Privacy has become a human rights issue for the digital age
Lawyer Elizabeth Knight is fighting for user protection but fears new European laws won’t go far enough
Whistleblower Edward Snowden: disclosures of large scale, secretive state surveillance. Photograph: Frederick Florin/AFP/Getty Images
When Edward Snowden’s disclosures of large scale, secretive state surveillance began to emerge via the Guardian newspaper nearly two years ago, human rights lawyer Elizabeth Knight saw her perspective shift.
“With Snowden’s revelations, I realised the biggest human rights issue, in the UK certainly – and more broadly – was privacy. That’s really what attracted me to Open Rights Group,” says the solicitor, who a year ago became the legal director of the UK digital rights and civil liberties advocacy organisation.
She describes Open Rights Group (ORG) as “an organisation that promotes human rights in the digital age”, with a particular focus on privacy and freedom of expression.
In that role, the group has been to the forefront of confronting the UK government over Snowden’s disclosures of mass communications surveillance by Government Communications Headquarters (GCHQ). Some of the 200,000-plus documents handed over by Snowden indicated GCHQ had been routinely tapping all data running over major fibreoptic cables running in and out of Britain, including subsea cables to Ireland.
“The reason those disclosures are so important is they were the first revelation of the failure of our own oversight mechanisms,” she says.
UK politicians and designated oversight bodies, such as the parliamentary Intelligence and Security Committee, were unaware of the scale of spying and the sheer volume of data-gathering, done wholesale and without any particular target in mind, she says. The UK’s intelligence services can process 21 petabytes – 39 billion pieces of data – a day, according to the Open Rights website.
“We had to learn about this from a foreign whistleblower, rather than our own mechanisms,” Knight says.
In response, one of ORG’s biggest campaigns right now, called Don’t Spy On Us, demands a detailed government inquiry into how and why existing laws failed, and systematic reform of the legal framework under which GCHQ operates.
The campaign is a joint one between some of the UK’s most prominent civil rights groups, and includes Privacy International, Article 19, Liberty, English PEN, and Big Brother Watch.
“One of the main problems is the legislation governing surveillance – RIPA (Regulation of Investigatory Powers Act of 2000) – is completely outdated and opaque. That’s one of the reasons GCHQ is able to get away with what they do, by creating very complicated interpretations of the law. So we are calling for reform.”
All surveillance should be directed at specific, legitimate targets, not wholesale data gathering, she says. Under current law, GCHQ can name an entire communications cable as a target, she notes.
Knight is also concerned that what few protections are provided, are given only to the content of communications but not the metadata. That’s the potentially revealing information about a communication, such as a phonecall or email.
Metadata discloses the date, time, duration, and recipient of a phonecall – detail which could disclose sensitive personal information, such as linking an individual to a call to Alcoholics Anonymous. Metadata is especially revealing when it is aggregated from many sources, such as website visits, call data, and emails, she notes. “And with metadata, there’s no limits to what [GCHQ]can do.”
The UK needs tighter, more transparent laws on data gathering, better oversight, and more effective redress for people or organisations who feel they have been improperly subjected to surveillance, she says.
Open Rights is also taking what they are calling the “Privacy not Prism” case to the European Court of Human Rights. The complaint, about NSA and GCHQ spying, asserts that the programmes Tempora (GCHQ’s cable tapping) and Prism (the NSA’s gathering of user data from US technology and social media corporations such as Microsoft and Facebook) violated rights to privacy and freedom of expression guaranteed in the European Convention on Human Rights, which is part of UK human rights law.
ORG’s case follows on the heels of a related, formal complaint by Liberty, Amnesty International, Privacy International and Pakistan’s Bytes For All last year. They took their complaint to the UK’s Investigatory Powers Tribunal – the body that investigates surveillance complaints against the intelligence services, police and public authorities. This resulted in a report that ruled that while some of GCHQ’s activities had been improper, they were now, at least in principle, acceptable as secret policies existed to permit them.
Knight says their ECHR case was placed on hold, pending the IPT decision. Now that the judgment has been rendered, she expects their ECHR case to proceed, as it had been prioritised by the ECHR. In addition, unhappy with the judgment in the IPT case, the coalition of groups that filed that complaint also plan to appeal it to the ECHR, and Knight expects it to be taken together with their own.
If so, the joint case will be one of several top-level cases brought to the ECHR or the European Court of Justice in 2014 and 2015, in which Snowden’s disclosures are playing a significant role. These include Austrian law graduate Max Schrems’s case against Facebook’s handling of his data and a subsequent judgment made by the Irish Data Protection Commissioner, heard recently by the ECJ.
“That’s going to be a big one,” she notes.
Much else is also on the European privacy agenda, too. Knight says a new Data Protection Regulation is expected sometime soon, but she notes with dismay that indications are the authorities will push to have it be less protective than the existing Data Protection Directive, even though the opposite was the original intention.
She also notes the judgement on data retention last year by the ECJ, in a case brought by privacy advocates Digital Rights Ireland, has been “hugely influential” for privacy rights. Agreeing with pro-privacy arguments, the ECJ threw out the long-standing EU Data Retention Directive on the basis that it was too open-ended, had weak oversight and constituted mass surveillance. ORG is challenging the UK’s response to the case, in which the government rapidly brought in primary legislation with little debate. ORG contends the new legislation is also in violation of the ECJ ruling.
But Open Rights Group doesn’t just focus on national policy issues. The organisation also has taken issue with how businesses utilise the increasing streams of data generated by customers and users.
However, says Knight, “We’re not pro- or anti-business. We’re pro- and anti- privacy” issues. “On surveillance, we probably align with business,” she argues.
For example, providers of internet services and communications do not want to be the ones required to retain and manage large volumes of user data on behalf of intelligence agencies, she notes.
“But in other areas, such as data protection, we’re more critical. For example, we’d object to Facebook’s policies not being sufficiently clear and transparent to users.”
ORG would also be concerned about apps that upload location data, without users being sufficiently aware, she says.
She also notes growing concern at mobile phone companies using data for secondary analytics purposes and selling user data on. “Probably, customers are not aware of this and not given an opt-out.
“It really depends on whether the consumer thinks it’s a fair bargain or not. It’s really the lack of transparency.”
Elizabeth Knight will speak at Digital Rights Europe in Dublin on April 15th. The event is Digital Rights Ireland’s inaugural conference on digital privacy, digital security and data protection. More information: digitalrights.ie/digital-rights-europe-dri-conference/