Last 21 December, we published a post entitled When Law Isn’t Enough . with a hope that 2014 would be the year that the global community unites to confine the ambit of data collection for national security purposes to those truly exceptional circumstances where the public interest objectively outweighs an individual’s right to privacy.
One year on, it’s time to reflect on the progress that has been made towards this goal.
The potential privacy impact of metadata has been formally acknowledged at the UN level in the resolution The right to privacy in the digital age  adopted by the Third Committee this month. This means that “… respecting and protecting the right to privacy …” (one of the calls upon States contained in the resolution) should include metadata.
The Office of the High Commissioner on Human Rights, in the report on the right to privacy in the digital age  concluded that:
Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association.
Unfortunately, this conclusion is not specifically reflected in the recent UN resolution. This would have been a very useful addition because a formal recognition by UN members might have finally put an end to one of the arguments made by States in defence of pervasive observation and data collection, namely that privacy only becomes a concern at the point where data is actually “used”.
UN members emphasize in both resolutions that unlawful or arbitrary surveillance or interception of communications violates the right to privacy. However, they stop short of saying what is or is not unlawful or arbitrary. Consequently, we have to ask, are we actually any closer to achieving the objective? Or, is it business as usual because States interpret lawful and not arbitrary as it suits their national security needs? Given the inherent covert nature of pervasive surveillance, its probably going to be impossible to gauge whether pervasive surveillance practices have materially changed.
In Europe, where data protection is a fundamental right, the EU Article 29 Working Party goes further in its recent declaration , stating that:
Secret, massive and indiscriminate surveillance of individuals in Europe, whether by public or private players acting in an EU Member State or from elsewhere, is neither lawful with regard to the EU Treaties and legislations nor ethically acceptable.
This is a significant statement for two reasons. First, it is a declaration that pervasive surveillance is not lawful. Second, it purposefully raises the ethical dimension. This important aspect is reinforced in the third paragraph of the declaration:
Technology is a medium that must remain at the service of man. The fact that something is technically feasible, and that data processing may sometimes yield useful intelligence or enable the development of new services, does not necessarily mean that it is also socially acceptable, ethical, reasonable or lawful.
The Internet Society has been arguing for some time now that the standard the international community should apply with respect to surveillance, and data governance in general, is not one of strict legality, but rather what is ethical.
While diplomatic and policy communities have been considering the legal and ethical dimensions of surveillance, other communities have been exploring their own attitudes regarding pervasive surveillances and what action (if any) they would take. We’ve already discussed many of these initiatives in earlier blog posts, so I’ll just mention a growing recognition among some groups of the societal value in offering Internet users (from all sectors) the option of protecting the confidentiality of their online communications through encryption. For example, the Internet Architecture Board recently issued a statement  that encryption should be the norm for Internet traffic.
So, in summary, where do we stand one year on?
Pervasive surveillance of online communications is probably still a reality for many Internet users. Even if the position of the Article 29 Working Party were to be held unanimously internationally, there would still be a spectrum of views as to what constitutes massive or indiscriminate surveillance. The situation is unlikely to change appreciably unless states, of their own volition, wind back their mass surveillance programs in favour of a more case-by-case targeted approach. The question then is, what would persuade states to move on from the status quo.
If we, as a global community, are to make any meaningful progress towards protecting the privacy rights and expectations of individuals on the Internet, in the context of surveillance in pursuit of national security objectives, we face hard questions about what is and is not acceptable. We will not only have to understand and face up to those questions, but also find answers which persuade policymakers that change is both necessary and in their longer term interest for a trusted global Internet.