To what extent do you believe that the Regulation of Investigatory Powers Act 2000 achieves a balance between upholding the right to privacy while also allowing the State to employ online surveillance techniques in the interests of national security?

Increasing level of surveillance permeates almost all aspects of our lives, leading to consequential reduction of personal privacy. The Information Commissioner warned against the dangers of ‘sleepwalking into a surveillance society’. The Information Commissioner went further in 2006 by introducing a report ‘A surveillance society’ commissioned by his office. In this report he acknowledges the benefits of surveillance in fighting terrorism and serious crime and improving entitlement and access to public and private services. However unseen or excess surveillance can encourage a climate of suspicion and undermine trust.

This essay will analyse the growth of data surveillance in the online world and see whether the Regulation of Investigatory Power 2000 achieves a balance to right of privacy and the States need to employ online surveillance to protect citizens from terrorist’s threats.

The main way in which privacy can be threatened is by placing the individual under surveillance. This surveillance can take a variety of forms. In 1971 Alan Westin identified three forms of surveillance physical, psychological and data.

Physical surveillance is an age old-established method of observing someone. As the name suggests it involves watching or listening to an individual with the aid of technology. However this method is an expensive form of surveillance and can only be applied to a limited number of individuals. Psychological surveillance includes forms of interrogation, again costs of using this method gives it a limited usage in society.

Both the above surveillance techniques involve the watcher to play an active role. Data surveillance involves a more passive approach. Clarke describes dataveillance is the systematic use of personal data systems in the investigation or monitoring of actions of communication one or more person. Computers were originally developed for their high speed capabilities. But the advancement of technology means that data can now be captured, stored and accessed more readily even when their users are dispersed. The information revealed by an individual reveals something about that person. This method involves the collection and retention of this information. With the growth of the internet and the ability to digitise any form of information the distinct boundaries between the types of surveillance are disappearing with technology linking the different methods of surveillance into ‘a near seamless web of surveillance’. Furthermore, the development in data processing means that systems of physical surveillance significantly by the involvement of the computer to digitise and process the information.

Significant difficulties have to be overcome when attempting to give privacy a concrete legal meaning. A number of definitions for privacy had been formulated over the years. The classic definition was given by a United State judge, Judge Cooley who stated that it consists of a ‘right to left alone.’ The essential component as stated by Lloyd is that an individual has the right to control the extent to which their personal information is dispersed to other people. This notion of privacy has two main components. The first is the right to live free from the attention of others in essence to avoid being watched. The second element is to control the use of information once gained.

Whilst surveillance is seen as a stealthy and unwelcome way of collecting personal data, this is not the case. Although members of the public may claim they value privacy, they do very little to protect themselves. Thousands of individuals have applied for supermarket ‘loyalty cards’. These cards provide a link between details of individual transaction and the stock management computer system. Analysis of the information will reveal much about the individual’s habits and lifestyle which may be used as a basis of direct marketing.

Until 1985 the UK had no legislative framework available to deal with interception of communications. So for example phone tapping was only regulated by the police internal code of guidance, which was not made public. This state of affairs was challenged in the ECHR case of Malone v United Kingdom. Here the ECHR held the UK practice of interception was not under adequate legal regulation. The UK citizens could not assess whether their telephone would be tapped, nor could they determine the basis in law for such surveillance.

The UK's response was to pass the Interception of Communications Act which put interceptions by public bodies in a statute and provided some oversight of interception activities.

However, the 1985 Act fell short of a concrete regulatory mechanism as did not apply to telecommunications systems outside the public network, such as internal systems, and there was no other UK legislation to regulate the interception of communications on such systems. So employers engaging in the interception of both telephone calls and email within private networks appeared to be able to do so with relative ease without fear from prosecution under the law.

This is a preview of the whole essay

This was illustrated in the case of Halford v United Kingdom. In this case Ms Halfords telephone conversations were tapped by her employer to obtain information detrimental to her. The office was part of a private internal network, so fell outside the scope of the ICA 1985. As she could not challenge the alleged tap in court, she brought an action against the UK government alleging a breach of the ECHR Article 8. The ECHR held that calls intercepted from her office telephone could fall within the scope of ‘private life’ in Article 8(1) ECHR, and that her employers had not informed her that her calls may be liable to interception. However Article 8(2) requires that the interference by a public authority must be ‘in accordance with the law’. Since there was no UK law relating to regulation of interception of calls made on telecommunication systems outside the public network, the Court held that the interference could not be ‘in accordance with the law’.

