Extraterritoriality and digital surveillance – time for the lawyers and the advocates to bring the dialogue together

This weekend, as an ex-bureaucrat, I felt for the folk at the State Department.  It must have been a ridiculously busy weekend for those preparing for this week’s Human Rights Committee Hearing in Geneva.  On Friday, the New York Times leaked Harold Koh’s legal advice acknowledging that the US obligations under the International Covenant on Civil and Political Rights do not stop at the border.  The NYT article would have meant that the briefing folders that had been merrily making their way up the clearance chain in time to be packed into the delegation’s suitcases would have been discarded (or at least the sections on extraterritoriality would have been yanked out) and all the talking points would have needed to be rewritten. This is not just an important moment for bureaucrats or international human rights law junkies; it is potentially powerful for digital rights activists pushing for reform of global surveillance practices.  Digital rights advocates have been calling for the US government to end global mass suspicionless surveillance and to adhere to their international human rights law obligations.  There may be a strong moral case to support them, but when it comes to the NSA’s overseas activities, the discourse has often lacked a strong legal underpinning.  In order to push governmental policy on this issue, the dialogue needs to mature to the point where it is built on solid legal underpinnings.  The next couple of months bring an unprecedented opportunity to do just that.

The current state of the digital rights dialogue

Up until now, civil society dialogue has pushed the idea that States owe an obligation to respect privacy online for both citizens and non-citizens.  In an open letter to the UN High Commissioner for Human Rights, the Global Network Initiative “has urged the United States to recognize the right to privacy of non-U.S. persons and to strengthen reforms to effectively protect this right”.  The NGO-led International Principles on the Application of Human Rights to Communications Surveillance state that “In order for States to actually meet their international human rights obligations in relation to communications surveillance, they must comply with the principles set out below. These principles apply to surveillance conducted within a State or extraterritorially.”

But it’s hard to find anything in the digital rights sphere that actually specifies the nature and source of an extraterritorial international obligation.  You can’t really blame them.  While you may have a gut instinct that the “right” thing to do is to extend the article 17 right to privacy beyond a country’s borders, it’s actually really tough to make out the technical legal argument supporting this.  The issue goes to heart of what “control” means and whether the scope of a right can be determined by the ability of a State to impact it.  Tricky stuff.

The emerging ideas for a legal basis

One of the few academic articles to specifically tackle the issue of extraterritorial application of article 17 of the ICCPR to digital surveillance is by Peter Margulies.  This argues that the “effective control” test of jurisdiction is inadequate for the online context.  Instead, he posits a test of “virtual control” under which the ICCPR is “applicable when a state can assert control over an individual’s communications, even though it lacks control over the territory in which the individual is located, or over the physical person of that individual”.  I’m not sure that this argument is nuanced enough yet to be able to adopt it in legal cases (and indeed, digital rights groups may be unhappy with Margulies’ conclusion that US surveillance abroad actually complies with article 17).  However, it does go some way towards breaking down the issues and applying international legal reasoning to the issue.

Marko Milanovic has an excellent series of blog posts on the international human rights law implications of surveillance.  He argues that the best way of understanding jurisdiction and international surveillance is to treat rights differently according to whether they are “negative” or “positive”.  Accordingly, “The reason why the Convention would apply is because it should apply to all potential violations of negative obligations, e.g. the one to refrain from interfering with my privacy”.  This argument has a lot of force and makes sense of some of the confusing jurisdictional cases in international human rights law jurisprudence.  However, it is still early days and it is yet to be seen whether a court (or treaty body) would adopt this approach.

The NYT article has prompted a stream of shorter blog posts over the last couple of days, including a great “mini-forum” on Just Security (see especially Jennifer Daskal, Martin Scheinin and Manfred Nowak.  This does not really go into the same depth as Margulies' and Milanovic's analyses, but does go some way towards bringing the legal issue of extraterritoriality and surveillance to a slightly broader audience.

There has been some high-quality legal thinking on this issue but it is still at a fairly early stage of development, and discussion remains confined to international human rights law circles.

The opportunities for change

The best way to effect change to international digital surveillance is through powerful advocacy that speaks to the public but is also supported by strong legal reasoning that speaks to the government and bureaucrats.  Now is the moment to bring these dialogues together.

The Human Rights Committee tends to listen very closely to NGO input (partly in recognition of their valuable contribution, but also because the committee just does not have the resources to conduct extensive research on all the issues covered by the ICCPR in each State).  This means that the NGO community needs to be in the Committee’s ear over the coming week with helpful, informed and well-reasoned views on extraterritoriality and surveillance.

Another key opportunity will be the UN High Commissioner for Human Rights’ forthcoming report.  At the end of last year, the UN General Assembly passed a resolution recognizing the right to privacy in the digital age.  It backed away from any reference to extraterritorial obligations in the text of the resolution.  However, the resolution:

Requests the United Nations High Commissioner for Human Rights to present a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale to the Human Rights Council, at its twenty-seventh session, and to the General Assembly at its sixty-ninth session, with views and recommendations, to be considered by Member States;

This means that there is now an opportunity for a UN report to directly tackle the issue of extraterritorial application of the right to privacy to online surveillance.  Again, it will be important for civil society to make submissions that are well-reasoned, pragmatic and legally-robust.

