The UN High Commissioner for Human Rights has released an excellent report today on the right to privacy in the digital age, blasting the digital mass surveillance that the U.S., the U.K., and other world governments have been conducting unchecked. The report is issued in response to a resolution passed with unanimous approval by the United Nations General Assembly in November 2013. That resolution was introduced by Brazil and Germany and sponsored by 57 member states.

This report turns the tide in the privacy debate at the United Nations and opens the door for more substantive scrutiny of states’ surveillance practices and their compliance with international human rights law. The report elaborates on issues EFF has long championed, and which are deeply integrated into our 13 Principles and its legal background paper, which have been signed by more than 400 organizations and 350,000 individuals. The report has also supported the five recommendations that EFF, Access, and Privacy International, along with APC, Article 19, Human Rights Watch, and WebWeWant, submitted to the Office of the High Commissioner for Human Rights.

We’ve pulled out some highlights from today’s publication that merit further analysis, but the main point is this: With respect to privacy in the digital age, an interference with an individual’s right to privacy is only permissible under international human rights law if it is necessary and proportionate.

Forget The “Haystack”

The report issues a powerful condemnation of the “collect-it-all” justification that an infinitely large “haystack” of personal data must be accumulated in order to find the needles. The report points out that few "needles" have been uncovered, and that in any event:

Mass or “bulk” surveillance programmes may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.

The second part of that passage, emphasis added, is critical: it gives guidance that the proper measure of a mass surveillance program is not its effectiveness in a vacuum, but whether the surveillance is both necessary and proportionate.

Metadata Matters

EFF has long called for moving beyond the fallacy that information about communications is somehow inherently less privacy-sensitive than the communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and its collection can be just as invasive as reading your email or listening to your phone calls—and sometimes more so. What is important is not the kind of data collected, but the effect on the privacy of the individual.

The report agrees, debunking the argument that “interception or collection of data about a communication, as opposed to the content of the communication, does not on its own constitute an interference with privacy.” It argues, “From the perspective of the right to privacy, this distinction is not persuasive. The aggregation of information commonly referred to as 'metadata' may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication.”

Monitoring Equals Surveillance

Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual "surveillance" has occurred and thus whether human rights obligations apply. Some suggest that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not "surveillance" for purposes of triggering legal protections again, unless the analysis is by human eye. These interpretations are used to give a pass to the mass collection and monitoring of communications, enabling governments to engage in broad dragnet collection where the law only supports narrowly targeted investigation.

The report cited the European Court of Justice on data retention to dispel those interpretations. The report makes clear that:

“any capture of communications data is potentially an interference with privacy and, further, that the collection and retention of communications data amounts to an interference with privacy whether or not those data are subsequently consulted or used. Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association.”

(Again, emphasis added.)

Mandatory Data Retention Is Unnecessary and Disproportionate

EFF has long held that government-mandated data retention impacts millions of ordinary users, compromising the online anonymity that is crucial for whistle-blowers, investigative journalists, and others engaging in political speech.

The report calls data retention mandates unlawful, saying:

“Mandatory third party data retention, a recurring feature of surveillance regimes in many States, where Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access, appears neither necessary nor proportionate.”

Shut the Backdoor: Re-use of Data

As EFF has noted here, here and in the legal background to the 13 Principles, many national frameworks lack “use limitations,” allowing data collected for one legitimate aim to be subsequently used for others.

The report also emphasized that point. The report explained that the absence of effective use limitations has been exacerbated since September 11, 2001, with the line between criminal justice and protection of national security blurring significantly. The resultant sharing of data between law enforcement agencies, intelligence bodies and other State organs risks violating Article 17 of the Covenant on Civil and Political Rights, because surveillance measures that may be necessary and proportionate for one legitimate aim may not be so for the purposes of another.

No Secret Law

EFF has long held that the basis and interpretation of surveillance powers must be on the public record, and that rigorous reporting and individual notification (with proper safeguards) must be required. The absence of transparency in surveillance laws and practices reflects a lack of compliance with human rights and the rule of law. Secret laws—whether about surveillance or anything else—are unacceptable. The state must not adopt or implement a surveillance practice without public law defining its limits. The report agreed:

Secret rules and secret interpretations, even secret judicial interpretations, of law do not have the necessary qualities of “law”. Neither do laws or rules that give the executive authorities, such as security and intelligence services, excessive discretion; the scope and manner of exercise of authoritative discretion granted must be indicated (in the law itself, or in binding, published guidelines) with reasonable clarity. A law that is accessible, but that does not have foreseeable effects, will not be adequate. The secret nature of specific surveillance powers brings with it a greater risk of arbitrary exercise of discretion which, in turn, demands greater precision in the rule governing the exercise of discretion, and additional oversight.

