Public authorities involved in the prevention and investigation of acts of terrorism and potential terrorist conspiracies have shown great interest in ensuring that the records generated by communications service providers (e.g., public and private companies providing telecommunications and Internet services) are available to them for the prevention, investigation and prosecution of serious crime, including terrorism.
An accompanying source of privacy related concern has been the growing practice of some intelligence agencies to gather bulk information about their citizens using telephone and Internet networks as part of their counter-terrorism efforts (Council of Europe, Parliamentary Assembly, 2015(b), paras. 1-3). Such bulk information usually contains descriptive information about other data and is called 'metadata' (Council of Europe, Parliamentary Assembly, 2015(a), para. 18). An example of metadata is the Internet Protocol address associated with a computer from which an individual had sent an email (Council of Europe, Parliamentary Assembly, 2015(b), para.12). Other examples are a list of telephone numbers which an individual dialled on a particular day, or a list of websites which an individual has visited.
The fact that the causes of terrorism include psychological and sociological factors provide a partial explanation as to why intelligence services are often keen to collect metadata as part of their efforts to identify terrorist networks. It is known that terrorists recruit through social networks and social media (Taylor, 2016). If one can monitor individuals who actively expand their networks and post violent ideological messages on social media then one could come closer to identifying individuals who might potentially be involved in recruiting for, or joining terrorist groups. Additionally, social groups use symbols to identify themselves and their cause as part of disseminating propaganda, radicalizing and recruiting individuals around a cause. By gathering metadata associated with symbols associated with terrorist groups or their causes, intelligence agents could locate individuals who support a terrorist cause.
Moreover, one can potentially learn about potential causes of social conflict, and drivers of violent extremism through collecting information about the types of Internet activities individuals engage in. Intelligence and law enforcement agencies could use this information to engage more effectively with local communities as part of broader terrorism prevention strategies. Despite such potential benefits, there is an accompanying nervousness among citizens regarding the potential for any gathered information to be too intrusive or extensive in nature. This is illustrated by a poll conducted in 2017 in the US, which found that three quarters of adults opposed sharing their metadata with the intelligence agency to help thwart terrorist plots (Ruvic, 2017).
Several contemporary issues in terms of tensions existing between privacy rights and national security imperatives were covered thus far, but there are other issues that could have been discussed as well, such as the collection, storage and use of biometric data, or the gathering by CCTV as part of border security (Bustard, 2015).
While some governments argue that metadata collection attracts less protection under the right to privacy than the direct interception of communications because metadata does not contain the content of communications (General Assembly, Human Rights Council report 27/37, para. 19), such assertions are strongly contested by civil society and human rights defenders. Of particular concern has been how to hold governments adequately to account for the data they collect, through what means and how they use as well as share the information. Due to its often 'liquid' nature, being fluid and movable, it can be very difficult to detect where the information goes and how government organs use it (Lyon, 2016). A related concern is where States with strong human rights protections may wish to acquire intelligence from allies with less stringent privacy laws and/or safeguards (Council of Europe, Parliamentary Assembly, 2015(b), para. 30).
Metadata presents a unique challenge for lawyers because a single piece of metadata may reveal little about an individual. For example, some members of civil society have been advocating for the treatment of metadata on the same footing as content under the auspices of the right to privacy (Conley, 2014, p.2). They used the 'mosaic theory', a method of gathering data used by security analysts, to argue that it is misleading to distinguish between data and metadata (Conley, 2014, pp. 17-20). The core of the mosaic theory is that while one may learn little from one piece of information, one can acquire an in-depth understanding about an individual's activities through combining multiple pieces of information contained in metadata ( United States v. Maynard, 2010, paras. 561-563). For instance, computer scientists found that they can determine an individual's ethnicity and relationship status based on the location of that person's mobile telephone (Altshuler et al., 2012, pp. 969-974). The contacts an individual has on social media, such as Facebook, can reveal the individual's interests and his or her social circle. By looking at the locations of mobile telephones of individuals someone associates with, one can predict where the individual in question will travel in the future (Conley, 2014, p. 6). Certainly, the potential for social media data to be misused by any entity (public or private) has been starkly illustrated by the revelation that Cambridge Analytica may have been harvesting the data of an estimated 87 million Facebook users in an attempt to influence the outcome of the US elections in 2016 (Badshah, 2018).
