23 October 2014
Ladies and gentlemen.
The central message of the report that I am presenting today is that mass surveillance of the Internet, or bulk access to digital communications traffic, as it is sometimes called, poses a direct challenge to an established norm of international law. States' obligations under article 17 of the International Covenant on Civil and Political Rights include the obligation to respect the privacy and security of digital communications. This implies in principle that individuals have the right to share information and ideas with one another without interference by the State, secure in the knowledge that their communications will reach and be read by the intended recipients alone. Measures that interfere with this right must be authorised by domestic law that is accessible and precise and that conforms with the requirements of the Covenant. They must also pursue a legitimate aim and meet the tests of necessity and proportionality.
The exponential growth in States' technological capacities over the past decade has improved the capacity of intelligence and law enforcement agencies to carry out targeted surveillance of suspected individuals and organisations. The interception of communications provides a valuable source of information by which States can investigate, forestall and prosecute acts of terrorism and other serious crime. Targeted surveillance of this nature depends upon the existence of prior suspicion of the targeted individual or organisation. It is the almost invariable practice of States to require some form of prior authorisation – whether judicial or executive – and in some States there is an additional tier of ex post facto independent review.
The dynamic pace of technological change has, however, enabled some States to secure bulk access to communications and content data without prior suspicion. The authorities in these States are now able to apply automated data mining algorithms to dragnet a potentially limitless universe of communications traffic. By placing taps on fibre-optic cables through which the majority of digital communications travel, these States have been able to conduct mass surveillance of communications content and metadata, providing intelligence and law enforcement agencies with the opportunity to monitor and record not only their own citizens' communications but also the communications of individuals located in other States. This capacity is typically reinforced by mandatory data retention laws that require telecommunications and Internet service providers to preserve communications data for inspection and analysis. The use of scanning software, profiling criteria and specified search terms enables the relevant authorities then to filter vast quantitites of stored information in order to identify patterns of communication between individuals and organisations. Automated data mining algorithms link common identifying names, locations, numbers and Internet protocol addresses and look for correlations, geographical intersections of location data and patterns in online social and other relationships.
In this way, States with high levels of Internet penetration can gain access to the telephone and email content of an effectively unlimited number of users and maintain an overview of Internet activity associated with particular web pages. All of this is possible without any prior suspicion related to a specific individual or organisation. The communications of literally every Internet user are potentially open for inspection by intelligence and law enforcement agencies in the States concerned. This amounts to a systematic interference with the right to respect for the privacy of communications and requires a correspondingly compelling justification.
The prevention, suppression and investigation of acts of terrorism clearly amount to a legitimate aim for interfering with privacy rights under article 17 of the Covenant. Terrorism can destabilise communities threaten social and economic development, fracture the territorial integrity of States and undermine international peace and security. Under article 6 of the Covenant States are subject to a positive obligation to protect citizens and others within their jurisdiction against acts of terrorism. One aspect of this obligation is the duty to establish effective mechanisms for identifying potential terrorist threats before they have materialised. States discharge this duty through the gathering and analysis of information by intelligence and law enforcement agencies.
The enhanced capacity of States to monitor all Internet traffic is said to be of particular significance in the counter-terrorism context because communications via the Internet have played an important part in the financing and perpetration of acts of international terrorism; and because the Internet has been used for the purpose of recruitment to terrorist organisations, and for disseminating propaganda. The prevention and suppression of terrorism is a public interest imperative of the highest importance and may in principle form the basis of an arguable justification for mass surveillance of the Internet.
But the acts of intelligence agencies must still comply with international human rights law. Merely to assert, without evidence or particularisation, that mass surveillance technology can contribute to the suppression of terrorism does not provide an adequate human rights law justification for its use. The fact that something is technically feasible, and that it may sometimes yield useful intelligence, does not by itself mean that it is either reasonable or lawful.
Since there is no target-specific justification for measures of mass surveillance, it is incumbent on relevant States to justify the general practice of seeking bulk access to digital communications. The wholesale interference with the individual and collective privacy rights of all Internet users calls for a competing policy justification of analogical magnitude. As an absolute minimum, article 17 requires States using mass surveillance technology to give a meaningful public account of the tangible benefits that accrue from its use. Without such a justification there is simply no means to measure the compatibility of this practice with the requirements of the Covenant.
An assessment of proportionality in this context involves striking a balance between the societal interest in the protection of online privacy, on the one hand, and the undoubted imperatives of effective counter-terrorism and law enforcement on the other. Determining where that balance is to be struck requires an informed public debate to take place within and between States. The international community needs to squarely confront this revolution in our collective understanding of the relationship between the individual and the State. Any assessment of proportionality must also take full account of the fact that the Internet now represents the ubiquitous means of communication for many millions of people around the world. Anyone who wishes to participate in the exchange of information and ideas in the modern world of global communications is nowadays obliged to use transnational digital communications technology.
The use of mass surveillance technology undoubtedly impinges on the very essence of the right to the privacy of online communications. It is potentially inconsistent with the core principle that States should adopt the least intrusive means available when entrenching on protected human rights; it excludes and individualised proportionality assessment; and it is hedged around by secrecy claims that make any other form of proportionality analysis extremely difficult. There are no limits to the categories of persons who may be subject to surveillance and no limitation on its duration. The States engaging in mass digital surveillance have so far failed to provide a detailed and evidence-based public justification for its necessity, and almost no States have enacted explicit domestic legislation to authorise its use. This comes close to derogating from the right to privacy altogether in relation to digital communications.
For all these reasons mass surveillance of digital content and communications data presents a serious challenge to an established norm of international law. It is incompatible with existing concepts of privacy for States to collect all communications or metadata all the time indiscriminately. The very essence of the right to privacy of communications is that infringements must be exceptional and justified on a case by case basis.
There may be a compelling counter-terrorism justification for the radical re-evaluation of Internet privacy rights that these practices necessitate. But the arguments in favour of a complete abrogation of the right to privacy on the Internet have not been made by the States concerned or subjected to informed scrutiny and debate.
Mr. Chair, Excellencies, Distinguished delegates, the report that I am presenting today makes a number of specific proposals for addressing this problem. I will single out just two of them.
First the report recommends that States should revise and update domestic legislation to ensure consistency with international human rights law. Where the privacy rights of the entire digital community are at stake, nothing short of detailed and explicit primary legislation should suffice. A public legislative process will provide an opportunity for Governments to be transparent about the degree of their Internet penetration and to justify mass surveillance programmes to the public. It will also enable the public to appreciate the balance that is being struck between privacy and security.
Secondly the report recommends that States should establish strong and independent oversight bodies that are adequately resourced and mandated to conduct ex ante review, considering applications for authorisation not only against the requirements of domestic law, but also against the necessity and proportionality requirements of the Covenant.
I look forward to the interactive dialogue and will do my best to address any questions.
Thank you for your attention.