Much of the advocacy and legal groundwork has been done – the challenge is in making sure that the two dialogues come together.

Transparency – but what are we seeing?

Now that Microsoft has come to the party and is publishing a regular transparency report, there is a meaningful amount of publicly-available data about government requests for online records.  Looking at the data from Google, Twitter, Dropbox and Microsoft side-by-side raises some interesting questions. The trend towards publishing transparency reports is a welcome one.  It raises awareness and encourages users to think about what protections they’re entitled to and how private their online activities really are.  There are still some very noticeable gaps in the information available.  Facebook and Yahoo! store large amounts of personal data but are noticeably silent on the issue of transparency reports.  Perhaps they will follow in Microsoft’s footsteps and finally succumb to the pressure for transparency.

Consumer and privacy advocacy groups are alarmed at the increased volume of government data requests.  Back in January, EFF reported on the ‘troubling trend’ of the rise in government surveillance because there had been a 70% increase in requests for data since Google started releasing numbers in 2010.  Forums are awash with comments about government snooping and conspiracy theories.  Meanwhile, at last week’s Committee on the Judiciary Hearing, Richard Littlehale from the Tennessee Bureau of Investigation argued for calm in considering the increase in government requests.  He analysed the statistics as demonstrating that ‘just a tiny fraction of one percent of Google’s accounts were affected by government demands’.

Comparing the transparency reports of the different companies shows that Microsoft/Skype and Google are inundated with requests for data.  As you would expect, relative newcomers Dropbox and Twitter receive far fewer requests.  In 2012, there were 122,015 requests relating to Microsoft accounts, 15,409 requests relating to Skype accounts, 68,249 Google accounts, 2,614 Twitter accounts and 164 Dropbox accounts. Each of these statistics relates to the number of accounts affected.  As each user could have multiple accounts, this does not directly equate to the number of individuals affected but nonetheless gives a sense of the scale of the issue.

These are some pretty impressive numbers and they’re on the rise.  The volume of requests to Google has grown significantly even during the short 3 years that they have been publishing their transparency report.  Although the data is not available, it seems reasonable to assume that the other companies are also experiencing significant increases.  Just what do these statistics mean?  Is it time to sound the Orwellian alarm bells?

Of course, more users have been sending, posting and storing information online.  This comes not only from more users engaging with online products, but also through the expanded type of products being offered.  The growth in cloud computing and cloud product offerings such as Google Drive mean that there is more information being held by third parties.  Higher penetration of online products not only means more cute cats and emails home to Mom, but also more use by criminal elements.  This naturally piques the interest of law enforcement officers.

As law enforcement becomes more familiar with the use of online records as evidence, more officers appreciate its value and employ it as one of their investigative tools.  The process has also been simplified and demystified.  Only a few years ago, it was an impenetrable maze to try to work out how to request online records for most of the providers.  Now, many of the companies have publicly accessible guides for law enforcement.  This means that it’s not just the high-tech crime units that are aware of the ability and value in accessing online records, but also the local county sheriffs.

Upward trends in law enforcement requests for records from particular online products can also reveal that some applications are particularly attractive to criminal elements.  For example, in the past, certain messaging applications became havens for child pornography rings to the extent that the product was discontinued.  Criminals will always look for weaknesses in the system and loopholes where they feel that they can communicate with impunity.  Police will naturally want to follow these trends and pursue criminals by accessing these records.  At the same time, innocent users have a valid expectation of privacy over their communications.

This all means that more users are putting more information online and it’s being accessed by a wider range of law enforcement officers.  I don’t think this is necessarily alarming in itself – we are no longer in a society where people (innocent or criminal) handwrite their private documents and store them under lock and key in their filing cabinet and investigative techniques have to adjust accordingly.  However, it does mean that it is increasingly important to ensure that there are adequate systems in place for the way in which this information is stored, accessed and used.

The discussion of this issue is hardly in its infancy; reform of ECPA has been on and off the cards for years (culminating in the last-minute failure to pursue the legislative amendments at the end of last year).  At last week’s committee hearing, there was a new level of consensus that access to users’ content should only be through showing of probable cause.  However, underneath this veneer of agreement, each of the witnesses revealed important differences of opinion.  The Department of Justice advocated substantial carve-outs from the probable cause standard should be afforded for civil litigation.  The law enforcement representative had a wish list including access to SMS messages and mandatory time limits on compliance with government requests.  Questioning by committee members revealed that there was confusion about the difference between traffic data and content and a troubling lack of understanding about how services such as targeted advertising on Gmail accounts affects privacy.  As with most legislative reform, the devil is in the detail and there is a lot of work ahead before there can be agreement on a Bill.

Access to online records needs to be addressed now.  The uncertainties between different jurisdictions and the growing agreement that aspects of ECPA infringe the fourth amendment of the Constitution are unacceptable both from a user’s perspective and also from the commercial perspective of companies that have to navigate this legal minefield on a daily basis.  The law is certainly in need of reform and the problem is only going to get worse.  However, the statistics do not necessarily mean that we are in the grip of a government conspiracy.  While we are no longer in the 1986 world of the original ECPA, we are also a long way from George Orwell’s 1984.