A very insightful article in the Economist regarding on line privacy and regulation of the net.
December 12, 2012 |
The Economist has written a very interesting story on recent developments in on line privacy in Difference Engine: Nobbling the internet .
It provides:
TWO measures affecting the privacy internet users can expect in years ahead are currently under discussion on opposite sides of the globe. The first hails from a Senate committee’s determination to make America’s online privacy laws even more robust. The second concerns efforts by the International Telecommunications Union (ITU), an intergovernmental body under the auspices of the United Nations, to rewrite its treaty for regulating telecommunications around the world, which dates from 1988, so as to bring the internet into its fief.
Many fear the ITU’s moves would curtail the internet’s freedom from government meddling, its end-to-end anonymity and its openness to all comers—to say nothing of the surge in commerce and innovation it has stimulated. Neither measure is yet set in concrete. Both have the potential to change the status quo considerably: in Washington, unquestionably for the better; in Dubai, assuredly for the worse.
The good news first. The congressional measure, approved overwhelmingly by the Senate Judiciary Committee on November 29th, would require criminal investigators to obtain a search warrant from a judge before being able to coerce internet service providers (ISPs) to hand over a person’s e-mail. The measure would also extend this protection to the rest of a person’s online content, including videos, photographs and documents stored in the “cloud”—ie, on servers operated by ISPs, social-network sites and other online providers.
Updating the Electronic Communications Privacy Act of 1986 in this way would grant an individual’s online content the same protection under the Fourth Amendment of the Constitution (freedom from unreasonable search and seizure) that has long been afforded to postal mail, phone calls and documents within a person’s home.
At present, a warrant is needed only for unread e-mail less than six months old. If it has already been opened, or is more than six months old, all that law-enforcement officials need is a subpoena. In America, a subpoena does not need court approval and can be issued by a prosecutor. Similarly, a subpoena is sufficient to force ISPs to hand over their routing data, which can then be used to identify a sender’s various e-mails and to whom they were sent. That is how the FBI stumbled on a sex scandal involving David Petraeus, the now-ex director of the CIA, and his biographer.
The six-month criterion came about because, back in the 1980s, legislators never expected e-mail to become such a dominant form of communication. Data storage was then hugely expensive, so what little e-mail traffic existed at the time tended to be downloaded and read immediately. No-one imagined that ISPs would one day offer gigabytes of online storage free—as Google, Yahoo!, Hotmail and other e-mail providers do today. The assumption back then was that if someone had not bothered to download and delete online messages within six months, such messages could reasonably be considered to be abandoned—and therefore not in need of strict protection.
Cheap storage, wholesale access to the internet, powerful mobile phones and ubiquitous social networking have dramatically increased the amount of private data kept online. In the process, traditional thinking about online security has been rendered obsolete. For instance, more and more people nowadays keep their e-mail messages on third-party servers elsewhere, rather than on their own hard-drives or mobile phones. Many put their personal details, contacts, photographs, locations, likes, dislikes and inner thoughts on Google, Facebook, Twitter, Flickr, Dropbox and a host of other destinations. Bringing online privacy requirements into an age of cloud computing is only fit and proper, and long overdue.
The Justice Department claims that moves to reform the 1986 act would impede criminal and national security investigations. That is not necessarily true. Federal agents will still be able to rifle through a person’s online inbox, social-network posts and other data stored on cloud-based services if they have good reason to believe a crime has been committed. That is certainly the case in Ohio, Michigan, Kentucky and Tennessee, which adopted warrant requirements in 2010 after an appeals court ruled warrentless access to people’s e-mail unconstitutional. Many believe that updating the law will clear the “murky legal landscape” for companies and consumers alike—and provide proper safeguards for the vast amount of personal information currently stored in server farms.
With little time left, the bill applying the Fourth Amendment to the internet is unlikely to be put to a full vote in the Senate before the end of the year. But it is likely to be taken up early in 2013. Given the strong bipartisan support in committee, it could well be on the statute book later next year.
Contrast that with the ITU’s attempt to regulate the internet, currently underway at the World Conference on International Telecommunications in Dubai. When drafted in 1988, the ITU’s regulations covering cross-border telecommunications contained no reference to the internet—which, at the time, was a rudimentary set of network interconnections used by researchers in America, where the technology was invented.
