Recommendations for Government and Industry
Recommendations for Government and Industry
Abstract and Keywords
The chapters in this volume are uniform in their commitment to the proposition that terrorism can be effectively fought and national security interests can be defended within a system of oversight and control that protects both corporate interests and individual privacy. Moreover, they are remarkable in their consistency in describing the components of an effective system of checks and balances. This chapter draws on the work of the contributors to this volume and on the flood of policy developments over the past five years to recommend a coherent framework for collection of private-sector data. The elements of this framework for governments are legality, proportionality, and accountability. For corporations, they are based on adoption of internal policies, internal and external accountability, and transparency, backed up by a willingness to challenge overbroad or unjustified government demands.
The chapters in this volume represent a diversity of voices from around the world, but they are uniform in their commitment to the proposition that terrorism can be effectively fought and national security interests can be defended within a system of oversight and control that protects both corporate interests and individual privacy. Moreover, they are remarkable in their consistency in describing the components of an effective system of checks and balances. It turns out, when it comes to government surveillance, the tools of control and accountability are already known. They are just not comprehensively applied. This chapter draws on the work of the contributors to this volume and on the flood of court opinions, legislative enactments, official reports, academic writings, corporate developments, and NGO advocacy over the past five years, to recommend a coherent framework for the collection of private-sector data. For governments, the elements of this framework can be summarized in three key concepts: legality, proportionality, and accountability. For corporations, they are based on adoption of internal policies, internal and external accountability, and transparency, backed up by a willingness to challenge overbroad or unjustified government demands. The elements of this framework are drawn from long-accepted principles of the rule of law, human rights, and democratic governance. Some of them have even been applied for decades, in at least some democratic countries, to intelligence and national security surveillance. The one new recommendation that emerges from our study, however, is a strong rejection of bulk collection.
When we began this project in 2011, our initial research identified various examples of “systematic access” in a wide range of countries, but it also found a general lack of transparency about the nature of, and legal basis for, data collection practices carried out in the name of national security or foreign intelligence.
Beginning in June 2013, unauthorized and authorized disclosures of intelligence programs in the United States, the UK, and some other European countries partly lifted the shroud of secrecy, at least with respect to some countries. “Bulk surveillance” came to be featured prominently in national and international debates over governmental power, corporate responsibility and individual privacy. Although much of the commentary was exaggerated or misleading, it is undeniable that the disclosures confirmed our core concerns about expansive and lightly regulated government demands for access to data held (or transmitted) by the private sector.
In the ensuing years, there have been a number of remarkable developments:
• The president of the United States issued a directive expressly stating that the United States would respect the privacy rights of all persons “regardless of their nationality or wherever they might reside” and placed limits on the retention and use of signals intelligence collected in bulk by US agencies.1
• The US Congress adopted legislation, signed by the president, that ended a domestic program that had compelled telephone companies to turn over call detail records in bulk. The legislation amended several statutes to make it clear that they could not be used to authorize bulk collection in the future.2
• The US legislation also introduced the possibility of appointing independent advocates to participate in the proceedings of the secret Foreign Intelligence Surveillance Court, which had previously examined programmatic surveillance demands based on the filings and arguments of only the government.3 (p.425)
• The US Privacy and Civil Liberties Oversight Board developed into a fully functioning independent oversight body, issuing detailed reports and recommendations on US surveillance programs.4
• Other countries adopted legislation at least nominally designed to increase oversight of their intelligence services.
• The Court of Justice of the European Union annulled the EU data retention mandate, which had required communications service providers to collect and retain transactional data on all the communications of all their customers.5
• Insisting that strong protections were needed lest technological developments erode the constitutional right to privacy, the US Supreme Court held that police needed a judicial warrant, issued under the Constitution’s highest standard, to conduct prolonged GPS tracking or to examine the contents of a mobile phone seized in the course of arrest.6
• Internet and telecommunications companies published on a regular basis increasingly detailed transparency reports, statistically documenting the number and types of government demands for disclosure of customer data.
