This was illustrated in the case of Halford v United Kingdom. In this case Ms Halfords telephone conversations were tapped by her employer to obtain information detrimental to her. The office was part of a private internal network, so fell outside the scope of the ICA 1985. As she could not challenge the alleged tap in court, she brought an action against the UK government alleging a breach of the ECHR Article 8. The ECHR held that calls intercepted from her office telephone could fall within the scope of ‘private life’ in Article 8(1) ECHR, and that her employers had not informed her that her calls may be liable to interception. However Article 8(2) requires that the interference by a public authority must be ‘in accordance with the law’. Since there was no UK law relating to regulation of interception of calls made on telecommunication systems outside the public network, the Court held that the interference could not be ‘in accordance with the law’.
No statutory system of regulating the use of surveillance devices by the police was available until the enactment of the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA is the government’s response to the finding the ECHR in Halford case where the UK did not comply with Article 8. It was primarily designed to ensure compliance with the Convention to ensure that powers to intercept telecommunication and investigate surveillance of individuals are used in accordance to Article 8 of the European Convention.
With regards to internet surveillance RIPA sets out guidance to a partial defence of surveillance as including monitoring, observing or listening to persons, recording anything monitored and surveillance by or with the assistance of a surveillance device. The Home Office argues that RIPA is capable of responding to current and future needs, but whether traditional definitions of surveillance remain appropriate for the modern world is a moot point. These concerns are based on technological advancement meaning individuals can now be monitored in ways not included within traditional understanding of surveillance. The concept of web surveillance falls into this category as it was not directly considered when the regulatory regime was created. In the absence of strict electronic surveillance regulation, it is necessary to consider where web surveillance falls under in the existing regulatory framework.
It is clear that surveillance requires authorisation where it interferes with Article 8, so would a person using the web have legitimate expectation to privacy. If they do then an Article 8(1) right is established and then accordingly a reason under Article 8(2) will be required for surveillance to be authorised.
McArthur suggests that there can be no expectation of privacy on the internet. He believes that the internet is a public space and only situations where measures have been taken to conceal a person’s identity or block tracking software should there be any suggestion of privacy. Gillespie questions McArthur’s view and states ‘Does the mere fact that something occurs in public mean that there can be no expectation of privacy?’ The answer to this is ‘no’ and support for Gillespie’s view can be seen through the decisions made by the European Court of Human Rights.
In Von Hannover v Germany the Court upheld a complaint by Princess Caroline of Monaco who had been photographed by paparazzi whilst engaged in ordinary activities such as horse riding and eating in a restaurant. The Court stated that Article 8(1) ensures that persons are allowed to proceed with their ordinary life without outside interference and that Article 8(1) protects someone even in public places if there is a legitimate expectation of privacy.
The decision in Von Hannover only applies to a right to privacy in a public setting when an expectation of privacy arises. The fact a person is in a public place will not prevent a right under Article 8(1).
Where someone merely acts in a public place the observance and recording of that act will not give rise to an expectation of privacy. This is illustrated in the case of Peck v United Kingdom where the applicant was recorded on CCTV after attempting to commit suicide. The footage was released to several media companies. The ECHR upheld a breach of Article 8 but on the basis that the footage being released interfered with the applicant’s private life rather than the original recording of the incident. In PG v United Kingdom the Court upheld a claim under Article 8(1) that the recording of two suspects voices whilst in custody amounts to a breach in respect to family life. The Court rejected the argument that a police cell was a public space and stated that an expectation of privacy could arise here.
So can this apply to the online world? McArthur firmly believes that the internet is a public space and therefore no expectation of privacy can arise. However this ‘broad’ approach is contrary to the decisions laid down in case law by the European Court of Human Rights as seen above. So if something occurs in a public area it does not mean that there is no expectation of privacy. Gillespie believes that while blog entries are likely to be considered as public there are ways of restricting access. Extreme measures do not have to used to restrict access like social networking sites where users make a profile and choose to restrict it to people who are their ‘friends’ meaning the user has control to people who view his profile.
McArthur further argues that restricting the access does not change the inherent public nature of the internet because it is possible to avoid access using electronic measures. Coleman disagrees with this notion and believes that we should focus on the essential part of the right to privacy is the ability to control access to one’s information. This would seem to be fit well with the decisions of the ECHR. Applying this view to the internet would mean that posting information on a password controlled sites does give rise to an expectation of privacy and the use of measures to avoid access controls would amount to surveillance.