No statutory system of regulating the use of surveillance devices by the police was available until the enactment of the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA is the government’s response to the finding the ECHR in Halford case where the UK did not comply with Article 8. It was primarily designed to ensure compliance with the Convention to ensure that powers to intercept telecommunication and investigate surveillance of individuals are used in accordance to Article 8 of the European Convention.

With regards to internet surveillance RIPA sets out guidance to a partial defence of surveillance as including monitoring, observing or listening to persons, recording anything monitored and surveillance by or with the assistance of a surveillance device. The Home Office argues that RIPA is capable of responding to current and future needs, but whether traditional definitions of surveillance remain appropriate for the modern world is a moot point. These concerns are based on technological advancement meaning individuals can now be monitored in ways not included within traditional understanding of surveillance. The concept of web surveillance falls into this category as it was not directly considered when the regulatory regime was created. In the absence of strict electronic surveillance regulation, it is necessary to consider where web surveillance falls under in the existing regulatory framework.

It is clear that surveillance requires authorisation where it interferes with Article 8, so would a person using the web have legitimate expectation to privacy. If they do then an Article 8(1) right is established and then accordingly a reason under Article 8(2) will be required for surveillance to be authorised.

McArthur suggests that there can be no expectation of privacy on the internet. He believes that the internet is a public space and only situations where measures have been taken to conceal a person’s identity or block tracking software should there be any suggestion of privacy. Gillespie questions McArthur’s view and states ‘Does the mere fact that something occurs in public mean that there can be no expectation of privacy?’ The answer to this is ‘no’ and support for Gillespie’s view can be seen through the decisions made by the European Court of Human Rights.

In Von Hannover v Germany the Court upheld a complaint by Princess Caroline of Monaco who had been photographed by paparazzi whilst engaged in ordinary activities such as horse riding and eating in a restaurant. The Court stated that Article 8(1) ensures that persons are allowed to proceed with their ordinary life without outside interference and that Article 8(1) protects someone even in public places if there is a legitimate expectation of privacy.

The decision in Von Hannover only applies to a right to privacy in a public setting when an expectation of privacy arises. The fact a person is in a public place will not prevent a right under Article 8(1).

Where someone merely acts in a public place the observance and recording of that act will not give rise to an expectation of privacy. This is illustrated in the case of Peck v United Kingdom where the applicant was recorded on CCTV after attempting to commit suicide. The footage was released to several media companies. The ECHR upheld a breach of Article 8 but on the basis that the footage being released interfered with the applicant’s private life rather than the original recording of the incident. In PG v United Kingdom the Court upheld a claim under Article 8(1) that the recording of two suspects voices whilst in custody amounts to a breach in respect to family life. The Court rejected the argument that a police cell was a public space and stated that an expectation of privacy could arise here.

So can this apply to the online world? McArthur firmly believes that the internet is a public space and therefore no expectation of privacy can arise. However this ‘broad’ approach is contrary to the decisions laid down in case law by the European Court of Human Rights as seen above. So if something occurs in a public area it does not mean that there is no expectation of privacy. Gillespie believes that while blog entries are likely to be considered as public there are ways of restricting access. Extreme measures do not have to used to restrict access like social networking sites where users make a profile and choose to restrict it to people who are their ‘friends’ meaning the user has control to people who view his profile.

McArthur further argues that restricting the access does not change the inherent public nature of the internet because it is possible to avoid access using electronic measures. Coleman disagrees with this notion and believes that we should focus on the essential part of the right to privacy is the ability to control access to one’s information. This would seem to be fit well with the decisions of the ECHR. Applying this view to the internet would mean that posting information on a password controlled sites does give rise to an expectation of privacy and the use of measures to avoid access controls would amount to surveillance.

Some aspects of online surveillance can amount to an interference of privacy; therefore authorisation is required to a reason why Article 8(2) may be pleaded. This means authority must be granted under RIPA 2000. There are three types of covert surveillance stated in Part two of the Act. They are directed surveillance, intrusive surveillance and a covert human intelligence source.

