ICT companies and human rights

International data privacy: what we need is an industry transparency report

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/05/international-data-privacy-what-we-need-industry-transparency-report

Google, Yahoo!, Microsoft, Twitter, Apple, Dropbox, LinkedIn, and Pinterest all publish transparency reports.  WordPress is the latest company to join the party, recently publishing their first transparency report.  However, it’s difficult to see trends and anomalies when the information is scattered across multiple individual company reports.  In order to get a comprehensive view of what is happening, we need to pull all of these fragments into a comprehensive picture.  We need an internet industry-wide transparency report.

To create a kind of hacked industry transparency report, I have consolidated the July-December 2013 transparency data from the main internet companies.  There is such a wealth of information to pore over and slice and dice in different ways that I will separate the analysis into a series of blog entries.  My interest is the international aspect, so I will focus on requests from foreign law enforcement.  This post will outline some of the key themes emerging from my comparison.

[Table: Combined law enforcement data table]

Only part of the picture

The first thing to note is that the transparency reports only show requests from foreign law enforcement that are made directly to the company.  As I have previously noted, there are at least three main ways in which foreign law enforcement can access user data that is held by a US company:

1.     through the US government via the mutual legal assistance treaty (MLAT) process;

2.     directly asking the company; or

3.     asking the FBI to obtain the data on their behalf.

The transparency reports only show requests made via method (2).  This is not the companies’ fault; by the time an MLAT request filters down to companies’ in-house lawyers and paralegals, it simply looks like a search warrant issued by the US District Court.  For this reason, any requests that go through the MLAT system show up as US requests.  This has the unfortunate consequence of overinflating the statistics for US government requests and hiding where the requests are really coming from.

Same-same but different

The companies’ reports are similar, but not the same.  As the pioneer in this field, Google has set the template that many of the other companies now use.  The Google-inspired template includes (1) number of requests, (2) percentage of requests for which data was provided, and (3) number of accounts/users affected.  However, there are subtle differences in layout and content, which make it difficult to draw meaningful comparisons across companies.

For example, Microsoft divides their responses into percentages for content and non-content, which means that you can’t easily do a direct comparison with the percentages listed by companies that use the Google template.  Of course, with some 8th grade algebra, you can overcome this, but it slows down the comparison process.  A couple of other notable anomalies are that Twitter does not give a specific number for countries for which there were fewer than 10 requests.  This could be because when the numbers of requests are small, criminal suspects may be tipped off that they are under suspicion.  Dropbox does not break down their foreign requests by country at all (intriguingly, although 90 foreign requests were made, 0 accounts were affected – I can only imagine that this means that they refused all 90 requests).

There isn’t necessarily anything sinister going on here; it just makes direct comparison across companies difficult.  It would be great to see consistent reporting across the internet companies (or even some consolidated reporting!).

Content vs non-content

One of the differences in the transparency reports that reveals a more substantive issue is that the Yahoo! and Microsoft reports indicate whether content or non-content has been handed over to foreign countries.  This is more than just a question of template consistency; Yahoo! and Microsoft are notable exceptions in that they will accept jurisdiction for data requests in certain countries outside of the US.  The other companies will generally only provide content through their US headquarters, in response to a US court order (eg through the MLAT process) or in emergency situations.

It’s harder to see overseas

There is an increase in the granularity of Google’s data with each year since 2010 and other companies are starting to follow suit. The improved transparency of national security requests is also a new development.  However, when it comes to foreign requests, the level of detail takes a nosedive.  There are at least two areas where this is important:  legal process; and user notification.

Legal process

Google, LinkedIn and Dropbox break down the number of US requests according to which process was used eg subpoena, court order, or search warrant.  This is not possible for foreign requests - as noted above, the only foreign law enforcement requests that are separately shown in the transparency reports are those that are made directly to the companies and this means that there has not been any US legal process.  As I’ve noted previously, the Electronic Communications Privacy Act does not apply to foreign governments, so they cannot use US legal process and companies have unfettered discretion about whether or not to provide non-content information to them.  Some companies take this responsibility very seriously and apply their own due diligence processes before handing over user records.  However, there is no visibility of what these standards and processes are.  As I will discuss in a later post, there are notable differences between different companies’ compliance rates for requests from the same countries, which suggests that the companies may be exercising this discretion quite differently.