• Device makers and providers of online communications services increasingly incorporated encryption into the default settings of their products and services, protecting data both at rest and in transit. Applications providing strong encryption from one user to another (sometimes called “end-to-end,” although that term can be ambiguous) proliferated.
• US-based providers of Internet services became advocates for the privacy of their customers worldwide, supporting greater transparency of government demands and stronger legislative standards for government access, and strongly opposing bulk collection of communications data.7
• The Privacy Bridges project, launched by then-chair of the Dutch Data Protection Authority Jacob Kohnstamm, identified “Government Access to Private Sector Personal Data” as one of 10 critical areas where transatlantic cooperation is needed, recommending that companies faced with surveillance demands “establish uniform internal practices for handling such [government] requests regardless of jurisdiction, (p.426) citizenship, and data location,” “report on practices relating to government access requests on a regular basis,” and develop “a framework for assessing and responding to requests for data originating outside national territory.”8
Not all developments, however, have been privacy-friendly. While the United States has curtailed some of its programs, other countries have expanded theirs. In response both to the revelations of intrusive US government programs and to the changing communications environment and the growing importance of digital evidence in both criminal and national security matters, a number of countries have adopted laws expanding government surveillance powers or requiring service providers to make data more readily accessible.
III. The Recommendations
The chapters in this volume represent a diversity of voices from around the world, but they are uniform in their commitment to the proposition that terrorism can be effectively fought and national security interests can be defended within a system of oversight and control that protects both corporate interests and individual privacy. Moreover, they are remarkable in their consistency in describing the components of an effective system of checks and balances. It turns out, when it comes to government surveillance, the tools of control and accountability are already known. They are just not comprehensively applied.
In this chapter, we draw on the work of the contributors to this volume and on the flood of court opinions, legislative enactments, official reports, academic writings, corporate developments, and NGO advocacy over the past five years, to recommend a coherent framework of oversight and accountability.
The elements of the framework are really nothing new. They are drawn from long-accepted principles of the rule of law, human rights, and democratic governance. Some of them have even been applied for decades, in at least some democratic countries, to intelligence and national security surveillance. The one new recommendation that emerges from our study, however, is a strong rejection of bulk collection.
Before we present the recommendations, it is first necessary to consider briefly their scope. When we began this research in 2011, we used the term “systematic access” to refer to large-scale government access mainly to data in storage. However, we found that it was often difficult to separate concerns over access to data at rest from concerns about data in transit. Some of the surveillance programs that have attracted the largest attention in recent global policy debates have involved access to data in transit. Also, given the architecture of cloud services, data in storage may move between servers or between the cloud and (p.427) end users, meaning that it can be accessed in transit. One clear difference that exacerbates concerns with data in storage is that it allows retrospective surveillance. Ongoing improvements in storage capacity mean that third-party service providers can and do hold data reaching back to the inception of their services. In terms of oversight and control, however, the mechanisms and standards are in many ways the same. Consequently, our recommendations, and many of the chapters in this compilation, address both access to data in transit and access to data in storage.
Also, we have found it difficult to separate concerns with bulk or mass surveillance—surveillance that sweeps up, for example, data about all individuals using a service—from concerns with surveillance that is targeted (that is, focused on specific individuals or accounts) but that nevertheless is massive in that it collects a large amount of data on a large number of individuals. That said, the distinction between mass, bulk, or indiscriminate collection and massive but targeted collection remains valid and is reflected in our recommendation against bulk collection.
