DRAFT 2 - The Internet has effectively rendered privacy as a thing of the past

Internet and the Law w12003024

The Internet has effectively rendered privacy as a

thing of the past.

Critically analyse the above statement with

reference to relevant academic literature, cases and

statutes.

Page 1 of 14


Introduction

The Internet is a system that connects together many individual computer networks allowing

for the transfer of digital data. This is why it is referred to as the network of networks1. As the

Internet develops and expands, it becomes more and more a part of our everyday lives. This

has led to the increase of personal data being used and kept online to identify who we are. It

is arguable this has led to the decline of privacy.

Privacy does not have a definite meaning in English Law. It means different things to

different people all over the world. The most commonly coined phrase is that given by Judge

Cooley, as recognised in the case of Wainwright v Home Office, ‘the right to be left alone’2.

As the right to privacy is one that is enshrined in the European Convention on Human Rights3

(hereinafter ECHR), it is evident that it is worth protecting. Unfortunately, as supported by

the recent Snowden revelations, it appears that this may not be the case, and mass

surveillance under the guise of national security seems to be taking precedent.

This paper seeks to evidence that the Internet has rendered privacy as a thing of the past. It

will do this by focussing on how public bodies use the Internet on a day to day basis to

invade our privacy for reasons of national security. It will also briefly touch on how private

bodies do the same for advertising. In order to achieve this, the current laws on privacy in the

UK must first be understood.

1 Andrew Murray, Information Technology Law (OUP 2010) 162 Wainwright v Home Office [2003] UKHL 53, [2004] 2 AC 406, 4193 Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended) (ECHR) Article 8

Page 2 of 14


Privacy Rights in the UK

In the UK, we have no overarching right to privacy4. However, as a member state of the

European Union, we do have a right to respect for private and family life under Article 8 of

the ECHR5. Although loosely referred to as a right to privacy, this right is not fundamental. It

is a qualified right and subject to the conditions laid out in Article 8(2)6. These provisions

provide circumstances where the state may justifiably interfere with an individual’s right,

such as in the interests of national security, public safety, and the prevention of disorder or

crime. As set out in the Handyside case, if a case concerning a breach of human rights

reaches the European Court of Human Rights in Strasbourg, a margin of appreciation will be

offered to member states when deciding whether an interference is justified7. In cases

concerning national security, public safety and the prevention of disorder or crime, the

margin of appreciation will be wide8. This offers more flexibility for member states in the

way they run their country.

The UK has incorporated the Articles set out in the ECHR into domestic law under section 2

of the Human Rights Act 1998 (hereinafter HRA). Section 6(1) of the HRA provides, ‘It is

unlawful for a public authority to act in a way which is incompatible with a convention

right’9. This provision makes it so that public authorities, such as the government, courts and

police, must comply with the Articles set out in the ECHR. In this sense, an individual can

bring a claim against a public authority for acting in a way incompatible with their Article 8

right, which offers them a sense of privacy. However, the HRA does not expressly offer

protection against private bodies. For instance, if a private company, such as the many social

networking sites on the Internet that use and bank our personal information, breaches our

Article 8 right, it can be much more difficult to enforce. It is still possible, but what is first

needed is a cause of action.

Traditionally, the primary method of protecting privacy in the UK is through the common

law equitable doctrine of breach of confidence10. Due to the requirement of establishing a

4 Wainwright v Home Office [2003] UKHL 53, [2004] 2 AC 4065 Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended) (ECHR) Article 86 Ibid Article 8(2)7 Handyside v United Kingdom (1976) Series A no 248 Klass v Germany (1978) Series A no 289 Human Rights Act 1998, s 6(1)10 Coco v AN Clarke (Engineers) Ltd [1968] FSR 415 (Ch)

Page 3 of 14


relationship element11, breach of confidence was seen as a narrow method of protecting one’s

rights. Since the enactment of the HRA in 1998 however, there has been an emergence of

cases concerning privacy rights, and the law of breach of confidence has had a significant

development. This is what is now known as the new tort of misuse of private information12.

