magnify
Home Posts tagged "Surveillance"

ECtHR Judgment in Big Brother Watch v. UK

Published on September 17, 2018        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

Last week the European Court of Human Rights issued a highly anticipated blockbuster Chamber judgment in Big Brother Watch v. UK, nos. 58170/13, 62322/14, 24960/15.

This is the first mass electronic surveillance case to be decided against the UK after the Edward Snowden revelations, and it touches upon numerous issues. The judgment is nuanced, complex, and long. It addresses key questions such as the proportionality of bulk interception programmes much more directly and with greater sophistication than the recent judgment in Centrum för Rättvisa v. Sweden no. 35252/08, which was decided by a different Chamber while this case was being deliberated, and which also upheld a bulk surveillance programme (see here for Asaf Lubin’s take on Just Security).

The judgment is too rich to summarize easily, so I will only set out some key takeaways (for an extensive discussion on surveillance and privacy in the digital age, see my 2015 Harvard ILJ piece).

First, and most importantly, the judgment is a mixed bag for privacy activists: while the Court finds that the UK’s surveillance programme under the now-defunct Regulation of Investigatory Powers Act (RIPA) was deficient in important respects and in violation of Article 8 and 10 of the Convention, it at the same time normalizes such mass surveillance programmes. In particular, the Court decided that bulk interception programmes are not categorically disproportionate, as privacy activists have argued. Second, in a similar vein, the Court finds that prior judicial authorization is not indispensable for the legality of bulk interception, again contrary to what privacy activists have argued, even if prior judicial authorization could be seen as best practice (note that under the new 2016 Investigatory Powers Act the UK has moved to a double-authorization system which involves both a minister and an independent quasi-judicial commissioner).

Here are the key paragraphs (warning – extracts from the judgment make this a lengthy post):

Read the rest of this entry…

 

How to Bridge the Gap? Corporate and Government Surveillance Examined at the UN

Published on December 7, 2016        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

On 21 November, the UN General Assembly Third Committee adopted the draft resolution on the right to privacy in the digital age. This came at the same time the UK passed a law (the Investigatory Powers Act) which codified what are arguably the most extreme surveillance powers in the history of any western democracy.

This is the third time the UN General Assembly has adopted a resolution on the topic, and as it did in 2014, the UN has called on all states to review their surveillance legislation, policies, and practices “with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law”.

This comes at a time in which governments around the world are adopting laws that give wider surveillance powers to state security agencies, beyond what is permitted under existing human rights law. Just to name a few, Privacy International had documented this trend in a range of countries, including in China, Colombia, France, Kenya, the Netherlands, Pakistan, Poland, Switzerland, and the United Kingdom.

So, which part of effective implementation of human rights law do governments need explained? Read the rest of this entry…

 
Tags:

English Court of Appeal Decides Al-Saadoon Case on the ECHR’s Application Extraterritorially and in Armed Conflict

Published on September 14, 2016        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

Last week the Court of Appeal of England and Wales rendered a unanimous judgment in Al-Saadoon & Ors v Secretary of State for Defence [2016] EWCA Civ 811. For extended analysis, see David Hart QC’s post on the UK Human Rights Blog here. Like the judgment of the High Court by Mr Justice Leggatt below, this judgment, written by Lord Justice Lloyd Jones, is exceptionally rigorous and well-argued. In a nutshell, the CoA basically endorsed almost all of the Leggatt J’s reasoning below, with one specific exception: while Leggatt J considered that under the ECtHR’s Al-Skeini judgment the personal conception of Article 1 jurisdiction as authority and control over an individual exercised by a state agent necessarily captures the use of lethal force against that individual, Lloyd Jones LJ held that he did not think that the ECtHR intended the principles articulated in Al-Skeini to go that far, and that it should be for the ECtHR to extended them thusly if it wanted to do so. He nonetheless agreed with Leggatt J in the application of the relevant principles to the facts, with most of the claimants being covered by the ECHR on a different basis.

