In an interview, Joseph A Cannataci, the UN’s special rapporteur on the right to privacy, speaks about increased reach of governments into private lives – and about Aadhaar
Joseph A Cannataci is the UN’s first and current special rapporteur for the right to privacy appointed by the Human Rights Council (HRC) in July 2015. His appointment came with growing global concerns about threats to privacy in the digital age where governments and big corporations collect mass data, with increasing threats of cyber warfare and with the majority of countries looking on helplessly as the more technologically-advanced nations treat the internet “as their own backyard”.
Cannataci presented his latest report to the 34th session of the HRC on March 14 where he recommends the creation of a legal instrument that could grant the equivalent of an international surveillance warrant to tackle the problem of thousands of requests for access to data that tech giants like Google, Facebook, Microsoft, Apple and Twitter get from governments across the world. The privacy-rights expert asks for creating an international body with a pool of independent judges that will review and authorise states’ requests for data access to multinationals by granting an equivalent of an international surveillance warrant or international data access warrant (IDAW) – on grounds of reasonable suspicion under clear international law – that would be enforceable in cyberspace.
Also, in the 34th session of the HRC, a historic privacy resolution was adopted. An extract from the text says: “Emphasising that unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, as highly intrusive acts, violate the right to privacy, can interfere with other human rights, including the right to freedom of expression and to hold opinions without interference, and the right to freedom of peaceful assembly and association, and may contradict the tenets of a democratic society, including when undertaken extraterritorially or on a mass scale.”
The UN expert is also a professor holding the chair of European information policy and technology law at the University of Groningen in The Netherlands and the head of department of information policy & governance at the University of Malta. Previously, he has served as an expert on privacy, data protection, the internet and cybercrime for the Council of Europe, the European Commission and UNESCO.
Cannataci spoke to Shreerupa Mitra-Jha on his report to the HRC and discussed various facets of the right to privacy. Edited excerpts from the interview:
What should privacy in the digital age mean?
As you know, traditionally, in the privacy discourse, it has been difficult to come up with a universal discourse on privacy. You see, countries signing up to privacy as a right – unfortunately, either they did not have enough lawyers with them or they had too many lawyers and they forgot to put in a definition of privacy.
I am all for privacy as a universal right and in my last report I am encouraging states, specifically the US, to do all it can to ensure it remains a universal right. One of the things that really upsets me is this tendency by some governments to say ‘Okay, so for German citizens or EU citizens, we have one set of rights, but if you don’t have a German or an EU passport then we can treat you in a different way’. The Americans do the same. My contention is: it [right to privacy] is a fundamental human right and everybody deserves that right. And if you are a government operating wherever it is, whether it is law enforcement or national security, that you protect that right unless there is a reasonable suspicion. You should not be in a position where that person’s rights can be infringed willy-nilly.
I am quoting [JB] Young here when I say privacy, like an elephant, is far more readily recognised than described.
Secondly, are there differences between cultural appreciations of what privacy may be. Yes, there may be cultural differences on what we understand by privacy, but this does not in any way subtract from the universality of the right to privacy. And it’s important to get that straight.
We are also looking very much at the internet in the so-called information age, so from an information point of view, I tend also to use the definition for informational privacy, which is to say, it has to do with personal data and personal data is any data which can be linked to an identified or identifiable individual – which is the standard definition in most data protection laws in the world.
The third thing that I wish to explore, even in places like India, is how privacy is important for the development of our personality. Privacy is an intrinsic, enabling right – so your and my right to free, unhindered development of personality. Who is Shreerupa? How did she become what she is today? Is she going to become what she wants to be tomorrow? In order to take those decisions, you need to be able to explore things – you have to be able to explore things in your mind and when you are able to explore things in your mind, you need to be able to realise what options there are for you and for that you need to be able to receive information. Then what is your right: to be able to read that information in private but also to express it in private. And it is that right to access the information and how to deal with it privately that also helps to discover yourself sexually.
So to answer your question, privacy, while really a standalone right – clearly a fundamental right in its own league – is to me principally an enabling right. In reality, what we are looking at more than surveillance is all dimensions of privacy.
How effective is the strategy of bulk acquisition of data from telecommunication providers to address valid security concerns?
It’s actually in many cases not carried out by telecommunications providers but it is carried out by the security services themselves. So what we are talking about technically here are four major forms of bulk acquisition of data.
First, it’s the interception of communications. It’s typically intercepting communications internationally over a fibre optic cable, put that in storage for a few days or a few months and then apply selectors to that storage. So essentially that is very intrusive because – this was typically what was reported during the Snowden affair – every single transaction over internet fibre optic cable has been intercepted, anything from this very innocent interview that we are carrying out to anything which is more sinister.