Human Rights Law Does Not Discriminate For “Foreigners”

This new report underscores the value that the UN places on “measures to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity regardless of the nationality or location of individuals whose communications are under direct surveillance.”

Again, this position is supported by our previous submissions, available here and here and here. In the words of the report:

If a country seeks to assert jurisdiction over the data of private companies as a result of the incorporation of those companies in that country, then human rights protections must be extended to those whose privacy is being interfered with, whether in the country of incorporation or beyond. This holds whether or not such an exercise of jurisdiction is lawful in the first place, or in fact violates another State’s sovereignty.

We have seen precisely these questions raised, and not always answered satisfactorily, in cases like the demands to Twitter for information on Wikileaks supporters or Chevron’s demands for email data to Twitter, Google and Yahoo.

This conclusion is equally important in the light of ongoing discussions on whether “foreigners” and “citizens” should have equal access to privacy protections within national security surveillance oversight regimes. If there is uncertainty around whether data are foreign or domestic, intelligence agencies will often treat the data as foreign (since digital communications regularly pass “off-shore” at some point) and thus allow them to be collected and retained. The result is significantly weaker—or even non-existent—privacy protection for foreigners and non-citizens, as compared with those of citizens.

In another passage, which we quote here at length, the report echoes arguments we made with Article 19 in our legal analysis of the Necessary and Proportionate Principles, that everybody is entitled to equal protection before the law.

International human rights law is explicit with regard to the principle of non-discrimination. Article 26 of the International Covenant on Civil and Political Rights provides that “all persons are equal before the law and are entitled without any discrimination to the equal protection of the law” and, further, that “in this respect, the law shall prohibit any discrimination and guarantee to all persons equal and effective protection against discrimination on any ground such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.” In this regard, the Human Rights Committee has underscored the importance of “measures to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity regardless of the nationality or location of individuals whose communications are under direct surveillance.”

Right to an Effective Remedy and Notification

Quite impressively, the report lays out four characteristics that effective remedies for surveillance-related privacy violations must display. Those remedies must be “known and accessible to anyone with an arguable claim.” This means that notice is critically important, and that people must be able to challenge the legality of the surveillance program without having to prove that their particular communication was monitored or collected.

EFF has always said that the notification principle is essential in fighting illegal or overreaching surveillance. Individuals should be notified of authorization of communications surveillance with enough time and information to enable them to appeal the decision, except when doing so would endanger the investigation at issue.

The report continues, stressing the importance of a “prompt, thorough and impartial investigation”; a need for remedies to actually be “capable of ending ongoing violations”; and noting that “where human rights violations rise to the level of gross violations...as criminal prosecution will be required”.

No Tech Backdoors

EFF has said no law should impose security holes in our technology in order to facilitate surveillance. Diminishing the security of hundreds of millions of innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted.

The report supports that conclusion, stating that: “The enactment of statutory requirements for companies to make their networks “wiretap-ready” is a particular concern, not least because it creates an environment that facilitates sweeping surveillance measures.”

Company Complicity

Finally, the report addresses the issue of when companies should and should not assist states with technology or with access to user data—and what obligations those companies have when there is an overreach.

The Guiding Principles clarify that, where enterprises identify that they have caused or contributed to an adverse human rights impact, they have a responsibility to ensure remediation by providing remedy directly or cooperating with legitimate remedy processes. The responsibility to respect human rights applies throughout a company’s global operations regardless of where its users are located, and exists independently of whether the State meets its own human rights obligations.

***

In conclusion, this new report constitutes an impressive and thorough new addition to the global debate about privacy and mass surveillance. It stresses the applicability of human rights law to areas where overreaching governments have tried to claim no law applies, and pushes for greater accountability and transparency for the institutions engaging in wholesale privacy violations. From the report:

International human rights law provides a clear and universal framework for the promotion and protection of the right to privacy, including in the context of domestic and extraterritorial surveillance, the interception of digital communications and the collection of personal data. There is a clear and pressing need for vigilance in ensuring the compliance of any surveillance policy or practice with international human rights law, including the right to privacy, through the development of effective safeguards against abuses. Steps should be taken to ensure that effective and independent oversight regimes and practices are in place, with attention to the right of victims to an effective remedy.

The full report is available online, as are the opening remarks by High Commissioner Navi Pillay at the press conference held in Geneva Wednesday.

For more information, visit the OHCHR page on the Right to Privacy in the Digital Age.