The key paras of Lloyd Jones LJ’s reasoning are below the fold. In any event, in my view both of the judges have it right: limiting the personal principle so that it does not cover uses of lethal force (e.g. by a drone) would indeed be arbitrary, but in Al-Skeini the Court did in fact try to preserve the result of Bankovic and vaguely create a limitation of precisely this kind (see more here). And I can fully see why an English judge would think that this conceptual mess is one for Strasbourg to sort out – note, in that regard, the impact that cases that do not concern armed conflict (e.g. on extraterritorial surveillance) will inevitably have on this jurisprudence. What will ultimately happen in this regard is unclear, and will depend on the wider political context and the readiness of Strasbourg to find and follow the moral logic of Article 1 ECHR – but it’s clear that this case is headed first to the UK Supreme Court and then on to Strasbourg.

Read the rest of this entry…

 
Tags:

ECHR Jurisdiction and Mass Surveillance: Scrutinising the UK Investigatory Power Tribunal’s Recent Ruling

Published on June 9, 2016        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

Last week, as discussed in a post by Marko Milanovic, the UK Investigatory Powers Tribunal (IPT) ruled that it lacked jurisdiction under the European Convention of Human Rights (ECHR) to adjudicate Article 8 and 10 claims brought by persons “situated outside” of the UK (para. 60). The IPT is a specialised judicial body that hears complaints about surveillance by public bodies, including British security and intelligence agencies. IPT decisions are not subject to direct appeal in the UK. We are therefore likely to see this ruling quickly challenged before the European Court of Human Rights (ECtHR).

Background

The backdrop to this litigation is convoluted. I sketch out the context in this post as I believe it will enrich discussion of the jurisdictional issues which are at the heart of this dispute. In 2013, following the Snowden disclosures, Privacy International, together with nine other NGOs, filed a case before the IPT challenging two aspects of the UK’s surveillance regime. First, the claimants challenged UK access to the communications of persons located within the UK collected by the US National Security Agency (NSA) under PRISM and Upstream. Under PRISM, the NSA collected data from US companies including Yahoo and Google. Under Upstream, the NSA intercepted data in bulk from hundreds of undersea fibre optic cables. Second, the claimants challenged Tempora, the British counterpart to Upstream, under which the Government Communications Headquarters (GCHQ) intercepted data in bulk from over 200 cables landing in the UK.

In February 2015, the IPT found that US-UK intelligence sharing – pursuant to PRISM and Upstream – was unlawful prior to 5 December 2014 because the legal framework governing it was hidden from the public (according to the IPT, that framework was sufficiently disclosed over the course of the proceedings so as to render the sharing of intelligence legal from that point forward). Read the rest of this entry…

 

UK Investigatory Powers Tribunal Rules that Non-UK Residents Have No Right to Privacy under the ECHR

Published on May 18, 2016        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

In another major development on the surveillance/privacy front, on Tuesday the UK specialized surveillance court, the Investigatory Powers Tribunal, ruled that persons not present within the United Kingdom are not within the jurisdiction of the UK in the sense of Article 1 of the European Convention on Human Rights, and accordingly do not have any of the rights under that Convention (para. 49 et seq). In other words, a person in say France or the United States subjected to surveillance by GCHQ does not have an ECHR right to privacy vis-a-vis the UK, which accordingly has no Convention claim to answer. This is I think the first time that a British court has expressly dealt with extraterritoriality in the surveillance context. The IPT’s reasoning essentially rests on a Bankovic analogy – if you are in say Serbia and the UK drops a bomb on you, the Strasbourg Court has said that you don’t have the right to life. How could you then have the right to privacy if all the UK did was to simply read your email while you were in Serbia?

I have extensively argued elsewhere why that analogy is wrong (as is Bankovic itself), so I won’t belabour that point further (see here and here). It was entirely predictable that the IPT would adopt this restrictive position, which is perfectly plausible under Strasbourg case law (even if fundamentally mistaken). The IPT was correct in ruling, however, that distinctions as to the Convention’s applicability can’t really be made on the basis of whether the person is present is some other Council of Europe state, or is outside the ECHR’s espace juridique altogether. Anyway, the issue of the Convention’s extraterritorial applicability to mass electronic surveillance abroad is one for Strasbourg to decide and (hopefully) fix, and it will have the opportunity to do so in these cases and others. What the Court will do is of course anyone’s guess, because its decision will inevitable have ripple effects on other scenarios, such as extraterritorial uses of lethal force, e.g. drone strikes.

