July 2017

The Transition from Reaction to Proactivity: The Latest Policy Updates by Facebook and Google concerning the Response to Incitement to Violence and Terror

ByHaim Wismonsky.

Read More
(Hebrew follows)

There has recently been vigorous discussion concerning the extent to which internet companies providing platforms for social networks, such as YouTube (owned by Twitter), Facebook, Google, and others, are responsible for content disseminated on these platforms that incites to violence and terror. This discourse has included demands to impose liability for damages, and even criminal liability, on internet companies that fail to remove content constituting incitement to violence and terror. Some commentators have suggested that internet suppliers should be obliged to monitor and remove such content by themselves. Others emphasize the need for suppliers to obey state judicial orders and to remove publications completely. This implies that the platforms must subjugate themselves to the legal norms of each state. Conversely, the platforms themselves are attempting to protect their autonomy to remove only content that violates their own conditions of use, and to refrain from subjecting themselves to the state standard. This position is motivated by a desire to avoid a negative legal spiral that will ultimate force the platforms to “fall into line” with the most conservative national standard, or that standard that most severely restricts freedom of speech.

Against the background of this debate, it is particularly interesting to examine the statements issued by Facebook and Google (as the owner of YouTube). The two companies issued their statements independently some two weeks ago. Facebook’s statement can be viewed at the following link: https://newsroom.fb.com/news/2017/06/how-we-counter-terrorism/, and Google’s statement can be viewed at: http://blog.google/topics/google-europe/four-steps-were-taking-today-fight-online-terror/).

These statements detail the policy changes the companies have made, or intend to make, regarding their response to content inciting to violence and terror on the platforms they operate. These policy changes raise important legal and technological questions. In essence, the statements by Facebook and Google mark a transition from reaction to proactivity, based on a policy of “notice and take down,” a mechanism that was originally developed for coping with content that violates copyright. The statements also reflect the move toward automation, artificial intelligence, and the automatic and proactive monitoring of content that supports terror and incites to terror or violence.

The companies (separately, as noted) each begin their statements by emphasizing their profound commitment to combating incitement to violence and terror on social networks. Both declared that they believe that they have a role to play in removing such content from the internet, due to the dangers that may be caused through the publication of such violent content.

Facebook officially announced – for the first time, to the best of my knowledge – that it uses artificial intelligence in order to monitor content that supports terrorism in advance. Artificial intelligence is used to match new photographs uploaded to the platform with photographs that have already been identified in the past as inciting or supporting terror (image matching). It is also used for the computerized location of inciting comments through language learning and contextual techniques. In addition, artificial intelligence technologies will help to remove “clusters” of members of terror organizations, in other words – the removal of users related to other users or to a page identified with a terror organization, using computerized means to determine that the users in question are also terror activists. Computerized technologies will also help to prevent users whose accounts have been closed from opening new accounts under an assumed identity.

Google, in its capacity as the operator of YouTube, detailed the latest steps it is taking to combat violent content. These include image matching operations; cooperation with experts, anti-terror agencies, and other technological companies in order to reinforce their joint struggle against terror; and additional steps. The company also detailed four steps it intends to take in the near future on this issue. The first is to increase its use of technology and algorithms in order to identify content that supports terrorism and incites to violence. The second is to increase the number of members of its “Trusted Flagger” program, which allows civil society organizations and governmental agencies to submit reports about violent content in a more efficient manner. The third is to take more moderate action, falling short of the removal of content or of the user, in the case of offensive content that does not explicitly violate the conditions of use of YouTube. An example of this is content that supports White Supremacy, which does not violate the conditions of use but is offensive. In such instances, actions may be taken to restrict the circulation of the content, for example by blocking the possibility to react to the content, refraining from attaching advertisements to it, preventing uses earning money through its publication, or excluding the content from that which is “recommended for viewing” by the platform. The fourth is to increase YouTube’s support for NGOs and organizations working to enhance “counter-speech,” that is presenting a counter-narrative to the narrative of incitement that can acquire sufficient volume to balance the distortion that may be inherent in the inciting content.

As can be seen, both companies have publicly announced that they use artificial intelligence in order to locate and remove inciting and terror-supporting content. Until now, it was officially known the Facebook and Google use artificial intelligence to monitor and remove content that violates copyright, as well as obscene content, including images of minors. Both these instances – copyright and pedophilic content – do not raise the issue of the context of the publication. For example, even a proper account, on a news website for example, of pedophilic content discovered in a given police investigation cannot include the pedophilic content itself. A news website that published the pedophilic content in these circumstances would be suspected of committing the offense of publishing pedophilic content. The same principle applies to copyright. In the case of content constituting incitement to violence and terror or support for terror, however, there may indeed be situations that “permit” publication and render it legitimate, in the circumstances of the case. For example, a news report on an inciting video clip produced by Hamas, and including a link to the clip, might be considered a legitimate publication that does not, in itself, constitute incitement to violence and terror. This explains the particular importance of contextual analysis in the case of content inciting to violence and terror. In addition to the previous example, there are also instances such as irony, satire, and so forth in which the decision as to when a publication is legitimate and when it is not is a particularly complicated task for prosecutors, and even for experienced prosecutors in the field. Taking such decisions by computerized means will be even more difficult. Accordingly, the computerized monitoring and removal of content raises understandable concern at excessive injury to freedom of expression. Leading to the removal by a machine of legitimate content on social networks. A well-known example of the excessive removal of content due to the use of computerized tools, without an understanding of the context of the publication, is the removal of content on Facebook providing recipes for “Negro cake.” The machine failed to recognize the text in its context and assumed that the content constituted prohibited racism prohibited on the Facebook platform.

Nevertheless, there can be no doubt that artificial intelligence will be used to monitor content that potentially constitutes incitement or support for terror. However, the decision to remove such content will continue to be made by humans trained for this purpose by the internet companies. In other words, artificial intelligence may be used for the purpose of collecting information. This also entails a certain measure of injury to freedom of expression and the right to privacy, since the content and those making the expressions will be monitored constantly. However, this injury would appear to be relatively limited in a world where publication is made with the express goal of reaching the widest possible audience, which may already criticize the publication and demand its removal by contacting the platform.

Practical considerations would seem to mandate the use of artificial intelligence, at least for the purpose of monitoring content liable to constitute incitement to violence and terror. It should be recalled the Facebook has some two billion users who enter the service at least once a month. YouTube has approximately one billion users who enter at the same minimum frequency. Accordingly, it is obvious that such a quantity of content requires the use of technology in order to overcome the scope of the material to be examined.

Over the coming months we can expect to see how the new technologies of the monitoring and removal of content inciting to violence and terror are implemented. Time will tell whether these steps will actually reduce the presence of such content on social networks, and whether they will lead to the over-removal of content constituting protected expression. It will also be interesting to examine whether these proactive steps by the internet companies may lead to an approach that may enjoy legal support that these companies bear a legal liability whenever they fail to remove content that incites to violence and terror. Such liability would be based on the argument that their self-monitoring activities in themselves constitute a tacit admission of their liability for what happens on their platforms.  

------------------------------------------------------------------------------------

המעבר מתגובה ליוזמה: על עדכוני המדיניות האחרונים של פייסבוק וגוגל בנוגע לטיפול בתכני הסתה לאלימות

כידוע, מזה זמן מתנהל שיח ער סביב מידת אחריותן של חברות האינטרנט, המשמשות פלטפורמות לרשתות חברתיות, כ-Youtube (שבבעלות Google), Facebook, Twitter ואחרות, לתכני הסתה לאלימות ולטרור המופצים בקרבן. שיח זה כולל קריאות להטלת אחריות נזיקית ואף פלילית על חברות האינטרנט, ככל שאלה לא תסרנה תכנים העולים כדי הסתה לאלימות ולטרור. יש הקוראים להטלת חובה על הספקיות לנטר בעצמן תכנים מעין אלה ולהסירם. אחרים מדגישים את הצורך של הספקיות לציית לצווים שיפוטיים מדינתיים ולהסיר את הפרסומים באופן מוחלט, דהיינו שהפלטפורמה תכפיף את עצמה לנורמה המשפטית של כל מדינה ומדינה. הפלטפורמות, מנגד, מנסות לשמר את האוטונומיה שלהן להסיר תכנים הנוגדים את תנאי השימוש שלהן בלבד, ולהימנע מהיכפפות לסטנדרט המדינתי, על מנת למנוע סחרור דינים שלילי שסופו "התיישרות" על פי הסטנדרט של המדינה השמרנית ביותר או המגבילה ביותר את חופש הביטוי.

על רקע דיון זה, מעניין במיוחד לעיין בהודעות שפרסמו חברת Facebook (פייסבוק) וחברת Google (גוגל, כבעליה של פלטפורמת Youtube), כל אחת בנפרד, לפני כשבועיים. מצ"ב קישור להודעה של פייסבוק (https://newsroom.fb.com/news/2017/06/how-we-counter-terrorism/) ומצ"ב קישור להודעה של גוגל (https://blog.google/topics/google-europe/four-steps-were-taking-today-fight-online-terror/).

הודעות אלה מצביעות על שינויי מדיניות שביצעו או שעתידות לבצע בכל הנוגע לטיפול שלהן בתכנים המסיתים לאלימות ולטרור בפלטפורמות שהן מפעילות. שינויים אלה במדיניותן מציבים שאלות משפטיות וטכנולוגיות חשובות. בתמצית, הודעות אלה של פייסבוק וגוגל מסמנות מעבר מתגובה ליוזמה, ומהתבססות על "הודעה והסרה" (notice and take down), מנגנון שפותח במקור ביחס לתכנים הפוגעים בזכויות יוצרים, לעבר התבססות על אוטומציה, בינה מלאכותית וניטור אוטומטי יזום של תכנים תומכי טרור ומסיתים לטרור ולאלימות.

בראשית דבריהן, הדגישו החברות (כאמור, כל אחת בנפרד) את מחויבותן העמוקה למאבק בתכני הסתה לאלימות ולטרור ברשתות החברתיות. שתיהן הצהירו כי רואות עצמן כבעלות תפקיד בצורך להוביל להסרתם של תכנים כאלה מרשת האינטרנט, בשל הסיכונים שעלולים להיגרם כתוצאה מפרסומים של תכנים אלימים כאלה.

חברת פייסבוק הודיעה באופן רשמי, למיטב ידיעתי בפעם הראשונה, כי היא משתמשת בבינה מלאכותית (Artificial Intelligence) לצורך איתור מראש של תוכן תומך-טרור. הבינה המלאכותית משמשת לצורך ביצוע התאמת תמונות חדשות שעולות בפלטפורמה לתמונות שכבר אובחנו בעבר כתמונות מסיתות או תומכות טרור (Image matching). כמו כן, הבינה המלאכותית תשמש לאיתור ממוחשב של תכנים מסיתים, על-ידי טכניקות של לימוד שפה והבנתה על הקשרהּ. בנוסף, טכנולוגיות של בינה מלאכותית תסייענה להסרת "אשכולות" של חברים בארגוני טרור, דהיינו הסרה של משתמשים קשורים למשתמש או לדף מזוהה של ארגון טרור, אשר מתאפשר לזהות באמצעים ממוחשבים שאף הם פעילי טרור. כמו כן, טכנולוגיות ממוחשבות תסייענה למנוע ממשתמשים שחשבונותיהם נסגרו מלפתוח חשבונות חדשים תחת זהות חדשה.

חברת גוגל, בכובעה כמפעילה של האתר Youtube, עדכנה על הצעדים שנוקטת כבר היום כדי להיאבק בתכנים אלימים כאמור. בין הצעדים הללו ניתן למנות פעולות של התאמת תמונות (Image matching), שיתופי פעולה עם מומחים, סוכנויות למאבק בטרור וחברות טכנולוגיה אחרות כדי לחזק את המאבק המשותף בטרור וצעדים נוספים. נוסף על האמור, מנתה החברה ארבעה צעדים שעתידה לנקוט בעתיד הקרוב בנושא זה: האחד, הגברת השימוש בטכנולוגיה ואלגוריתמים לצורך איתור של תוכן תומך טרור ומסית לאלימות. השני, הגדלת מספר החברים בתכנית ה-Trusted Flagger (תכנית אשר מאפשרת לארגוני החברה האזרחית ולרשויות ממשלתיות להגיש דיווחים על תוכן אלים בצורה יעיל יותר). השלישי, שימוש בפעולות מתונות יותר, שאינן עולות כדי הסרת התוכן או הרחקת המשתמש, במקרים של פרסום תכנים פוגעניים שאינם מפרים במפורש את תנאי השימוש ב-Youtube. כך הוא למשל במקרה של תכנים המצדדים בעליונות הגזע הלבן (White supremacy), שאז אומנם אין הפרה של תנאי השימוש, אולם מדובר בתוכן מגונה. במקרים מעין אלה, ניתן יהיה לנקוט בצעדים לצמצום התפוצה של התוכן, למשל על-ידי חסימת האפשרות להגיב לתוכן, אי הצמדת פרסומות לתוכן ומתן אפשרות להרוויח כסף ממנו, ואי הצגתו של התוכן כ"מומלץ לצפייה" על-ידי הפלטפורמה. הרביעי, הגברת התמיכה של Youtube בעמותות וארגונים הפועלים להגברת ה"קול המתקן" (Counter-Speech), דהיינו העמדת נרטיב נוגד לנרטיב המסית, אשר יצבור נפח מספק כדי לאזן את הסילוף העשוי להיות מגולם בתוכן המסית.

כפי שניתן לראות, שתי החברות הודיעו באופן פומבי כי עושות שימוש בבינה מלאכותית כדי לאתר ולהביא להסרתו של תוכן מסית ותומך-טרור. עד כה, היה ידוע באופן רשמי שפייסבוק וגוגל משתמשות בבינה מלאכותית לצורך סריקה והסרה של תכנים המפרים זכויות יוצרים ותכנים הכוללים פרסומי תועבה ובהם דמויות של קטינים. בשני סוגי הפרסומים האלה – הפרת זכויות יוצרים ותכנים פדופיליים – לא מתעוררת שאלה של הקשר (קונטקסט) הפרסום. במלים אחרות, גם דיווח הוגן באתר חדשות למשל, על אודות תכנים פדופיליים שהתגלו במסגרת תיק חקירה מסויים – לא יכול לכלול בתוכו את התוכן הפדופילי. אתר חדשות שיפרסם את התוכן הפדופילי בנסיבות אלה, ייחשד בביצוע עברה של פרסום התוכן הפדופילי. הוא הדין ביחס לזכויות יוצרים. ואולם, בכל הנוגע לתכנים העולים כדי הסתה לאלימות ולטרור או תמיכה בארגוני טרור, הרי שבהחלט קיימות נסיבות ה"מתמימות" את הפרסום והופכות אותו ללגיטימי בנסיבות העניין. לדוגמה, דיווח חדשותי על סרטון הסתה חדש מבית היוצר של ארגון החמאס, הכולל הפנייה אל הסרטון – עשוי להיחשב לפרסום לגיטימי, אשר אינו עולה כשלעצמו כדי הסתה לאלימות ולטרור. מכאן, שלניתוח הקונטקסטואלי (ההקשרי) נודעת חשיבות מיוחדת, כשמדובר בתכני הסתה לאלימות ולטרור. מעבר לדוגמה זו, ישנם הקשרים יותר מורכבים, כגון אירוניה, סאטירה וכדומה, שההבחנה אימתי הפרסום לגיטימי ומתי לא, היא משימה מורכבת במיוחד לפרקליטים ואף לפרקליטים מיומנים בתחום, קל וחומר כשהדבר ייעשה באמצעים ממוחשבים. על כן, ניטור והסרה באמצעים ממוחשבים מעורר חשש מובן מפני פגיעה עודפת בחופש הביטוי, מחשש שתכנים לגיטימיים יוסרו מהרשתות החברתיות בידי המכונה. דוגמה מוכרת להסרה עודפת של תכנים בשל שימוש באמצעים ממוחשבים, ללא הבנת ההקשר של הפרסום, היא הדוגמה של הסרת תכנים בפייסבוק שהציגו מתכונים ל"עוגה כושית", והמכונה, שכשלה בלימוד הטקסט במובן ההקשרי שלו, סברה כי מדובר בתוכן גזעני האסור אף הוא לפרסום בפלטפורמה של פייסבוק.

עם זאת, ניתן לקבוע כי הבינה המלאכותית תשמש לצורך ניטור התכנים בעלי הפוטנציאל להיות תכנים מסיתים או תומכי טרור, אולם ההחלטה על הסרת התכנים תיוותר בידי אנשים שיוכשרו לכך במסגרת חברות האינטרנט. במלים אחרות, הבינה המלאכותית יכולה לשמש לצרכי איסוף המידע. גם בכך יש מידה מסוימת של פגיעה בחופש הביטוי ובזכות לפרטיות, שכן התכנים והדוברים ינוטרו כל העת, אולם דומה כי פגיעה זו מצומצמת יחסית בעולם שבו הפרסום נעשה באופן פומבי ובמטרה להגיע לקהל יעד רחב ככל הניתן, אשר ממילא עשוי לבקר את הפרסום ולדרוש, במסגרת פנייה אישית לפלטפורמה, את הסרתו.

דומה כי טעמים פרקטיים מחייבים את השימוש בבינה מלאכותית, לפחות לצורך ניטור תכנים העלולים להיחשב כמסיתים לאלימות ולטרור. יש לזכור, כי לחברת פייסבוק כשני מיליארד משתמשים, הנכנסים לשירות לפחות אחת לחודש, ולחברת יוטיוב כמיליארד משתמשים, הנכנסים לשירות לפחות אחת לחודש. על כן, ברי כי כמות תוכן כזו מחייבת הסתייעות בטכנולוגיה על-מנת להתגבר על היקפי החומר אותו יש לבחון.

בחודשים הקרובים אנו צפויים לחזות באופן שבו תיושמנה הטכנולוגיות החדשות של ניטור והסרה של תכנים מסיתים לאלימות ולטרור. ימים יגידו האם צעדים אלה יביאו בפועל להפחתת התוכן המסית לאלימות ולטרור ברשתות החברתיות, ואם צעדים אלה לא יגרמו לעלייה בהסרת-היתר של התכנים מוגני-הביטוי. עוד מעניין יהיה לבחון האם צעדים יזומים אלה של חברות האינטרנט לא יובילו לתפישה, שתקבל אף גיבוי משפטי, כי לחברות אלה קמה אחריות משפטית כל אימת שהן לא יצליחו להביא להסרה של תכנים מסיתים לאלימות ולטרור, זאת בטענה שפעולת הניטור העצמי שלהן מהווה מעין הודאה שלהן באחריותן לנעשה על גבי הפלטפורמה שלהן.

Read Less

On-Line Surveillance in the case-law of the UN Human Rights Committee

ByYuval Shany.

Read More
The Human Rights Committee is the principal UN treaty body entrusted with monitoring the implementation of civil and political rights, including the right to privacy. In its capacity as custodian of the ICCPR – the International Covenant for Civil and Political Rights – it reviews State reports and individual communications (complaints) relating to excessive use of governmental powers, which potentially include the use of such powers in the field of on-line surveillance.

So far, the Committee has not received any individual communication alleging violation of the Covenant by reason of misuse of surveillance powers by national security authorities. This is not very surprising since the secretive nature of on-line surveillance is often such that renders it difficult for individuals to establish that they were placed under surveillance and thus qualify as ‘victims’ entitles to submit a communication to the Committee. Still, the Committee does have a mechanism for review of legislation in abstracto without establishing its specific application to any particular individual: the process of review of periodic states reports on the implementation of the Covenant. This is a process which encourages stakeholders, including national and international NGOs, to raise concerns both in relation to the actual and potential application of governmental power in the field of on-line surveillance. Indeed, review of the recent practice of the Committee in the field suggests a sharp rise in the handling of questions relating to the application of on-line surveillance powers. Whereas questions relating to such issues were raised with respect to two states between 2007-2014, since 2014 they have been addressed with respect to 15 different states (representing more than 25% of the states reviewed by the Committee during this period). This sharp rise is suggestive both of the growing resort to on-line surveillance powers by governments due to advances in available technology, and of growing awareness to their human rights implications by the Committee.  

The legal framework under which the Committee discusses questions relating to the legality and propriety of surveillance measures is article 17 of the ICCPR, which provides that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence...” The key term in this formulation is arbitrary – a term which provides a normative benchmark to assess relevant on-line surveillance activity. The term ‘arbitrariness’ has been recently redefined by the Committee in its general comment 35(2014) (albeit in a different context, with relation to “arbitrary detention“), in the following manner:

The notion of “arbitrariness” is not to be equated with “against the law”, but must be interpreted more broadly to include elements of inappropriateness, injustice, lack of predictability and due process of law, as well as elements of reasonableness, necessity and proportionality. 

Applying this legal standard when reviewing the ‘arbitrariness’ of on-line surveillance, would appear to invite an evaluation of the predictability of the application of surveillance powers, the fairness of the procedure governing their application, the potential for excessive use of such powers and the availability of safeguards against abuse. Indeed, the 17 periodic reviews in which questions relating to on-line surveillance were considered, have raised concerns, broadly corresponding to the following evaluative criteria:

  • Lack of Predictability - No legal basis for the application of surveillance power,[1] or lack of specificity and transparency of the governing legal framework;[2]
  • Procedural fairness – The inconsistent application of privacy standards;[3]
  • Excessive Use – Laws affording sweeping data or metadata collection powers,[4] and indications of de-facto abuse of surveillance powers;[5]   
  • Lack of adequate safeguards – Shortcomings in the existing institutional and normative right protecting mechanisms.[6]

It should be noted that the Committee does not only identify problems (referred to in its jargon as ‘concerns’); it also recommends changes in existing laws and policies. Sometime such recommendations are very general. For example, it made the following recommendation for South Africa in 2016:

The State party should take all measures necessary to ensure that its surveillance activities conform to its obligations under the Covenant, including article 17, and that any interference with the right to privacy complies with the principles of legality, necessity and proportionality

However, some of the Committee’s recommendations are more specific, aimed at ensuring the equal application of protections to national and foreigners,[7] enhancing the specificity and transparency of surveillance laws,[8] narrowing surveillance powers, so as to ensure close tailoring of powers to needs,[9] and the development of effective safeguards, which include, when appropriate, judicial involvement, remedies for individuals subject to unlawful surveillance operations, and independent monitoring over the application of all on-line surveillance powers.[10] One specific element that had been raised in the context of the some review processes had been the need to limit mandatory retention by third parties.[11] 

 

The upshot of this survey is that the HRC is currently in the process of establishing specific legal standards that would enable review of the arbitrariness of on-line surveillance. Much emphasis has been put in its work, so far, on evaluative criteria, such as the level of precision of legal definitions of on-surveillance powers, breadth of triggers for the application of such powers, institutional safeguards, including the need for judicial authorization and individual remedies, data retention periods and equal protection of all individuals who were subject to on-line surveillance. Future developments may include the emergence of a duty for ex post facto notification of persons who were under surveillance, closer attention by the Committee to specific safeguards in the authorization procedures, regulation of technology development and transfers, and intelligence sharing.[12] 

The author is a member of the UN Human Rights Committee, but the views expressed here do not necessarily represent the views of the Committee. No emphases were used in the original texts cited below.

[1] HRC Concluding Observations: Namibia (2016)(“The Committee notes with concern that interception centres seem operational despite the fact that their legal basis, part 6 of the Communications Act (Act No. 8 of 2009), is not yet in force”);  HRC Concluding Observations: Republic of Korea (2015)(“It is also concerned about the use and insufficient regulation in practice of base station investigations of mobile telephone signals picked up near the site of demonstrations in order to identify participants, and about the extensive use and insufficient regulation in practice of wiretapping, in particular by the National Intelligence Service”); HRC Concluding Observations: Italy (2017)(“The Committee is concerned about reports that intelligence agencies are intercepting personal communications and employing hacking techniques without explicit statutory authorization or clearly defined safeguards from abuse”); HRC Concluding Observations: Turkmenistan (2017)(“The Committee is concerned about the lack of a clear legal framework regulating surveillance activities, including by the intelligence services”).

[2]  HRC Concluding Observations: USA (2014)(“The Committee is concerned that, until recently, judicial interpretations of FISA and rulings of the Foreign Intelligence Surveillance Court (FISC) had largely been kept secret, thus not allowing affected persons to know the law with sufficient precision”); HRC Concluding Observations: France (2015)(“The Committee is particularly concerned about the fact that the law on intelligence adopted on 24 June 2015 (submitted to the Constitutional Court) gives the intelligence agencies excessively broad, highly intrusive surveillance powers on the basis of broad and insufficiently defined objectives, without the prior authorization of a judge and without an adequate and independent oversight mechanism”); HRC Concluding Observations: Namibia (2016)(“While noting the indication by the delegation that all interceptions must be authorized by a magistrate, and that no private information is kept, the Committee is concerned about the lack of clarity regarding the reach of legal interception possibilities, as well as about the safeguards to ensure respect of the right to privacy in line with the Covenant”); HRC Concluding Observations: New Zealand (2016)(“The Committee is also concerned about the absence of a clear definition of the terms “national security” and “private communication” in the Telecommunications (Interception Capability and Security) Act 2013”); HRC Concluding Observations: Sweden (2016)(“While acknowledging the number of safeguards in place to prevent abuse in the application of the Signals Intelligence Act (2008:717), the Committee remains concerned about the limited degree of transparency with regard to the scope of such surveillance powers and the safeguards on their application”); HRC Concluding Observations: Morocco (2016)(“The Committee is also concerned by the lack of clarity with regard to the legal provisions which authorize and govern surveillance activities”).

[3] HRC Concluding Observations: UK (2015)(“The Committee is concerned: (a) that the Regulation of Investigatory Powers Act 2000 (RIPA), that makes a distinction between “internal” and “external” communications, provides for untargeted warrants for the interception of external private communication and communication data which are sent or received outside the United Kingdom without affording the same safeguards as in the case of interception of internal communications”); HRC Concluding Observations: New Zealand (2016)(“The Committee is further concerned about the limited judicial authorization process for the interception of communications of New Zealanders and the total absence of such authorization for the interception of communications of non-New Zealanders”).  

[4]  HRC Concluding Observations: Sweden (2009)(“While understanding that security requirements may be aimed at preventing violence and terrorism, the Committee takes note that the Law on Signals Intelligence in Defence Operations (2008:717), will apparently provide the executive with wide powers of surveillance in respect of electronic communications”); HRC Concluding Observations: USA (2014)(The Committee is concerned about the surveillance of communications in the interest of protecting national security, conducted by the National Security Agency (NSA) both within and outside the United States, through the bulk phone metadata surveillance programme (Section 215 of the USA PATRIOT Act) and, in particular, surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendment Act, conducted through PRISM (collection of communications content from United States-based Internet companies) and UPSTREAM (collection of communications metadata and content by tapping fiber-optic cables carrying Internet traffic) and the adverse impact on individuals’ right to privacy”); HRC Concluding Observations: UK (2015)(“The Committee is concerned that the State party’s current legal regime governing the interception of communications and communication data allows for mass interception of communications… The Committee is further concerned that the 2014 Data Retention Investigatory Powers Act provides for wide powers of retention of communication data and access to such data does not appear to be limited to the most serious crimes”); HRC Concluding Observations: Canada (2015)(“ However, the Committee is concerned about information according to which (a) Bill C-51’s amendments to the Canadian Security Intelligence Act confer a broad mandate and powers on the Canadian Security Intelligence Service to act domestically and abroad, thus potentially resulting in mass surveillance and targeting activities that are protected under the Covenant without sufficient and clear legal safeguards; (b) Bill C-51 creates, under the Security of Canada Information Sharing Act, an increased sharing of information among federal government agencies on the basis of a very broad definition of activities that undermine the security of Canada, which does not fully prevent that inaccurate or irrelevant information is shared”); HRC Concluding Observations: France (2015) (“The Committee is particularly concerned about the fact that the law on intelligence adopted on 24 June 2015 (submitted to the Constitutional Court) gives the intelligence agencies excessively broad, highly intrusive surveillance powers on the basis of broad and insufficiently defined objectives, without the prior authorization of a judge and without an adequate and independent oversight mechanism”); HRC Concluding Observations: South Africa (2016) (“The Committee is concerned about the relatively low threshold for conducting surveillance in the State party and the relatively weak safeguards, oversight and remedies against unlawful interference with the right to privacy contained in the 2002 Regulation of Interception of Communications and Provision of Communication-Related Information Act. It is also concerned about the wide scope of the data retention regime under the Act”); HRC Concluding Observations: Denmark (2016) (“In particular, the Committee is concerned about: […] (b) section 780 of the Administration of Justice Act, which allows interception of communication by the police domestically and which may result in mass surveillance, despite the legal guarantees provided in sections 781 and 783 of the same Act”); HRC Concluding Observations: Colombia (2016)  (“It is also concerned by the fact that the new Police Code that is to enter into force in 2017 defines the concept of “public areas” in a very broad sense that includes the electromagnetic spectrum, and by the fact that all the information and data gathered in public areas are considered to be in the public domain and to be freely accessible”); HRC Concluding Observations: Poland (2016) (“The Committee is concerned about the surveillance and interception powers of the Polish intelligence and law enforcement authorities, as reflected in the law on counter-terrorism of June 2016 and the act amending the Police Act and certain other acts of January 2016. The Committee is particularly concerned about: (a) the unlimited and indiscriminate surveillance of communications and collection of metadata”); HRC Concluding Observations: Italy (2016) (“It is also concerned that the anti-terrorism decree and Law No. 21/2016 compel telecommunications service providers to retain data beyond the period allowed by article 132 of the personal data protection code, and that the authorities can access such data without authorization from a judicial authority”).

[5]  HRC Concluding Observations: UK (2015) (“It notes, inter alia, reports that Amnesty International’s email communication had been intercepted by the government under a general warrant”); [5]  HRC Concluding Observations: Republic of Korea (2015)(“It is also concerned about the use and insufficient regulation in practice of base station investigations of mobile telephone signals picked up near the site of demonstrations in order to identify participants, and about the extensive use and insufficient regulation in practice of wiretapping, in particular by the National Intelligence Service”); HRC Concluding Observations: South Africa (2016)(“The Committee is further concerned at reports of unlawful surveillance practices, including mass interception of communications carried out by the National Communications Centre”); HRC Concluding Observations: Morocco (2016) (“The Committee is concerned by reports of illegal infringements of the right to privacy in the course of surveillance operations conducted by law enforcement and intelligence agencies targeting journalists, human rights defenders and perceived opponents of the Government, particularly those located in Western Sahara”).

[6] HRC Concluding Observations: USA (2014)(“The Committee is concerned that the current oversight system of the activities of the NSA fails to effectively protect the rights of the persons affected; Finally, the Committee is concerned that the persons affected have no access to effective remedies in case of abuse”); HRC Concluding Observations: UK (2015)(“The Committee is concerned that the State party’s current legal regime governing the interception of communications and communication data… lacks sufficient safeguards against arbitrary interference with the right to privacy… The Committee is concerned: … (b) about the lack of sufficient safeguards for obtaining private communications from foreign security agencies and for sharing personal communications data with such agencies”); HRC Concluding Observations: Canada (2015)(“However, the Committee is concerned about information according to which (a) Bill C-51’s amendments to the Canadian Security Intelligence Act confer a broad mandate and powers on the Canadian Security Intelligence Service to act domestically and abroad, thus potentially resulting in mass surveillance and targeting activities that are protected under the Covenant without sufficient and clear legal safeguards; The Committee is also concerned about the lack of adequate and effective oversight mechanisms to review activities of security and intelligence agencies, and the lack of resources and power of existing mechanisms to monitor such activities”); HRC Concluding Observations: France (2015)(“The Committee is particularly concerned about the fact that the law on intelligence adopted on 24 June 2015 (submitted to the Constitutional Court) gives the intelligence agencies excessively broad, highly intrusive surveillance powers on the basis of broad and insufficiently defined objectives, without the prior authorization of a judge and without an adequate and independent oversight mechanism”); HRC Concluding Observations: Republic of Korea (2015)(“The Committee notes with concern that, under article 83 (3) of the Telecommunications Business Act, subscriber information may be requested without a warrant by any telecommunications operator for investigatory purposes”); HRC Concluding Observations: Namibia (2016)(“While noting the indication by the delegation that all interceptions must be authorized by a magistrate, and that no private information is kept, the Committee is concerned about the lack of clarity regarding the reach of legal interception possibilities, as well as about the safeguards to ensure respect of the right to privacy in line with the Covenant”); HRC Concluding Observations: New Zealand (2016)(“The Committee is further concerned about the limited judicial authorization process for the interception of communications of New Zealanders and the total absence of such authorization for the interception of communications of non-New Zealanders”); HRC Concluding Observations: Rwanda (2016)(“The Committee is concerned that Law No. 60/2013 permits the interception of communications without prior authorization of a judge”); HRC Concluding Observations: Sweden (2016)(“While acknowledging the number of safeguards in place to prevent abuse in the application of the Signals Intelligence Act (2008:717), the Committee remains concerned about the limited degree of transparency with regard to the scope of such surveillance powers and the safeguards on their application”); HRC Concluding Observations: South Africa (2016)(“The Committee is concerned about the relatively low threshold for conducting surveillance in the State party and the relatively weak safeguards, oversight and remedies against unlawful interference with the right to privacy contained in the 2002 Regulation of Interception of Communications and Provision of Communication-Related Information Act… The Committee is further concerned at…  delays in fully operationalizing the Protection of Personal Information Act, 2013, due in particular to delays in the establishment of an information regulator”); HRC Concluding Observations: Colombia (2016)(“The Committee is also concerned that the “electromagnetic spectrum monitoring” provided for in article 17 of Act No. 1621 of 2013 could result in instances in which private communications conveyed via the electromagnetic spectrum are intercepted without the benefit of a rigorous assessment of the legality, necessity and proportionality of such interceptions”); HRC Concluding Observations: Morocco (2016) (“The Committee is also concerned by the lack of clarity with regard to the legal provisions which authorize and govern surveillance activities and the lack of oversight of those activities by an independent authority”); HRC Concluding Observations: Italy (2017)(“The Committee is concerned about reports that intelligence agencies are intercepting personal communications and employing hacking techniques without explicit statutory authorization or clearly defined safeguards from abuse. It is also concerned that the anti-terrorism decree and Law No. 21/2016 compel telecommunications service providers to retain data beyond the period allowed by article 132 of the personal data protection code, and that the authorities can access such data without authorization from a judicial authority”).

[7] HRC Concluding Observations: USA (2014)(“measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under direct surveillance”); HRC Concluding Observations: UK (2015)(“In particular, measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under direct surveillance”); HRC Concluding Observations: New Zealand (2016)(“Sufficient judicial safeguards are implemented, regardless of the nationality or location of affected persons, in terms of interception of communications and metadata collection, processing and sharing”).

