Module 4: Privacy and Security Online
Government-led digital surveillance
The knowledge, or even the perception, of being surveilled can lead to self-censorship. Online surveillance has been a central issue for human rights activists for years, but following the Snowden revelations about the extent and scope of surveillance activities, it has become a pressing global issue. Communications surveillance encompasses the monitoring, intercepting, collecting, obtaining, analysing, using, preserving, retaining, interfering with, accessing or similar actions taken with regard to information that includes, reflects, arises from or is about a person’s communications in the past, present, or future.(1) This relates to both the content of communications and metadata. In respect of the latter, it has been noted that the aggregation of information – commonly referred to as ‘metadata’ – may give an insight into an individual’s behaviour, social relationships, private preferences and identity. Taken as a whole, it may allow very precise conclusions to be drawn concerning the private life of a person.
African Declaration on Internet Rights and Freedoms
Principle 9 of the African Declaration on Internet Rights and Freedoms (AfDec) — a civil-society led initiative that has been endorsed by the African Commission on Human and Peoples’ Rights — provides that “[u]nlawful surveillance, monitoring and interception of users’ online communications by state or non-state actors fundamentally undermine the security and trustworthiness of the Internet.” The AfDec goes on to explain that:
“Mass or indiscriminate surveillance of individuals or the monitoring of their communications, constitutes a disproportionate interference, and thus a violation, of the right to privacy, freedom of expression and other human rights. Mass surveillance shall be prohibited by law.
The collection, interception and retention of communications data amounts to an interference with the right to privacy and freedom of expression whether or not the data is subsequently examined or used. In order to meet the requirements of international human rights law, targeted surveillance of online communications must be governed by clear and transparent laws which, at a minimum, comply with the following basic principles: first, communications surveillance must be both targeted and based on reasonable suspicion of commission or involvement in the commission of serious crime; second, communications surveillance must be judicially authorised and individuals placed under surveillance must be notified that their communications have been monitored as soon as practicable after the conclusion of the surveillance operation; third, the application of surveillance laws must be subject to strong parliamentary oversight to prevent abuse and ensure the accountability of intelligence services and law enforcement agencies.
It should also be recognised that for the enjoyment of their right to privacy, individuals must be protected from unlawful surveillance by other individuals, private entities or institutions, including in their place of work or study and in public internet access points.”
General Comment No 16 to the ICCPR provides that “[s]urveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited”.(2) Surveillance – whether bulk (or mass) collection of data or targeted collection of data – interferes directly with the privacy and security necessary for freedom of opinion and expression, and must be considered against the three-part test to assess the permissibility of the restriction. In the digital age, ICTs have enhanced the capacity of governments, corporations and individuals to conduct surveillance, interception and data collection, and have meant that the effectiveness in conducting such surveillance is no longer limited by scale or duration.
In a resolution adopted by the United Nations General Assembly (UNGA) on the right to privacy in the digital age, the UNGA emphasised that unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data are highly intrusive acts, violate the right to privacy, can interfere with the right to freedom of expression and may contradict the tenets of a democratic society, including when undertaken on a mass scale.(3) It noted further that surveillance of digital communications must be consistent with international human rights obligations and must be conducted on the basis of a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.(4)
United Nations (UN) Resolution on the Right to Privacy in the Digital Age
The 2016 UN Resolution on the Right to Privacy in the Digital Age calls on states to, among other things:
- Review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law.
- Establish or maintain existing independent, effective, adequately resourced and impartial judicial, administrative and/or parliamentary domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data.
- Provide individuals whose right to privacy has been violated by unlawful or arbitrary surveillance with access to an effective remedy, consistent with international human rights obligations.
- Develop or maintain and implement adequate legislation, with effective sanctions and remedies, that protects individuals against violations and abuses of the right to privacy, namely through the unlawful and arbitrary collection, processing, retention or use of personal data by individuals, governments, business enterprises and private organisations.
Surveillance constitutes an obvious interference with the right to privacy. It also constitutes an interference with the right to hold opinions without interference and the right to freedom of expression. With particular reference to the right to hold opinions without interference, surveillance systems, both targeted and mass, may undermine the right to form an opinion, as the fear of unwilling disclosure of online activity, such as search and browsing, likely deters individuals from accessing information, particularly where such surveillance leads to repressive outcomes.
