Week 11
State Surveillance and Data Retention
Overview:
1. The Snowden Revelations
2. The legal framework governing State Surveillance: Europe and the US
3. Metadata Retention for Security and Law Enforcement
- E.g. taking more than just the content of an email- the device, time, location etc.
4. Problems and Perspectives
Defining Surveillance:
- Surveillance is the ‘the focused, systematic and routine attention to personal details for purposes of influence,
management, protection or direction’. - Lyons, Surveillance Studies, 2007
o Surveillance studies- an entire field. More technical.
o Question = is this a problem? If so, why?
- Close observation, especially of a suspected spy or criminal - Oxford English Dictionary
o No longer the case.
The Snowden Revelations:
Timeline- 2013
5 June: Guardian/Washington Post publish s.215 Patriot Act order by NSA to Verizon
6 June: existence of PRISM revealed, acknowledged by NSA Director of PRISM - reliance on s.1881a FISA
- PRISM- metadata retention programme.
- FISA- very broadly worded. Allows for the surveillance of non-US persons for the purpose of US foreign policy.
9 June: Edward Snowden reveals identity
- Contract operator working for national security agency
- He thought that the NSA was engaged in practices that wouldn’t have been transparent to the general public. He
revealed the existence of these programmes.
21 June: Existence of TEMPORA revealed
- UK equivalent of PRISM
4 July: European Parliament resolution on Surveillance
- Right to privacy + data protection rules- should prevent this happening. Hence the resolution.
Programme: ‘Upstream’
- Data is copied from both public and private networks to the NSA from international fibre-optic cables at landing
points, and from central exchanges which switch Internet traffic between the major carriers, through agreements
negotiated with (or legal orders served on) the operating companies and by intercepting cables on the seabed when
necessary.
o Data is transferred through pipes- underground. Different landing points in different countries. This was
intercepted and copied at different landing points. A full take copy of all of the data that was landing in the
US. Happened between interstate communication- exchange points.
Programme: ‘Xkeyscore’:
- Enabled a ‘3 day rolling buffer’ search of ‘full take’ data stored at 150 global sites on 700 database servers. Indexes
e-mail addresses, file names, IP addresses etc.
o Searching the full take data
- ‘The distinctive advantage of the system is that it enables an analyst to discover ‘strong selectors’ (search
parameters which identify or can be used to trigger automatic collection of associated data precisely about a target)
and to look for ‘anomalous events’ such as someone ‘using encryption’ or ‘searching for suspicious stuff’.
o NGOs use encryption- and their use of this technology would be seen as an anomalous event. They were
then targeted
- The analyst pulls content from the site as required.
Programme: ‘Bullrun’:
o Very controversial in computer security industry.
- Codename for an NSA programme for the last decade for an ‘aggressive multi-pronged effort to break into widely
used encryption technologies’.
o Most security analysts argue that they would be weakening the security mechanisms of the target, therefore
making it more vulnerable to general hacking.
o State-endorsed hacking of encrypted programmes.
- This programme caused most shock and efforts were made to assess which systems might be vulnerable and to
upgrade or change keys, ciphers and systems because adversaries in hostile countries would be trying to discover
backdoor mechanisms previously only known to the NSA.
FISA and Constitution allows for distinguishing between US and non-US persons doesn’t protect non-US persons
ECHR: Article 8
- Everyone has the right to respect for his private and family life, his home and his correspondence.
o Doesn’t apply extra territorially
o Applies, but has exceptions- not absolute.
o US was sharing this data with the UK and other nations- so only signatories of the convention [ECHR]
could be sent to Strasbourg
o Meant that direct litigation on behalf of non-US persons = impossible
, - There shall be no interference by a public authority with the exercise of this right except such as is in accordance
with the law and is necessary in a democratic society in the interests of national security, public safety or the
economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or
for the protection of the rights and freedoms of others
o Most discourse around Article [8][2]- can this interference be justified?
Article 8 ECHR Analysis
- Interference: S and Marper v UK:
o Facts:
Case against the UK because the UK was storing samples of people who had been brought in to
the police [arrested], questioned and either released or charged. Samples were stored in a data
base. Justification was that if there was a future crime, they could just use these samples. But a lot
of innocent people in the database.
Govt: this does no harm because if the innocent is good, there would never be a match so it is fine.
No interference.
o Judgement: disagreed with the government, found an interference.
The Court is unable to accept this argument and reiterates that the mere retention and storing of
personal data by public authorities, however obtained, are to be regarded as having direct impact
on the private-life interest of an individual concerned, irrespective of whether subsequent use is
made of the data. Of particular concern in the present context is the risk of stigmatisation,
stemming from the fact that persons in the position of the applicants, who have not been convicted
of any offence and are entitled to the presumption of innocence, are treated in the same way as
convicted persons.
Article 8 ECHR Analysis:
- Is there an interference with the applicant's right to privacy? If so, is it:
- necessary in a democratic society?
- in accordance with the law?
- proportionate?
Necessary in a democratic society:
- Unlike ECJ, ECHR gives states a lot of leeway in deciding what is necessary for them in a democratic society.
- Klass v Germany [1978]:
- As concerns the fixing of the conditions under which the system of surveillance is to be operated, … the
domestic legislature enjoys a certain discretion. It is certainly not for the Court to substitute for the
assessment of the national authorities any other assessment of what might be the best policy in this field.
- But not unlimited:
- The Court, being aware of the danger such a law poses of undermining or even destroying democracy on the
ground of defending it, affirms that the Contracting States may not, in the name of the struggle against
espionage and terrorism, adopt whatever measures they deem appropriate.
- Just because a measure is deemed necessary for a state for national security, doesn’t give them a blank
slate to do what they want.
- Question here is whether they are destroying democracy on the grounds of defending it.
In accordance with the law:
- If someone is going to interfere with your fundamental rights, assumption that it would be transparent and contestable.
- Amnesty International, IPT 2014:
- IPT: specialist tribunal that deals with national security. Hears cases behind closed doors [UK]. These have
been very controversial. It has heard over 1000 cases in this area and only found one interference against the
government.
- Facts: a challenge was made w/ regards to UK Snowden Revelation.
- Court said that in this case, this was in accordance w/ the law as it had been revealed in court.
- A stretch of the meaning in accordance w the law
- Adequate arrangements 'below the waterline’
- Arrangements are sufficiently accessible to the public and subject to oversight
- Scope of the discretion and the manner of its exercise are accessible with sufficient clarity
Proportionate:
- ECHR always concerned w/ indiscriminate retention of data
- S and Marper v UK [2008]:
- The Court is struck by the blanket and indiscriminate nature of the power of retention...
- The material may be retained irrespective of the nature or gravity of the offence with which the
individual was originally suspected or of the age of the suspected offender;
- The retention is not time-limited;
- There exist only limited possibilities for an acquitted individual to have the data removed from the
nationwide database or the materials destroyed.
- The measure was clearly disproportionate and went further than what was clearly necessary.
- Now, people who are in the database have the opportunity to apply to have their data
removed- which is arguably compliant.