«

»

For the sake of privacy it’s time to ditch the expression “Mass Surveillance”

Light dispersion illustration.By Simon Davies

For more than forty years privacy scholars have made a core distinction between targeted surveillance (directed at individuals and small groups) and mass surveillance (directed against large populations). Experts agreed that the world was moving toward an era of mass surveillance in which there was a reversal of the onus of proof, turning entire nations into suspects.

Clearer definitions and sharper words are urgently needed to keep pace with the evolution of surveillance.

This duality reflected the basis of legal protections in many countries but the distinction is becoming redundant. Clearer definitions and sharper words are urgently needed to keep pace with the evolution of surveillance.

Mass surveillance, either from agencies such as the NSA or from law enforcement organisations, has been very much in the news lately. In the US, in particular, the constitutional basis for such activity is the focus of sharp debate. However the stark reality is that the threat is more complex than you might imagine. Increasingly powerful technologies that enable mass surveillance are accompanied by closer institutional relationships for information sharing, surveillance privatisation through such companies as Google, a vastly increased number of international assistance instruments, an increase in legal obligations to collect data and new communications and social networking platforms that offer a rich reserve of less regulated data. In combination, these shifts are resistant to reform.

The mass surveillance issue is not confined merely to security agencies, but also to police and government authorities. Almost three quarters of a million requests for “traffic data” are made each year by UK authorities, all of which can reveal an intimate picture of a person’s associations, online transactions, geographic movements, interactions, friendships and lifestyle. Needless to say this data necessarily triggers a dragnet involving a much greater number of people. At what point does traffic data become intrusive targeted surveillance that requires greater protections?

The stark reality is that the threat is more complex than you might imagine.

The EU Data Retention Directive that enables this intrusion doesn’t bother itself with this question. It bluntly requires communications providers to store traffic information on all their customers for long periods in case it is requested. This requirement has been ruled unconstitutional in a small minority of countries.

It’s a privacy truism that the more available data becomes, the more comprehensively authorities will want to use it. How else could one explain more than 1,800,000 data requests by Poland each year – around one request per twenty of its population. True, Poland has a prosecutorial system that leaves limited discretion in such matters, but the same cannot be said of Belgium, which in 2008 made more than a quarter of a million requests – around double per head of population of Britain’s figure.

When authorities are required to base their application for surveillance on probable cause their scope is restricted. With traffic data the application is procedural. It can merely be part of a line of inquiry that borders on a fishing expedition. Realising that authorities face conventional restrictions, parliaments have shifted justification for surveillance from judicial to administrative, and from evidence-based to pre-emptive.

Realising that authorities face conventional restrictions, parliaments have shifted justification for surveillance from judicial to administrative, and from evidence-based to pre-emptive.

It’s reasonable to argue that unregulated mass surveillance in 2013 achieves a level of intrusion on an individual that approximates the “regulated” targeted surveillance of a few years ago. While it’s true that targeted surveillance can involve extremely invasive techniques such as human intelligence gathering and content interception, distinguishing between the two spheres has increasingly become arbitrary.

Targeted surveillance has historically been more intrusive and is thus conditional on a higher test of evidence and proportionality, along with more rigorous approval and oversight. In principle, targeted surveillance is tightly focused and requires some form of probable cause that can be assessed by a court, senior official or politician. Time limits and associative restrictions are often placed on such surveillance, with (to at least an extent) some degree of measurable oversight. Or so the story goes.

However maintaining meaningful levels of privacy protection in a changing tech environment is a bit like regulating recreational drug use. As drug manufacture moved from natural derivatives to synthetic compounds the entire prohibition framework went into meltdown. Similarly, as surveillance moved from analogue to digital the old regulatory framework became unstable. The task of keeping pace with new developments created a lag that in some circumstances triggered a vast protective gap.

Media have focused on blanket surveillance, while parliaments and regulators have largely stuck to the less sexy ground of targeted techniques in which more conventional enforcement measures can be enacted. The problem – as with the expansion of synthetic drugs – is that mass surveillance techniques have evolved to such an extent that they now envelop the traditional space of targeted surveillance. That’s to say, the subset of the population subjected to more traditionally intrusive surveillance has been encroached upon by an increasingly invasive and less regulated blanket surveillance, rendering the protections less meaningful over time.

What we’re now facing is invasive universal targeting.

In many nations, the creation of protections in a world of blanket surveillance will not evolve until there’s a shift in the legal framework. Countries such as the UK and Ireland lack the constitutional safeguards of Germany or even Romania. Countries with weak safeguards will continue to atomise “targeted” surveillance into a small number of conveniently defined streams, while permitting mass surveillance to continue unchecked. The proposed Data Protection regulation that is designed to bring privacy reform to Europe offers little hope that individuals could bring fresh cases against mass surveillance.

My thoughts are these. We need to move away from the term “mass surveillance”. Just like the word “privacy” it has become a passive expression (and ironically used to be known as “passive surveillance”). What we’re now facing is invasive universal targeting. As academics and advocates we should consider avoiding such a hierarchical distinction between the old spheres and focus more on similarities between the various surveillance realms.

It’s time for a new and more powerful phrase that better describes the precarious landscape that is about to occupy our lives.