Misuse of private information is a two part test. The first part is to establish whether there

was a reasonable expectation of privacy or not13. This is a broad question of fact that takes

into account all the relevant circumstances of the case14. The second part is a balancing

exercise between the claimants Article 8 right and the defendants Article 10 right15.

It has now been judicially recognised that values and scope of Article 8 are worth protecting

and can apply in disputes between individuals and private bodies. Using misuse of private

information as a cause of action, an individual can take a private body to court. The court is

then under an obligation to work in a way compatible with convention rights. Therefore, a

court must hear your claim for breach of your Article 8 right by a private body. This is known

as the indirect horizontal effect16.

The development of breach of confidence shows that the court believes our right to privacy is

important and one that should be protected. From this, it is arguable now that the UK does

have some form of protection of privacy. However, this may not always be the case. The

Internet is proving a powerful tool to public and private bodies in the surveillance of the

population, as highlighted by Edward Snowden in 2013. Mass surveillance is one way in

which the Internet is extinguishing privacy.

11 Coco v AN Clarke (Engineers) Ltd [1968] FSR 415 (Ch) 41912 Campbell v MGN Ltd [2004] UKHL 22, [2004] 2 AC 457, 46413 Murray v Express Newspapers plc [2008] EWCA Civ 446, [2009] Ch 481, 50214 Ibid15 Axel Springer AG v Germany (2012) 55 EHRR 6, 20016 Ian Leigh, ‘Horizontal rights, the Human Rights Act and privacy: lessons from the Commonwealth?’ (1999) ICLQ 57, 75

Page 4 of 14


Privacy and Surveillance

As previously mentioned, the development of the Internet has led to more and more personal

information is being stored and logged online. This happens through the means of social

networking sites, online shopping, apps requesting location services and various other

avenues. According to a recent Ofcom report, Eighty-five per cent of households owned at

least one Internet-enabled device in 201217. It was also found that the average amount of time

Internet users spent online, just through a laptop or desktop, was 24.6 hours per month. This

was more than double the amount of time users spent online in January 200418. When we

spend this amount of time online, and store the vast amount of information that is required,

we leave ourselves open to attacks on our privacy. The form in which this happens most is

surveillance.

The main, most commonly used form of surveillance has been identified as data

surveillance19. Data surveillance involves the collection and retention of an individual’s

Internet and phone usage. This allows for the mapping of a person’s travel and interactions,

online and offline, which in turn reveals information about their personality20. That

information can allow for the tracking of their movements and regulating of their behaviour.

This can have a very real effect on a person’s behaviour. If they know they are being

watched, or possibly being watched, it inhibits what they would normally and openly do. We

lose the ability to interact anonymously, inhibiting our freedom of expression21.

An analogy can be draw from Jeremy Bentham’s panopticon. Bentham designed a prison

building with the ability to be manned by just one prison guard. The prison was a circular

building with a guard house positioned centrally, permitting one guard constant surveillance

of every inmates cell. The guard could see the inmates at all times, but the inmates could not

see the guard. Although the guard could not physically watch every inmate at once, the

inmates would never be sure whether they were being watched or not. This would dictate

their behaviour, as they would not want to risk punishment22. This can be seen in modern

society through the use of data surveillance. Though 200 years old, Bentham’s concept of the

17 Ofcom, ‘Communications market report 2012’ (Ofcom, 18 July 2012) 24018 Ibid 24519 Ian J Lloyd, Information Technology Law (7th edn, OUP 2014) 1120 Ibid 1221 Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended) (ECHR) Article 1022 Kim Davies, ‘Panopticon’ in Mary Bosworth (eds), Encyclopedia of Prisons and Correctional Facilities, vol 2 (SAGE Publications 2005) 663-665

Page 5 of 14


panopticon is still being used to represent modern society and the Internet today since citizens

are under constant surveillance23. Cookies and web bugs allow public and private bodies to

find out every webpage a user visits, item they look at in the course of shopping, or web

search they enter into Google24. They can then use this electronic trace of user’s activities to

create data profiles25. Just like the panopticon, it changes the way we use the Internet as we

are in constant fear of being linked, categorised, and possibly punished, whether we are being

watched or not.