Applying these types of surveillance to the web it may be necessary to examine what sites a person has accessed. Such information would be of valuable interest to law enforcement agencies in the context of terrorism. However this cannot be done covertly as the physical possession of the computer is needed. By using Trojan software the police can covertly follow what sites are being accessed and access communication data.

An issue here would be would be gathering evidence as to the sites visited amount to surveillance or interfere with Article 8(1)? The ECHR held in Friedl v Austria that the systematic recording of a person’s activities interferes with their rights under Article 8(1). So if Trojan software was used to detect websites a person has accessed then this can be regarded as a systematic recording of a person’s activity. This principle was applied in the case of Copland v United Kingdom where an employee had her telephone, internet activity and email monitored. Here the court found a violation of Article 8 and stated that interception of email is analogous to that of telephone calls.

Another way in which information on the use of the internet can be obtained is through communications data. Under RIPA this can be put into three forms of data traffic, service-use data and subscriber information.Communications data will be useful to law enforcement agencies if they are conducting surveillance in respect of someone accessing the internet. It would allow them to build up a picture of the offender. However, the gathering and use of data would infringe Article 8. Therefore Part 1 of RIPA may come to aid here by providing a legal framework meaning as long as the information being sought is necessary and proportionate, surveillance would be allowed to occur without breaching Article 8 of the ECHR.

With internet crimes can occur globally rather than in a particular jurisdiction so it can only be policed if the perpetrators are brought to justice. Surveillance can be used as a procedure in policing internet crimes. But in order for the policing to effective the evidence obtained in the course of detection of the crime and the perpetrator of it must be admissible in court. European case law has shown that admissibility is a matter of regulation by national courts.

The Birkett Report recognised the need for statutory regulation of evidential rather than intelligence uses of the interception product. It recommended that such material could be used as evidence in appropriate cases.

Sections 15 to 18 of RIPA also seek to govern the revelation at trial of the material obtained during interception. The sections provide another illustration of RIPA's lack of clarity and its inadequacy in respecting privacy rights. The provisions under ss.17 and 18 of RIPA seek to limit the use of material gathered from telephone intercepts to and ‘intelligence’ rather than an ‘evidential’ role.

On one view, there is something odd in a system which seeks to authorise an activity (ss.1-9), then recognises that that activity leads to material which will be relevant at trial (s.18), and yet seeks to suppress that material and even the fact of its existence (s.17). The policy of allowing the police to maximise their use of surveillance mechanisms sits well alongside the State's interest in maximising the chances of subsequent conviction and maximising policing efficiency. This view is controversial as the refusal to allow the intercepted product to be used as evidence for the prosecution can hardly be in favour crime control and maximising convictions. Furthermore, a difficult concept to understand here is how the policy of secrecy is greater than the fundamental right to a fair trial.

The potential flaws in the execution of the existing system were one reason change was needed. The Chilcot Report investigated ‘... whether a regime to allow the use of intercepted material in court can be devised that facilitates bringing cases to trial while meeting the overriding imperative to safeguard national security.’

It was directed by two principles. In relation to the “overriding imperative to safeguard national security” it, concluded that “any material risk to the strategic capability of the UK's intelligence agencies would be unacceptable”. Secondly, it noted that an “important contribution” to the duty to safeguard the public is the effective prosecution of serious organised crime and terrorism. “This requires that the best evidence is made available for such prosecutions”. It came to a relative simple conclusion in treating intercept material the same as any other sensitive material is treated under the Part two of the Act. For that reason it supported the use of intercept material as evidence.

In order to prosecute cybercrime successfully, evidence must be obtained legally, and it must be understandable. The most controversial power is under Part three of the Act which requires the disclosure of private encryption keys. Encrypted text is not readable without the appropriate key and plain text evidence is only admissible if legally obtained.

The power to require disclosure, contained in s.49 of the Act, means that a person will be required to hand over the decryption key. That person shall be guilty of an offence if he knowingly fails to comply with the disclosure notice.

So should a suspect be forced to hand over to hand over his decryption key to a lawful authority? It can be argued that not only is this an unsustainable infringement on our personal liberty but also an abuse of the European Human Rights Convention. The question is whether, in certain circumstances, infringements of such rights are justified. It may be that in the interests of our safety and security and in the pursuit of prevention and detection of crime and disorder such infringement of our civil liberties are justified, but only provided there are certain safeguards in place to restrict potential abuse.