As a consequence, the international telecoms treaty that emerged focused on how telephone traffic flows across borders, the rules governing the quality of service and the means operators could adopt to bill one another for facilitating international calls. As such, the regulations applied strictly to telecoms providers, the majority of which were state owned.
That is what the ITU wants to change. The main objective of the conference in Dubai is to broaden the definition of “telecommunications” to include the internet—in the name of bridging the digital divide and bringing the full benefits of the web to the poor of the world.
But do not be overly swayed by the professed ideals. The goal of certain factions is to grant governments the authority to charge content providers like Amazon, Google, Facebook and Twitter for allowing their data to flow over national borders. If enacted, such proposals would most certainly deter investment in network infrastructure, raise costs for consumers, and hinder online access for precisely those people the ITU claims it wants to help.
More ominously, granting the ITU jurisdiction over the internet would allow tyrants to legitimise their actions when silencing online critics. As it is, the governments of China, Russia, North Korea, Iran and now Syria already censor their citizens’ use of the internet. When threatened by popular uprisings, some have taken to hitting the “kill switch” to shut down the internet within their borders altogether—as happened recently when Syria went offline for several days. Some governments are also keen to ban anonymity on the internet, making it easier to find and arrest dissidents, notes Vint Cerf, one of the fathers of the internet and currently Google’s chief internet evangelist.
Going a step further, Russia has submitted a proposal to the ITU conference in Dubai that would shift oversight of the internet, including the allocation of domain names and numbers, to an international body. Were that to happen, it would effectively grant those in power the authority, under international law, to prevent web addresses from being assigned to political opponents—curtailing their ability to use the internet to address the public directly. At present, the allocation of domain names is handled by the Internet Corporation for Assigned Names and Numbers, a non-profit organisation based in Los Angeles that is protected by the full weight of the American constitution.
So far, a proposal sponsored by the United States and Canada to restrict the debate in Dubai strictly to conventional telecoms has met with a modicum of success, despite stiff opposition from Russia plus some African and Middle-Eastern countries. Behind closed doors, the conference has agreed not to alter the ITU’s current definition of “telecommunications” and to leave the introductory text concerning the existing treaty’s scope intact.
The sticking point has been what kind of organisations the treaty should apply to. Here, one word can make a huge difference. In ITU jargon, the current treaty relates only to “recognised operating agencies”—in other words, conventional telecoms operators. The ITU wants to change that to simply “operating agencies”. Were that to happen, not only would Google, Facebook and other website operators fall under the ITU’s jurisdiction, but so too would all government and business networks. It seems the stakes really are as high as the ITU’s critics have long maintained.
The interesting aspect of the article is it highlights the fact that in America Fourth Amendment concerns about privacy are quite alive and well.
In January 2012 the United States Supreme Court in United States v Jones held unanimously that the placement of a GPS device on a vehicle and then using it to monitor the vehicles movements constituted a search under the Fourth Amendment and required a warrant, which the Government did not obtain during the relevant period. The headnote relevantly provides:
(a) The Fourth Amendment protects the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Here, the Government’s physical in- trusion on an “effect” for the purpose of obtaining information constitutes a “search.” This type of encroachment on an area enumerated in the Amendment would have been considered a search within the meaning of the Amendment at the time it was adopted. Pp. 3–4.
(b) This conclusion is consistent with this Court’s Fourth Amendment jurisprudence, which until the latter half of the 20th century was tied to common-law trespass. Later cases, which have deviated from that exclusively property-based approach, have applied the analysis of Justice Harlan’s concurrence in Katz v. United States, 389 U. S. 347, which said that the Fourth Amendment protects a person’s “reasonable expectation of privacy,” id., at 360. Here, the Court need not address the Government’s contention that Jones had no “reason- able expectation of privacy,” because Jones’s Fourth Amendment rights do not rise or fall with the Katz formulation. At bottom, the Court must “assur[e] preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted.” Kyllo v. United States, 533 U. S. 27, 34. Katz did not repudiate the understanding that the Fourth Amendment embodies a particular concern for government trespass upon the areas it enumerates. The Katz reasonable-expectation-of-privacy test has been added to, but not substituted for, the common-law trespassory test. See Alderman v. United States, 394 U. S. 165, 176; Soldal v. Cook County, 506 U. S. 56, 64. United States v. Knotts, 460 U. S. 276, and United States v. Karo, 468 U. S. 705—post-Katz cases rejecting Fourth Amendment challenges to “beepers,” electronic tracking devices representing another form of electronic monitoring—do not foreclose the conclusion that a search occurred here. New York v. Class, 475 U. S. 106, and Oliver v. United States, 466 U. S. 170, also do not support the Gov- ernment’s position. Pp. 4–12.