A. Recommendations for Governments
1. Three Core Principles: Legality, Proportionately, and Accountability
From the various governmental, intergovernmental, corporate, academic, and civil society statements and rulings and reports both before and especially after the Snowden revelations, three core principles emerge for the conduct of government surveillance programs: legality, proportionately, and accountability. These three principles can be described and expanded with further elements. Together, they form a set of standards that we believe can permit responsible, effective government surveillance, while ensuring that it is conducted in a manner that protects privacy as fully as possible. In many instances, the same tools that help protect privacy also help focus surveillance so that it is more likely to be effective. In others, surveillance and privacy may be in tension. But in either case, a growing consensus has emerged from a rich body of international law and norms on the proper conduct of government surveillance. We believe the following principles reflect that consensus:
Legality. The principle of legality has two components. The first focuses on the adoption of the framework defining governmental powers. The authorities and standards for government surveillance (data acquisition) should be spelled out in a publicly accessible law or regulation in terms precise enough to protect against arbitrary application and to inform the public of which entities can conduct surveillance and under what criteria.9
(p.428) The second component of legality focuses on the specific application of a particular power, that is, a particular exercise of that power in carrying out a specific instance or program of access. More intrusive measures should require authorization by an independent judicial officer (with possible exception for emergency circumstances). In all situations, surveillance or data acquisition should require approval of a senior official. For national security matters, approval should be required of both a senior intelligence official and from a senior official outside the security service.
Proportionality. The concept of proportionality has several components. One concerns the purpose of the surveillance or data acquisition. As Special Rapporteur Frank La Rue stated, “Legal frameworks must ensure that communications surveillance measures … [a]re strictly and demonstrably necessary to achieve a legitimate aim.” In the criminal justice context, the purpose of surveillance should be limited to the investigation of specified serious crimes. In the national security context, the topics of surveillance should be narrowly defined and/or limited to specified serious threats or subjects.
Proportionality also concerns scope. (The concept of “necessity” is also relevant to scope.) Bulk surveillance should be disfavored. Surveillance should be limited to a specifically designated person or account.10 “Strategic” or generalized monitoring should be disfavored and, if permitted, should be more closely regulated. The government should be required to ensure that irrelevant data is not recorded or, if collected, is destroyed or is not searched or used. This is sometimes referred to as “minimization.”
Another element of proportionality is justification. Approval of the initiation of surveillance should require a showing of a strong factual basis for believing that the target is engaged in criminal conduct or activities of national security significance. Approval should require a showing that other less intrusive means will not suffice or are unlikely to obtain the needed information. (Again, the concept of “necessity.”) The duration of a surveillance, or the time period covered by stored data, should be limited, subject to renewal.
Proportionality also means that the use and disclosure of data should be limited to the purposes that justified the initial collection. For example, in the criminal investigative context, data collected should be used only for investigation or prosecution of crimes at least as serious as those that justified the surveillance.
Finally, proportionality means that there should be a time limit set on how long the government can retain information it acquires.
Accountability. Accountability has three components: transparency, oversight, and redress. Transparency is closely tied to the first element of legality: not only should the government’s powers be publicly specified, but basic information about the interpretation and use of those powers should be published. Independent oversight bodies (judicial, executive, legislative) should oversee the actual implementation of surveillance procedures to protect against abuse. (p.429) Individuals should be able to obtain redress for violations of the established standards. In order for individuals to claim redress, they must have notice. The target of government data collection should be provided notice of the government’s action. Such notice may be delayed in order not to frustrate the investigation.
We recognize that no country in the world uniformly applies all of these concepts to all forms of surveillance. There are legitimate differences between surveillance for law enforcement purposes as opposed to surveillance for national security purposes, and the administrative purposes of the modern welfare state may justify certain data reporting requirements. Different rules may apply to the content of communications versus metadata. Nevertheless, recognizing all of these caveats, the foregoing factors, discussed in the chapters in this volume by Sarah St.Vincent, by Ashley Deeks, and by Ira Rubinstein, Greg Nojeim, and Ron Lee, provide the source of an effective oversight and accountability system.11
The chapters in this compilation, as well as the research of others, have substantially fleshed out several elements of this framework. We highlight three here.
