Thursday, 11 November 2010

A rather phormulaic proposal

Following yesterday's mini-rant on the failure to publicise this and the rather short consultation period, Matron has now had the opportunity for a more intimate heart-to-heart with the ever-so-under-the-radar Home Office proposals on changes to RIPA. The verdict: while there doesn't seem to be anything particularly offensive in there, she can't help feeling that we are once more bearing witness to the UK government trying very hard to comply with the nagging of those pesky Europeans while, really, not changing things all that much in practice.

By way of background, the changes to RIPA became necessary because the European Commission - following, among other things, a letter-writing campaign by that excellent Open Rights Group - referred the UK to the European Court of Justice because it felt that the UK had not fully implemented the rules on the confidentiality of electronic communications contained in the E-Privacy Directive (2002/58/EC). That Directive provides that member states must adopt provisions which prohibit the unlawful interception and surveillance of electronic communications unless the users concerned have given their consent. According to the Data Protection Directive, that consent must be "freely given, specific and informed". Member states must also establish appropriate sanctions where these prohibitions are infringed, and independent authorities must be charged with supervising this area to prevent any unlawful interception.

As per usual, the UK has watered down these draconian requirements a little to make life easier for the folks in the interception trade. Section 1(1) RIPA only prohibits intentional interceptions (accidents do happen, don't they?); section 3(1) RIPA lets offenders off the hook if they had "reasonable grounds for believing that consent has been given"; and as for establishing a proper supervising authority, well, there was that minor issue of a gap between the supervisory powers of the Information Commissioner (who doesn't do interceptions) and the Interception of Communications Commissioner - or IoCC - (who doesn't concern himself with the conduct of private entities).

All this left said private entities in the fairly comfortable and almost entirely unregulated sphere in which companies like Phorm and their ISP partners then thought that it might be a good idea secretly to analyse people's web surfing habits the better to determine their interests so that targeted advertising can be delivered to their screens. Let's face it, folks, cheap broadband doesn't pay for itself.

When the Phorm, sorry storm, broke loose, however, many of those people figured they'd rather not have every single one of their online moves recorded - albeit, according to Phorm's PR, in the most privacy-friendly way possible - and many of the CSPs had to beat a hasty retreat. Phorm itself has, for the time being, left the building, although it is still flogging its technology in other countries.

But back to the European Commission, the ECJ and the UK's urgent need to do something to avoid further costly proceedings. The consultation paper proposes, in essence, three things:
  1. The government, acknowledging that section 3(1) of RIPA does not provide the clarity the CSPs need to determine whether or not their customers have consented to their weird schemes, wants to "remove the ambiguity" and thereby "ensure that the provision is consistent with the definition of consent" contained in the Data Protection Directive. It doesn't say exactly how it wants to do this. Whether it will simply remove the offending "reasonable grounds" passage or whether it will come up with something more roundabout is one of the things we will have to look out for when the draft legislation is published. But for the time being this does not sound too bad. However, there is a problem with the use of consent in this context, and this is one of the points that Matron wants to look at in a little more detail later.
  2. The government also wants to expand the functions of the IoCC so that, in the future, he can - following a complaint by a user - investigate CSPs in cases of unlawful, unintentional interceptions. Again, this seems to address the European Commission's concerns to a certain extent, but even the work of the IoCC in his natural habitat of supervising the interception activities of public bodies is not without question, and the same issues do arise here. Of that, too, more below.
  3. Finally, the government wants to introduce a new civil monetary penalty of up to £10,000 that the IoCC can impose on anyone violating the prohibition on unintentional interceptions. He may also be given the power to issue a notice requiring the unintentional unlawful interception to cease. Any penalty or enforcement notice may be appealed to the First-tier Tribunal, and the proposal includes comprehensive provisions governing such an appeals process.

So far, so business-as-usual. The procedures proposed here came pretty much straight out of the regulatory textbook and bear many a resemblance to the procedures that apply in the context of complaints to the Information Commissioner about data protection breaches. There is no reason why it shouldn't work in this context. Except...

Consent

As in all cases where consent is used in a relationship between businesses and individuals, there is actually a pretty big question mark both over the "informed" and over the "freely given" part. Informed consent should mean, at the very minimum, that she who consents to something should be aware of what she is consenting to. As we all know, in an online context this is little more than a legal fiction because UK law allows providers to hide consent provisions deep in the recesses of their privacy policies or terms of use, which no one in their right mind ever reads unless they are mentally disturbed or a privacy lawyer or both.

This means that, on the basis of these new rules, there is nothing stopping CSPs from including relevant implied consent provisions in their business terms, from which point forward they will no longer have to worry about their customers' consent, at least if they want to carry out interceptions for the purpose of behavioural advertising.

As many people wiser and more knowledgeable in this area than Matron have pointed out, this may still not actually allow them to intercept those communications because the consent of both participants to the communication is needed under RIPA. But if that communication concerns, for example, a user visiting a website for some online shopping, that website - as the other participant - could possibly be persuaded by the CSP to agree to the monitoring of that traffic in return for a small cut of the advertising revenue thus created. Stranger things have happened at sea and there are probably no limits to the length to which most online businesses would go when developing new monetisation strategies.

