Wednesday, 16 December 2015

Zakharov v Russia: Mass Surveillance and the European Court of Human Rights

Lorna Woods, Professor of Internet Law, University of Essex*
The European Court of Human Rights has heard numerous challenges to surveillance regimes, both individual and mass surveillance, with mixed results over the years.   Following the Snowden revelations, the question would be whether the ECtHR would take a hard line particularly as regards mass surveillance, given its suggestion in Kennedy that indiscriminate acquisition of vast amounts of data should not be permissible. Other human rights bodies have condemned this sort of practice, as can be seen by the UN Resolution 68/167 the Right to Privacy in the Digital Age. Even within the EU there has been concern as can be seen in cases such as Digital Rights Ireland (discussed here) and more recently in Schrems (discussed here). The Human Rights Court has now begun to answer this question, in the Grand Chamber judgment in Zakharov v. Russia (47143/06), handed down on December 4 2015.
Zakharov, a publisher and a chairman of an NGO campaigning for media freedom and journalists’ rights, sought to challenge the Russian system for permitting surveillance in the interests of crime prevention and national security. Z claimed that the privacy of his communications across mobile networks was infringed as the Russian State, by virtue of Order No. 70, had required the network operators to install equipment which permitted the Federal Security Service to intercept all telephone communications without prior judicial authorisation.
This facilitated blanket interception of mobile communications. Attempts to challenge this and to ensure that access to communications was restricted to authorised personnel were unsuccessful at national level. The matter was brought before the European Court of Human Rights. He argued that the laws relating to monitoring infringe his right to private life under Article 8; that parts of these laws are not accessible; and that there are no effective remedies (thus also infringing Art. 13 ECHR).
The first question was whether the case was admissible. The Court will usually not rule on questions in abstracto, but rather on the application of rules to a particular situation. This makes challenges to the existence of a system, rather than its use, problematic. The Court has long recognised that secret surveillance can give rise to particular features that may justify a different approach. Problematically, there were two lines of case law, one of which required the applicant to show a ‘reasonable likelihood’ that the security services had intercepted the applicant’s communications (Esbester) and which favoured the Government’s position, and the other which suggested the menace provided by a secret surveillance system was sufficient (Klass) and which favoured the applicant.
The Court took the opportunity to try to resolve these potentially conflicting decisions, developing its reasoning in Kennedy. It accepted the principle that legislation can be challenged subject to two conditions: the applicant potentially falls within the scope of the system; and the level of remedies available. This gives the Court a form of decision matrix in which a range of factual circumstances can be assessed. Where there are no effective remedies, the menace argument set out in its ruling in Klass would be accepted.
Crucially, even where there are remedies, an applicant can still challenge the legislation if ‘due to his personal situation, he is potentially at risk of being subjected to such measures’ [para 171]. This requirement of ‘potentially at risk’ seems lower than the ‘reasonable likelihood’ test in the earlier case of Esbester. The conditions were satisfied in this case as it has been recognised that mobile communications fall within ‘private life’ and ‘correspondence’ (see Liberty, para 56, cited here para 173).
This brought the Court to consider whether the intrusion could be justified. Re-iterating the well-established principles that, to be justified, any interference must be in accordance with the law, pursue a legitimate aim listed in Article 8(2) and be necessary in a democratic society, the Court considered each in turn.
The requirement of lawfulness has a double aspect, formal and qualitative. The challenged measure must be based in domestic law, but it must also be accessible to the person concerned and be foreseeable as to its effects (see e.g Rotaru). While these principles are generally applicable to all cases under Article 8 (and applied analogously in other rights, such as Articles 9, 10 and 11 ECHR), the Court noted the specificity of the situation. It stated that:
‘…. domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures’ [para 229].
In this, the Court referred to a long body of jurisprudence relating to surveillance, which recognises the specific nature of the threats that surveillance is used to address. In the earlier case of Kennedy for example, the Court noted that ‘threats to national security may vary in character and may be unanticipated or difficult to define in advance’ [para 159].
While the precision required of national law might be lower than the normal standard, the risk of abuse and arbitrariness are clear, so the exercise of any discretion must be laid down by law both as to its scope and the manner of its exercise. It stated that ‘it would be contrary to the rule of law … for a discretion granted to the executive in the sphere of national security to be expressed in terms of unfettered power’ [para 247]. Here, the Court noted that prior judicial authorisation was an important safeguard [para 249]. The Court gave examples of minimum safeguards:
§  The nature of offences which may give rise to an interception order
§  A definition of the categories of people liable to have their telephones tapped
§  A limit on the duration of telephone tapping
§  Protections and procedures for use, storage and examination of resulting data
§  Safeguards relating to the communication of data to third parties
§  Circumstances in which data/recordings must be erased/destroyed (para 231)
§  the equipment installed by the secret services keeps no logs or records of intercepted communication, which coupled with the direct access rendered any supervisory arrangements incapable of detecting unlawful interceptions
§  the emergency procedure provided for in Russian law, which enables interception without judicial authorization, does not provide sufficient safeguards against abuse.
The Court then considered the principles for assessing whether the intrusion was ‘necessary in a democratic society’, highlighting the tension between the needs to protect society and the consequences of that society of the measures taken to protect it. The Court emphasised that it must be satisfied that there are adequate and effective guarantees against abuse.
