Can the law control Digital Leviathan?


Published on

My presentation at the Tunis Online Freedom Conference, 17 June 2013. Updated for Asia Privacy Scholars Network conference, 9 July 2013, Hong Kong University, and significantly updated for the SCL Policy Forum, 12 Sep 2013, and presentations at Deutsche Bank and Amberhawk (May 2014)

  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Comment at American Constitution Society’s national convention, 14 June 2013
  • Intelligence protocol to CoE Convention 108, or interpretations of ICCPR/regional human rights treaties? MLATs? UKUSA amendment?
  • Can the law control Digital Leviathan?

    1. 1. Can the law control Digital Leviathan? Ian Brown (Oxford University) @IanBrownOII ―Since you can’t connect dots you don’t have…we fundamentally try to collect everything and hang on to it forever‖ – Greg Hunt, CIA CTO
    2. 2. TEMPORA
    3. 3. NSA/CIA/FBI/DoD Trusted Partners  Bloomberg 14/6/13: ―Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence‖  ―Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S.‖
    4. 4. The domestic rule of law? UK has ―one of the strongest systems of checks and balances and democratic accountability for secret intelligence anywhere in the world‖ ―Although we have concluded that GCHQ has not circumvented or attempted to circumvent UK law, it is proper to consider further whether the current statutory framework governing access to private communications
    5. 5. Regulation of Investigatory Powers Act 2000 8 Contents of warrants. (4) Subsections (1) and (2) shall not apply to an interception warrant if— (a) the description of communications to which the warrant relates confines the conduct authorised or required by the warrant to conduct falling within subsection (5); and (b) at the time of the issue of the warrant, a certificate applicable to the warrant has been issued by the Secretary of State certifying— (i) the descriptions of intercepted material the examination of which he considers necessary; and (ii) that he considers the examination of material of those descriptions necessary as mentioned in section 5(3)(a), (b) or (c).… 12 Maintenance of interception capability. (1) The Secretary of State may by order provide for the imposition by him on persons who— (a) are providing public postal services or public telecommunications services, or (b) are proposing to do so, of such obligations as it appears to him reasonable to impose for the purpose of securing that it is and remains practicable for requirements to provide assistance in relation to interception warrants to be imposed and complied with. (2) The Secretary of State’s power to impose the obligations provided for by an order under this section shall be exercisable by the giving, in accordance with the order, of a notice requiring the person who is to be subject to the obligations to take all such steps as may be specified or described in the notice…
    6. 6. Telecommunications Act 1984 94 Directions in the interests of national security etc. (1) The Secretary of State may, after consultation with a person to whom this section applies, give to that person such directions of a general character as appear to the Secretary of State to be necessary in the interests of national security or relations with the government of a country or territory outside the United Kingdom… (5) A person shall not disclose, or be required by virtue of any enactment or otherwise to disclose, anything done by virtue of this section if the Secretary of State has notified him that the Secretary of State is of the opinion that disclosure of that thing is against the interests of national security or relations with the government of a country or territory outside the United Kingdom, or the commercial interests of some other person… (8) This section applies to OFCOM and to providers of public electronic communications networks.
    7. 7. Intelligence Services Act 1994 7 Authorisation of acts outside the British Islands. (1) If, apart from this section, a person would be liable in the United Kingdom for any act done outside the British Islands, he shall not be so liable if the act is one which is authorised to be done by virtue of an authorisation given by the Secretary of State… (9) For the purposes of this section the reference in subsection (1) to an act done outside the British Islands includes a reference to any act which— (a) is done in the British Islands; but (b) is or is intended to be done in relation to apparatus that is believed to be outside the British Islands, or in relation to anything appearing to originate from such apparatus…
    8. 8. • “As a former Article III judge, I can tell you that your faith in the FISA Court is dramatically misplaced... • The Fourth Amendment frameworks have been substantially diluted in the ordinary police case. One can only imagine what the dilution is in a national security setting… • It’s an anointment process. It’s not a selection process. But you know, it’s not boat rockers. So you have a [federal] bench which is way more conservative than before. This is a subset of that. And it’s a subset of that who are operating under privacy, confidentiality, and national U.S. District Judge Nancy Gertner (Ret.) Judicial review?
    9. 9. Congressional oversight?  ―When the American people find out how their government has secretly interpreted the Patriot Act, they will be stunned and they will be angry‖ –Senator Ron Wyden, 26/5/11  ―the technology and technical policy is far outpacing the background and expertise of most elected members of Congress or their staffs‖ – Jacob Olcott, former cybersecurity assistant to Senator JD Rockefeller IV  ―one thing that won't have changed in the 50-odd years since I left the secret world, and never will, is the gullibility of the uninitiated when faced with real-life spies. In a flash, all rational standards of human judgment fall away.‖ –John Le Carré
    10. 10. ―(They said) don’t worry, we’re not spying on any Americans. Wonderful, that’s really helpful for companies trying to work with people around the world.‖
    11. 11. Preserving the rule of law  Hobbesian state of intelligence international law?  How to implement meaningful checks and balances? Minimisation, warrants, over sight, transparency  Technical options? ◦ German interior minister: ―whoever fears their communication is being intercepted in any way should use services that don't go through American servers.‖ ◦ Snowden: ―you should never
    12. 12. CJEU on Data Retention Dir.  ―Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.‖  Retention ―constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter… the access of the competent national authorities to the data constitutes a further interference with that fundamental right‖  ―the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.‖  Directive does not ―adversely affect the essence of those rights‖, but ―the fight against serious crime…does not, in itself, justify a retention measure‖  Broad scope ―entails an interference with the fundamental rights of practically the entire European population… it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.‖ Joined cases: Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors C- 293/12 and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, C 594/12
    13. 13. Data Retention judgment  ―the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data‖  ―does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured.‖  ―Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.‖