The internet and other forms of electronic communication being linked with global terrorism has impacted has significantly impacted on governments attitude towards online privacy and surveillance. Many of the legislative responses to the threat of terrorism post- September 11th 2001 in the UK have been enacted with great speed driven by necessity. This has created a conflict between those whose primary interests is in law enforcement and bodies concerned with the protection and promotion of individual rights and freedoms. If the right balance is not achieved between these groups’ interests then the individuals may lose elements of the protection introduced and developed over the years, whilst the government may become less popular in the public eyes if they are seen unconcerned with the rights of the citizens.

The most important change relates to increased rights of access to personal data. Section 22 of the RIPA Act empowers a senior police to require a provider to disclose any communication data in the interests of national security. The Act does not require providers to retain data. However, the quick passage of the Anti-Terrorism, Crime and Security Act 2001 through Parliament in a matter of weeks indicated the time period to retention of data. Section 102 of the Act confers powers of the Secretary of State to draw up codes of practice specifying the period of time to which providers would be allowed to retain communication data. Lloyd criticises this code of practice both in terms of the time period of the retention of data and the range of governmental agencies that are granted access to this data.

In conclusion law enforcement and national security, have been engaging in surveillance and interception activities for many years. To a significant extent, these forms of investigation were historically unregulated. However as technological capabilities of surveillance developed, so did the awareness of the threat to privacy and the need for regulation. The RIPA was a response to this area of development. On the one hand, it allows the use of diverse investigatory powers, while on the other, it provides a regulatory framework, designed to respect the obligations imposed by the Human Rights Act 1998. In so doing, it has achieved a fragile balance between the competing demands of privacy and surveillance.

McArthur firmly believes that conducting surveillance in the online world does not need regulation, as it is a public space. However as we have seen the ECHR cases would suggest otherwise. Privacy can never be guaranteed online, but the same is true of the offline world. Privacy can never be guaranteed online, the same is equally true of the offline world. The regulation of surveillance exists to ensure that the state only interferes with a person's private life when necessary. The modern telecommunications world has meant that the boundary between a person's offline and online lives is ‘muddled’ at best, and it is important that the law recognises the right to personal integrity online.

Bibliography

Cases

Malone v United Kingdom (1984) 7 EHRR 14
Halford v United Kingdom [1997] ECHR 32
Peck v United Kingdom (2003) 36 E.H.R.R. 41
PG v United Kingdom (2001) 46 E.H.R.R. 51
Von Hannover v Germany (2005) 40 E.H.R.R. 1
Friedl v Austria (1996) 21 E.H.R.R. 83
Copland v United Kingdom (2007) 45 E.H.R.R. 37

Books

A Westin, ‘Information Technology in a Democracy’ (1971) Unir Micro. lms Int.,

Articles

R Clarke ‘Information Technology and Dataveillance’ (1988) Communications of the AMC Vol 31 No. 5
N Jarvie, ‘Control of cybercrime - is an end to our privacy on the Internet a price worth paying? Part 2’ (2003) C.T.L.R., 9(4), 110-115
A Charlesworth, ‘Law enforcement and libraries in the UK: privacy, proportionality & good practice’ (2003) L.I.M., 3(2), 71-75
I Mason Human rights, privacy and local authority investigations: learning to live with the Regulation of Investigatory Powers Act 2000 (2002) J.L.G.L. 5(4), 84-87
A Gillespie, ‘Regulation of internet surveillance’ E.H.R.L.R. 2009, 4, 552-565
R.L. McArthur, “ Reasonable Expectations of Privacy” (2001) 3 Ethics and Information Technology 123,
S. Coleman, “ E-mail, terrorism, and the right to privacy” (2006) 8 Ethics and Information Technology 17
N Birkett, ‘Report of the Committee of Privy Councillors appointed to inquire into the interception of communications’ (Cm 283)
D Ormerod & S McKay, ‘Telephone intercepts and their admissibility’ (2004) Crim. L.R. Jan, 15-38
J Chilcot, ‘Privy Council Review of intercept as evidence’ (Cm 7324)
M Ryder, ‘RIPA reviewed’ (2008) Arch. News 4, 6-9
G Ferguson & J Wadham, ‘Privacy and surveillance: a review of the Regulation of the Investigatory Powers Act 2000’ (2003) E.H.R.L.R. Supp 101-108