The second form of bulk acquisition is what they call bulk equipment interference, which is code for ‘bulk hacking’. Basically, the concept means we think there is a terrorist or two in New Delhi. In order to find those terrorists, we justify hacking into every single mobile device in New Delhi even if it’s 40 million of them and try to find out which is the one – which means planting stuff on your mobile devices, computers or tablets. So that is really the most intrusive form of surveillance that you can imagine. I am not saying that if Joe and Shreerupa are terrorists, you should not hack into their device but you hack into their device and not everyone’s device. And when you do so, you make sure you have the warrant to carry out the hack and that warrant is given by somebody who is preferably of independent judicial standing.
The next form of bulk acquisition is bulk communication data that is done rather than by intercepting, by going to a telecom provider and asking them, ‘Vodafone, can I have all your comms data for the last three months?’
And then the fourth form of data acquisition is bulk personal datasets where you go to a government department and convey to them that ‘I would like to have all your social security data for transactions for New Delhi for the past three years’.
The intelligence services claim that they are effective. I have not seen the evidence that proves that they are effective. Very few people have seen any evidence that this is effective. One person who claims to have seen evidence is the independent reviewer of terrorism legislation in the UK, David Anderson. However, even if they are effective, the issues of proportionality have not been tackled. The measures are disproportionate to the risks that exist and they are disproportionate to the benefits they give you. When you create such a huge database, vacuuming up everybody’s data, you are creating a really nice honeypot for both organised crime and individual hackers and hostile nations to attack the data. And it’s a huge risk. We have seen so many hacks in so many systems around the world that clearly the risk exists. When you have a country as powerful as the US, then you have powerful apparatus and you have a new president who isn’t too finicky about democratic checks and balances and then decides to abuse the data – it’s a huge problem of abuse.
If you see the number of attacks carried out in Europe, for example, and even in the US, most of the attacks were carried out by people already known to the security services and to the police. To my mind, it would be a far more proportionate response if you get people to follow them around rather than hacking through everybody’s device. Privacy is the foundation of what makes life worth living.
Are you concerned that the increased reach of government surveillance into private lives would disproportionately affect certain categories of people like immigrants and minorities given the current rise of xenophobic nationalism in many parts of the world?
I am concerned, yes, that’s the short answer. Taking an example from history, we don’t need computers for data gathered to be used against minorities. If you go back to the second world war, Hitler didn’t have any computers, but he had an army of clerks and he got the clerks to go through the social security records in the Netherlands to find out who the Jews were. Of course, the surveillance powers of the state can be used to discriminate against minorities and those minorities could be human rights activists, could include journalists – basically, they could be used against anybody. Whether they are majority or minority does not make that much of a difference because modern computing technology makes it possible to profile each and every one of us.
So if you are profiled – and this is the scariest part of the story – today, unlike Hitler’s [time], you do not need an army of clerks. You don’t even need an army at all. You barely need a platoon of programmers. And if you have a good technical team, you can set up your machines in such a way so as to profile a whole load of people. And I think it is important to remember how easy it has become to profile people. And follow them around.
Twenty years ago, you wouldn’t be carrying your smartphone around, a tablet around, you wouldn’t be connected to Wi-Fi. In this lifestyle, ‘every step you take, every move you make, I’ll be watching you’, to quote Sting. Because you are using this technology and every single click you make is being recorded somewhere – which means everything you look at online, all your online shopping, all your browsing, all your reading, somebody out there is profiling you on the basis of your online choices. Which means, if somebody gets into your phone, or if somebody gets into your browsing history, they can tell so much about you. So if you think Shree is becoming a pain, follow her electronically, knock on her door and say ‘shut up, or else I will publish these details about you’.
You have called for an international law to monitor government requests to global corporations like Apple, Microsoft, Facebook and Twitter by issuing IDAW. How realistic do you think is such a recommendation?
It is realistic. The warrant to the companies is just one example. At this moment of time, the companies receive literally tens of thousands of requests [from governments] for access to data and metadata every year. So you can find out from the Transparency International reports how many requests the Indian government makes, how many requests the Maltese government makes, etc. The US government had 17,000 requests to Facebook alone, to give you an example. I would say, from the top of my head, that more than 90 percent of those requests are perfectly legitimate. Let’s say for the sake of argument that 10 percent are vexatious ones – ones that are made by a government far more intent on harassing its citizens than protecting them from terrorism.
The three main things that are used to sell surveillance are terrorism, organised crime and paedophilia. If you and me were international judges on a panel and somebody came to us and said that Mr X is up to no good [and] these are the reasons why we would like to have an IDAW concerning this person. If you and me were persuaded, we would easily grant the warrant. It is an effective mechanism because it would do away with all the problems we are currently seeing where justice is being delayed. The current mechanism of mutual legal assistance is very slow and takes for its conclusion between 11 to 13 months.