Privacy and Public Bodies

The data used to create these data profiles is termed communications data. Another type of

data is content data. Communications data is data on the origin, destination, route, and time

of any form of communication. This is also known as metadata. Content data is the content of

that communication. Communications data can be just as valuable as content data for the

reasons highlighted above. It allows for data profiles to be made and conclusions to be

drawn26. To avoid abuse of power, the interceptions of both these types of data are regulated

by the Regulation of Investigatory Powers Act 2000 (hereinafter RIPA). Part 1 of the Act is

split into two chapters. Chapter I covers the interception and obtaining of content data27.

Chapter II covers the acquisition and disclosure of communications data28. Section 1 of the

Act makes it an offence for any person, either connected with law enforcement or as a private

body, to intercept any communication in the course of its transmission by means of a private

telecommunication system29. An exception is given to law enforcement authorities, who must

seek a warrant to intercept30. The public bodies that can intercept and access data are set out

in section 2231, and the justifications for access are set out in section 22(2)32. Having strict

legislation on the interception of data is necessary to monitor and limit surveillance, stop

abuse of power, and in turn protect our right to privacy. However, as shown by the

whistleblower Edward Snowden’s leaks on America’s National Security Agency (hereinafter

23 Ibid 66524 Ian J Lloyd, Information Technology Law (7th edn, OUP 2014) 14825 Kim Davies, ‘Panopticon’ in Mary Bosworth (eds), Encyclopedia of Prisons and Correctional Facilities, vol 2 (SAGE Publications 2005) 66526 Rio Ferdinand v MGN Limited [2011] EWHC 2454 (QB)27 Regulation of Investigatory Powers Act 2000, ss 1 - 2028 Ibid ss 21 - 2529 Ibid s 130 Ibid ss 6 - 1131 Ibid s 2232 Ibid s 22(2)

Page 6 of 14


NSA) and the UK’s Government Communications Headquarters (hereinafter GCHQ)

activities, this may not always be the case.

The NSA is America’s intelligence agency, like GCHQ is the UK’s. In June 2013, Edward

Snowden, ex-contractor for the NSA, leaked information through The Guardian regarding a

program that the NSA used called PRISM. It allowed them to gain direct access to content

data held by Google, Facebook, Apple and other giant Internet related companies33.

Information regarding a second program was also released, that showed the NSA had been

granted a secret court order requiring US telecommunications companies to transmit user’s

communications data on a continuing basis34. The revelations revealed that GCHQ had been

supplied information from the PRISM program, and had its own operation codenamed

Tempora. This operation involved the tapping into transatlantic fibre-optic cables which carry

the world's Internet traffic and phone calls, allowing for the monitoring of the world’s

communications35. The revelations showed that NSA and GCHQ were conducting mass

surveillance on the world’s population without public knowledge. While the NSA, GCHQ

and political leaders maintained the mass surveillance was within the law, academics and

other relevant legal experts have challenged this. A study conducted by Sergio Carrera of the

Centre for European Policy Studies and Francesco Ragazi of Leiden University in light of the

revelations showed that mass Internet surveillance by the NSA and GCHQ violated human

rights36.

In the aftermath of the revelations, human rights organisation Liberty, amongst others,

initiated legal proceedings against GCHQ based on Snowden’s allegations37. Section 65

RIPA establishes that the Investigatory Powers Tribunal will handle all complaints by

citizens concerning communications interception38, and so was the location of the instant

hearing. Liberty’s argument came in two parts. First, that GCHQ had unlawfully been

supplied information obtained through the NSA’s PRISM program as they did not have a

33 Mirren Gidda, ‘Edward Snowden and the NSA files – timeline’, The Guardian (London, 21 August 2013)<http://www.theguardian.com/world/2013/jun/23/edward-snowden-nsa-files-timeline> accessed 21 April 201534 Ian J Lloyd, Information Technology Law (7th edn, OUP 2014) 835 Ewen MacAskill and others, ‘GCHQ taps fibre-optic cables for secret access to world's communications’, The Guardian (London, 21 June 2013) <http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa> accessed 11 April 201536 Sergio Carrera and others, ‘National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law’, (Policy Department C: Citizens' Rights and Constitutional Affairs, 15 October 2013) part 4.137 Liberty v Government Communications Headquarters [2014] UKIPTrib 13 77-H, [2015] 1 Cr App R 24 38 Regulation of Investigatory Powers Act 2000, s 65

