Spotlighting surveillance: Where states can lead on transparency reporting

Between 15th-19th of September, 2014, in the week leading up the first year anniversary of the International Principles on the Application of Human Rights to Communications Surveillance, Access and the coalition behind the 13 Principles will be participating in a Week of Action to help explain the foundation for the principles. Every day, we’ll take on a different part of the principles, exploring what’s at stake and what we need to do to bring intelligence agencies and the police back under the rule of law.

You can read the complete set of posts at: https://necessaryandproportionate.org/anniversary.

Surveillance laws can no longer ignore our human rights. Follow our discussion on twitter with the hashtag: #privacyisaright

At their best, “transparency reports” can reveal the scope and scale of surveillance online. Generally, they include aggregate statistics of requests that governments issue for user data, giving details like the type of request, why it was issued, and whether the recipient complied. They’re one of the proactive ways that companies, governments — really any entity dealing with user data — can speak directly to users about privacy and free expression online. To date, however, States have lagged far behind when it comes to reporting on their surveillance activity.

States and service providers both have rights and responsibilities regarding transparency. Governments play both a positive role — affirmatively providing users with information on the processing and transfer of their data, as well as any disruptions to networks — and a negative role — namely staying out of the way of service providers who seek to better inform users. Unfortunately, parties do not always live up to their obligations. For example, providers often say that “transparency is the government’s responsibility.” On surveillance, they maintain, governments are better positioned to disclose surveillance practices than the businesses processing their requests.

One year after the release of the International Principles on the Application of Human Rights to Government Surveillance, though, it’s becoming more clear that companies must exercise their ability to disclose requests for user data and interception to the fullest extent legally possible, while all stakeholders push governments to loosen restrictions and provide data of their own. Because, while many private sector businesses have taken steps toward transparency, government secrecy — especially on national security data — enforced through gag orders and threats of retaliation continues to leave users in the dark.

Beyond the numbers

To commit to transparency requires respect for other stakeholders, specifically a respect for users. When put into action, transparency can engender increased trust and accountability. Fundamentally, transparency reporting seeks to measure interference with privacy and free expression, so transparency reporting began with and still revolves around numbers. Increasingly, though, we see legal, political, and even social contexts taken into consideration in the struggle for accurate and meaningful reporting.

A good example of the depth that a transparency report can achieve is found in the massive report published by UK-based service provider Vodafone in June 2014. Out of 29 countries where Vodafone does business, governments in 8 either bar disclosure of surveillance requests, or were, at the time of the report, too unstable to even approach with the question, according to the company. In 10 countries, though, Vodafone’s report marked the first time any entity, either provider or government, had published surveillance data. In many countries, Vodafone explained, no one had simply even asked whether the reporting was allowed.

The Vodafone report, which civil society groups like Access had called for since 2012, inspired similar actions by providers worldwide. Vodafone’s approach to the transparency report stands as a high water mark for providers and demonstrates how governments can be pressured to allow more transparency. The company issued recommendations, some mirroring the Transparency Principle, requesting that governments issue reports that are subject to third-party certification: “independently scrutinised, challenged and verified prior to publication.” Where they do not, governments must give clear explanations of why numbers must be kept secret.

Vodafone’s report also utilized the time-tested responsibility-shifting argument, namely that governments know more than privately-owned providers and owe users more transparency. In some respects, this is true. Government officials are the only ones in a position to know when agents bypass providers to capture communications directly from networks, an insidious practice that circumvents due process. Of course, they also issue gag orders along with many demands for information issued to companies. However, none of this relieves other stakeholders, providers, and even NGOs, from the responsibility to reveal how they receive and process requests affecting the human rights of users.

Bars on disclosure of national security & metadata requests

Even governments that do allow disclosure of some police or law enforcement requests exempt “national security” requests, thereby covering up invasive surveillance activities.  Australian telcos are barred from disclosing national security data by the Telecommunications (Interception and Access) Act 1979, and UK telcos are similarly bound to secrecy. South Africa is rejecting more civil society requests for public information, and does not release numbers on metadata surveillance, only those requests that require a warrant, like wiretaps.

Some progress has been made. Earlier this year, the U.S. government reached a settlement with major internet platforms allowing them to release aggregate data on certain national security requests. However, the bulk of communications metadata collected — er, “acquired” — fell into a legal black hole. Section 215 orders requiring telecom providers to deliver all daily call records weren’t covered by the settlement, and are not revealed by the aggregate numbers companies or the government releases. The U.S. intelligence directorate’s own transparency report similarly lacked rigor and clarity on the scale and scope of government surveillance.

Sometimes, governments even retaliate against transparency. The junta that has ruled Thailand since May has led a crackdown on expression, and required operators to shut down access to Facebook briefly on May 27. When the parent company of operator DTAC revealed information about that shutdown request, the junta angrily responded by threatening the company’s investments and access to spectrum in the country.

A way forward

Until users have a complete picture — independently verified — of how their data is processed, they will not be able to freely exercise their human rights online. Questions will remain as to whether unnamed national security entities, or metadata programs, are scooping up information on their private lives.

Governments can and should lead with more disclosures on national security and metadata programs. Meanwhile, we’ll continue pushing providers to speak up — and give up — the context and numbers that inform us on the state of our rights online.