Independent Oversight: As Nico van Eijk effectively argues, oversight, broadly defined, must be comprehensive, independent, and adequately resourced. Effective oversight can be achieved only with a web of checks and balances, implemented by multiple bodies of varying competencies, reinforcing each other. A lesson of the past four years is that no one body or structure can be relied on to provide adequate control of government surveillance. Courts, no matter how independent, can approve programs that seem unreasonable in the light of day. Parliamentary bodies may grant broad powers. An effective system of controls will include the legislature, the judiciary, the executive (through internal compliance, auditing and inspection), and some form of special commission or reviewer. Effective oversight must encompass prior authorization, post hoc review, and a meaningful complaint and redress system. It should encompass all stages of the intelligence cycle: collection, querying and analysis, retention, dissemination, and use. At least somewhere in the process, there should be an adversarial function, representing the interests of affected individuals and challenging the claims of the government.
Transparency: There must be transparency both as to what the authorities of the government are and as to how those authorities are exercised. This can be done without jeopardizing sources and methods. At the most fundamental level, all authorities exercised by the state should be specified in statute. Companies should be able to publish statistical reports on the number and types of government demands received.
Much of the criticism of the bulk surveillance program of telephone metadata, initially disclosed by Edward Snowden, that the United States was conducting under section 215 of the USA PATRIOT Act reflected the importance (p.430) of transparency and the impact on public trust when it is absent. The bulk surveillance was based on a series of secret court orders that offered a sweeping new interpretation of section 215 that was not in any way suggested by the text of the statute. Finally, after unauthorized disclosures, the US government officially acknowledged the interpretation, and Congress moved to amend the statute to prohibit its use for bulk collection.
Accountability: Courts, including regional human rights courts, play a crucial role. This has been demonstrated most clearly by the jurisprudence of the European Court of Human Rights and more recently by the Court of Justice of the European Union. Claims of secrecy should not be used to bar access to the courts.
B. Recommendations for Companies
Although the work TPP has supported on systematic government access to private-sector data initially focused on government activities, in its later stages it included greater attention to the activities of private-sector targets of government surveillance demands. As we explain in our chapter on accountability, the responsibility of companies as data stewards extends both to their own processing of data and to processing by their vendors and partners to whom data is disclosed. However, when a government entity demands that a company disclose data in its possession or control, that introduces a gap in the accountability structure if the governmental entity itself is not acting within a structure of accountability. This gap—the inability of a company to assure its regulators and its customers that information will be disclosed to governments only under a system of legality, proportionality, and accountability—is what led to the Schrems decision striking down the system for data flows from Europe to the United States. A company cannot meet its privacy obligations to its customers if it is subject to government demands that are not themselves compliant with core human rights norms. In this regard, there is a direct link between human rights protections and corporate self-interest.
There is of course a further linkage, which is trust. Even if companies were not lawfully obligated to adopt accountable data governance practices, the market creates incentives to establish and maintain the trust of their customers. Especially with the unprecedented growth of cloud services, as individuals, corporations, and other entities turn over vast amounts of highly sensitive data to third parties for storage and processing, it is literally existential that companies holding the data can assure their customers that it is secure.
A core group of Internet companies has made progress in addressing this challenge of accountability and trust, through the Global Network Initiative. Under the GNI implementation guidelines, it is not sufficient for companies merely to say, “We only comply with lawful demands.” The GNI guidelines specify that companies should have in place procedures to carefully assess not only whether a government demand is lawful but also whether it is overbroad or inconsistent with international human rights standards. The guidelines state that, when (p.431) required to provide personal information to governmental authorities, participating companies will:
• Narrowly interpret and implement government demands that compromise privacy.
• Seek clarification or modification from authorized officials when government demands appear overbroad, unlawful, not required by applicable law or inconsistent with international human rights laws and standards on privacy.
• Request clear communications, preferably in writing, that explain the legal basis for government demands for personal information, including the name of the requesting government entity and the name, title and signature of the authorized official.