Page 7 of 14


warrant, and second, that GCHQ’s own, Tempora, was also illegal. They alleged that these

activities breached Article 8 and, through the panopticon concept highlighted above, Article

10. GCHQ argued that any interference was necessary in the interests of national security.

Before the tribunal, came two questions. The first was, are there publically known rules for

the interception of communications whose content is sufficiently indicated39. It was found

that prior to Snowden’s revelations, the surveillance may have been disproportionate, but

after, when the information was in the public domain, it became proportionate. The tribunal

was satisfied on this point as, although they were classified, arrangements implementing the

statutory framework sufficiently restricted the potential for abuse40. The second was, are these

rules subject to proper oversight41. The tribunal saw that the statutory bodies, in addition to

the tribunal itself, provided enough to satisfy this requirement, which ensured the legality of

the surveillance42. In principal, GCHQ’s actions were lawful. However, the tribunal’s

decision does not come without scrutiny.

The safeguards the Liberty case refers to are the Interception of communications

commissioner, the Intelligence and Security Committee and the Tribunal itself43. In coming to

its decision that GCHQ’s actions were lawful, it relied heavily on the fact that these

safeguards were adequate in protecting citizens ECHR rights. However, it can be argued that

this is not the case, and a scrutiny of their practice is necessary.

In the 2013 Annual Report of the Interception of Communications Commissioner, it was

found that the total number of authorisations and notices for communications data, excluding

urgent oral requests, was 514,60844. On the basis that there are 64 million people in the UK45,

this is a request to intercept communications data on roughly 1 in 125 people. It is arguable

that this is not proportionate, even in the interests of national security. The interference is on

too high a scale.

39 Liberty v Government Communications Headquarters [2014] UKIPTrib 13 77-H, [2015] 1 Cr App R 24, 335-33840 Ibid 335-33841 Ibid 335-33842 Ibid 335-33843 Ibid 31444 Interception of Communications Commissioner, 2013 Annual Report of the Interception of Communications Commissioner (HC 1184, 2014) para 4.1445 Office for National Statistics, ‘Population Estimates for UK, England and Wales, Scotland and Northern Ireland, Mid-2013’ (Office for National Statistics, 26 June 2014) <http://www.ons.gov.uk/ons/rel/pop-estimate/population-estimates-for-uk--england-and-wales--scotland-and-northern-ireland/2013/index.html> accessed 13 April 2015

Page 8 of 14


The Investigatory Powers Tribunal has been considered fundamentally flawed. Arguments

were put forward by leading academics as evidence for the recent Intelligence and Security

Committee report in 2015. The tribunal was criticised for upholding complaints on a tiny

majority of cases, being unable to practically make judgements on cases heard in secret,

rarely publishing its rulings, and not having a right of domestic appeal46. It is been considered

strange that such a secretive tribunal, which is a court in all but name, can make judgements

on such fundamental issues such as human rights47. It is argued that if the way in which

justice is carried out in regards to surveillance is fundamentally flawed, then our Article 8

right cannot be sufficiently enforced, and so is being infringed upon by the internet.

As mentioned above, Article 8 is not an absolute right. Article 2, the right to life, however, is.

It was found in the Intelligence and Security Committee’s investigation that, when deciding

whether an interference is necessary, GCHQ will use what is called the HRA triple test48.

This test involved the requirement that an interference be for a lawful purpose, necessary and

proportionate before being carried out. There are clearly circumstances in the age we live in

where an individual’s right to privacy may be incompatible with our collective right to

security, and one right must take precedence over the other. This test must be passed before

action can be taken which compromises an individual’s right to privacy49. It is the belief that,

although not safeguarded perfectly, interference is always necessary, no matter how intrusive.