User notification

In the domestic context, Dropbox and Pinterest show whether they notified the user that their records had been accessed by US law enforcement.  Apple, Google, Microsoft, and Facebook are all apparently updating their policies to increase their rate of user notification.  Depending on the legal process used, ECPA establishes different obligations with respect to notification for access by law enforcement.  This is quite an interesting statistic but it would arguably be more important to see the statistics for foreign requests.  The fact that ECPA does not apply to foreign governments means that there is no obligation on companies to notify users if foreign law enforcement accesses their records.  Since there is no legal obligation on companies, it is entirely a matter of policy as to whether or not they notify users and we have no visibility of how this plays out in practice.

I have attached the raw data from my unified industry transparency report, but will be sharing charts and diagrams that break up the data into more intelligible chunks over the next week or so.

Whistleblowing about government surveillance: political offense or serious crime?

Cross-posted from http://cyberlaw.stanford.edu/blog

It seems like the world has been turned upside down when a US citizen flees to China seeking political asylum.  And yet Edward Snowden is apparently hiding out in a secret location in Hong Kong after revealing that he is responsible for the leaked information on the US government’s PRISM program of surveillance.  He explains his choice of refuge as being based on Hong Kong’s reputation for defending freedom of speech.  He is also apparently considering Iceland as another potential refuge.  But if the US chooses to prosecute him, will he be able to avoid being sent home to face charges?  A key part of the answer lies in whether his leaking of official secrets qualifies as a ‘political offense’.

The two parallel processes by which Edward Snowden could legally be returned to the US against his will are extradition or immigration removal.  Extradition is the government-to-government process for transferring an individual to another country to face criminal prosecution.  Immigration removal (including deportation) occurs when a non-citizen is no longer legally entitled to remain in a country and is forced to leave.  Often, the individual returns to their country of citizenship, but this is not always the case.  Both of these processes have protections under international law when the person is being sought for prosecution of a ‘political offense’.

Protections for ‘political criminals’

The first thing to note about the protection under refugee law is that in order to get to the point of considering whether Snowden’s alleged offence is ‘political’, he would first need to demonstrate that he is entitled to protection under the Convention on the Status of Refugees.  This requires that there be a ‘well-founded fear of being persecuted for reasons of race, religion, nationality, membership of a particular social group or political opinion’.  As other commentators have already noted, it may be a tall order to show that Snowden is being persecuted (rather than just prosecuted) and that this ‘persecution’ is because of his membership of a particular group or political opinion.  If, and only if, he can show that he meets this test under the Convention on the Status of Refugees, article 1(F)(b) of the Convention would mean that Snowden could not be denied refugee status on the basis of his alleged crime IF it is a ‘political crime’.

If Snowden does not qualify for protection as a refugee, he could be subject to extradition under the extradition treaty between the US and Hong Kong.  The extradition treaty protects ‘political criminals’ by allowing the requested country to refuse to extradite an individual if the alleged offence is a ‘political offence’.  It is important to note that this is entirely discretionary; it would be up to Hong Kong as to whether it considers the offense to be ‘political’ and, if it does, whether it wants to refuse extradition on that basis.  Extradition can be a very sensitive matter between countries and decisions about whether or not to invoke a discretionary provision in a treaty fall into the realm of foreign relations, not black letter law.

But what exactly is a ‘political offense’?

The protections under extradition and refugee law share some terminology and there is definitely an overlap.  However, international human rights lawyers can pass many an hour debating the exact nature of the relationship and reasonable minds could certainly differ about the scope of the protections.

Extradition law

It is generally accepted in extradition law that political offenses can be either absolute (a purely political crime such as treason) or relative (a common crime that is given a political flavor by its context or purpose).  The challenge is to differentiate common crimes from ‘relative political crimes’.  There are two key approaches that can be identified from the cases:  the incidence test; and the predominance test.  Under the ‘incidence’ test, the act must be ‘done in furtherance of, done with the intention of assistance, as a sort of overt act in the course of acting in a political matter, a political rising, or a dispute between two parties in the state as to which is to have the government in its hands’ (as defined in the 1891 case of Re Castioni).  Snowden would have a tough time claiming that his act of leaking information was done as part of a political uprising or dispute about government.  He would therefore need to argue that the ‘predominance test’ should apply.