• Require that governments follow established domestic legal processes when they are seeking access to personal information.
• Adopt policies and procedures to address how the company will respond when government demands do not include a written directive or fail to adhere to established legal procedure. These policies and procedures shall include a consideration of when to challenge such government demands.
• Narrowly interpret the governmental authority’s jurisdiction to access personal information, such as limiting compliance to users within that country.
• Challenge the government in domestic courts or seek the assistance of relevant authorities, international human rights bodies or non-governmental organizations when faced with a government demand that appears inconsistent with domestic law or procedures or international human rights laws and standards on privacy.12
In our chapter on accountability, we also discuss how transparency plays as critical a role in private-sector responses to government demands for personal data as it does with respect to government surveillance activities. Transparency in this context concerns both legal authorities and the scope of the government’s exercise of those authorities: what types of information are being disclosed to government agencies and under what legal authorities and for what purposes; and how much data, affecting how many customers, is disclosed? Companies are largely at the mercy of national laws and government policy in terms of what they can disclose. Companies in the United States and elsewhere have made huge strides in developing transparency reports in which they publish statistical information about the number of government disclosure demands they receive and/or the number of accounts affected, although they remain constrained by some government-imposed limits.
An increasingly broad consensus is emerging around the key requirements that should guide and constrain both government and industry when governments seek broad access to personal data held by the private sector. The work supported by TPP for more than five years has helped to inform and support that consensus. The country reports in this volume amply demonstrate the prevalence of bulk or large-scale surveillance, the importance of the need for ensuring that it is conducted subject to appropriate controls, the inadequacy of many of the controls already in place, and the growing consistency about the necessary components of an effective system of checks and balances. The findings of this project and many others have also highlighted the need for action. The tools for ensuring accountability when governments engage in systematic surveillance of private-sector data, and when industry is confronted with government demands for data, are well known. They just need to be implemented.
(1.) Presidential Policy Directive/PPD-28, “Signals Intelligence Activities” (January 17, 2014).
(2.) USA FREEDOM Act, Pub. L. 114-23 (June 2, 2015). In addition to amending Section 215 of the PATRIOT Act to prohibit is use for bulk collection, the Act also amended various provisions authorizing issuance of National Security Letters, making it clear that they could not be used for bulk collection.
(3.) The FISA Court has since taken advantage of the special advocates role, publicly appointing an independent advocate in one case dealing with the final stages of the bulk telephone records program and designating a pool of five qualified lawyers that can be drawn upon in the future.
(4.) Of the 22 recommendations issued by the Board so far, all have been implemented in whole or in part, including in the legislation ending the bulk telephony metadata program.
(5.) Digital Rights Ireland ECLI:EU:C:2014:238 (2014). See also S and Marper v. UK,  ECtHR 1581(UK DNA collection/retention).
(6.) Riley v. California, 573 U.S. 783 (2014) (mobile phone searches); United States v. Jones, 565 U.S. 400 (2012) (GPS tracking).
(8.) “Privacy Bridges: EU and US Privacy Experts in Search of Transatlantic Privacy Solutions,” (2015) at 6, https://privacybridges.mit.edu/sites/default/files/documents/PrivacyBridges-FINAL.pdf.
(9.) Several human rights instruments use the phrases “in accordance with law” and “necessary in a democratic society.” The core principle is that the law authorizing government data acquisition “must not only be accessible and foreseeable in its application, it must also ensure that secret surveillance measures are applied only when necessary in a democratic society, in particular by providing for adequate and effective safeguards against abuse.” Szabó and Vissy v. Hungary, ECtHR, App. no. 37138/14, Judgment, January 12, 2016, ¶ 59.
(10.) This is sometimes referred to as “particularity.”
(11.) See also D. Korff, “Note on European and International Law on Transnational Surveillance prepared for the Civil Liberties Committee of the European Parliament” (August 23, 2013), http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/note_korff_/note_korff_en.pdf.