Last Monday, eight of the largest Internet companies took the unprecedented step of publicly calling for an end to bulk collection of communications data. Then on Tuesday, a coalition of over 550 of the world’s leading authors (including 5 Nobel prize winners) issued a statement calling for a reassertion of our digital privacy. In the next few days, the United Nations General Assembly is expected to pass a key privacy resolution.
While all of these are heartening steps, the time is coming to fill in the details of the more general international calls for reform. Luckily, EFF and several other NGOs and legal scholars around the world have already developed a set of robust principles, called the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the Necessary and Proportionate Principles. These can be used by people around the world to push for stronger local legal protections, as well as by the United Nations and other international bodies. The Principles have so far been endorsed by over 329 organizations, 43 experts and elected officials, and thousands of individuals from around the world. They are also open for signature by companies. If you haven't already signed them, you can do so today.
The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistent with human rights and the rule of law. Some of the key factors are:
Protect Critical Internet Infrastructure: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions of innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. Yet one of the most significant revelations this year has been the extent to which NSA, GCHQ and others have done just that—they have secretly undermined the global communications infrastructure and services. They have obtained private encryption keys for commercial services relied on by individuals and companies alike and have put backdoors into and generally undermined security tools and even key cryptographic standards relied upon by millions around the world. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of good guys and bad guys alike. It must be rejected.
Protect Metadata: It’s time to move beyond the fallacy that information about communications is not as privacy invasive as communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls—if not more so. What is important is not the kind of data that is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access—for criminal prosecutions this means the equivalent of a probable cause warrant issued by a court (or other impartial judicial authority)—whenever that access reveals previously nonpublic information about individual communications. This includes revealing a speaker’s identity if it is not public; the websites or social media one has encountered; the people one has communicated with; and when, from where, and for how long. In the pre-Internet age, the much more limited amount and kind of “metadata” available to law enforcement was treated as less sensitive than content, but given current communications surveillance capabilities, this can no longer be the case. Our metadata needs to be treated with the same level of privacy as our content.
Monitoring Equals Surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual "surveillance" has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not "surveillance" for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications.
Definitions matter. This is why one of the crucial points in our principles is the definition of “Communications surveillance”, which encompasses the monitoring, interception, collection, analysis, use, preservation and retention of, interference with, or access to information that includes, reflects, or arises from a person’s communications in the past, present or future. States should not be able to bypass privacy protections on the basis of arbitrary definitions.
Mission Creep: Contrary to many official statements, the modern reality is that state intelligence agencies are involved in a much broader scope of activities than simply those related to national security or counterterrorism. The NSA and its partners, for example, have used the expansive powers granted to them for political and even economic spying—things that have little to do with the safety of the state and its citizens. Worse, the information collected by foreign intelligence agencies, it turns out, is routinely (and secretly!) re-used by domestic agencies such as the Drug Enforcement Agency, effectively bypassing the checks and balances imposed on such domestic agencies.
The Necessary and Proportionate Principles state that communications surveillance (including the collection of information or any interference with access to our data) must be proportionate to the objective it is intended to address. And equally importantly, even where surveillance is justified by one agency for one purpose, the Principles prohibit the unrestricted reuse of this information by other agencies for other purposes.
No Voluntary Cooperation: As we've learned about extralegal and voluntary deals between tech companies and intelligence agencies, it's become increasingly clear that the terms of cooperation between governments and private entities must be made public. The Necessary and Proportionate Principles clarify that there is no scope for voluntary cooperation from companies unless a warrant has met the proportionality test.
Combat a Culture of Secret Law: The basis and interpretation of surveillance powers must be on the public record, and rigorous reporting and individual notification (with proper safeguards) must be required. The absence of transparency in surveillance laws and practices reflects a lack of compliance with human rights and the rule of law. Secret laws—whether about surveillance or anything else—are unacceptable. The state must not adopt or implement a surveillance practice without public law defining its limits. Moreover, the law must meet a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of, and can foresee, its application. When citizens are unaware of a law, its interpretation, or its application, it is effectively secret. A secret law is not a legal law.
Notification: Notification must be the norm, not the exception. Individuals should be notified of authorization of communications surveillance with enough time and information to enable them to appeal the decision, except when doing so would endanger the investigation at issue. Individuals should also have access to the materials presented in support of the application for authorization. The notification principle has become essential in fighting illegal or overreaching surveillance. Before the Internet, the police would knock on a suspect’s door, show their warrant, and provide the individual a reason for entering the suspect’s home. The person searched could watch the search occur and see whether the information gathered went beyond the scope of the warrant.
Electronic surveillance, however, is much more surreptitious. Data can be intercepted or acquired directly from a third party such as Facebook or Twitter without the individual knowing. Therefore, it is often impossible to know that one has been under surveillance, unless the evidence leads to criminal charges. As a result the innocent are the least likely to discover their privacy has been invaded. Indeed, new technologies have even enabled covert remote searches of personal computers. Any delay in notification has to be based upon a showing to a court, and tied to an actual danger to the investigation at issue or harm to a person.
Restore Proportionality: Authorities must have prior authorization by an independent and impartial judicial entity in order to determine that a certain act of surveillance has a sufficiently high likelihood to provide evidence that will address a serious harm. Any decisions about surveillance must weigh the benefits against the costs of violating an individual's privacy and freedom of expression. Respect for due process also requires that any interference with fundamental rights must be properly enumerated in law that is consistently practiced and available to the public. A judge must ensure that freedoms are respected and limitations are appropriately applied.
Cross-Border Access Protection: Privacy protections must be consistent across borders at home and abroad. Governments should not bypass national privacy protections by relying on secretive informal data sharing agreements with foreign states or private international companies. Individuals should not be denied privacy rights simply because they live in another country from the one that is surveilling them. Where data is flowing across borders, the law of the jurisdiction with the greatest privacy protections should apply.
More To Be Done: The Necessary and Proportionate Principles provide a basic framework for governments to ensure the rule of law, oversight and safeguards. They also call for accountability, with penalties for unlawful access and strong and effective protections for whistleblowers. They are starting to serve as a model for reform around the world and we urge governments, companies, NGOs and activists around the world to use them to structure necessary change. The technology companies’ statement last week is a welcome addition and a good start. It also highlights the conspicuous silence of the telecommunications companies, which appear to have a much bigger and deeper role in mass surveillance.
But while the Principles are aimed at governments, government action isn’t the only way to combat surveillance overreach. All of the communications companies, Internet and telecommunications alike, can help by securing their networks and limiting the information they collect. EFF has long recommended that online service providers collect the minimum amount of information for the minimum time that is necessary to perform their operations, and that they effectively obfuscate, aggregate and delete unneeded user information. This helps them in their compliance burdens as well: if they collect less data, there is less data to hand over to the government.
Working together, legal efforts like the Necessary and Proportionate Principles serving as a basis for international and national reforms, plus technical efforts like deploying encryption and limiting information collected, can serve as a foundation for a new era of private and secure digital communications.