The predominance test weighs the common law criminal elements of the crime against the political elements of the crime in order to determine whether it is predominantly political.  Factors to consider in making this assessment include the existence of an underlying political struggle, the offender’s motive, the nature of the act and the efficacy of the act in achieving its goals.  Snowden would have some good arguments to make using this approach.  He asserts that he was motivated by the belief that the government’s surveillance program breaches the US Constitution and undermines important democratic rights.  There is no violence or direct loss of life caused by his actions but they have been highly effective in generating political debate and public scrutiny.  He would certainly have a good case to make that his acts are predominantly political and therefore Hong Kong should not be obliged to extradite him to the US.

Refugee law

There is no definition of ‘political crime’ in the Refugee Convention.  The UN Office of the High Commissioner for Refugees’ guidelines suggest that the following factors should be taken into account:

  1. the crime’s ‘nature and purpose ie whether it has been committed out of genuine political motives and not merely for personal reasons or gain’;
  2. whether there is ‘a close and direct causal link between the crime committed and its alleged political purpose and object’; and
  3. whether the political element of the offence ‘outweighs its common-law character’, which would not be the case ‘if the acts committed are grossly out of proportion to the alleged objective’.

These factors are similar to the factors that are considered in extradition in the context of the incidence test and the proportionality test.  When applying article 1(F)(b), courts have drawn heavily on extradition jurisprudence.

So what does this all actually mean?

In a politically-charged situation like this, the legal framework is important but the outcome will likely be determined by political pressures and careful diplomatic footwork.  The main take-homes of this discussion are that it is not a foregone conclusion that Snowden’s acts will be considered ‘political’, nor that this will prevent him from being either extradited or deported to the US.

Extradition is a very formal process, which can be slow and costly.  Moreover, it can put the two countries in a very awkward situation.  Seeking Snowden’s extradition from Hong Kong would raise the possibility that Hong Kong would have the discretion to refuse on the basis that it is a political offense.  This kind of decision can have a damaging effect on the broader bilateral relationship and both countries would likely prefer to avoid being put in this situation.

Since Snowden is a US citizen, the government may prefer to find a solution through immigration channels rather than seek extradition.  This would mean that Snowden would have to meet the more difficult test of qualifying as a ‘refugee’ before Hong Kong would need to make any decisions about ‘political offenses’.  While this is perhaps an arena in which the countries would feel more comfortable, the case of Julian Assange shows that it certainly does not necessarily remove all controversy.  Whatever happens, we can be sure that it will not be an easy case and the world will be watching very closely.

One heck of a timely UN report on government surveillance of communications

If it had happened on House of Cards, you’d have enjoyed the theater of it, but figured that the writers had taken some artistic license in the timing.  I mean, it just doesn’t happen in real life that the UN releases a report on the dangers of government surveillance on the internet immediately before the news breaks that the US Government has been conducting internet surveillance of previously unimagined proportions.  Critics could unkindly say this is because the UN is never ahead of the game, but in this case, you have to hand it to Frank La Rue – he has clearly authored an exceptionally timely report:

4 June 2013 – “Freedom of expression cannot be ensured without respect to privacy in communications,” United Nations Special Rapporteur Frank La Rue said today, calling for more global attention to the widespread use of surveillance technologies by States in violation of the human rights to privacy and freedom of expression.

5 June 2013 - The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America's largest telecoms providers, under a top secret court order issued in April.

6 June 2013 - The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants …. The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says. 

The right to privacy is a fundamental freedom in its own right (pardon the pun), but is also an important enabler for other rights such as the freedom of speech.  And yet, the right to privacy is a qualified right.  La Rue’s report notes that international human rights law is not sufficiently nuanced to provide clear guidance for countries and individuals when trying to understand what (if any) government intrusions into an individual’s electronic communications are acceptable.  In general terms, the right to privacy can be limited if the restrictions:

  1. are provided by the law;
  2. do not go to ‘the essence’ of the human right;
  3. are necessary in a democratic society;
  4. are not subject to unfettered discretion;
  5. are necessary for reaching an enumerated legitimate aim; and
  6. are proportionate (ie the least intrusive instrument to achieve the desired result, and the restrictions are proportionate to the interest to be protected).