Interference could have stopped terror attacks such as the recent Charlie Hebdo attacks in

Paris50. The ordinary citizen should have nothing to fear or hide, so surely interference, and

the absolute right Article 2, should take precedent.

46 Intelligence and Security Committee of Parliament, Privacy and Security: A modern and transparent legal framework (HC 1075, 12 March 2015) para 21447 Andrew Wheelhouse, ‘The Legality of Mass Surveillance Operations’ (Oxford Human Rights Hub Blog, 7 February 2015) <http://ohrh.law.ox.ac.uk/the-legality-of-mass-surveillance-operations/> accessed 13 April 201548 Intelligence and Security Committee of Parliament, Privacy and Security: A modern and transparent legal framework (HC 1075, 12 March 2015) para 23 - 2749 Ibid para 23 - 2750 Andrew Wheelhouse, ‘The Legality of Mass Surveillance Operations’ (Oxford Human Rights Hub Blog, 7 February 2015) <http://ohrh.law.ox.ac.uk/the-legality-of-mass-surveillance-operations/> accessed 13 April 2015

Page 9 of 14


Private surveillance

The Internet has not only led to the growth of public authorities using mass surveillance in

the interests of national security, it has also led to private companies using it for data

profiling and user-specific advertising. However, unlike public bodies, private bodies do not

have a duty under the HRA to uphold the right to privacy. Instead, what is necessary is pre-

existing legislation, or the action of misuse of private information51. With this tort, an

individual can enforce their Article 8 right against a private company.

One way private companies create data profiles of Internet users is using cookies. These may

be used to identify the fact that a particular user has accessed the site previously, and can be

used to customise the page according to previous activities. They may also be used to relieve

the user of the need to supply full details of name, address and financial information52.

Conversely, they can be used to create user-specific advertising and data profiles53. This

obviously has implications on privacy. With the increased use of the internet in day to day

life, the use of cookies in the UK has increased proportionately54. The EU recognised that

with the increased use of Internet and cookies, a risk to privacy was posed. Whereas old

cookie regulations required an ‘opt-out’ service55, which was often hidden in privacy policies,

the new 2011 require a much more prominent notice of the use of cookies, as well as an ‘opt-

in’ service56. This shows that the EU recognises privacy is at risk with increased Internet

usage. It shows that, in a commercial context, the development of the Internet walks hand in

hand with the development of the protection of privacy. However, even though the protection

of privacy is necessary, to some, the use of cookies is necessary. Facebook is a free-to-use

service for example. This means the only way it can make its money is through

advertisements. The reason its advertisements are so successful is through the use of cookies.

Cookies are necessary for the Internet to keep on developing, which in turn provides new

innovative services for us. Balancing this development and the right to privacy is one which

is difficult to achieve in this information society.

51 Mosley v United Kingdom (2011) 53 EHRR 3052 Ian J Lloyd, Information Technology Law (7th edn, OUP 2014) 15353 Andrew Murray, Information Technology Law (OUP 2010) 3854 Nicole Kobie, ‘Why the cookies law wasn't fully baked – and how to avoid being tracked online’ The Guardian (London, 19 March 2015) <http://www.theguardian.com/technology/2015/mar/19/cookies-how-to-avoid-being-tracked-online> accessed 15 April 201555 Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2003 SI 2003/242656 Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 SI 2011/1208

Page 10 of 14


Conclusion

The recent Snowden revelations have shown that the US and UK intelligence agencies, the

NSA and GCHQ, are conducting mass surveillance on the worlds Internet and

telecommunications traffic. Although the Investigatory Powers Tribunal, supported by the

2015 Intelligence and Security report, found GCHQ’s actions as ECHR compatible in the

Liberty case, there is an argument for bias. The actions do infringe on all citizens Article 8

rights as intercepting the worlds Internet traffic without a warrant cannot be justified as ‘in

the interests of national security’. It is too disproportionate.