Clearly, such intelligence gathering tools are of considerable benefit to intelligence agencies and law enforcement officials though, interestingly, the Parliamentary Assembly of the Council of Europe has questioned their efficacy in terms of counter-terrorism prevention (Council of Europe, Parliamentary Assembly, 2015(a), para.11). The use of new artificial intelligence technologies enables government officials to learn a great deal from metadata. Such technologies can sift through vast amounts of data and organize it into categories (Coughlin, 2017). For instance, in analysing small bank transactions to identify suspicious money transfers, artificial intelligence software could build a complex snapshot of how account holders manage their money (Lapowsky, 2017) which could facilitate the detection of money laundering or terrorist financing activities. Indeed, the collection of metadata can reveal more information about an individual's behaviour, preferences and social relationships than an interception of the content of a single communication. See Digital Rights Ireland Ltd. v. Ireland (below).
A parallel contemporary issue - not examined in any detail here - relates to the use by law enforcement agencies of any open source intelligence, including but not confined to social media data, and how such data may be turned into evidence admissible in court (de Busser, 2014).
Similar sentiments have been raised within the United Nations and regional human rights frameworks. In December 2013, the General Assembly adopted Resolution 68/167, motivated by concern regarding the potential negative consequences of such mass data surveillance capability and techniques. In addition to urging States to protect the right to privacy of individuals when they are both on and offline, the General Assembly called on all States to review their legislation, procedures and practices governing communications surveillance, the collection of personal data, and the interception of personal communications.
In 2017, the Human Rights Council adopted a resolution in which it exhorted States to respect and protect the right to privacy while countering terrorism, including in the context of digital communication. It encouraged States to adopt procedures, practices and legislation which complies with international human rights standards regarding the surveillance of communications, their interception, and the collection of personal data. Furthermore, the Council called on States to undertake prompt, independent and impartial fact-finding inquiries in cases where there is an indication that a government agent had breached international human rights obligations, and to punish such violations using criminal sanctions (A/HRC/35/L.2, paras. 20 and 24).
Other United Nations entities have expressed concern also regarding such 'dragnet' surveillance measures contravening the right to privacy. Notably, whilst confirming that States could invoke the ground of national security as a legitimate aim to limit the enjoyment of the right to privacy to counter the threat of terrorism, the Office of the United Nations High Commissioner for Human Rights considers mass surveillance programmes, which collect bulk information about individuals to be arbitrary despite this legitimate aim. It regarded the impact of such programmes on the enjoyment of the privacy of the citizens to be greater than the harm being averted (General Assembly, Human Rights Council report 27/37, paras. 15, 23 and 25). Parallel concerns have been expressed by the United Nations Special Rapporteur on the protection of human rights while countering terrorism, (General Assembly, Human Rights Council report 34/61), and by other regional special mandates holders such as the Inter-American Commission's Special Rapporteur for freedom of expression who believed the practice of mass surveillance constitutes an arbitrary collection of personal data (IACommHR, 2013, paras. 150-151).
Similarly, there have been cross-regional human rights system outputs, such as the joint statement issued in June 2013 by the United Nations Special Rapporteur on the protection of freedom of opinion and expression, and the Inter-American Commission on Human Rights (IACommHR) Special Rapporteur for freedom of expression. One notable recommendation that they made was that States should make certain information about surveillance programmes public, such as details regarding their regulatory framework. They were further of the view that any information collection activities of those suspected of involvement with terrorist organizations should be targeted in nature. This has been the view also of the Parliamentary Assembly of the Council of Europe (Council of Europe, Parliamentary Assembly, 2015(c), para.3). On a separate occasion, a Joint Declaration on Freedom of Expression and the Internet was issued by the United Nations and regional special mandate holders on freedom of opinion and expression, seeking to re-iterate basic norms regarding the treatment of Internet data.
A further area of concern that has been raised by some, including the United Nations Special Rapporteur about human rights defenders, is the misuse of digital surveillance by some States as a means of monitoring, collecting data and, in some instances, also intimidating political opponents, human rights defenders and journalists. This can have the effect of not only violating the right to privacy, but also other fundamental rights such as freedom of opinion and expression (Council of Europe, Parliamentary Assembly, Committee on Legal Affairs and Human Rights, 2015). Some such measures are also discriminatory in that they target only non-nationals. In some instances, the surveillance methods employed, which target particular groups, can also serve to deepen existing levels of discriminatory. These and other issues relating to discrimination in a counter-terrorism context are examined in more detail in Module 13.
Both the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR) have made determinations regarding interference with privacy attributable to mass data surveillance measures.
In a very important case, the CJEU in the case of Digital Rights Ireland Ltd. v Ireland held that the Data Retention Directive was a disproportionate interference with the right to privacy (para. 69; Maximillian Schrems v. Data Protection Commissioner, 2015). In doing so, it made several observations of wider relevance. One was that metadata about communications in which an individual engaged "taken as a whole may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained" ( Digital Rights Ireland Ltd. v Ireland, 2014, paras. 26-27). Another was that the storage and potential subsequent use of metadata without the user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance (at para. 37). The overall impact of this case would appear to be that individuals have an equal expectation to privacy regarding both communication content and metadata.