In order to meet the condition of legality, many states have taken steps to reform their surveillance laws to allow for the powers required to conduct the surveillance activities. For instance, in the judgment of Amabhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others, the High Court of South Africa held that the exercise of bulk surveillance in South Africa was unlawful because of the absence of any empowering legal framework to authorise such surveillance to take place.(5)
Necessary and proportionate
The Necessary and Proportionate Principles are a set of international principles on the application of human rights to communications surveillance.(6) As explained in the preamble:
“Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and information, and freedom of association, and is recognised under international human rights law. Communications Surveillance interferes with the right to privacy among a number of other human rights. As a result, it may only be justified when it is prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued.
Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications created limits to Communications Surveillance by States. In recent decades, those logistical barriers to surveillance have decreased and the application of legal principles in new technological contexts has become unclear … Meanwhile, conceptualisations of existing human rights law have not kept up with the modern and changing Communications Surveillance technologies and techniques of the State, the ability of the State to combine and organize information gained from different surveillance technologies and techniques, or the increased sensitivity of the information available to be accessed.
The frequency with which States are seeking access to both communications content and metadata is rising dramatically, without adequate scrutiny. Communications metadata may create a profile of an individual’s life, including medical conditions, political and religious viewpoints, associations, interactions and interests, disclosing as much detail as, or even greater detail than would be discernible from the content of communications. Despite the vast potential for intrusion into an individual’s life and the chilling effect on political and other associations, laws, regulations, activities, powers, or authorities often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by States.”
In terms of the principle of necessity, principle 3 explains that surveillance laws, regulations, activities, powers, or authorities must be limited to those which are strictly and demonstrably necessary to achieve a legitimate aim. As such, surveillance should only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification rests on the state.
According to principle 5, surveillance should be regarded as a highly intrusive act, and in order to meet the threshold of proportionality, the state should be required at a minimum to establish the following information to a competent judicial authority prior to conducting any communications surveillance:(7)
- There is a high degree of probability that a serious crime or specific threat to a legitimate aim has been or will be carried out.
- There is a high degree of probability that evidence relevant and material to such a serious crime or specific threat to a legitimate aim would be obtained by accessing the protected information sought.
- Other less invasive techniques have been exhausted or would be futile, such that the technique used is the least invasive option.
- Information accessed will be confined to that which is relevant and material to the serious crime or specific threat to a legitimate aim alleged.
- Any excess information collected will not be retained, but instead will be promptly destroyed or returned.
- Information will be accessed only by the specified authority and used only for the purpose and duration for which authorisation was given.
- The surveillance activities requested and techniques proposed do not undermine the essence of the right to privacy or of fundamental freedoms.
Safeguards and oversight
Privacy International sets out the following ten safeguards that should be implemented for any government hacking or surveillance regime:(8)
- Legality: Government hacking powers must be explicitly prescribed by law and limited to those strictly and demonstrably necessary to achieve a legitimate aim. That law must be accessible to the public and sufficiently clear and precise to enable persons to foresee its application and the extent of the interference. It should be subject to periodic review by means of a participatory legislative process.
- Security and integrity of systems: Prior to carrying out a hacking measure, government authorities must assess the potential risks and damage to the security and integrity of the target system and systems generally, as well as of data on the target system and systems generally, and how those risks and/or damage will be mitigated or corrected. Government authorities must include this assessment in any application in support of a proposed hacking measure. Government authorities must not compel hardware or software manufacturers or service providers to facilitate government hacking, including by compromising the security and integrity of their products and services.
- Necessity and proportionality: Prior to carrying out a hacking measure, government authorities must, at a minimum, establish a high degree of probability that: (i) serious crime or act(s) amounting to a specific, serious threat to national security has been or will be carried out; (ii) the system used by the person suspected of committing the serious crime or act(s) amounting to a specific, serious threat to national security contains evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security interest alleged; and (iii) evidence relevant and material to the serious crime or act(s) amounting to a specific, serious threat to national security alleged will be obtained by hacking the target system.