I have also argued, however, that there is particular scenario in which the applicability of the Convention becomes more attractive (or less dangerous as a matter of policy) – when the surveillance actually takes place within the surveilling state’s territory, even if the affected individual is outside it. Imagine, for example, if the UK police searched my flat in Nottingham while I was visiting family in Serbia – surely I would have Article 8 rights, even though I would not be on UK territory when the search took place. Why then should I not have these rights if an email I send while I am in Serbia is routed through my university server in Nottingham and intercepted by GCHQ there? In both cases the intrusion into privacy happens on the UK’s territory, even if I am outside it. In fact, in its judgment the IPT briefly addresses this scenario, if all too briefly and less than convincingly, although I’m not sure that the point was extensively argued.

In any case, the main paragraphs on the jurisdiction issue are below the fold. The judgment also deals with the very important question of standing/victim status, finding that all but six of the 600+ claimants lacked locus standi even under a very low threshold of showing that they are ‘potentially at risk’ from surveillance measures (applying the European Court’s recent Zakharov judgment, para. 171).

Read the rest of this entry…

 

Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR

Published on May 17, 2016        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

Following the Snowden revelations in 2013 concerning the complicity of the tech industry in widespread electronic government surveillance in the U.S., tech companies have individually and collectively become increasingly active as advocates of privacy and free speech rights, culminating in legal challenges to government electronic surveillance.

Since the dropping by the U.S. Department of Justice (DOJ) of its much publicised writ against Apple, which sought to compel Apple to hack the security key code system of the Apple iPhone 5, the battle between tech companies and the DOJ over privacy and encryption in the U.S. has taken another turn.  In April, Microsoft filed a suit in the District Court of Seattle against the DOJ challenging the ‘secrecy order’ provisions (a range of anti-tipping off and gagging powers) under the Electronic Communications Privacy Act (ECPA).

With the Investigatory Powers Bill (IPB), which contains similar secrecy requirements, currently being debated before the U.K. Parliament, the U.S. case provides fair warning of possible human rights challenges tech companies may bring against the U.K. government. This post will consider the implications of the Bill’s secrecy provisions in light of the rights of tech companies under the European Convention on Human Rights (ECHR).

The Microsoft – DOJ claim                                                 

In short, the ECPA allows a U.S. government agency to apply to the Court for a warrant requiring Microsoft, or any other internet company, to hand over their customers’ private data. In addition, an order can be made by the court preventing the company from publicising the fact that they have been required to disclose the data. Read the rest of this entry…

 
Comments Off on Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR

First Report of the UN Special Rapporteur on the Right to Privacy to the Human Rights Council

Published on March 18, 2016        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

In March 2015, the United Nations Human Rights Council created a new special procedure on the right to privacy, appointing its first Special Rapporteur on the topic, Professor Joseph Cannataci, in July 2015. Last week, the Special Rapporteur presented the Human Rights Council with his first report and engaged in an interactive dialogue with the Council. He also provided an outline of the main features of his report at a side event at the Council organised by Austria, Brazil, Germany, Liechtenstein, Mexico, Norway, Switzerland and the Geneva Academy of International Humanitarian Law and Human Rights with former US Ambassador to the Human Rights Council, Eileen Donahoe as the chair and myself, Carly Nyst and Faiza Patel as panellists (report forthcoming). As a first report, the Special Rapporteur acknowledges that it is still very much ‘preliminary’ (para. 3). At the same time, he provides a detailed outline of the themes he proposes to focus on during his mandate. In this blog, I reflect on the scope of the mandate, the choice of themes and suggest ways in which the Special Rapporteur might develop some of the themes during his mandate.

The Scope of the Mandate

  1. Privacy and Personality across cultures
  2. Corporate on-line business models and personal data use
  3. Security, surveillance, proportionality and cyberpeace
  4. Open data and Big Data analytics: the impact on privacy
  5. Genetics and privacy
  6. Privacy, dignity and reputation
  7. Biometrics and privacy

The number and range of themes identified is ambitious. However, in my view, the Special Rapporteur’s selection strikes a good balance between continuing to prioritise the risks to the right to privacy posed by security and surveillance and taking a wider view of the impact of big data and new technologies on human rights outside of the security context which has not received adequate attention to date. Read the rest of this entry…

 
Tags:
Comments Off on First Report of the UN Special Rapporteur on the Right to Privacy to the Human Rights Council

Blockbuster Strasbourg Judgment on Surveillance in Russia

Published on December 7, 2015        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

Last Friday a unanimous Grand Chamber of the European Court delivered a hugely important judgment in Roman Zakharov v. Russia, no. 47143/06, in which it found serious and systematic faults with the Russian legislative framework regulating the surveillance of mobile communications. This is set to be a leading Strasbourg authority on assessing the compliance of surveillance measures with human rights law, a topic we’ve already extensively discussed on the blog. This judgment important for a number of reasons.

