even in the United Kingdom, which all agree has the most pervasive system of privacy-invading technology on the planet, no reduction in criminal activity has been noted since these measures were instituted. Initially designed to weed out ‘terrorists’, this movement now feels justified to undertake full-scale surveillance over all individuals. And it is not just the chilling effect of ubiquitous state surveillance that is at issue in these developments. Corporate economic interests, including but not limited to intellectual property holders, have ‘caught the coattails’ of this onslaught on privacy. Once the state has full access to our personal data, communicated or stored in our hard disks or held by internet service providers, no one is safe and given what we have seen over the past few weeks in terms of states’ ability or will to guard the basic interests of their citizenry, there is no reason to believe that good faith will prevail.