The last couple of weeks have been full of the revelations about NSA spying on a massive scale. What has been slightly disconcerting is that the agency and its defenders have essentially tried to argue that the spying doesn't matter because it's only aimed at "foreigners". But that's us: which means that we are the target of this spying, even if others get caught up in it too.
I'll be coming back to the implications of that in another post, but here I just want to point out something else: that it's important to remember that we are already being spied upon on a routine basis by our own governments, thanks to the EU's Data Retention Directive:
The Data Retention Directive requires operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.
27 EU States have notified the Commission about the transposition of the Directive into their national law. However, of these, Germany and Belgium have only transposed the legislation partially.
That's from the official EU page on the subject, which continues with the following claim:
Law enforcement authorities in most EU States have reported that retained data play a central role in their criminal investigations. These data have provided valuable leads and evidence that have resulted in convictions for criminal offences and in acquittals of innocent suspects in relation to crimes which, without an obligation to retain these data, might never have been solved.
This is, of course, exactly the argument the UK government is using for its even more intrusive Snooper's Charter. The vague, unsubstantiated claims made above sound plausible: that if you track everyone's communications all the time you'll be able to find out stuff that allows you to convict more people. The detailed reality turns out to be rather different, as the case of Denmark demonstrates:
According to the Danish law, all Internet traffic must be logged, registered and stored for one year. As mentioned above, this practice is called session logging. But a casual Internet user can, and usually does, generate an enormous amount of data in a single sitting of casual web surfing. As a result, the police and security services are drowning in a tsunami of user data that they cannot sort and therefore cannot use. According to the above-cited report compiled by the Danish Ministry of Justice, 90 percent of the data collected under the Data Retention Law is acquired via session logging — i.e., Internet surveillance. But the software used by the Danish police has proven inadequate for the task of handling and analyzing the majority of the data, rendering it useless — even as the privacy rights of ordinary citizens not suspected of any crime is routinely violated.
The Danish police themselves admit this:
The police, meanwhile, have concluded that requiring telecoms to store Internet subscriber data has not helped them track criminals, which was the ostensible purpose of the practice.
More data does not equal more information. Indeed, probably just the opposite: had police forces spent more time and resources using conventional, targeted tools, instead of trying to trawl through enormous and growing quantities of data, they might have had rather more luck.
Still, you might think there's not much to be done now. However, it turns that a serious challenge is currently being made to the Data Retention Directive that could cause it to be overturned completely. Digital Rights Ireland has been mounting a slow-burning campaign against the Directive that began back in 2006:
These laws require telephone companies and internet service providers to spy on all customers, logging their movements, their telephone calls, their emails, and their internet access, and to store that information for up to three years. This information can then be accessed without any court order or other adequate safeguard. We believe that this is a breach of fundamental rights. We have written to the [Irish] Government raising our concerns but, as they have failed to take any action, we are now forced to start legal proceedings.
Accordingly, we have now launched a legal challenge to the Irish government's power to pass these laws. We say that it is contrary to the Irish Constitution as well as Irish and European Data Protection laws.
We also challenge the claim that the European Commission and Parliament had the power to enact the Data Retention Directive. We say that this kind of mass surveillance is a breach of Human Rights, as recognised in the European Convention on Human Rights and the EU Charter on Fundamental Rights which all EU member states have endorsed.
If we are successful, the effect will be to undermine Data Retention laws in all EU states, not just Ireland, and to overturn the Data Retention Directive. A ruling from the European Court of Justice that Data Retention is contrary to Human Rights will be binding on all member states, their courts and the EU institutions.
Digital Rights Ireland Chairman T J McIntyre is also quoted as saying:
These mass surveillance laws are a direct, deliberate attack on our right to have a private life, without undue interference by the government. That right is underpinned in the laws of European countries and is also explicitly stated in Article 8 of the European Convention on Human Rights. The Article specifies that public authorities may only interfere with this right in narrowly defined circumstances.
The information will be collected and stored on everyone, regardless of whether you are a criminal, a policeman, a journalist, a judge, or an ordinary citizen. Once collected, this information is wide open to misappropriation and misuse. No evidence has been produced to suggest that data retention laws will do anything to stop terrorism or organized crime.
We accept, of course, that law-enforcement agencies should have access to some call data. But access must be proportionate. In particular, there should be clear evidence of a need to move beyond the six months of storage which is already used for billing purposes. Neither the European Commission nor the European police forces have made any case as to why they might require years of data to be retained.
That's spot on: nobody is suggesting the police should not have the tools they need, but as the Danish experience clearly shows, giving the police minutely-detailed information about what every one of us is doing is not only a devastating attack on our private life, but it is actually counter-productive for the purposes of law enforcement.
The good news is that seven years later, Digital Rights Ireland's case has finally reached the highest court in Europe:
The Court of Justice of the European Union has joined two cases on the validity of the data retention directive (2006/24/EC) for a hearing before the Grand Chamber on 9 July 2013. The references for a preliminary ruling, brought to the ECJ by the Irish High Court (C-293/12 Digital Rights Ireland) and by the Austrian Constitutional Court (C-594/12 Seitlinger and Others) question the compatibility of the data retention directive with Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union, and the ECJ has indicated to the parties that the hearing will focus on Articles 7 and 8 of the Charter.
The rest of that post linked to above contains the gory legal details, but as Digital Rights Ireland explains, the key point remains this:
If we are successful, it will strike down these laws for all of Europe and will declare illegal this type of mass surveillance of the entire population.
That would be a truly massive win for privacy and liberty in the Europe, and it's extraordinary that Digital Rights Ireland has almost single-handedly brought us to this point. If, like me, you are wondering what you could do to support this amazing move, the simple answer is: please make a donation, however small. It's extremely quick and easy to do – I've done it, and I urge you to do the same.
If it helps to overturn the disproportionate EU Data Retention Directive and its pernicious assumption that governments have a right to spy on our past communications, kept for the purpose in huge and thus dangerous databases, it could be the best few quid you've spent in a long time.