Let’s make a case in point of the problems you will avoid. So on the 14th of July last year, Microsoft won a case in a court in New York when the US government was asking for access to data held by Microsoft in Ireland. At that stage, Microsoft resisted that on the grounds of jurisdiction and you can understand why – if you are a global company like Microsoft, Amazon, Google, you want to retain your business globally and you don’t want to give your clients the impression that you are going to give their data away willy-nilly. So in that case, if Microsoft had search warrants, then it can say that this is subject to international law. Remember at this moment in time, if a genuine investigation wishes to target Shree’s data on Facebook [FB], it goes to both FB and Google, who would go through a three-step procedure: First, is this request valid under Californian law, second, is it valid under US federal law, and third, if it goes pass these two hurdles, then FB would say ‘Oh, she’s from Geneva’, so is it valid under Swiss law? It’s an incredibly costly process and an inefficient one too.
Then there is another dimension to that – the political dimension. By getting countries to agree by what I have called the appropriate state behaviour in cyber space, we would be moving towards a much more reasonable and civilised way of sorting out this kind of question.
That being said, it’s as realistic as every other problem in international law where people have something at stake. Today, people are talking of the internet being a common good (like they talk of the oceans), they are talking of the internet as a common heritage of mankind. So are we going to deal with it as a separate space. If so, are we going to regulate the space in the same way as under international law as we do the other four spaces: land, sea, air and space? And now, the funny thing is, as of June 2016, it’s official, we now have the fifth space – NATO considers cyberspace to be an independent space and it considers acts of war carried out in cyberspace. So, hang on, cyberspace can be a war zone, but we haven’t yet thought out an international law approach to it?
Is it difficult? Of course, it’s difficult because at this moment in time, out of the 195 member states of the UN, we have 175 of them who do not have the technology and who do not apply themselves to carry out large-scale cyber war. But we do have 20-25 states, and India is one of them – it may not be as leading a culprit as the US, Russia, China the UK or France – and all five permanent members of the [UN] Security Council have the technology [to carry out cyber warfare]. But basically, what I have accused them of doing in a rather polite way is that they treat cyberspace as their own backyard and they squabble over the spoils where the other countries look on helpless.
I haven’t met a single big corporation or civil society who doesn’t believe that we should have an international law in cyberspace. The only pushback I have received is from a tiny minority of governments who have vested interests.
Any surveillance law must meet three tests: is it a necessary measure, is it a proportionate measure, and is it a necessary and proportionate measure in a democratic society? They need to be under strict laws that articulate such oversight and what I am proposing, and I don’t have the exact form in mind now for the simple reason that there are many ongoing discussions that I have mentioned in my report.
Your report, submitted before WikiLeaks published ‘Vault 7’, doesn’t analyse this latest document dumping, which purportedly show that even smart TVs have been converted to surveillance tools by secret services. Your thoughts?
I am not in the least surprised by that report. In fact, I am not in the least surprised that the CIA would have such tools. I would have been surprised had they not had such tools. Frankly, it is not only the CIA, every single intelligence agency I know – and I know a few dozen – has those kind of tools. So we should presume intelligence agencies have those kind of tools. What is news is not that they have the tools but that somebody managed to hack into something that has given the public access to these tools. Which kind of goes back to my argument saying that this is too much of a risk, we can’t even trust the intelligence agencies to keep their own data secure. So why on earth do you insist on carrying out bulk collection of data? It’s not secure, you cannot guarantee its security anymore than you can guarantee the security of your hacking tools. So please don’t go that way.
When you take those tools and couple them with bulk acquisition then we are in a situation which is worse than 1984. We are always connected, so the fact that they can even get into smart TVs, big deal. Anything, which depends on an operating system, you can bet that the security services or a talented hacker can get into. If you want maximum privacy, my advice is very simple: take all your electronic devices and switch them off. It’s not necessarily the secret services [who could be tracking you], it could be a jilted lover – very often it is [that] (Laughs).
In India, activists have raised privacy concerns of submitting biometric details to the government through the Aadhaar number system — especially voicing concerns around vulnerable sections such as women rescued from trafficking, young children and the disabled — as well as highlighting the possibility of data leakages from the system. Is that a concern for you?
It is a concern. When you are gathering biometric data, you are actually going past a very dangerous zone because you have created the possibility of the biometric data being stolen, which then defeats the whole purpose of it having been collected in the first place. I understand the motivation of the previous government and this government in India going towards such a system. The Indian government actually has a significant problem in how to effectively make sure, for example, that the assistance it plans to give various minority groups in India actually gets to those people. This is what we have seen in the past. The problems in the banking system in rural India compound that.
You need to come up with a scheme to make sure that if you want to transfer something to help a person then you need a secure identification system and the question which arises is: is biometrics proportionate? Is it a proportionate response? I think it is a complex question. I don’t think the issue has been finally settled. I would be very happy to carry out a discussion together with the activists and the government of India to explore it further. Because you have to see also what the risks are. And the risk is that if biometric data is stolen then the genie really is out of the bottle. I can understand the activists who raise concerns. I can understand why the government did it.