It may well be that the US government’s electronic surveillance activities are permissible restrictions on the right to privacy under international human rights law.  The answer is in the detail of whether the restrictions are ‘necessary’, ‘proportionate’ and sufficiently fettered.  To satisfy this test, the government would certainly need to make some pretty convincing arguments.  President Obama’s brief defence of the program focuses on the fact that the surveillance only looks at ‘meta-data’, in order to identify patterns. This type of pattern can be invaluable in identifying potential security threats, and national security is clearly a legitimate aim in a democratic society.  However, the intrusion on privacy is only acceptable if the level of discretion, oversight and proportionality are adequate, and this can by no means be assumed in the current circumstances.

La Rue’s report concludes by making 17 recommendations.  Many of these recommendations relate to transparency, accountability and public awareness.  For example, he states that laws governing electronic surveillance should meet ‘a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee their application’.  In essence, his recommendations capture a sense that reasonable citizens should not be alarmed to learn of the type of surveillance that occurs, should acknowledge that the surveillance is of value and should be reassured that there are adequate oversight mechanisms in place.  Once again, his report is right on the money; the level of outcry in the US media and around water coolers this morning indicates that the current surveillance policies are not meeting the public 'sniff test'.  Something smells decidedly off.

So often, UN reports end with a plea for increased public awareness and further discussion about the issues, but any resulting debate is limited to the international law nerds and human rights nuts amongst us.  However, the freakishly good timing of La Rue’s report may just mean that the issues that he has raised capture mainstream attention and generate some real public debate.

 

Trust us, we're the Government - sharing evidence internationally

It’s the nature of academic articles that by the time they’re published you’ve almost forgotten that you wrote them, particularly if the journal is an annual.  It is therefore pleasantly surprising that as my article on ‘Sharing Evidence Across Borders:  the human rights challenge’ is published ((2012) 30 Aust YBIL 161), I find that the topic is still very much current and the questions raised are still relevant, possibly even more so than when I wrote it a couple of years ago.

Being able to transfer evidence between countries is essential for cross-border investigations and prosecutions.  Even aside from crime types that are obviously transnational in nature such as drug trafficking or international money laundering, everyday crimes are easily given a ‘transnational’ aspect if the criminals use international email providers, have a foreign bank account or if a key witness lives in another country.  Clearly, public policy dictates that investigations and prosecutions can’t be allowed to stop at the border.  To fill this gap, Mutual Legal Assistance Treaties (MLATs), law enforcement cooperation and letters rogatory have developed.  However, transferring evidence into another jurisdiction can have significant human rights implications.

After authorities in one country hand evidence over to another country, they may lose control and visibility of how that evidence is used.  And yet, instinctively, it seems like a country should not be able to wash its hands of all responsibility after handing over evidence.  When legal cooperation is used to move people rather than evidence (ie extradition), there are very clear human rights protections.  An abolitionist country cannot extradite or deport a person to a country if there is a real risk that he or she may be subject to the death penalty.  Similar obligations arise if a country wishes to extradite a person to a country where there is a real risk of a person being subject to torture or to cruel, inhuman or degrading treatment or punishment.  However, there is no such obligation if one country provides evidence to another country and that country then uses the information to impose the death penalty, torture or other cruel, inhuman or degrading treatment or punishment on an individual.

Many see this as unjust and there is a temptation to extend the international law that applies to extradition to MLATs and law enforcement cooperation.  After all, the consequences for individuals can be just as dire when countries share evidence as when they cooperate for extradition.  However, if you carefully analyse the extradition jurisprudence and try to apply it to evidence-sharing, you encounter a number of significant logical and legal problems.