The interpretation of the right to privacy of CJEU is wider than that adopted by ECtHR. This is illustrated by the case of Szabó and Vissy v. Hungary in which the claimants argued that the authorities could interpret the legislation as allowing them to intercept the communications of any citizen in Hungary (2016, para. 69). ECtHR held that States enjoy "a certain margin of appreciation" in accommodating the right to privacy and the legitimate aim of protecting national security against the terrorist threat. Since surveillance measures may undermine democracy in the guise of defending it, it is important that States adopt adequate and effective guarantees when they authorize interferences with the right to privacy. In reviewing the lawfulness of the interference, a Court has to determine whether the procedures for supervising the ordering and implementation of the restrictive measures are such as to keep the "interference" to what is "necessary in a democratic society" (2016, para. 57).
In assessing the necessity of the measure, the Court considers the nature of the measure interfering with the right to privacy, its scope and duration, the grounds required for ordering the measure, the authorities competent to authorize the interference, what mechanisms of supervision are employed over the relevant bodies, and what remedies are available. The Court focuses on whether the State adopted sufficient safeguards rather than on whether a particular measure was disproportionate ( Szabó and Vissy v. Hungary, 2016, paras 57-77). For example, although the conduct of surveillance over citizens without their knowledge and the interception of their communications may be necessary in exceptional circumstances, the legislation should give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities can resort to such measures. By focusing on whether the interference with the right to privacy was necessary in a democratic society to achieve a legitimate aim and on whether the State adopted adequate procedural safeguards, the court did not fully engage with all issues regarding the practice of mass surveillance of citizens.
Computer scientists are developing new protocols to enable law enforcement officials to access metadata possessed by communication companies to investigate crimes without interfering with the right to privacy of individuals. The implementation of such protocols will create a situation where law enforcement officials will be able to have partial access to metadata without the requirement to obtain a court order. They will have greater freedom to use metadata during investigating crimes, such as terrorist bombings.
An example of such a protocol would be where law enforcement agencies can locate the suspect of a crime by establishing that that individual was at particular locations at particular points in time through intersecting information. An illustration is a telephone number located in locations A and B between 3pm and 4pm on a particular date. Mobile telephone data can yield such information. Multiple independent agents should be involved so that each one would have only partial access to the information and therefore would be unable to associate the data with any particular individual. The agents would then share their findings. In cases where the cumulative information satisfies the requisite evidentiary requirement and a judge issues a warrant authorizing the interception of mobile telephone information, the agents can decrypt the information to identify the user of the telephone number in question (Segal, Ford, Feigenbaum, 2014).
Some argue that selective searches enhance national security while strengthening the protection of civil liberties. What is important is not the quantity of information. Rather the quality of the data and its analysis matter for identifying terrorists. Agencies should have partial access to metadata. They should search for associations between individuals and particular subject-based queries, such as locations or should analyse metadata to identify "suspicious" patterns of activity (Popp and Pindexter, 2006, pp. 23 and 24).
A potential shortcoming of privacy-preserving protocols is that they are harder to use to detect the planning of terrorist offences. Law enforcement and intelligence officials need to know what kind of information to look for as well as the type of association which exists between the suspect and the information in order to know what sample of metadata to sweep through.
Similarly, the gathering of global positioning system (GPS) surveillance information (whether through the surreptitious placement of a GPS device in a suspect's car, or by obtaining location information through the metadata generated by a mobile phone) has the potential to interfere seriously with the right to privacy, as well as rights to freedom of expression and association. As pointed out in a 2012 judgment of the United States Supreme Court:
GPS monitoring generates a precise, comprehensive record of a person's public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations … The Government can store such records and efficiently mine them for information years into the future. … And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: 'limited police resources and community hostility ...'. ( United States v. Jones, 2012; Concurring Opinion of Justice Sotomayor, para. 955).
Awareness that a government may be watching can impact negatively upon associational and expressive freedoms, especially due to any accompanying potential for data assembled to be misused. The net result is that GPS monitoring - by making available at a relatively low cost such a substantial quantum of intimate information about any person whom the government, in its unfettered discretion, chooses to track - may "alter the relationship between citizen and government in a way that is inimical to democratic society" ( United States v. Jones, 2012, para. 956).
This and other technologies can commonly pose rule of law concerns in the domains of privacy and intelligence-gathering more generally, especially since the speed at which new and emerging technologies develop are often much faster than it is possible for the relevant legal instruments to respond to.