- Judicial authorisation: Prior to carrying out a hacking measure, government authorities must make an application, setting forth the necessity and proportionality of the proposed measure to an impartial and independent judicial authority, who shall determine whether to approve such measure and oversee its implementation. The judicial authority must be able to consult persons with technical expertise in the relevant technologies, who may assist the judicial authority in understanding how the proposed measure will affect the target system and systems generally, as well as data on the target system and systems generally. The judicial authority must also be able to consult persons with expertise in privacy and human rights, who may assist the judicial authority in understanding how the proposed measure will interfere with the rights of the target person and other persons.
- Integrity of information: Government authorities must not add, alter or delete data on the target system, except to the extent technically necessary to carry out the authorised hacking measure. They must maintain an independently verifiable audit trail to record their hacking activities, including any necessary additions, alterations or deletions. Where government authorities rely on data obtained through an authorised hacking measure, they must disclose the method, extent and duration of the hacking measure and their audit trail so that the target person can understand the nature of the data obtained and investigate additions, alterations or deletions to information or breaches of the chain of custody, as appropriate.
- Notification: Government authorities must notify the person(s) whose system(s) have been subject to interference pursuant to an authorised hacking measure, regardless of where the person(s) reside, that the authorities have interfered with such system(s). Government authorities must also notify affected software and hardware manufacturers and service providers, with details regarding the method, extent and duration of the hacking measure, including the specific configurations of the target system. Delay in notification is only justified where notification would seriously jeopardise the purpose for which the hacking measure was authorised or there is an imminent risk of danger to human life and authorisation to delay notification is granted by an impartial and independent judicial authority.
- Destruction and return of data: Government authorities must immediately destroy any irrelevant or immaterial data that is obtained pursuant to an authorised hacking measure. That destruction must be recorded in the independently verifiable audit trail of hacking activities. After government authorities have used data obtained through an authorised hacking measure for the purpose for which authorisation was given, they must return this data to the target person and destroy any other copies of the data.
- Oversight and transparency: Government authorities must be transparent about the scope and use of their hacking powers and activities, and subject those powers and activities to independent oversight. They should regularly publish, at a minimum, information on the number of applications to authorise hacking approved and rejected; the identity of the applying government authorities; the offences specified in the applications; and the method, extent and duration of authorised hacking measures, including the specific configurations of target systems.
- Extraterritoriality: When conducting an extraterritorial hacking measure, government authorities must always comply with their international legal obligations, including the principles of sovereignty and non-intervention, which express limitations on the exercise of extraterritorial jurisdiction. Government authorities must not use hacking to circumvent other legal mechanisms – such as mutual legal assistance treaties or other consent-based mechanisms – for obtaining data located outside their territory. These mechanisms must be clearly documented, publicly available, and subject to guarantees of procedural and substantive fairness.
- Effective remedy: Persons who have been subject to unlawful government hacking, regardless of where they reside, must have access to an effective remedy.
Impugned provisions of the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (RICA) declared unconstitutional
In the case of Amabhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others, the High Court of South Africa declared various provisions of RICA to be unconstitutional for their failure to provide for appropriate safeguards. The order included the following:
- RICA, including sections 16(7), 17(6), 18(3)(a), 19(6), 20(6), 21(6) and 22(7) thereof, is inconsistent with the Constitution and accordingly invalid to the extent that it fails to prescribe procedure for notifying the subject of the interception.
- RICA, including the definition of ‘designated judge’ in section 1, is inconsistent with the Constitution and accordingly invalid to the extent that it fails to prescribe an appointment mechanism and terms for the designated judge which ensure the designated judge’s independence.
- RICA, including sections 16(7) thereof, is inconsistent with the Constitution and accordingly invalid to the extent that it fails to adequately provide for a system with appropriate safeguards to deal with the fact that the orders in question are granted ex parte.
- RICA, especially sections 35 and 37, are inconsistent with the Constitution and accordingly invalid to the extent that the statute itself fails to prescribe proper procedures to be followed when state officials are examining, copying, sharing, sorting through, using, destroying and/or storing the data obtained from interceptions.
- Sections 16(5), 17(4), 19(4), 21(4)(a), and 22(4)(b) of RICA are inconsistent with the Constitution and accordingly invalid to the extent that they fail to address expressly the circumstances where a subject of surveillance is either a practising lawyer or a journalist.
- It is declared that the bulk surveillance activities and foreign signals interception undertaken by the National Communications Centre are unlawful and invalid.