Some aspects of online surveillance can amount to an interference of privacy; therefore authorisation is required to a reason why Article 8(2) may be pleaded. This means authority must be granted under RIPA 2000. There are three types of covert surveillance stated in Part two of the Act. They are directed surveillance, intrusive surveillance and a covert human intelligence source.
Applying these types of surveillance to the web it may be necessary to examine what sites a person has accessed. Such information would be of valuable interest to law enforcement agencies in the context of terrorism. However this cannot be done covertly as the physical possession of the computer is needed. By using Trojan software the police can covertly follow what sites are being accessed and access communication data.
An issue here would be would be gathering evidence as to the sites visited amount to surveillance or interfere with Article 8(1)? The ECHR held in Friedl v Austria that the systematic recording of a person’s activities interferes with their rights under Article 8(1). So if Trojan software was used to detect websites a person has accessed then this can be regarded as a systematic recording of a person’s activity. This principle was applied in the case of Copland v United Kingdom where an employee had her telephone, internet activity and email monitored. Here the court found a violation of Article 8 and stated that interception of email is analogous to that of telephone calls.
Another way in which information on the use of the internet can be obtained is through communications data. Under RIPA this can be put into three forms of data traffic, service-use data and subscriber information.Communications data will be useful to law enforcement agencies if they are conducting surveillance in respect of someone accessing the internet. It would allow them to build up a picture of the offender. However, the gathering and use of data would infringe Article 8. Therefore Part 1 of RIPA may come to aid here by providing a legal framework meaning as long as the information being sought is necessary and proportionate, surveillance would be allowed to occur without breaching Article 8 of the ECHR.
With internet crimes can occur globally rather than in a particular jurisdiction so it can only be policed if the perpetrators are brought to justice. Surveillance can be used as a procedure in policing internet crimes. But in order for the policing to effective the evidence obtained in the course of detection of the crime and the perpetrator of it must be admissible in court. European case law has shown that admissibility is a matter of regulation by national courts.
The Birkett Report recognised the need for statutory regulation of evidential rather than intelligence uses of the interception product. It recommended that such material could be used as evidence in appropriate cases.
Sections 15 to 18 of RIPA also seek to govern the revelation at trial of the material obtained during interception. The sections provide another illustration of RIPA's lack of clarity and its inadequacy in respecting privacy rights. The provisions under ss.17 and 18 of RIPA seek to limit the use of material gathered from telephone intercepts to and ‘intelligence’ rather than an ‘evidential’ role.
On one view, there is something odd in a system which seeks to authorise an activity (ss.1-9), then recognises that that activity leads to material which will be relevant at trial (s.18), and yet seeks to suppress that material and even the fact of its existence (s.17). The policy of allowing the police to maximise their use of surveillance mechanisms sits well alongside the State's interest in maximising the chances of subsequent conviction and maximising policing efficiency. This view is controversial as the refusal to allow the intercepted product to be used as evidence for the prosecution can hardly be in favour crime control and maximising convictions. Furthermore, a difficult concept to understand here is how the policy of secrecy is greater than the fundamental right to a fair trial.
The potential flaws in the execution of the existing system were one reason change was needed. The Chilcot Report investigated ‘... whether a regime to allow the use of intercepted material in court can be devised that facilitates bringing cases to trial while meeting the overriding imperative to safeguard national security.’
It was directed by two principles. In relation to the “overriding imperative to safeguard national security” it, concluded that “any material risk to the strategic capability of the UK's intelligence agencies would be unacceptable”. Secondly, it noted that an “important contribution” to the duty to safeguard the public is the effective prosecution of serious organised crime and terrorism. “This requires that the best evidence is made available for such prosecutions”. It came to a relative simple conclusion in treating intercept material the same as any other sensitive material is treated under the Part two of the Act. For that reason it supported the use of intercept material as evidence.
In order to prosecute cybercrime successfully, evidence must be obtained legally, and it must be understandable. The most controversial power is under Part three of the Act which requires the disclosure of private encryption keys. Encrypted text is not readable without the appropriate key and plain text evidence is only admissible if legally obtained.
