Visiting Fellow, Department of Information Systems, the London School of Economics and Political Science
and Senior Fellow, Privacy International
November 5, 2002
The following recounts the general themes that I presented at the November 4-5 2002 Mediterranean Seminar of the Organization for Security and Cooperation in Europe, held in Rhodes, Greece. This document is also available at http://is.lse.ac.uk/staff/hosein/osce_statement.html. There are some live links within this document that can be accessed if this file is loaded within a browser.
My presentation builds from the research I have conducted over the past few years involving surveillance policies, and my co-operation with civil society organizations in Europe and North America. I have conducted this work at the London School of Economics where I am a Visiting Fellow in the Department of Information Systems; at Privacy International; and most recently at Columbia University as a Visiting Scholar and as a Senior Markle Fellow at the Programme in Comparative Media Law and Policy at the University of Oxford.
My presentation involved four trends that have arisen in the past year, as reported within the Privacy and Human Rights Survey 2002. I then followed with four implications regarding these trends, and concluded with three challenges for civil society.
The issues surrounding jurisdiction and globalisation are confusing and sometimes quite constrictive to governments and other actors. A solution is to foster and generate co-operative regimes and structures. Sometimes this co-operation occurs under Mutual Legal Assistance Treaties, other times it occurs under quasi-rules; either way problems may arise. There are two examples of international co-operation conundrums.
The first involved Zacharias Moussaoui, the suspected 20th hijacker. When the U.S. Federal Bureau of Investigation arrested him in August 2001 on a visa violation, the FBI found that Moussaoui also had a laptop computer. According to congressional testimony, the FBI agents believed erroneously that existing law would not permit them to gain access to the data on the laptop. As a result they devised a plan to send Moussaoui to France where French officials could gain access more readily to the computer and send the information back to the U.S. for review. In this sense, the FBI was planning to circumvent its perception of U.S. law by using international co-operation through France.
The second example involves a declaration by Germany in late August 2002, as reported by the BBC, that German authorities would withhold evidence against Moussaoui from the United States unless they can be assured that it will not be used to secure a death penalty. Around this time, it emerged that the U.S. and the EU were negotiating in secret a co-operation scheme that would deal with such situations.
The current landscape for international co-operation involves, generally, bi-lateral treaties amongst countries. In recent years we have seen the emergence of some multilateral instruments negotiated at Intergovernmental Organisations and other international fora, that since 2001, have seen increasing adoption. However, all countries have different legal systems; how co-operation is to occur within these varying legal systems remains to be investigated in sufficient detail.
National policy discourses before September 2001 at best involved a very rich set of discussions, and a number of problematic policies were laid to rest. The Council of Europe convention on cybercrime had been criticised heavily by both industry and civil society; industry and government negotiations at the G-8 had suffered from a lack of agreement; and a number of privacy invasive technologies had been set aside as their risks were exposed.
In the policy environment in the past year, a number of these policies have re-emerged. The G8 and the Council of Europe policies and instruments are now moving forward with greater momentum; the former released new policy instruments at the 2002 G-8 summit in Canada, and the latter's instrument was signed in November 2001 by over 30 countries. ID cards are proposed in countries despite previous resistance; biometrics and face recognition technologies implemented regardless of reports of their risks and faults; and profiling is re-introduced as a solution to preventing and pursuing criminal and terrorist activity despite known legal problems.
The most alarming policy is that of data retention. This is a situation where privacy and data protection laws are turned on their heads: previous legal requirements that data controllers delete personal information once it is no longer of use are transformed into retention requirements for the purpose of law enforcement and other state interests. Policies have emerged at the EU, within the United Kingdom, Spain, and the Netherlands regarding the retention of communications traffic data at communications service providers; while in Canada proposals have emerged regarding the retention of travel habits.
A common trend to the new legislation emerging from September 2001 onwards is the reduction of authorisation and oversight requirements prior to the use surveillance. A number of countries allowed for ministerial warrants for the interception of communications, or reduced the conditions to the use of invasive investigative methods. Some countries are finding that international instruments are useful for this purpose; one such method will be seen in the fourth trend.
A common articulation for governments that are making changes to their surveillance regimes is that new technology has forced the 'updating' of older laws. For example, the interception of communications laws in a number of countries speak of postal and telephone systems; updates are presumably required to include mobile and internet communications.
One policy strategy used in this updating is technology-neutral policy. Rather than having to create new laws for each new technology that comes about, technology-neutral laws attempt to deal with all technologies equivalently under law. The problem arises, however, that all technologies are eventually treated like the telephone system or some other older infrastructure, despite large differences.
In the U.S., laws previously protected the privacy of an individual's cable television viewing habits because their viewing habits were considered sensitive information. Telephone traffic data, however, is often treated differently: records of who you call and for how long you spoke for are considered less invasive, and thus protected minimally under law. In the USA-PATRIOT Act, passed into law in October 2001, the U.S. government reduced the protection of internet traffic data to the level of telephone traffic data, arguing that technology-neutral law was ideal; despite obvious differences in the sensitivity of this data. Traffic data involving internet devices can include location data, domain names and Universal Resource Locators (i.e.. www.computer.tld/file.html), search parameters, telephone numbers, etc.