On 25 February 2020, the Constitutional Court of South Africa heard an application for confirmation of the High Court order, as well as an application for leave to appeal by the state. At the time of writing, the Constitutional Court has not yet handed down its judgment.
There are various domestic laws and international standards that require that individuals be notified of covert recordings, including video surveillance.(9) However, there is no consistent position on this issue. There are two key recent decisions of the Grand Chamber of the ECtHR that are relevant in this regard:(10)
- Antović and Mirković v Montenegro:(11) This case concerned an invasion of privacy complaint by two professors at the University of Montenegro’s School of Mathematics after video surveillance had been installed in areas where they taught. They stated that they had had no effective control over the information collected and that the surveillance had been unlawful. The domestic courts, however, rejected a compensation claim, finding that the question of private life had not been at issue as the auditoriums where the applicants taught were public areas. The ECtHR held that there had been a violation of article 8 of the European Convention, finding that the camera surveillance had not been in accordance with the law. It first rejected the government’s argument that the case was inadmissible because no privacy issue had been at stake as the area under surveillance had been a public, working area. In this regard, the ECtHR noted in particular that it had previously found that private life might include professional activities and considered that was also the case with the applicants. Article 8 of the European Convention was therefore applicable. On the merits of the case, the ECtHR then found that the camera surveillance had amounted to an interference with the applicants’ right to privacy and that the evidence showed that that surveillance had violated the provisions of domestic law. According to the ECtHR, the domestic courts had never even considered any legal justification for the surveillance because they had decided from the outset that there had been no invasion of privacy.
- Ribalda and Others v Spain:(12) This case concerned the covert video-surveillance of employees which led to their dismissal. The applicants complained about the covert video-surveillance and the Spanish courts’ use of the data obtained to find that their dismissals had been fair. The applicants who signed settlement agreements also complained that the agreements had been made under duress owing to the video material and should not have been accepted as evidence that their dismissals had been fair. The Grand Chamber held that there had been no violation of article 8 of the European Convention in respect of the five applicants. It found in particular that the Spanish courts had carefully balanced the rights of the applicants — supermarket employees suspected of theft — and those of the employer, and had carried out a thorough examination of the justification for the video-surveillance. A key argument made by the applicants was that they had not been given prior notification of the surveillance, despite such a legal requirement, but the ECtHR found that there had been a clear justification for such a measure owing to a reasonable suspicion of serious misconduct and to the losses involved, taking account of the extent and the consequences of the measure. The ECtHR concluded that, in the present case, the domestic courts had thus not exceeded their power of discretion or margin of appreciation in finding the monitoring proportionate and legitimate.
In respect of the media, considerations of public interest and the public status of individuals are key determinants in whether information should be published. This was affirmed, for instance, in the case Radio Twist v Slovakia,(13) where the ECtHR had cause to consider the unlawful recording of a telephone call that had been broadcast on the radio. The recording was of a conversation amongst several senior members of government discussing issues around the privatisation of an insurance company. The recording had not been made by the radio station, but had been dropped in its mailbox. The ECtHR had particular regard to the context and content of the conversation being clearly political in nature, and the subject-matter of the conversation being on a matter of general interest.(14) As to whether the recording was illegal, the ECtHR stated that it was not convinced that the mere fact that the recording had been obtained by a third party contrary to the law justified the applicant being deprived of its right to freedom of expression.(15) The ECtHR therefore held that the radio station had not violated the rights of the persons who were recorded.
Principle 12(a) of the Global Principles lists the following factors to take into consideration in balancing the rights to freedom of expression and privacy, relevant in determining whether to publish: the extent to which the publication at issue contributes to a debate of public interest; the degree of notoriety or vulnerability of the person affected; the subject covered by the publication and the extent of the private nature of the information at issue; the prior conduct of the person concerned; the content, form, and consequences of the publication; the way in which the information was obtained; the intent of the individual or entity disseminating the information at issue, and in particular whether it was malicious; and the extent to which the individual whose privacy is at issue is a public figure.(16)
Furthermore, when dealing with photographs, video footage or sound recordings, regard should also be had to whether this was taken voluntarily and with consent. It has been suggested that privacy-invasive techniques, such as hidden cameras or undercover reporting, should only be permitted where there is an overriding public interest in the dissemination of the information sought or discovered which could not have been obtained by less invasive means, and efforts have been made to address the privacy concerns to minimise the interference.(17)