The power to require disclosure, contained in s.49 of the Act, means that a person will be required to hand over the decryption key. That person shall be guilty of an offence if he knowingly fails to comply with the disclosure notice.
So should a suspect be forced to hand over to hand over his decryption key to a lawful authority? It can be argued that not only is this an unsustainable infringement on our personal liberty but also an abuse of the European Human Rights Convention. The question is whether, in certain circumstances, infringements of such rights are justified. It may be that in the interests of our safety and security and in the pursuit of prevention and detection of crime and disorder such infringement of our civil liberties are justified, but only provided there are certain safeguards in place to restrict potential abuse.
The internet and other forms of electronic communication being linked with global terrorism has impacted has significantly impacted on governments attitude towards online privacy and surveillance. Many of the legislative responses to the threat of terrorism post- September 11th 2001 in the UK have been enacted with great speed driven by necessity. This has created a conflict between those whose primary interests is in law enforcement and bodies concerned with the protection and promotion of individual rights and freedoms. If the right balance is not achieved between these groups’ interests then the individuals may lose elements of the protection introduced and developed over the years, whilst the government may become less popular in the public eyes if they are seen unconcerned with the rights of the citizens.
The most important change relates to increased rights of access to personal data. Section 22 of the RIPA Act empowers a senior police to require a provider to disclose any communication data in the interests of national security. The Act does not require providers to retain data. However, the quick passage of the Anti-Terrorism, Crime and Security Act 2001 through Parliament in a matter of weeks indicated the time period to retention of data. Section 102 of the Act confers powers of the Secretary of State to draw up codes of practice specifying the period of time to which providers would be allowed to retain communication data. Lloyd criticises this code of practice both in terms of the time period of the retention of data and the range of governmental agencies that are granted access to this data.
In conclusion law enforcement and national security, have been engaging in surveillance and interception activities for many years. To a significant extent, these forms of investigation were historically unregulated. However as technological capabilities of surveillance developed, so did the awareness of the threat to privacy and the need for regulation. The RIPA was a response to this area of development. On the one hand, it allows the use of diverse investigatory powers, while on the other, it provides a regulatory framework, designed to respect the obligations imposed by the Human Rights Act 1998. In so doing, it has achieved a fragile balance between the competing demands of privacy and surveillance.
McArthur firmly believes that conducting surveillance in the online world does not need regulation, as it is a public space. However as we have seen the ECHR cases would suggest otherwise. Privacy can never be guaranteed online, but the same is true of the offline world. Privacy can never be guaranteed online, the same is equally true of the offline world. The regulation of surveillance exists to ensure that the state only interferes with a person's private life when necessary. The modern telecommunications world has meant that the boundary between a person's offline and online lives is ‘muddled’ at best, and it is important that the law recognises the right to personal integrity online.
Bibliography
Cases
- Malone v United Kingdom (1984) 7 EHRR 14
-
Halford v United Kingdom [1997] ECHR 32
- Peck v United Kingdom (2003) 36 E.H.R.R. 41
- PG v United Kingdom (2001) 46 E.H.R.R. 51
- Von Hannover v Germany (2005) 40 E.H.R.R. 1
- Friedl v Austria (1996) 21 E.H.R.R. 83
- Copland v United Kingdom (2007) 45 E.H.R.R. 37
Books
A Westin, ‘Information Technology in a Democracy’ (1971) Unir Micro. lms Int.,
Articles