In this oversight mechanisms are central, especially where individuals will not – given the secret and therefore unknowable nature of surveillance – be in a position to protect their own rights. The court’s preference is to entrust supervisory control to a judge. For an individual to be able to challenge surveillance retrospectively, affected individuals need either to be informed about surveillance or for individuals to be able to bring challenges on the basis of a suspicion that surveillance has taken place.
Russian legislation lacks clarity concerning the categories of people liable to have their phones tapped, specifically through the blurring of witnesses with suspects and the fact that the security services have a very wide discretion. The provisions regarding discontinuation of surveillance are omitted in the case of the security services. The provisions regarding the storage and destruction of data allow for the retention of data which is clearly irrelevant; and as regards those charged with a criminal offence is unclear as to what happens to the material after the trial.
Notably, the domestic courts do not verify whether there is a reasonable suspicion against the person in respect of whose communications the security services have requested interception be permitted. Further, there is little assessment of whether the interception is necessary or justified: in practice it seems that the courts accept a mere reference to national security issues as being sufficient.
The details of the authorisation are also not specified, so authorisations have been granted without specifying – for example – the numbers to be interception. The Russian system, which at a technical level allows direct access, without the police and security services having to show an authorisation is particularly prone to abuse. The Court determined that the supervisory bodies were not sufficiently independent. Any effectiveness of the remedies available to challenge interception of communications is undermined by the fact that they are available only to persons who are able to submit proof of interception, knowledge and evidence of which is hard if not impossible to come by.
The Court could be seen as emphasising in its judgment by repeated reference to its earlier extensive case law on surveillance that there is nothing new here. Conversely, it could be argued that Zakharov is a Grand Chamber judgment which operates to reaffirm and highlight points made in previous judgments about the dangers of surveillance and the risk of abuse. The timing is also significant, particularly from a UK perspective. Zakharov was handed down as the draft Investigatory Powers Bill was published. Cases against the UK are pending at Strasbourg, while it follows the ECJ’s ruling in Schrems, with Davis (along with the Swedish Tele2 reference), querying whether the Digital Rights ruling applies to national data retention schemes, now pending before the ECJ (on that issue, see discussion here). The ECtHR noted the Digital Rights Ireland case in its summary of applicable law.
In setting out its framework for decisions, the Court’s requirement of ‘potentially at risk’ even when remedies are available seems lower than the ‘reasonable likelihood’ test in Esbester. The Court’s concern relates to ‘the need to ensure that the secrecy of surveillance measures does not result in the measures being effectively unchallengeable and outside the supervision of the national judicial authorities and of the Court’ [para 171]. This broad approach to standing is, as noted by Judge Dedon’s separate but concurring opinion, in marked contrast to the approach of the United States Supreme Court in Clapper where that court ‘failed to take a step forward’ (Opinion, section 4).
The reassessment of ‘victim status’ simultaneously determines standing, the question of the applicability of Article 8 and the question of whether there has been an infringement of that right. The abstract nature of the review then means that a lot falls on the determination of ‘in accordance with the law’ and consequently the question of whether the measures (rather than individual applications) are necessary in a democratic society. The leads to a close review of the system itself and the safeguards built in. Indeed, it is noteworthy that the Court did not just look at the provisions of Russian law, but also considered how they were applied in practice.
The Court seemed particularly sceptical about broadly determined definitions in the context of ‘national, military, economic or ecological security’ which confer ‘almost unlimited degree of discretion’ [para 248]. Although the system required prior judicial authorisation (noted para 259], in this case it was not sufficient counter to the breadth of the powers. So, prior judicial authorisation will not be a ‘get out of gaol free’ card for surveillance systems. There must be real oversight by the relevant authorities.
Further, the Court emphasised the need for the identification of triggering factor(s) for interception of communications, as otherwise this will lead to overbroad discretion [para 248]. Moreover, the Court stated that the national authorisation authorities must be capable of ‘verifying the existence of a reasonable suspicion against the person concerned’ [260-2], which in the context of technological access to mass communications might be difficult to satisfy. The Court also required that specific individuals or premises be identified. If it applies the same principles to mass surveillance currently operated in other European states, many systems might be hard to justify.
A further point to note relates to the technical means by which the interception was carried out. The Court was particularly critical of a system which allows the security services and the police the means to have direct access to all communications. It noted that ‘their ability to intercept the communications of a particular individual or individuals is not conditional on providing an interception authorisation to the communications service provider’ [para 268], thereby undermining any protections provided by the prior authorisation system.
Crucially, the police and security services could circumvent the requirement to demonstrate the legality of the interception [para 269]. The problem is exacerbated by the fact that the equipment used does not create a log of the interceptions which again undermines the supervisory authorities’ effectiveness [para 272]. This sort of reasoning could be applied in other circumstances where police and security forces have direct technical means to access content which is not dependent on access via a service provider (e.g. hacking computers and mobiles).
In sum, not only has the Russian system been found wanting in terms of compliance with Article 8, but the Court has drawn its judgment in terms which raised questions about the validity of other systems of mass surveillance.
*Reblogged with permission from the IALS Information Lawand Policy Centre blog
Barnard & Peers: chapter 9

No comments:

Post a Comment