In order to be practical and politically-palatable, there must be limits on a country’s human rights obligations.  International human rights law obligations are therefore generally limited to persons within that country’s jurisdiction.  When evidence is provided to foreign countries, it usually affects individuals in the foreign country.  It is difficult to find a logical way to argue that those individuals are within the ‘jurisdiction’ of the country providing evidence.  There are a couple of unique situations in which international human rights law has been found to apply to individuals extraterritorially.  These include where an individual is under that country’s effective control (eg prisons operated in Iraq by allied forces) or for particular rights such as the issuing of a passport or the enforcement of a judgment in absentia.  When you analyse these extraterritorial situations, they seem to be fundamentally different from a person about whom a foreign country facilitates providing evidence.

I therefore argue that international human rights law does not create any obligations with respect to law enforcement cooperation or mutual legal assistance.  This is not to say that there should not be legal obligations, just that they do not currently exist under international human rights law.  Any attempt to create obligations needs to engage with the complexity of the issue, not just assume that the same rules that apply to extradition can be applied to evidence-sharing.

The treaties that create evidence-sharing relationships provide some protections by specifying situations in which the requested country may refuse to provide evidence.  Such situations include where the death penalty would be imposed or there is a real risk of torture.  However, this is permissive rather than mandatory.  Moreover, MLATs and agreements on law enforcement cooperation are negotiated on an ad hoc basis and there is no uniformity in approach.  In the end, it all comes down to the particular policies of the administration that negotiated the treaty and the policies in place at the time that it is asked to provide the evidence.

The government makes decisions about which countries it is appropriate to enter into evidence-sharing relationships with and on what terms.  There is also scope to make decisions about specific requests.  For example, the requested country may specify that evidence will only be provided if the other country gives certain assurances (eg not to impose the death penalty).  Enforcement of such undertakings is a diplomatic matter.  In this way, the responsibility to make the right decisions about who to do business with and on what terms is largely a matter for the executive.

The system is further complicated when third parties hold the requested evidence, and these parties have their own relationship with the owner of the information.  The most pressing current example is online records.  Companies such as Google and Facebook hold large amounts of user data and many of their users reside in foreign jurisdictions.  The relationship of trust between these companies and their users is a valuable part of their business.  Being a good corporate citizen and cooperating with law enforcement to combat crime may also be important, but the priorities are not necessarily always compatible.

This somewhat changes the assumption that evidence-sharing can be handled adequately on a purely diplomatic basis because you have an additional party with a different set of interests.  This is not a new problem; for many years, countries have been sharing bank and telephone records.  However, the scale of the issue has certainly grown, with users storing more and more personal data online and increasing numbers of these users being in different jurisdictions from the tech companies.

These companies can scrutinize the requests that flow through from the Department of Justice or law enforcement to ensure that the legal requirements have been met.  However, where the discretion is a matter for the executive, the companies have limited options.  It is for the government to decide whether the other country’s justice system is adequate or undertakings are sufficient.  Provided that the other legal requirements are met, the company is obliged to hand over their user’s information.  Essentially, the system is based on trust that governments will do the right thing.

The increasing role of third party holders of information brings another dimension to the question of civil liberties protections in international evidence sharing.  It means that there is a new voice in the debate.  While governments have tended to keep evidence sharing confidential, tech companies are increasingly going public about government requests for user data.  Companies may challenge government requests in the courts on behalf of their users and raise public awareness about any perceived deficiencies in the laws.  What has tended to be an obscure area of government practice where the lack of legal protections has gone largely unnoticed now has the potential to become an issue of public discussion and concern.

Transparency – but what are we seeing?

Now that Microsoft has come to the party and is publishing a regular transparency report, there is a meaningful amount of publicly-available data about government requests for online records.  Looking at the data from Google, Twitter, Dropbox and Microsoft side-by-side raises some interesting questions. The trend towards publishing transparency reports is a welcome one.  It raises awareness and encourages users to think about what protections they’re entitled to and how private their online activities really are.  There are still some very noticeable gaps in the information available.  Facebook and Yahoo! store large amounts of personal data but are noticeably silent on the issue of transparency reports.  Perhaps they will follow in Microsoft’s footsteps and finally succumb to the pressure for transparency.