- R Clarke ‘Information Technology and Dataveillance’ (1988) Communications of the AMC Vol 31 No. 5
- N Jarvie, ‘Control of cybercrime - is an end to our privacy on the Internet a price worth paying? Part 2’ (2003) C.T.L.R., 9(4), 110-115
- A Charlesworth, ‘Law enforcement and libraries in the UK: privacy, proportionality & good practice’ (2003) L.I.M., 3(2), 71-75
- I Mason Human rights, privacy and local authority investigations: learning to live with the Regulation of Investigatory Powers Act 2000 (2002) J.L.G.L. 5(4), 84-87
- A Gillespie, ‘Regulation of internet surveillance’ E.H.R.L.R. 2009, 4, 552-565
-
R.L. McArthur, “ Reasonable Expectations of Privacy” (2001) 3 Ethics and Information Technology 123,
- S. Coleman, “ E-mail, terrorism, and the right to privacy” (2006) 8 Ethics and Information Technology 17
-
N Birkett, ‘Report of the Committee of Privy Councillors appointed to inquire into the interception of communications’ (Cm 283)
- D Ormerod & S McKay, ‘Telephone intercepts and their admissibility’ (2004) Crim. L.R. Jan, 15-38
- J Chilcot, ‘Privy Council Review of intercept as evidence’ (Cm 7324)
- M Ryder, ‘RIPA reviewed’ (2008) Arch. News 4, 6-9
- G Ferguson & J Wadham, ‘Privacy and surveillance: a review of the Regulation of the Investigatory Powers Act 2000’ (2003) E.H.R.L.R. Supp 101-108
Web links
-
BBC News, M Easton ‘Whitehall plan for huge database’ 14th January 2007 <> accessed 5th March 2011
-
IJ Lloyd ‘Privacy and data protection’ 29th May 2008 <> accessed 7th March 2011
Legislations
- Interception of Communications Act 1985
- Regulation of Investigatory Powers Act 2000
- Anti-Terrorism, Crime and Security Act 2001
- Human Rights Act 1998
BBC News, M Easton ‘Whitehall plan for huge database’ 14th January 2007 <> accessed 5th March 2011
DM Wood ‘A Report on the Surveillance Society’ September 2006 <http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_full_report_2006.pdf> accessed 5th March 2011
IJ Lloyd ‘Privacy and data protection’ 29th May 2008 <> accessed 7th March 2011
A Westin, ‘Information Technology in a Democracy’ (1971) Unir Micro. lms Int.,
R Clarke ‘Information Technology and Dataveillance’ (1988) Communications of the AMC Vol 31 No. 5 p498
N Jarvie, ‘Control of cybercrime - is an end to our privacy on the Internet a price worth paying? Part 2’ (2003) C.T.L.R., 9(4), 110-115 at 113
A Charlesworth, ‘Law enforcement and libraries in the UK: privacy, proportionality & good practice’ (2003) L.I.M., 3(2), 71-75 at 72
Malone v United Kingdom (1984) 7 EHRR 14
Interception of Communications Act 1985
Halford v United Kingdom [1997] ECHR 32
Regulation of Investigatory Powers Act 2000
I Mason Human rights, privacy and local authority investigations: learning to live with the Regulation of Investigatory Powers Act 2000 (2002) J.L.G.L. 5(4), 84-87 at 84
A Gillespie, ‘Regulation of internet surveillance’ E.H.R.L.R. 2009, 4, 552-565 at 554
R.L. McArthur, “ Reasonable Expectations of Privacy” (2001) 3 Ethics and Information Technology 123, 126
Von Hannover v Germany (2005) 40 E.H.R.R. 1
Peck v United Kingdom (2003) 36 E.H.R.R. 41
PG v United Kingdom (2001) 46 E.H.R.R. 51
S. Coleman, “ E-mail, terrorism, and the right to privacy” (2006) 8 Ethics and Information Technology 17 at 20
Section 26(2) of RIPA 2000 states surveillance is directed where it is covert and undertaken for the purposes of a specific investigation, is likely to result in the obtaining of private information about a person.
Section 26(3) of RIPA 2000 describes surveillance as intrusive where it involves surveillance in residential premises
Section cover human a person who establishes a personal relationship with someone for the covert purpose
Friedl v Austria (1996) 21 E.H.R.R. 83
Copland v United Kingdom (2007) 45 E.H.R.R. 37
N Birkett, ‘Report of the Committee of Privy Councillors appointed to inquire into the interception of communications’ (Cm 283)
D Ormerod & S McKay, ‘Telephone intercepts and their admissibility’ (2004) Crim. L.R. Jan, 15-38 at 31
J Chilcot, ‘Privy Council Review of intercept as evidence’ (Cm 7324)
M Ryder, ‘RIPA reviewed’ (2008) Arch. News 4, 6-9 at 9
Anti-Terrorism, Crime and Security Act 2001
G Ferguson & J Wadham, ‘Privacy and surveillance: a review of the Regulation of the Investigatory Powers Act 2000’ (2003) E.H.R.L.R. Supp 101-108 at 101