Author: Olga Slipetska

  • UK’s Surveillance Regime in Breach of European Convention on Human Rights

In a previous edition of Cassandra Voices we discussed the Russian surveillance system, called SORM, and the far-reaching data privacy impact it may have vis-à-vis private individuals and communication service providers.

Russia is not the only state struggling to strike a balance between national security concerns, which often mandate extensive surveillance measures, and the right to data privacy of its citizens. Recently, the approach employed by the UK in this area, specifically the Regulation of Investigatory Powers Act 2000 that provides a legislative basis for governmental surveillance, was subjected to the scrutiny of the European Court of Human Rights (‘ECtHR’) in Strasbourg.

    In particular, in the case of Big Brother Watch and Others v. the United Kingdom the ECtHR had a chance to opine on the legality of the UK bulk interception regime, its intelligence sharing policy with foreign governments, and the manner in which it may collect data from communications services providers.

    Concerns around the UK government surveillance techniques were triggered following Edward Snowden’s allegations about the British Government Communications Headquarters’ (‘GCHQ’) surveillance protocols being even more extensive than the equivalent powers resorted to by the US government. Specifically, Snowden referred to the GCHQ-driven operation codenamed ‘TEMPORA’, which has supposedly facilitated tapping and storing of an unprecedented amount of data about private citizens in the UK. The British government has since neither confirmed nor denied the existence of such an operation.

The issue was subsequently picked up by civil rights activists, journalists and non-governmental organizations, including Big Brother Watch, Transparency International, Privacy International, the Bureau of Investigative Journalism, Open Rights Group etc., with the ECtHR passing final judgment on September 13th, 2018.

By five votes to two the ECtHR judges ruled that the bulk interception regime adopted by the UK violated Article 8 of the European Convention on Human Rights (‘ECHR’), specifically the right to respect for private and family life and correspondence, in the absence of sufficient safeguards to prevent abuse. The Court noted that while the bulk interception techniques themselves did not constitute a breach of Article 8, the failure to secure adequate safeguards did.

The Court also held, by six votes to one, that the approach for collecting data from communications service providers breached Article 8, and that both the bulk interception regime and the regime for obtaining data from communications service providers violated Article 10 – the right to freedom of expression and information – of the ECHR, again due to the absence of safeguards against abuse of these systems and of guarantees of an appropriate level of confidentiality.

    Notably, the UK regime for sharing intelligence with foreign governments was found to be in compliance with Articles 8 and 10.

It should be noted that the Court issued its judgment in the context of the Regulation of Investigatory Powers Act 2000, which currently forms the legal basis for surveillance activities pursued by the government in the UK. The Investigatory Powers Act 2016 is a new piece of legislation that was due to come into force after the allegations had been made and, therefore, fell outside the scope of the present case. Once fully in force, this Act is expected to substantially amend the existing regimes, and the recent ECtHR judgment will hopefully provide timely guidance for that purpose.

  • Your Fitbit Might be Walking You into Trouble

    In the previous edition of Cassandra Voices Eoin Tierney explored the extent to which data is routinely harvested in a variety of ways, some of which we cannot easily control. This extends to hardware used to measure one’s fitness.

Fitbit, a company producing a well-known activity tracker, is no exception. Data gleaned from these devices, usually worn like watches, has even been accepted as evidence in criminal trials in the United States. While such use offers advantages in certain contexts, there are obvious risks if the kind of information amassed by Fitbit circulates in the wrong hands.

With the General Data Protection Regulation (GDPR) entering into force last month, organisations all over the globe are reconsidering their data protection approaches and, as a result, updating their privacy policies. The brand-new Fitbit Privacy Policy, last updated on April 23rd 2018, can be found on Fitbit’s official website.

Like most privacy policies, its main objective is to align the company’s data privacy practices with the requirements of the GDPR. In particular, it lays down the scope of data routinely collected by Fitbit devices, which includes a customer’s name, email address, phone number, payment details and geographic location; the period of time for which such data is retained; and more.

All these provisions are worth noting for anyone who uses or intends to use Fitbit devices. One category that is essential for Fitbit’s operations, but should have a red flag attached to it in the context of the GDPR, is health-related and biometric data.

    In particular, Fitbit routinely collects your ‘logs for food, weight, sleep, water or female health tracking’, as well as other details that may furnish a vivid picture of any user’s behavioural patterns.

Article 9 of the GDPR places data concerning health and biometric data within the special categories of personal data, processing of which is restricted to ten instances only. These include, among others, explicit consent, public interest considerations and the performance of obligations in the area of employment and social security.

    Article 9.4 goes further, creating wide leeway for member states to legislate in this area – something that should have Fitbit on its guard for legislative developments in the countries where it operates.

This being said, Fitbit’s Privacy Policy does acknowledge the extent of sensitive personal data gathered by its watches and commits to obtaining separate consent from its users for related processing. It also expressly reserves the right to ‘preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request’.

    This is a typical provision found in most privacy policies. The GDPR itself expressly allows the disclosure of personal data following a mandatory legal requirement.

However, in Fitbit’s case this took an unexpected turn in a recent Wisconsin murder trial, when a judge admitted step-tracking data generated by Fitbit as evidence that the defendant could not have committed the murder, because the device showed he had been asleep at the time.

    In another instance, Fitbit logs were used by Connecticut police, this time to charge Richard Dabate for murdering his wife. The man concocted a fictional story to cover the murder, but his wife’s Fitbit brought the truth to the surface, revealing inconsistencies in Dabate’s version of events.

    Yet another example of Fitbit usage that clearly goes beyond what a fitness bracelet was intended for is the partnership that insurance companies are entering into with Fitbit.

In particular, individuals are offered a type of coverage that involves wearing a tracking device and sharing the data it collects with the insurance provider. On the one hand, such a development will help insurance companies to stay up to date with the health condition of their customers and, if need be, provide necessary assistance in case of an accident.

    At the same time, it effectively offers a full overview of a person’s life, including information about biorhythms, habits, and lifestyle quirks, that may later be utilized by insurance providers for purposes contrary to the interest of insurees, for example, by denying them insurance coverage, or raising their premium.

    *******

The aforementioned cases illustrate how modern technologies may be utilized in ways that an average user would never expect when purchasing a device. In some instances this brings benefits, while in others it shares intimate information about the owner, potentially to their detriment.

The purposes for which public authorities and external companies are using Fitbit-generated data remain contentious. Clearly, these deceptively innocent fitness-tracking gadgets turn out to amass unprecedented amounts of personal data.

    Arguably this tendency will only increase in future, with companies seeking more and more personal data to enhance and customise their products and services, in order to remain competitive in the modern market of accelerated technological development.

For now, the least a regular user should do is to stay up to date with his or her rights under existing data protection legislation, and to develop a clear picture of what personal data is being processed and used by manufacturers, and for which purposes.

    All of these questions should be addressed in the privacy policy of any company in question, and these are usually available on a company’s website.

    So next time, before blithely hitting the ‘I accept’ button in a privacy notice pop-up while configuring your Fitbit device, make sure you genuinely do not mind that sensitive and, otherwise, confidential, information about you is being collected, analysed, stored and even shared externally for purposes that go far beyond keeping you fit.

  • How Russian Internet Surveillance Operates

    The issue of data privacy is becoming a source of increasing individual and corporate unease with wide political ramifications. To that end the European Union’s General Data Protection Regulation (GDPR), which comes into force in less than two months, will attempt to harmonize and enhance data protection standards across the continent.

    Around the world governments actively monitor Internet communications. Here I examine Russia’s System for Operative Investigative Activities (SORM) that the government employs for the purposes of lawful interception of various IT and telecommunication systems.

The original version of SORM was introduced in 1995, and allowed the Federal Security Service (FSB) to monitor phone calls and the Internet activity of users, despite the limited reach and functionality of Internet services at that time.

SORM-1 consisted of special hardware furnished by the FSB that telecommunication operators were mandated to adopt within their infrastructures. The arguments used in favour of SORM-1 centred on maintaining security in the public interest, at a time of considerable unrest in the country.

    As information technologies have matured in Russia, so have the technologies utilized by the government to oversee and, where the need arises, tame them. In 1998 a new version of SORM was released (SORM-2). This time it was required that SORM-2 be installed on the servers of Internet service providers, thus providing the FSB with oversight over all transactions passing through these servers.

Subsequently, the scope of SORM-2 was further expanded to encompass monitoring of social networks and forum traffic. All operators were required to integrate this fully at their own cost. In addition, more governmental institutions and security agencies, apart from the FSB, were given leave to exploit the information-gathering potential of SORM-2 (including the Police, Customs Authorities, Presidential Security Service and others).

In 2014 the most recent version of SORM was deployed pursuant to a ministerial order issued by the Russian Ministry of Communication, with a deadline of less than one year imposed for implementation. SORM-3 covers a wider range of online resources and activities, which may be subjected to targeted surveillance. These include, but are not limited to, users’ phone numbers, unique media access control (MAC) addresses, as well as email addresses accessed from, for instance, mail.ru, yandex.ru, rambler.ru etc.

Notably, SORM-3 relies on a very comprehensive data-processing technique called Deep Packet Inspection (DPI), in which the content of each piece (packet) of data is thoroughly scrutinized, and the packet is then rerouted accordingly.

Ordinarily, in order to acquire specific data, the governmental agency in charge requires a court order. But operatives are under no obligation to present it to the party being raided, so refusing to divulge data in the absence of a court order will get you nowhere. Moreover, while a court order is required to seize content, metadata (the description and ancillary context of the data in question, such as who communicated with whom, when, and how much) may be collected without one.
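The distinction drawn in the last two paragraphs, between the metadata an interception point reads from packet headers and the content it reads by inspecting the payload, is easier to see on a concrete packet. The following Python example is added here for illustration and is not part of the original article nor any description of SORM hardware: it builds a minimal IPv4/TCP packet from constructed bytes (the addresses and hostname are placeholders, not real endpoints), parses the header layer separately from the payload layer, and classifies the payload the way a DPI engine would before deciding what to do with the packet. A defender reading this should note that even where the content is TLS-encrypted, the header layer still yields endpoints, ports, sizes and timing.

```python
"""Added illustration of the metadata/content split in deep packet inspection.
Not the article's code and not a description of any SORM implementation; the
packet below is constructed for this example."""
import struct
import ipaddress


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal IPv4 + TCP packet (no options, checksums zeroed).
    Constructed test input standing in for a frame taken from a network tap."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    # Data offset 5 words (0x50), flags PSH|ACK (0x18), window 65535.
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_metadata(pkt):
    """Header-only view: everything visible without reading the content.
    This is the layer the article says may be collected without a court order."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("this example handles TCP only")
    sport, dport, _, _, off_flags = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    data_off = (off_flags >> 4) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "ttl": ttl,
        "payload_len": total_len - ihl - data_off,
        "payload_offset": ihl + data_off,
    }


def inspect_content(pkt, meta):
    """Content view: look inside the payload and classify it.
    For plaintext HTTP the inspected content reveals the requested host; for
    TLS the engine sees only a record header, so it must fall back to metadata."""
    payload = pkt[meta["payload_offset"]:]
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        host = None
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return {"protocol": "http", "host": host}
    # TLS record: content type 0x16 (handshake), version major byte 3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 3:
        return {"protocol": "tls", "host": None}
    return {"protocol": "unknown", "host": None}


def classify(pkt):
    """Run both layers and return a routing decision, modelling the article's
    'scrutinized, then rerouted accordingly'. The decision labels are invented
    for the example."""
    meta = parse_metadata(pkt)
    content = inspect_content(pkt, meta)
    decision = "content-visible" if content["host"] else "metadata-only"
    return meta, content, decision


if __name__ == "__main__":
    http = build_packet("10.0.0.1", "10.0.0.2", 40000, 80,
                        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
    tls = build_packet("10.0.0.1", "10.0.0.2", 40001, 443,
                       bytes([0x16, 0x03, 0x01, 0x00, 0x05]))
    for pkt in (http, tls):
        meta, content, decision = classify(pkt)
        print(decision, meta, content)
```

Running the script shows that the plaintext request exposes both the endpoints and the hostname, while the TLS packet exposes only endpoints, ports and sizes. That residual metadata is exactly what the article notes can be gathered without a court order, which is why privacy analyses treat header data as sensitive in its own right.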

In 2015 the lawfulness of SORM was examined by the European Court of Human Rights in Zakharov v Russia. The Court held that SORM potentially violates Article 8 of the European Convention on Human Rights (the right to respect for private and family life), concluding that, given the significant risk of SORM being misused, the Russian state had failed to provide adequate safeguards to eliminate its potential arbitrariness, as well as failing to arrange for suitable measures to prevent unwarranted scrutiny.

At present, Russia is not the only country introducing far-reaching control of its IT and telecommunication platforms. Systems that bear a resemblance to SORM are already operating in the European Union under the European Telecommunications Standards Institute’s (ETSI) specifications, and in the United States under the Communications Assistance for Law Enforcement Act.

Although targeted surveillance plays an important role in the prevention of crime, including terrorism, the full scope of governmental surveillance technologies is not clearly defined, either in Russia or in other countries.