Similarly the FTC has highlighted the lack of privacy protections and potential breaches of privacy laws. This was reported on in the Guardian’s Most children’s apps are failing on privacy, FTC finds. That said while there are both state and federal statutes protection privacy and some constitutional protection under the Fourth Amendment the width and breadth of that protection is inconsistent and usually inadequate. In the media sphere the First Amendment tending to trump privacy rights are well known. But, notwithstanding the focus of the debate being freedom of expression v privacy that is only one small part of the issue though the most publicly ventilated in debate. It has never been only about privacy and the media. There are tensions between freedom of speech and privacy but not all, or even the majority of, privacy issues relate to the operation of the media. Intrusions by government and other citizens into the private space of a person has been at the core of the issue since privacy was first the subject of jurisprudence in the fourteenth century. As both Lord Justice Leveson (not the darling of the media at the moment courtesy of the Leveson Report) in a speech to the Communications Law Centre, University of Technology last week (post here) and Lord Neuberger, in a speech on 28 November 2012 (post here), observed that privacy can complement, and is criticial for the existence of, freedom of expression in certain circumstances.
Interestingly a UK parliamentary committee report has been highly critical of the draft Communications Data Bill which expands power for law enforcement to collect web, email and call data according the ZDNet in U.K. Web, email snooping draft law dead, at least for now. It provides:
The U.K. government is to go back to the drawing board with its plans to monitor U.K. Web, email and call traffic, after the leader of the government’s coalition partner called for a “rethink” to the bill.
The move was expected after reports surfaced earlier late last month that the Liberal Democrat leader and U.K. deputy prime minister Nick Clegg was gearing up to block the bill if necessary, according to sources speaking to the BBC.
Clegg’s comments today follows a U.K. parliamentary committee criticized the bill after months of scrutiny, and warned that the law — if passed by Parliament — would be able to demand “potentially limitless categories of data.”
Downing Street said that it “accepts” the criticisms of the bill by members of parliament (MPs) and the bill would be re-written. A Home Office spokesperson said that there can “be no delay to this legislation,” adding that it is “needed by law enforcement agencies now.”
It’s not yet clear how long it will take for the bill to be re-written, but it is unlikely that a future draft bill will not be presented before Parliament before mid-to-late 2013 at the very earliest.
The joint committee of MPs, who wrote a 101-page report into the draft law, said the bill was too wide-ranging. The report was published this morning.
“Our overall conclusion is that there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft bill is too sweeping, and goes much further than it need or should,” the committee concluded.
“We will take account of what the committee said,” said a Downing Street spokesperson speaking to the BBC News.
The draft bill, dubbed the “snoopers’ charter,” but officially called the Communications Data Bill, would give the police, intelligence services and other U.K. government departments to have access to data relating to citizens Web, email and phone traffic in a bid to prevent terrorism and disrupt major crime.
It would see “communications data” — such as which Web sites were being visited, where an email is going, and who is at the other end of a phone call — recorded for later inspection, if someone is suspected of a serious crime. This would be open to the aforementioned authorities without a court-ordered search warrant.
However, the contents of such data — including emails and phone conversation transcripts — would still require a court order before U.K. authorities have it handed to them.
The U.K.’s data and privacy chief, Sir Christopher Graham, warned in October that the bill would be ineffective to catch major criminals, and would only help authorities catch “incompetent criminals and accidental anarchists.”
The £1.8 billion ($2.9bn) budget set aside for implementing the bill was also criticized by one Freedom of Information campaigner, which the U.K. Home Office has not disclosed why the figure is so steep or what the budget will be spent on.
The report is found here. See also the ZDNet article Lib Dems challenge ‘snooper’s charter’ over claims bill ‘must be substantially rewritten’.