But coming back to the user who is, normally, the CSP's customer. Will this user have the right not to consent to the interception of her communications by her CSP without losing the ability to use the CSP's service? Online business terms are usually take-it-or-leave-it, my-way-or-the-highway kinda terms. CSPs may well be of the opinion that targeted advertising, which is after all used to co-finance cheap broadband access, is a necessary revenue stream in a competitive environment and that any user who doesn't play ball is free to find another provider. The problem is that, if all CSPs think that way, there will be no other provider to go to. And what then?

For this sort of thing we have two analogies in the law which we may want to draw upon. The first is the way in which the law deals with cookies. Now as we all know, there is some change coming in this area, but the one thing that remains unchanged is the fact that website operators that wish to use cookies can prevent users who refuse them from accessing certain parts of their website. CSPs could therefore argue that it should be the same in the case of targeted advertising and the related interceptions of users' communications. Is that justifiable, though?

The other analogy is employment law, where the use of consent is very limited because it is widely accepted that in an employer-employee relationship it will rarely be freely given.

If, therefore, as a stubborn user who does not want to have her communications intercepted, Matron would, in practice, no longer be able to find an ISP that will have her, she would possibly no longer be able to access the internet. However, as Matron and many others of her persuasion have long argued, by now the internet is such an important part of everyone's life - it facilitates not only economic and social activities but also education and political participation - that to be without internet access is tantamount to the violation of a human right.

Now, some readers might think that this is a bit of an exaggeration, and maybe it is, but if "choice", that famous holy grail of the free marketeers, comes down to a choice between one ISP who will intercept your communications and another who will do the same, is that not a clear case of market failure? And shouldn't the government anticipate this situation and do something about it, now that it has the chance?

Sanctions

The government did apparently consider introducing criminal sanctions rather than a civil penalty, but it decided against it in the end because it feared that the enforcement of such sanctions would be impractical and impose undue strain on the UK's police forces.

As a card-carrying, bleeding-heart liberal, Matron is no great friend of potentially increasing the country's prison population for non-violent offences (although, as a practising lawyer, it has been her experience that the threat of criminal sanctions tends to focus the CEO's mind), and for that reason she will not criticise the government for shying away from this step.

However, realistically, a penalty of "up to £10,000" is unlikely to be a major deterrent for CSPs, as this is the sort of amount that many companies view as beer money. Unfortunately, one of the viable alternatives - giving the user whose communications have been intercepted a right to claim damages - already doesn't work in the area of data protection because, in the absence of punitive damages, it is actually terribly difficult to prove financial loss in these circumstances.

Which makes Matron think that maybe something along the lines of the recently introduced data security breach notification system should be put in place instead. That system, for those who do not know, requires providers of electronic communications services to notify any breach of data security to the Information Commissioner and, if the Commissioner thinks that this is appropriate, to the affected data subjects.

As we are largely talking about unintentional interceptions when we are talking about sanctions, should we suggest a similar procedure here? Where the CSPs, if they find out that they accidentally intercepted someone's communications, would be required to send an "oops" notice to the IoCC who, if the breach was grave enough, might also force them to send a similar notice to their customers? As we know, bad publicity is a much stronger incentive not to do wrong than a monetary slap on the wrist. It may just work.

Complaints

However, even this last proposal overlooks the main issue with this new procedure, namely that, as a rule, the IoCC will act in response to a complaint by a user who suspects that her communications have been intercepted. We already have this right in relation to interceptions by public authorities and it has gotten us exactly nowhere. That is largely because most of us will never realise or suspect that our communications have been intercepted. It doesn't show up on our screens and, by and large, we will never find out about it unless the interceptor is very open or very stupid.

This is borne out by the figures in relation to state interceptions:

  • In 2008, the Information Tribunal received 176 complaints about suspected interception. In 2009 it was a mere 156. Now bearing in mind that this was round about the time that the Phorm story broke in the press, which may or may not have increased sensibility, it makes sense to look at the earlier figures and, lo and behold, in 2007, it was only 66, 86 in 2006, and 80 in 2005.
  • Since RIPA came into force, the Information Tribunal has upheld exactly four, yes FOUR, of these complaints. Hardly a result that has the national security services quaking in their boots.

So if the IoCC's duty to act is merely based on him receiving a complaint, then I think we can all rest assured that CSPs will not have an awful lot to fear when it comes to their murky online dealings. Legal protection in this area that depends on a commissioner is not effective; it never has been. In relation to state interceptions this has nonetheless been accepted because of the need to keep the interception activities of the security services secret. Whether one agrees with that approach or not, this is certainly not an argument that can or should be applied to interceptions by private entities. Individuals whose communications have - even unintentionally - been intercepted should be made aware of this and should be given appropriate judicial relief. The IoCC, if he is the one charged with oversight of this area, should be given full auditing powers - including dawn raid powers, if necessary - to ensure that private interceptions are detected and the legal sanctions enforced.

The confidentiality of our communications is not only an individual right, it is a public good that gives people the confidence to act freely and without fear in the online environment. We endanger it at our peril.

1 comment:

  1. Bravo :-)

    I have nothing to add! A first :)