However, we now live in an era were national security is under as great a threat from

terrorism as it has ever been. This can be illustrated by the recent Charlie Hebdo attacks in

Paris. Privacy is the price we must now pay for national security. People invent false care

about their privacy rights being infringed, yet complain at a much louder capacity when

national security fails. Ordinary citizens should not have anything to fear or hide, so should

not be concerned with their right to privacy being infringed, when their Article 2, right to life,

is at stake. If allowing GCHQ and the NSA to intercept our internet traffic, which prima facie

invades our privacy, is the price we must pay for national security, then the ordinary citizen

must believe this is one which is fair and proportionate.

Word Count: 3,227

Page 11 of 14


BIBLIOGRAPHY

Primary Sources

UK Primary Legislation

Human Rights Act 1998

Regulation of Investigatory Powers Act 2000

Cases from England and Wales

Campbell v MGN Ltd [2004] UKHL 22, [2004] 2 AC 457

Coco v AN Clarke (Engineers) Ltd [1968] FSR 415 (Ch)

Liberty v Government Communications Headquarters [2014] UKIPTrib 13 77-H, [2015] 1 Cr App R 24

Mosley v United Kingdom (2011) 53 EHRR 30

Murray v Express Newspapers plc [2008] EWCA Civ 446, [2009] Ch 481

Rio Ferdinand v MGN Limited [2011] EWHC 2454 (QB)

Wainwright v Home Office [2003] UKHL 53, [2004] 2 AC 406

European Union Legislation

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2003 SI 2003/2426

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 SI 2011/1208

European Court of Human Rights Legislation

Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended) (ECHR)

European Court of Human Rights Cases

Axel Springer AG v Germany (2012) 55 EHRR 6

Handyside v United Kingdom (1976) Series A no 24

Klass v Germany (1978) Series A no 28

Page 12 of 14


Secondary Sources

Books

Davies K, ‘Panopticon’ in Bosworth M (eds), Encyclopedia of Prisons and Correctional Facilities, vol 2 (SAGE Publications 2005)

Lloyd I J, Information Technology Law (7th edn, OUP 2014)

Murray A, Information Technology Law (OUP 2010)

Articles

Leigh I, ‘Horizontal rights, the Human Rights Act and privacy: lessons from the Commonwealth?’ (1999) ICLQ 57

–– Mason S, ‘The Internet and Privacy: Some Considerations’ (2015) CTLR 68

Websites and Blogs

Kobie N, ‘Why the cookies law wasn't fully baked – and how to avoid being tracked online’ The Guardian (London, 19 March 2015) <http://www.theguardian.com/technology/2015/mar/19/cookies-how-to-avoid-being-tracked-online>

Office for National Statistics, ‘Population Estimates for UK, England and Wales, Scotland and Northern Ireland, Mid-2013’ (Office for National Statistics, 26 June 2014) <http://www.ons.gov.uk/ons/rel/pop-estimate/population-estimates-for-uk--england-and-wales--scotland-and-northern-ireland/2013/index.html>

Wheelhouse A, ‘The Legality of Mass Surveillance Operations’ (Oxford Human Rights Hub Blog, 7 February 2015) <http://ohrh.law.ox.ac.uk/the-legality-of-mass-surveillance-operations/>

Newspaper Articles

Gidda M, ‘Edward Snowden and the NSA files – timeline’, The Guardian (London, 21 August 2013)<http://www.theguardian.com/world/2013/jun/23/edward-snowden-nsa-files-timeline>

MacAskill E and others, ‘GCHQ taps fibre-optic cables for secret access to world's communications’, The Guardian (London, 21 June 2013) <http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa>

Page 13 of 14


Other Secondary Sources

Carrera S and others, ‘National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law’, (Policy Department C: Citizens' Rights and Constitutional Affairs, 15 October 2013)

Intelligence and Security Committee of Parliament, Privacy and Security: A modern and transparent legal framework (HC 1075, 12 March 2015)

Interception of Communications Commissioner, 2013 Annual Report of the Interception of Communications Commissioner (HC 1184, 2014)

Ofcom, ‘Communications market report 2012’ (Ofcom, 18 July 2012)

Page 14 of 14

Documents

DRAFT 2 - The Internet has effectively rendered privacy as a thing of the past