Meanwhile, the United Kingdom in its Regulation of Investigatory Powers Act 2000 acknowledged the differences in traffic data, and recognised after a rich discourse that some data may in fact be sensitive. Canada is currently considering updating its own laws on lawful access to data, while proposing to ratify the Council of Europe convention on cybercrime. In its current proposals, the Canadian government is arguing that all traffic data should be treated similar to existing law on telephone traffic. Canada is also considering treating all communications service providers the same, whether they are internet service providers, mobile phone service providers, and telephone service providers. It may be said that technology-neutral law, therefore, reflects the interests of the policy-makers.
As countries move to ratify the Council of Europe convention on cybercrime and implement the G-8 policies on high-tech crime, it is important to note that the majority of the substance within the convention and the policy instruments do not deal with cybercrime. Generally they deal with ensuring surveillance capabilities and other procedural powers, and ensuring for international application of these powers. The cybercrime content of these instruments is actually quite low.
One may hazard to say that anti-terrorism laws are not necessarily about terrorism either. The substance of many proposed laws around the world have included the creation of new powers that are not limited to terrorist matters. In the United States, for example, an oversight court filed a complaint in May 2002 against the Department of Justice finding that the DoJ previously used anti-terrorism powers previously to investigate criminal activity; benefitting unjustly from greater powers and reduced oversight requirements.
Just as every legal system has differences amongst one another, as countries adopt international instruments to harmonise their national laws and legal procedures, they will all interpret these instruments differently. Canada's interpretation of the CoE convention is quite different to the content of the convention itself; and surely different to the powers already established within the UK, and even within the U.S. From differing definitions of the technologies, to differences in penalties, oversight and authorisation requirements; these differences create an uncertain landscape for the safeguarding of civil liberties.
Technology is not separate from society: the internet is not something that is separate from us, it is, at least to some extent, part of our daily lives. Treating it as a unique space that must be regulated may be problematic; but at the same time ignoring its constitution and its interaction with law may be hazardous. In fact, doing so may meet the interests of the policy makers. Technology-neutral policies on lawful access to traffic data, for example, increase the powers of law enforcement by expanding the breadth of application of this power, while access to this data will increase the intrusion into the private life of the individual with only minimal protections and safeguards. As a result, technology policy must be specific in the forms of data collected and accessed, and how it is used.
Just because a problem is international, such as the regulation of global data flows or the pursuing of criminal activity across borders, does not mean that every international solution that appears is ideal. The G-8 and the Council of Europe policies have serious problems including their general lack of regard to the interests of other actors including civil society and industry; as a result I would caution against the blind implementation of these instruments into national policy. These also suffered from insufficient discourse with non-state actors such as industry, law societies, technological experts, and so forth; we must now foster appropriate dialogue with these actors at this very late stage, even if little change can be effected.
The challenges presented here all surround the nature and quality of the policy discourse: as we must question whether it is sincere, informed, and wonder about its richness.
As countries move to ratify and implement policies agreed at international governmental organisations like the OSCE, CoE, and G8, the role of national NGOs comes into question. NGOs are for the most part focused on national policy developments, and are busy enough at that level. Now they have to monitor the processes and outputs of IGOs that do not always operate openly. The Council of Europe, during the formulation of the cybercrime convention, argued that consultation is ideally a national process, and not the duty of the CoE itself; while this may be true with respect to its current mandate, the national policy discourses at times of ratification may not be the ideal time to discuss serious problems with the convention once there is already a felt-need to adjust national law accordingly. IGOs must change their mandates to include consultation, perhaps through requiring national consultation prior to the negotiation of charters, agreements, and treaties; otherwise the sincerity of the political discourse is highly questionable.
Even as the CoE convention is not really about cybercrime, many within civil society have been ignoring the convention because of its apparent focus on technology and high-tech crime. Governments need to reach out to civil society to interact with and educate them on the implications of the policy changes, as the policy discourse is conducted in a technology-specific way; or otherwise governments may need to reach out to more technology-aware NGOs that may have a more specific mandate but less of a constituency.
In previous policy discourses, industry representatives and other actors played large roles. They seem to be disappearing from the discussions, however, as they may not be as willing to raise their concerns. Governments and IGOs need to reach out to other actors such as epistemic communities (law societies, engineering associations and task forces, scientists and researchers) as well as industry organisations.
The current discourses are framed as balances between civil liberties and public security; the very notion of a balance is a myth, a false dichotomy. The more actors that are included within the discourse the more the notion of balance will disappear as a fuller set of ideas and idealogies are presented, and more interests arise, and more possible alternative solutions may emerge. Otherwise, the policy discourse will suffer, and the policy outcome will be surely problematic.
November 5, 2002