Legislation governing surveillance powers has appeared on both sides of the Atlantic: the draft Investigatory Powers bill has just been published in the UK while the US senate has voted through a proposed Cybesecurity Information Sharing Act (CISA). Following Edward Snowden’s revelations about the extent of government surveillance and communications interception, these proposed laws reflect the UK and US governments’ attempts to clarify their legal powers and address their citizens’ significant privacy and security concerns.
But what do these powers really allow for? What safeguards do they offer? And to what extend do they conform to privacy protections of the European Convention on Human Rights (for the UK) and the International Covenant of Civil and Political Rights (for the US)?
The aim of the US (CISA) bill is to enable companies and federal agencies to coordinate responses to cyberattacks. It grants sweeping powers to private companies that will allow them to voluntarily share “cybersecurity threat data”, including individuals’ personal information, with the department of homeland security. The department could pass it to other agencies, such as the National Security Agency or Federal Bureau of Investigation. The bill also authorises companies to deploy “defensive measures” that include monitoring information systems to protect their hardware and software from attack.
Critics agree that CISA dresses up government surveillance as cybersecurity. While the bill obliges firms to remove some personal information before sharing data with the government, the definition of what data may be shared is so broad as to allow anything. This means the bill would not only authorise the sharing of vast amounts of personal data without adequate privacy protections, but also for this data to be used by federal and state governments for criminal investigations — including those completely unrelated to cybersecurity. Since all other laws are subordinated to CISA, this provides a mechanism through which due process protections can be circumvented.
Defenders of the bill such as Richard Burr, chairman of the senate select committee, dismiss these worries by pointing to the fact that the data sharing is voluntary. But companies will receive incentives to do so, in the form of government protection from any liability that may arise as a result of sharing data. There’s also the problem of how to vet data in order to remove personal information before it’s shared, while at the same time upholding the government’s duty under Article 17 of the International Covenant of Civil and Political Rights to ensure confidentiality of correspondence.
CISA will do nothing to prevent intrusion into networks or leaks out of them, and so will not help protect personal information from being stolen. The net result of CISA is to give carte blanche to the private sector to collect, vet and pass on personal data to the government, disregarding other laws that would otherwise prevent them from doing so — including human rights protection. It co-opts the private sector into becoming a surveillance trawl net for the intelligence agencies without any independent oversights or remedies.
Ostensibly, the UK Investigatory Powers bill aims to give police and security agencies the tools to keep us safe. In reality, it requires Internet service providers to record every website visited by every individual for 12 months in order for intelligence agencies to access that information when required. Essentially, the bill confirms the continued bulk collection of vast volumes of personal communications data.
The bill allows the interception of communications, such as the content of a telephone call, e-mail or social media message, provided a warrant is obtained from the secretary of state and signed off by a panel of independent judges. Home secretary Theresa May referred to these new powers of oversight as a “double lock”. However, in certain circumstances, the judges will not need to be involved. Communications metadata, which includes very revealing information including website browsing history, will not require a warrant at all. This arguably reinforces indiscriminate mass surveillance, as this type of data is in many cases more telling and valuable than content of communications.
This provision seems especially at odds with the recent European court of justice ruling in favour of Digital Rights Ireland, in which it unequivocally stated that this sort of bulk retention of metadata of all individuals by Internet service providers was a particularly serious infringement of the right to privacy. The bill even gives explicit powers to police and security agencies to hack into and bug computers and phones, and to require companies to assist them in bypassing encrypted information where possible.
The only conclusion to be drawn from the legislation brought forward by the British and US governments is that both nations are pursuing an aggressive path toward entrenching surveillance powers at the cost of citizens’ privacy. Both bills disregard privacy considerations: CISA through its power that subordinates other laws, the Investigatory Powers bill by expressly authorising bulk data collection with very little meaningful independent oversight.
It was only November 2014 that the UN General Assembly passed the resolution, The Right to Privacy in Digital Age, identifying an urgent need to bring current legal frameworks in line with human rights treaties. It is hard to see how either of these bills is even a nod in the right direction. Instead they read like a confirmation that business as usual continues for the likes of the NSA and GCHQ. Will the other members of the Five Eyes — Australia, New Zealand and Canada — follow suit?
- Eliza Watt is a PhD researcher in cyber surveillance and privacy at the University of Westminster
- This article was originally published on The Conversation