Cyber101x Cyberwar, Surveillance and Security - Week 4 - Public justification in context of metadata

WHAT DOES PUBLIC JUSTIFICATION IN THE CONTEXT OF METADATA MEAN?



 REBECCA LAFORGIA: This right to privacy is, of course, not absolute. But it does encompass mandatory requirements that the state is required to publicly justify its actions in the area of metadata and surveillance, and provide independent review. And let's consider in more detail the right to privacy itself. It's contained in Article 17, of the International Covenant on Civil and Political Rights, "that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home and correspondence ..." And it proceeds, "Everyone has the right to the protection of the law against such interference or attacks." Article 17 is described in the Special Rapporteur Mr Emmerson QC's report: "Article 17 of the International Covenant on Civil and Political Rights is the most important legally binding treaty provision guaranteeing the right to privacy at the universal level." The special rapporteur notes that among other requirements, Article 17 requires a lawful reason, or a legitimate aim for interference. It needs to be lawful, it needs to be proportionate. Each of these has their own meanings, and the report elaborates on this. I want to centre on two ideas. One, of the legitimate aim to interfere with privacy, and secondly the requirement that even if there is a legitimate aim, the state still has a requirement to justify its surveillance actions. Firstly, legitimate aim. The special rapporteur notes that "Terrorism can destabilise communities, threaten social and economic development, fracture the territorial integrity of states, and undermine international peace and security." And it is a legitimate aim to form a justification for the interference of the right to privacy, metadata and surveillance. However, even if collection of metadata and surveillance is for this legitimate aim, nevertheless, there are requirements on the state that come from Article 17. This comes from the fact that the collection of information is so wide. And given its breadth, and the fact it operates not on suspicion, but preemptively, then the state must justify why it is collecting the information. This need for justification, given the breadth of the reach, is a significant legal requirement. It arises from proportionality. It is not an optional aspect where the state shares information or not. The justification is a central requirement of privacy itself. And I want to reiterate, this is because in the context of metadata and surveillance, it has moved from what the special rapporteur calls the small or the micro level, where an individual was under suspicion, to this macro level, in which there's a whole system, in which there is quote "wholesale interference with individual and collective privacy rights of all internet users", end quote. He suggests that because of this magnitude, then justification must be equally rigorous. It must be equally factually based, public. Without such justification, then a state is not in compliance with Article 17 of the international covenant. Let's think about it. Privacy was once small. It was about the state having perhaps a search warrant, judicial review. Privacy exceptions are now large. Preemptive collection across, in some cases, the world, of everyone's data. So, surveillance operates in an internal and an external mode. It's not limited to state borders. That is, it's extraterritorial. It requires justifications that are equally broad and encompassing. Justifications are a significant aspect of complying with the right to privacy under Article 17. They would need to be ongoing, clear, detailed, public. You may have had a visual imagery of privacy. Perhaps somebody sitting alone, somebody not intruding. But what we're increasingly seeing in privacy in the context of metadata and surveillance is it creates an obligation on the state to have a dialogue, to justify its surveillance to the citizen in ongoing, rational basis. And also to have independent review. So what is the core element of this justification? What would you be looking for from the state? In Australia, there was a committee which was looking at changes to a bill or a future law. And they made suggestions which are, I think, concrete and helpful for thinking about the notion of justification and what it might look like. And I'm just sort of paraphrasing here. There were suggestions that the cost of the scheme, that the implementation plan, should be made public. There should be categories, there should be breakdown of offences, there should be a clear indication of number of requests, there should be continual briefing. There should be an ability to have any potential improvements. Essentially, dialogue which relates to how the scheme is actually working. And an openness to mistakes, an openness to revisit it. It's important to reiterate that justification is not a luxury, it is a requirement of privacy. It will be ongoing, it'll be reflective. It will enable enough information for citizens to make a considered assessment. And it will document mistakes. Perhaps we can think about justification in another way. That was sort of pragmatic, and it was drawn from a committee. Think about justification as moving from what we might call 'security theatre' to actually justifying, rationally, public outcomes of metadata and surveillance. This idea of 'security theatre' is posited in a blog by Bruce Schneier. He starts with a story, and I'm paraphrasing somewhat here from the blog. He was visiting his friends. They had a baby. He noticed something interesting. He noticed that the infants had, essentially, tags attached to their ankles. And these were sensors. And if they would be abducted, then the alarm would go off. He then goes on to note that "Infant abduction is rare." He quotes a statistic. There have been in the last 22 years about 233 such abductions. About four million babies are born each year. And he says that the baby has a one in 375,000 chance of being abducted. He then goes on to compare this with the mortality rate in the US, which is one in 145. Quote, "and it becomes clear where the real risks are." He goes on, so why are hospitals bothering with our FID bracelets? I think they're primarily there to reassure the mothers. Quote, "Security is both a reality and a feeling." “The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures.” He goes on to say that the tags are clearly a reassurance measure. He's not questioning this, he's observing. And he says, "Security is both a reality and a feeling." And importantly, this is further quoting from his site, "Of course, too much security theater and our feeling of security becomes greater than the reality, which is also bad. And others, politicians, corporations, and so on, can use security theater to make us feel more secure without doing the hard work of actually making us secure." End of quote. So justifications for the purposes of Article 17 are this hard work. If someone is reassuring you, speaking in authoritative tones, before a national symbol, whatever that may be, then chances are they're performing security theatre rather than the hard work of justification. Justification is detailed work, actually explaining the detailed, ongoing way the effects of extensive and, at times, limitless surveillance. It's explained to the public, and the public has an opportunity to question. It is a justificatory style dialogue. It is required under Article 17, the right to privacy. This is the constant and stable demand Article 17, the right to privacy, makes of the state.