First, because a unanimous Grand Chamber reaffirmed much of relatively older or Chamber-based case law, and applied the principles it identified robustly. This provides an important indication that the Court remains acutely aware of the dangers surveillance programs possibly pose to democratic societies, and that it will also scrutinize such programs robustly in the cases shortly coming before it, e.g. against the United Kingdom. I must say that I was particularly struck by how the Russian judge in the Court, Judge Dedov, concluded his concurring opinion with a quote from Edward Snowden – with the added irony of Snowden still continuing his sojourn in Russia, the very country whose regulatory system of surveillance the Court exposed as so sorely inadequate.

Read the rest of this entry…

 
Tags:

Human Rights Treaties and Foreign Surveillance

Published on September 28, 2015        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

A quick heads-up that the final version of my article on Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age, is now available on the website of the Harvard International Law Journal. The article grew from a series of posts I did here on this topic. The published version also contains a postscript addressing some of the recent developments after the piece was accepted for publication; see here generally for the blog’s coverage of surveillance issues.

In the meantime the UN Human Rights Council has appointed Prof. Joseph Cannataci of the University of Malta as the first special rapporteur on privacy. His candidacy enjoyed significant support from privacy organizations, while his election took no small amount of politicking, with the German president of the Council overruling a proposal made by a five-state consultative group, which favoured Estonian Prof. Katrin Nyman-Metcalf, who was perceived as not being sufficiently critical of mass surveillance practices. Prof. Cannataci, on the other hand, has already come out with harsh criticisms of digital surveillance programmes; he inter alia “described British surveillance oversight as being “a joke”, and said the situation is worse than anything George Orwell could have foreseen.”

Hyperbole aside, Prof. Cannataci has also called for the adoption of a “Geneva Convention” for the Internet “to safeguard data and combat the threat of massive clandestine digital surveillance.” And a couple of days ago Edward Snowden and a group of activists came out with one such proposal, labelled the “International Treaty on the Right to Privacy, Protection Against Improper Surveillance and Protection of Whistleblowers,” or the “Snowden Treaty” for short. Only a short and uninformative summary seems to be publicly available at this time.

I must say that I have grave misgivings about such proposals (with the caveat that the proposed draft has not yet been published). First of all, proposing such a new treaty implies that the existing legal framework is incapable of meaningfully regulating surveillance practices, despite the relevant privacy provisions in the ICCPR, the ECHR and the ACHR, and despite existing case law and materials (especially from the Strasbourg Court). In other words, proposing a binding gap-filling instrument assumes that a regulatory gap exists. Secondly, politically it seems exceptionally unlikely that any of the major players in the surveillance sphere (e.g. the US, UK, Russia, China), not to mention authoritarian regimes in many smaller states, would agree to any binding multilateral treaty in the foreseeable future, let alone to a comprehensive “Geneva Convention for the Internet.” Nor will the “Snowden Treaty” label make this proposed agreement any more politically palatable. So it’s just completely unclear to me what a feel-good, pie in the sky proposal such as this one is actually going to achieve, except needlessly waste precious political energy and undermine efforts to regulate surveillance and other intrusive cyber practices under the existing legal framework.

But let’s wait and see. In the meantime, Jessup competitors this year will have a nice, fat surveillance case to litigate before a fictional ICJ, and best of luck to them.

 
Tags:

UN Human Rights Council Adopts Resolution on a Special Rapporteur for Privacy

Published on March 26, 2015        Author: 
Twitter
Facebook
Google+
LinkedIn
Follow by Email

The Council today adopted by consensus the resolution on privacy in the digital age, which includes the creation of a new special procedure. Bearing in mind the wide scope of the right to privacy, this SR is sure to be a mega-mandate. The resolution is available here; Privacy International press release here.

 
Tags: