Module 4: Privacy and Security Online
Government-led digital surveillance
Communications surveillance encompasses the monitoring, intercepting, collecting, analysing, retention, or similar actions, of a person’s communications in the past, present, or future.(1) Online surveillance has been a central issue for human rights activists for years, but the Snowden revelations about the extent and scope of global mass surveillance brought new urgency and awareness to the issue and sparked a wave of policy change and jurisprudence in many jurisdictions.
Surveillance constitutes an obvious interference with the right to privacy. Further, it also infringes on the right to hold opinions without interference and the right to freedom of expression. With particular reference to the right to hold opinions without interference, surveillance systems, both targeted and mass, may undermine the right to form an opinion, as the fear of unwilling disclosure of online activity, such as search and browsing, can create a chilling effect by deterring a person from accessing information, particularly where such surveillance leads to repressive outcomes. The knowledge, or even the perception, of being surveilled can lead to self-censorship. Accordingly, emerging jurisprudence on communications surveillance has also often paid special attention to media freedom considerations:
- In Big Brother Watch and Others v. the United Kingdom (application nos. 58170/13, 62322/14 and 24969/15) the Grand Chamber of the ECtHR found inter alia that the UK’s bulk surveillance regime contravened article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms because it did not adequately protect confidential journalistic material from collection and inspection in the course of bulk monitoring of communications data undertaken by UK intelligence agencies.(2)
- In amaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others (discussed in further detail below), the High Court of South Africa found that the need of journalists and their sources for confidential communications required special protections against surveillance abuses, remarking that:
“In a country that is as wracked by corruption in both our public institutions and in our private institutions as ours is, and where the unearthing of wrongdoing is significantly the work of investigative journalists, in an otherwise, seemingly, empty field, it is hypocritical to both laud the press and ignore their special needs to be an effective prop of the democratic process.”(3)
- The Supreme Court of India, in ordering an independent inquiry into allegations that the government deployed the Pegasus spyware against various journalists, politicians and dissidents, similarly found that the free press’s democratic function was at stake, and that “such chilling effect on the freedom of speech is an assault on the vital public watchdog role of the press, which may undermine the ability of the press to provide accurate and reliable information.”(4)
It has been noted that many frameworks create a legal distinction between communications information that is deemed to be ‘content’ and information that is about the communication (communication data or metadata). This second category is often subject to fewer legal and social protections than information deemed to be ‘content’. Yet communication data may give detailed insights into a person’s behaviour, social relationships, private preferences and identity – either when analysed in bulk or in some cases in individual parts.(5) In addition, the distinction between the two legal categories is arbitrary and ill-suited to many types of communication information in the modern digital age, where certain types of data could fall into either legal category.(6)
United Nations (UN) Resolution on the Right to Privacy in the Digital Age
The 2016 UN Resolution on the Right to Privacy in the Digital Age calls on states to, among other things:
- Review their procedures, practices, and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law.
- Establish or maintain existing independent, effective, adequately resourced, and impartial judicial, administrative and/or parliamentary domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception, and the collection of personal data.
- Provide individuals whose right to privacy has been violated by unlawful or arbitrary surveillance with access to an effective remedy, consistent with international human rights obligations.
- Develop or maintain and implement adequate legislation, with effective sanctions and remedies, that protects individuals against violations and abuses of the right to privacy, namely through the unlawful and arbitrary collection, processing, retention, or use of personal data by individuals, governments, business enterprises and private organisations.
General Comment No 16 to the ICCPR provides that “[s]urveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.”(7) In the digital age, Information and Communications Technologies (ICTs) have enhanced the capacity of governments, corporations and individuals to conduct surveillance, interception, and data collection, and have meant that the effectiveness of conducting such surveillance is no longer limited by scale or duration. Surveillance – whether bulk (or mass) collection of data or targeted collection of data – interferes directly with the privacy and security necessary for freedom of opinion and expression. As such, in all its forms surveillance must be considered against the three-part test established in international law to assess the permissibility of a restriction on human rights, namely that the limitation:
- Is provided by law.
- Pursues a legitimate aim.
- Is necessary and proportionate to achieving the aim.
In order to meet the condition of legality, many states have taken steps to reform their surveillance laws to allow for the powers required to conduct surveillance activities. For instance, in the judgment of amaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others, the Constitutional Court of South Africa upheld a ruling of the High Court that the exercise of bulk surveillance in South Africa was unlawful because of the absence of any empowering legal framework to authorise such surveillance to take place.(8)
Necessary and proportionate
The Necessary and Proportionate Principles are a set of 13 international principles on the application of human rights to communications surveillance, especially in the context of the ever-advancing mass surveillance capabilities shown by states and private-sector operators in the modern digital era.(9) The principles advise among other things that all powers of communications surveillance must be prescribed and regulated by law, be necessary and proportionate and pursue a legitimate aim, and be subject to certain safeguards, including that the powers are subject to a competent judicial authority, and necessary transparency and public oversight measures.
Principle 3 establishes necessity, explaining that surveillance laws, regulations, activities, powers, or authorities must be limited to those which are strictly and demonstrably necessary to achieve a legitimate aim. As such, surveillance should only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification rests on the state. Principle 5 establishes proportionality: surveillance should be regarded as a highly intrusive act, and in order to meet the threshold of proportionality, the state should be required at a minimum to establish the following information to a competent judicial authority prior to conducting any communications surveillance:(10)
- There is a high degree of probability that a serious crime or specific threat to a legitimate aim has been or will be carried out.
- There is a high degree of probability that evidence relevant and material to such a serious crime or specific threat to a legitimate aim would be obtained by accessing the protected information sought.
- Other less invasive techniques have been exhausted or would be futile, such that the technique used is the least invasive option.
- Information accessed will be confined to that which is relevant and material to the serious crime or specific threat to a legitimate aim alleged.
- Any excess information collected will not be retained but instead will be promptly destroyed or returned.
- Information will be accessed only by the specified authority and used only for the purpose and duration for which authorisation was given.
- The surveillance activities requested and techniques proposed do not undermine the essence of the right to privacy or of fundamental freedoms.
African Declaration on Internet Rights and Freedoms
Principle 9 of the African Declaration on Internet Rights and Freedoms (AfDec) – a civil-society-led initiative that has been endorsed by the African Commission on Human and Peoples’ Rights – provides that “[u]nlawful surveillance, monitoring and interception of users’ online communications by state or non-state actors fundamentally undermine the security and trustworthiness of the Internet.” The AfDec goes on to explain that:
- Mass or indiscriminate surveillance of individuals or the monitoring of their communications, constitutes a disproportionate interference, and thus a violation, of the right to privacy, freedom of expression and other human rights, and shall be prohibited by law.
- The collection, interception and retention of communications data amounts to an interference with the right to privacy and freedom of expression whether or not the data is subsequently examined or used.
- Targeted surveillance of online communications must be governed by clear and transparent laws which comply with the following basic principles:
  - Communications surveillance must be both targeted and based on reasonable suspicion of commission or involvement in the commission of serious crime;
  - Communications surveillance must be judicially authorised and individuals placed under surveillance must be notified that their communications have been monitored as soon as practicable after the conclusion of the surveillance operation;
  - The application of surveillance laws must be subject to strong parliamentary oversight to prevent abuse and ensure the accountability of intelligence services and law enforcement agencies.
- Individuals must be protected from unlawful surveillance by other individuals, private entities or institutions, including in their place of work or study and in public internet access points.
Safeguards and oversight
Privacy International sets out the following ten safeguards that should be implemented for any government hacking or surveillance regime:(11)
- Legality: Government hacking powers must be explicitly prescribed by law and limited to those strictly and demonstrably necessary to achieve a legitimate aim. That law must be accessible to the public and sufficiently clear and precise to enable persons to foresee its application and the extent of the interference. It should be subject to periodic review by means of a participatory legislative process.
- Security and integrity of systems: Prior to carrying out a hacking measure, government authorities must assess the potential risks and damage to the security and integrity of the target system and systems generally, as well as of data on the target system and systems generally, and how those risks and/or damage will be mitigated or corrected. Government authorities must include this assessment in any application in support of a proposed hacking measure. Government authorities must not compel hardware or software manufacturers or service providers to facilitate government hacking, including by compromising the security and integrity of their products and services.
- Necessity and proportionality: Prior to carrying out a hacking measure, government authorities must, at a minimum, establish a high degree of probability that: (i) serious crime or act(s) amounting to a specific, serious threat to national security has been or will be carried out; (ii) the system used by the person suspected of committing the serious crime or act(s) amounting to a specific, serious threat to national security contains evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security interest alleged; and (iii) evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security alleged will be obtained by hacking the target system.
- Judicial authorisation: Prior to carrying out a hacking measure, government authorities must make an application, setting forth the necessity and proportionality of the proposed measure to an impartial and independent judicial authority, who shall determine whether to approve such measure and oversee its implementation. The judicial authority must be able to consult persons with technical expertise in the relevant technologies, who may assist the judicial authority in understanding how the proposed measure will affect the target system and systems generally, as well as data on the target system and systems generally. The judicial authority must also be able to consult persons with expertise in privacy and human rights, who may assist the judicial authority in understanding how the proposed measure will interfere with the rights of the target person and other persons.
- Integrity of information: Government authorities must not add, alter or delete data on the target system, except to the extent technically necessary to carry out the authorised hacking measure. They must maintain an independently verifiable audit trail to record their hacking activities, including any necessary additions, alterations or deletions. Where government authorities rely on data obtained through an authorised hacking measure, they must disclose the method, extent and duration of the hacking measure and their audit trail so that the target person can understand the nature of the data obtained and investigate additions, alterations or deletions to information or breaches of the chain of custody, as appropriate.
- Notification: Government authorities must notify the person(s) whose system(s) have been subject to interference pursuant to an authorised hacking measure, regardless of where the person(s) reside, that the authorities have interfered with such system(s). Government authorities must also notify affected software and hardware manufacturers and service providers, with details regarding the method, extent and duration of the hacking measure, including the specific configurations of the target system. Delay in notification is only justified where notification would seriously jeopardise the purpose for which the hacking measure was authorised or there is an imminent risk of danger to human life and authorisation to delay notification is granted by an impartial and independent judicial authority.
- Destruction and return of data: Government authorities must immediately destroy any irrelevant or immaterial data that is obtained pursuant to an authorised hacking measure. That destruction must be recorded in the independently verifiable audit trail of hacking activities. After government authorities have used data obtained through an authorised hacking measure for the purpose for which authorisation was given, they must return this data to the target person and destroy any other copies of the data.
- Oversight and transparency: Government authorities must be transparent about the scope and use of their hacking powers and activities and subject those powers and activities to independent oversight. They should regularly publish, at a minimum, information on the number of applications to authorise hacking approved and rejected; the identity of the applying government authorities; the offences specified in the applications; and the method, extent and duration of authorised hacking measures, including the specific configurations of target systems.
- Extraterritoriality: When conducting an extraterritorial hacking measure, government authorities must always comply with their international legal obligations, including the principles of sovereignty and non-intervention, which express limitations on the exercise of extraterritorial jurisdiction. Government authorities must not use hacking to circumvent other legal mechanisms – such as mutual legal assistance treaties or other consent-based mechanisms – for obtaining data located outside their territory. These mechanisms must be clearly documented, publicly available, and subject to guarantees of procedural and substantive fairness.
- Effective remedy: Persons who have been subject to unlawful government hacking, regardless of where they reside, must have access to an effective remedy.
Impugned provisions of the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (RICA) declared unconstitutional
In the case of amaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others, the Constitutional Court of South Africa considered a challenge to South Africa’s interception law, RICA, brought by an investigative journalism outfit whose co-founder had been subject to communications surveillance by the intelligence services. The Court declared various provisions of RICA to be unconstitutional, on the grounds that the law:
- Fails to provide safeguards to ensure the independence of a judge designated to oversee interception requests. For example, RICA fails to prescribe an appointment mechanism and terms for a designated judge (any judge mandated to oversee interception requests) that ensure the judge’s independence;
- Fails to provide for “post-surveillance notification” of people whose communications are intercepted;
- Does not adequately provide safeguards to address the fact that interception directions are sought and obtained ex parte (i.e. necessarily without the knowledge and participation of the person whose communications would be intercepted);
- Does not detail procedures to ensure that data obtained in the interception of communications is managed lawfully, including steps to be followed for examining, sharing, storing, or destroying the data; and
- Does not provide adequate safeguards where the subject of surveillance is a practising lawyer or journalist.
The Constitutional Court also upheld an order of the High Court that bulk surveillance activities and foreign signals interception undertaken by the South African government were unlawful and invalid, in that they were not subject to any enabling law.
There are various domestic laws and international standards that require that individuals be notified of covert recordings, including video surveillance.(12) However, there is no consistent position on this issue. There are two key recent decisions of the Grand Chamber of the ECtHR that are relevant in this regard:(13)
- Antović and Mirković v Montenegro:(14) This case concerned an invasion of privacy complaint by two professors at the University of Montenegro’s School of Mathematics after video surveillance had been installed in areas where they taught. They stated that they had no effective control over the information collected and that the surveillance had been unlawful. The domestic courts rejected a compensation claim, finding that the question of private life had not been at issue as the auditoriums where the applicants taught were public areas. The ECtHR made the following findings:
  - It held that there had been a violation of article 8 of the European Convention, finding that the camera surveillance had not been in accordance with the law.
  - The ECtHR rejected the government’s argument that the case was inadmissible because no privacy issue had been at stake as the area under surveillance had been a public, working area, noting that it had previously found that private life might include professional activities and considered this to apply to the applicants’ situation. Article 8 of the European Convention was therefore applicable.
  - On the merits of the case, the ECtHR found that the camera surveillance had amounted to an interference with the applicants’ right to privacy and that the evidence showed that the surveillance had violated the provisions of domestic law. According to the ECtHR, the domestic courts had not considered any legal justification for the surveillance because they had decided from the outset that there had been no invasion of privacy.
- Ribalda and Others v Spain:(15) This case concerned covert video surveillance of a group of employees at a supermarket, which led to their dismissal. The applicants complained about the covert video surveillance and about the Spanish courts’ use of the footage to find that their dismissals had been fair. Several applicants who had signed settlement agreements also complained that the agreements had been made under duress owing to the video material and should not have been accepted as evidence that their dismissals had been fair. The Grand Chamber made the following findings:
  - It held that there had been no violation of article 8 of the European Convention in respect of the five applicants. It found in particular that the Spanish courts had carefully balanced the rights of the applicants – who had been suspected of theft by their employer – and those of the employer and thoroughly examined the justification for the video surveillance.
  - A key argument by the applicants was that they had not been given prior notice of the surveillance, despite such a legal requirement, but the ECtHR found that the measure was justified owing to a reasonable suspicion of serious misconduct and to the losses involved, taking account of the extent and the consequences of the measure.
  - The ECtHR concluded that, in the present case, the domestic courts had not exceeded their power of discretion or margin of appreciation in finding that the covert video surveillance was proportionate and legitimate.
In respect of the media, considerations of public interest and the public status of individuals are key in determining whether information should be published. This was affirmed, for instance, in Radio Twist v Slovakia,(16) where the ECtHR had cause to consider the unlawful recording of a telephone call that had been broadcast on the radio. The recording was of a conversation among several senior government officials about the privatisation of an insurance company. The recording had been shared anonymously with the radio station. The ECtHR had particular regard to the context and content of the conversation being clearly political in nature, and the subject matter of the conversation being of general interest.(17) As to whether the recording was illegal, the ECtHR stated that it was not convinced that the mere fact that the recording had been obtained by a third party contrary to the law justified the applicant’s being deprived of its right to freedom of expression.(18) The ECtHR, therefore, held that the radio station had not violated the rights of the persons who were recorded.
Principle 12(a) of the Global Principles lists the following factors to consider in balancing the rights to freedom of expression and privacy, in situations concerning the publication of personal information:
- The extent to which the publication contributes to a debate of public interest; the degree of notoriety or vulnerability of the person affected;
- The subject covered by the publication and the extent of the private nature of the information at issue;
- The prior conduct of the person concerned;
- The content, form, and consequences of the publication;
- The way in which the information was obtained;
- The intent of the individual or entity disseminating the information at issue, and in particular whether it was malicious; and
- The extent to which the individual whose privacy is at issue is a public figure.(19)
Furthermore, Principle 12 provides that when dealing with the publication of photographs, video footage, or sound recordings, there should be consideration of whether the recording was made voluntarily and with consent. The use of privacy-invasive techniques, such as hidden cameras or undercover reporting, should only be permitted where there is an overriding public interest in the dissemination of the information sought or discovered which could not have been obtained by less invasive means, and where efforts have been made to address or minimise any privacy implications.(20)