Web links

BBC News, M Easton ‘Whitehall plan for huge database’ 14th January 2007 <> accessed 5th March 2011
IJ Lloyd ‘Privacy and data protection’ 29th May 2008 <> accessed 7th March 2011

Legislations

Interception of Communications Act 1985
Regulation of Investigatory Powers Act 2000
Anti-Terrorism, Crime and Security Act 2001
Human Rights Act 1998

BBC News, M Easton ‘Whitehall plan for huge database’ 14th January 2007 <> accessed 5th March 2011

DM Wood ‘A Report on the Surveillance Society’ September 2006 <http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_full_report_2006.pdf> accessed 5th March 2011

IJ Lloyd ‘Privacy and data protection’ 29th May 2008 <> accessed 7th March 2011

A Westin, ‘Information Technology in a Democracy’ (1971) Unir Micro. lms Int.,

Supra n3:11

R Clarke ‘Information Technology and Dataveillance’ (1988) Communications of the AMC Vol 31 No. 5 p498

Ibid p500

Supra n3:11

N Jarvie, ‘Control of cybercrime - is an end to our privacy on the Internet a price worth paying? Part 2’ (2003) C.T.L.R., 9(4), 110-115 at 113

Supra n3:7

Supra n3:6

A Charlesworth, ‘Law enforcement and libraries in the UK: privacy, proportionality & good practice’ (2003) L.I.M., 3(2), 71-75 at 72

Malone v United Kingdom (1984) 7 EHRR 14

Interception of Communications Act 1985

Supra n14:72

Halford v United Kingdom [1997] ECHR 32

Supra n14:73

Regulation of Investigatory Powers Act 2000

I Mason Human rights, privacy and local authority investigations: learning to live with the Regulation of Investigatory Powers Act 2000 (2002) J.L.G.L. 5(4), 84-87 at 84

RIPA 2000 s.48 (2).

A Gillespie, ‘Regulation of internet surveillance’ E.H.R.L.R. 2009, 4, 552-565 at 554

R.L. McArthur, “ Reasonable Expectations of Privacy” (2001) 3 Ethics and Information Technology 123, 126

Supra n23:555

Von Hannover v Germany (2005) 40 E.H.R.R. 1

Ibid at 51

Peck v United Kingdom (2003) 36 E.H.R.R. 41

PG v United Kingdom (2001) 46 E.H.R.R. 51

Supra n24:123

Supra n23:556

Supra n24:124

S. Coleman, “ E-mail, terrorism, and the right to privacy” (2006) 8 Ethics and Information Technology 17 at 20

Supra n23: 555

Section 26(2) of RIPA 2000 states surveillance is directed where it is covert and undertaken for the purposes of a specific investigation, is likely to result in the obtaining of private information about a person.

Section 26(3) of RIPA 2000 describes surveillance as intrusive where it involves surveillance in residential premises

Section cover human a person who establishes a personal relationship with someone for the covert purpose

Supra n23:558

Friedl v Austria (1996) 21 E.H.R.R. 83

Copland v United Kingdom (2007) 45 E.H.R.R. 37

RIPA 200 s.21 4(a)

Ibid s.21 4(b)

Ibid s.21 4(c)

Supra n23:560

Supra n10:110

N Birkett, ‘Report of the Committee of Privy Councillors appointed to inquire into the interception of communications’ (Cm 283)

D Ormerod & S McKay, ‘Telephone intercepts and their admissibility’ (2004) Crim. L.R. Jan, 15-38 at 31

Ibid at 31

J Chilcot, ‘Privy Council Review of intercept as evidence’ (Cm 7324)

Ibid at para 1

Supra n49:90

Supra n49:204

M Ryder, ‘RIPA reviewed’ (2008) Arch. News 4, 6-9 at 9

Supra n10:114

RIPA 2000, s.53(1)

Supra n10:114

Supra n3:18

Supra n3:17

Anti-Terrorism, Crime and Security Act 2001

Supra n3:18

Human Rights Act 1998

G Ferguson & J Wadham, ‘Privacy and surveillance: a review of the Regulation of the Investigatory Powers Act 2000’ (2003) E.H.R.L.R. Supp 101-108 at 101

Supra 23:565