Consumer and privacy advocacy groups are alarmed at the increased volume of government data requests.  Back in January, EFF reported on the ‘troubling trend’ of the rise in government surveillance because there had been a 70% increase in requests for data since Google started releasing numbers in 2010.  Forums are awash with comments about government snooping and conspiracy theories.  Meanwhile, at last week’s Committee on the Judiciary Hearing, Richard Littlehale from the Tennessee Bureau of Investigation argued for calm in considering the increase in government requests.  He analysed the statistics as demonstrating that ‘just a tiny fraction of one percent of Google’s accounts were affected by government demands’.

Comparing the transparency reports of the different companies shows that Microsoft/Skype and Google are inundated with requests for data.  As you would expect, relative newcomers Dropbox and Twitter receive far fewer requests.  In 2012, there were 122,015 requests relating to Microsoft accounts, 15,409 requests relating to Skype accounts, 68,249 Google accounts, 2,614 Twitter accounts and 164 Dropbox accounts. Each of these statistics relates to the number of accounts affected.  As each user could have multiple accounts, this does not directly equate to the number of individuals affected but nonetheless gives a sense of the scale of the issue.

These are some pretty impressive numbers and they’re on the rise.  The volume of requests to Google has grown significantly even during the short 3 years that they have been publishing their transparency report.  Although the data is not available, it seems reasonable to assume that the other companies are also experiencing significant increases.  Just what do these statistics mean?  Is it time to sound the Orwellian alarm bells?

Of course, more users have been sending, posting and storing information online.  This comes not only from more users engaging with online products, but also through the expanded type of products being offered.  The growth in cloud computing and cloud product offerings such as Google Drive mean that there is more information being held by third parties.  Higher penetration of online products not only means more cute cats and emails home to Mom, but also more use by criminal elements.  This naturally piques the interest of law enforcement officers.

As law enforcement becomes more familiar with the use of online records as evidence, more officers appreciate its value and employ it as one of their investigative tools.  The process has also been simplified and demystified.  Only a few years ago, it was an impenetrable maze to try to work out how to request online records for most of the providers.  Now, many of the companies have publicly accessible guides for law enforcement.  This means that it’s not just the high-tech crime units that are aware of the ability and value in accessing online records, but also the local county sheriffs.

Upward trends in law enforcement requests for records from particular online products can also reveal that some applications are particularly attractive to criminal elements.  For example, in the past, certain messaging applications became havens for child pornography rings to the extent that the product was discontinued.  Criminals will always look for weaknesses in the system and loopholes where they feel that they can communicate with impunity.  Police will naturally want to follow these trends and pursue criminals by accessing these records.  At the same time, innocent users have a valid expectation of privacy over their communications.

This all means that more users are putting more information online and it’s being accessed by a wider range of law enforcement officers.  I don’t think this is necessarily alarming in itself – we are no longer in a society where people (innocent or criminal) handwrite their private documents and store them under lock and key in their filing cabinet and investigative techniques have to adjust accordingly.  However, it does mean that it is increasingly important to ensure that there are adequate systems in place for the way in which this information is stored, accessed and used.

The discussion of this issue is hardly in its infancy; reform of ECPA has been on and off the cards for years (culminating in the last-minute failure to pursue the legislative amendments at the end of last year).  At last week’s committee hearing, there was a new level of consensus that access to users’ content should only be through showing of probable cause.  However, underneath this veneer of agreement, each of the witnesses revealed important differences of opinion.  The Department of Justice advocated that substantial carve-outs from the probable cause standard should be afforded for civil litigation.  The law enforcement representative had a wish list including access to SMS messages and mandatory time limits on compliance with government requests.  Questioning by committee members revealed that there was confusion about the difference between traffic data and content and a troubling lack of understanding about how services such as targeted advertising on Gmail accounts affect privacy.  As with most legislative reform, the devil is in the detail and there is a lot of work ahead before there can be agreement on a Bill.

Access to online records needs to be addressed now.  The uncertainties between different jurisdictions and the growing agreement that aspects of ECPA infringe the Fourth Amendment of the Constitution are unacceptable both from a user’s perspective and also from the commercial perspective of companies that have to navigate this legal minefield on a daily basis.  The law is certainly in need of reform and the problem is only going to get worse.  However, the statistics do not necessarily mean that we are in the grip of a government conspiracy.  While we are no longer in the 1986 world of the original ECPA, we are also a long way from George Orwell’s 1984.