[8] HRC Concluding Observations: USA (2014)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that : ( i ) are publicly accessible;… (iii) are sufficiently precise and specify in detail the precise circumstances in which any such interference may be permitted , the procedures for authorization , the categories of persons who may be placed under surveillance , the limit on the duration of surveillance; procedures for the use and storage of data collected”);  HRC Concluding Observations: UK (2015)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that: (i) are publicly accessible… (iii) are sufficiently precise and specify in detail the precise circumstances in which any such interference may be permitted, the procedures for authorization, the categories of persons who may be placed under surveillance, the limit on the duration of surveillance; procedures for the use and storage of data collected”); HRC Concluding Observations: France (2015)(“The State party should ensure that the collection and use of data on communications take place on the basis of specific and legitimate objectives and that the exact circumstances in which such interference may be authorized and the categories of persons likely to be placed under surveillance are set out in detail”); HRC Concluding Observations: South Africa (2016)(“It should also ensure that interception of communications by law enforcement and security services is carried out only according to the law and under judicial supervision”); HRC Concluding Observations: Sweden (2016)(“The State party should increase the transparency of the powers of and safeguards on the National Defence Radio Establishment, the Foreign Intelligence Court and the Data Inspection Board, by considering to make their policy guidelines and decisions public, in full or in part, subject to national security considerations and the privacy interests of individuals concerned by those decisions”); HRC Concluding Observations: Turkmenistan (2017)(“The State party should ensure that: (a) all types of surveillance activities and interference with privacy, including online surveillance for the purposes of State security, are governed by appropriate legislation that is in full conformity with the Covenant, in particular article 17, including with the principles of legality, proportionality and necessity, and that State practice conforms thereto”).

[9] HRC Concluding Observations: UK (2015)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that:… (ii) contain provisions that ensure that collection of, access to and use of communications data are tailored to specific legitimate aims; Revise the 2014 Data Retention Investigatory Powers Act with a view to ensuring that access to communication data is limited to the extent strictly necessary for the prosecution of the most serious crimes and dependent upon prior judicial authorization”); HRC Concluding Observations: France (2015)(“The State party should ensure that the collection and use of data on communications take place on the basis of specific and legitimate objectives and that the exact circumstances in which such interference may be authorized and the categories of persons likely to be placed under surveillance are set out in detail”); . HRC Concluding Observations: Rwanda (2016)(“ It should also ensure that communications are intercepted and data are used to achieve specific and legitimate objectives and that the categories of circumstances in which such interference may be authorized and the categories of persons whose communications are likely to be intercepted are set out in detail”); HRC Concluding Observations: Namibia (2016)(“The State party should ensure that the interception of telecommunications may only be justified under limited circumstances authorized by law with the necessary procedural and judicial safeguards against abuse, and supervised by the courts when in full conformity with the Covenant”).

[10] HRC Concluding Observations: Sweden (2009) (“The State party should take all appropriate measures to ensure that the gathering, storage and use of personal data not be subject to any abuses, not be used for purposes contrary to the Covenant, and be consistent with obligations under article 17 of the Covenant. To that effect, the State party should guarantee that the processing and gathering of information be subject to review and supervision by an independent body with the necessary guarantees of impartiality and effectiveness”); HRC Concluding Observations: USA (2014)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that:… (iv) provide for effective safeguards against abuse; (c) Reform the current oversight system of surveillance activities to ensure its effectiveness, including by providing for judicial involvement in the authorization or monitoring of surveillance measures, and considering the establishment of strong and independent oversight mandates with a view to preventing abuses;… (e) Ensure that affected persons have access to effective remedies in cases of abuse”); HRC Concluding Observations: UK (2015)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that:… (iv) provide for effective safeguards against abuse; Ensure that robust oversight systems over surveillance, interception and intelligence-sharing of personal communications activities are in place, including by providing for judicial involvement in the authorization of such measures in all cases, and considering the establishment of strong and independent oversight mandates with a view to preventing abuses; Ensure that affected persons have access to effective remedies in cases of abuse”); HRC Concluding Observations: France (2015)(“It should also ensure the effectiveness and independence of a monitoring system for surveillance activities, in particular by making provision for the judiciary to take part in the authorization and monitoring of surveillance measures”); HRC Concluding Observations: Canada (2015)(“establish oversight mechanisms over security and intelligence agencies that are effective and adequate, and provide them with appropriate powers as well as sufficient resources to carry out their mandate; provide for judicial involvement in the authorization of surveillance measures”); HRC Concluding Observations: Republic of Korea (2015)(“It should, inter alia, ensure that subscriber information may be issued with a warrant only, introduce a mechanism to monitor the communication investigations of the National Intelligence Service, and increase the safeguards to prevent the arbitrary operation of base station investigations”); HRC Concluding Observations: Sweden (2016)(“It should ensure:… (b) that effective and independent oversight mechanisms over intelligence-sharing of personal data are put in place; and (c) that affected persons have proper access to effective remedies in cases of abuse”); HRC Concluding Observations: Rwanda (2016)(“It should also ensure the effectiveness and independence of a monitoring system for such interception , in particular by providing for the judiciary to take part in the authorization and monitoring of the interception”); HRC Concluding Observations: Namibia (2016)(“The State party should ensure that the interception of telecommunications may only be justified under limited circumstances authorized by law with the necessary procedural and judicial safeguards against abuse, and supervised by the courts when in full conformity with the Covenant”); HRC Concluding Observations: New Zealand (2016)(“Sufficient judicial safeguards are implemented, regardless of the nationality or location of affected persons, in terms of interception of communications and metadata collection, processing and sharing”); HRC Concluding Observations: South Africa (2016)(“The State party should refrain from engaging in mass surveillance of private communications without prior judicial authorization… It should also ensure that interception of communications by law enforcement and security services is carried out only according to the law and under judicial supervision”); HRC Concluding Observations: Morocco (2016)(“The State party should also establish independent oversight mechanisms in order to prevent abuses”); HRC Concluding Observations: Italy (2017)(“The State party should review the regime regulating the interception of personal communications, the hacking of digital devices and the retention of communications data with a view to ensuring: … (b) that robust, independent oversight systems are in place regarding surveillance, interception and hacking, including by ensuring that the judiciary is involved in the authorization of such measures, in all cases, and by affording persons affected with effective remedies in cases of abuse, including, where possible, an ex post notification that they were placed under surveillance or that their data was hacked”); HRC Concluding Observations: Turkmenistan (2017)(“The State party should ensure that: … (b) surveillance is subject to judicial authorization as well as effective and independent oversight mechanisms; and (c) affected persons have proper access to effective remedies in cases of abuse”).

[11] HRC Concluding Observations: USA (2014) (“Refrain from imposing mandatory retention of data by third parties”); HRC Concluding Observations: South Africa (2016) (“The State party should…  consider revoking or limiting the requirement for mandatory retention of data by third parties”).

[12] HRC Concluding Observations: Sweden (2016) (“It should ensure: (a) that all laws and policies regulating the intelligence-sharing of personal data are in full conformity with its obligations under the Covenant; that effective and independent oversight mechanisms over intelligence-sharing of personal data are put in place”).

 

Read Less

Regulating Surveillance in the UK

By: Daragh Murray.

Read More
The surveillance practices of intelligence agencies, and in particular large scale or bulk monitoring, have received increased human rights-based scrutiny in recent years. While intelligence agencies engage in surveillance in order to protect national security and the right to life, among other purposes, concerns have been raised regarding the impact of surveillance on rights such as the right to privacy and the right to freedom of expression, and the consequent impact of surveillance practices on the effective functioning of democracy itself.

A key objective underpinning human rights law is protection against arbitrary rights interference, and so it is essential that the activities of intelligence agencies have a clear legal basis. Importantly, this legal basis can also promote rights protection by establishing rules relating to the collection of data, access to that data, oversight, and so forth. The Investigatory Powers Act (IPA, 2016) establishes the legal basis for surveillance activities in the UK, and is particularly interesting from a human rights perspective. The IPA establishes wide-ranging surveillance powers while incorporating measures intended to protect rights and introducing an innovative ‘double lock’ oversight regime. This post will provide a brief overview of the powers established by the IPA, and will then highlight a few initial human rights considerations.

The Powers

Due to space limitations, our discussion here will be confined solely to those powers relating to communications interception and communications data (often referred to as ”metadata.”) The IPA allows for both targeted and bulk interception of communications. This allows intelligence agencies to access the content of communications, as well as any associated data. Authorization for these activities is subject to the ”double lock” (discussed further below), and is evaluated in relation to necessity and proportionality considerations. Bulk interception powers are restricted to overseas-related communications. It should be noted, however, that targeted interception powers include thematic warrants that relate to groups of persons or groups of organizations (etc.) These thematic powers occupy a space somewhere between traditionally-understood targeted operations focused on a specific individual or premises, and bulk powers.

The IPA also allows for the collection of communications data. This includes data that is used to identify or assist in identifying:

  • Sender or recipient (whether or not a person)
  • Time or duration of communication
  • Type, method or pattern, or fact, of communication
  • The telecommunications system (or part) through which a communication is transmitted
  • Location of any such system
     

Significantly, however, communications data is also defined as including machine-to-machine communications – thereby bringing the ‘Internet of Things’ into play – and Internet Connections Records, thus incorporating browsing histories, and so on.

Communications data may be obtained in a number of ways. Bulk communications data powers are restricted to the intelligence agencies, and subject to the ‘double lock’. Although not defined as bulk, other communications data related powers are quite broad. For example, to facilitate communications data requests, Internet Service Providers (ISPs) may be required to retain data, for a period of up to 12 months. This power is subject to the double lock, and necessity and proportionality considerations are included. However, the grounds on which retention orders may be issued are significantly broader than those required for other IPA powers (discussed further below), and this power is now on shaky grounds following the decision of the European Court of Justice in Watson and Others. Access to communications data may also be authorized on a targeted basis. Those agents that may request such powers are considerably broad, and the necessity basis is also very wide. Significantly, this power is not subject to a ‘double lock’, but instead requests may be approved by a senior ‘authorized officer’, and should include consultation with a ‘single point of contact’. The IPA also allows for the creation of a – as yet unclear – ‘filtering system’, that appears to allow for the effective amalgamation of multiple datasets through a unified search.

Human rights considerations

Necessity and proportionality requirements – key human rights law considerations – are built into the operation of the IPA. However, two issues may be briefly highlighted. First, human rights law typically restricts large scale surveillance measures to those that are “strictly necessary, as a general consideration, for the safeguarding of democratic institutions and, moreover, if it is strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation.” This is a strict test, but one that arguably corresponds to most of the necessity grounds established under the IPA: i.e. national security, serious crime, and the economic well-being of the UK (as linked to national security). However, the non-bulk communications data necessity grounds are significantly broader, and include for example, preventing or detecting crime (not restricted to “serious” crime), exercising functions related to the regulation of financial markets, and “assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 61, IPA). From a human rights law standpoint these grounds raise eyebrows, and may be subject to legal challenge. Second, in relation to proportionality, human rights law requires that the utility of the measure be proportionate to the human rights harm of the interference. This is markedly different to the proportionality test established by the IPA which establishes that the test is whether the conduct is proportionate to what is to be achieved by that conduct. This does not establish proportionality in relation to the human rights harm, but rather considers proportionality in relation to the objective. This operationally focused proportionality test appears to focus on least intrusive means. Again, this may be subject to scrutiny before human rights courts.

Finally, a quick note on oversight. A unique feature of the IPA is the “double lock,” whereby authorization of certain surveillance activities must be first authorized by the Secretary of State, and then reviewed by a Judicial Commissioner. The IPA establishes that a Judicial Commissioner must “apply the same principles as would be applied by a court on an application for judicial review” (see, e.g. s.89). However, the specific requirements imposed in this regard are currently subject to debate. The ‘double lock’ is an innovative measure, and one that has the potential to be exceptionally important. However, its effectiveness will depend on the standard of review applied by the Commissioners in practice, and in particular whether this review engages with the substantive issues underlying the request for authorization, or is restricted to reviewing the Secretary of State’s decision making process.

 

Read Less