Data Protection, Passcodes and Karma Police
- September 26, 2015
- Clayton Rice, Q.C.
It has been a hot week on the privacy front! So let’s get caught up.
On September 23, 2015, an opinion by Yves Bot, the advocate general of the European Court of Justice, was released in Schrems v Data Protection Commissioner, Case C-362-14, often referred to in the media as Schrems v Facebook. The opinion relates to a case brought by Maximillian Schrems who asserts that Europeans’ online data was misused by Facebook when it cooperated with the U.S. National Security Agency’s PRISM program (NSA). You will recall that PRISM, which had been revealed by Edward Snowden, gave the NSA access to data collected by American tech companies including Facebook and Google. The opinion specifically considers the application of Article 8 of the European Convention on Human Rights which provides that: “Everyone has the right to respect for his private and family life, his home and his correspondence.”
I will set out the facts and procedural background as contained in the European Court of Justice Press Release No 106/15, Luxembourg, dated September 23, 2015:
- Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is kept. Mr Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner), taking the view that, in light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency ‘the NSA’), the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred.
- The High Court of Ireland, before which the case had been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
In summary, Mr Schrems argues that the NSA’s access to information on Facebook’s European users violates Article 8 of the European Convention. He also argues that the data-sharing agreement between Europe and the United States – known as Safe Harbour – does not provide Europeans with adequate recourse if their data is misused by companies or national governments.
On the question referred by the Irish court respecting the effect of the Commission decision, the advocate general’s opinion takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred “cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data.” The advocate general concludes that “the Commission decision is invalid.”
On the substantive question regarding the application of the EU’s privacy laws, the advocate general’s opinion concludes that the trans-Atlantic Safe Harbour agreement, allowing companies to transfer data between regions, does not provide sufficient safeguards on how the information may be used. Although the opinion is not binding, the position of the senior legal advisor is often followed by the court. In an article titled European Court Advisor Calls Trans-Atlantic Data-Sharing Pact Insufficient published in the New York Times edition of September 23, 2015, Mark Scott quoted Patrick van Eecke, a data protection lawyer at DLA Piper in Brussels, as saying: “This could have a major economic impact on Europe and the U.S. if the court follows this opinion.”
It is important, as always, to set out the facts relied upon in the opinion itself. The advisor states, at para. 153, that the facts were contained in the court’s request for a preliminary ruling and are “largely accepted by the Commission itself as established.” I cannot overemphasize the importance of the two findings of fact contained in para. 155. They are:
- First, personal data transferred by undertakings such as Facebook Ireland to their parent company established in the United States is then capable of being accessed by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance and interception of such data. Indeed, in the wake of Edward Snowden’s revelations, the evidence now available would admit of no other realistic conclusion.
- Second, citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other United States security agencies.
The advisor then proceeded to these critical conclusions at paras. 158, 177, 199 and 200:
- It follows from these factors that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection.
- In the light of the conditions thus laid down that must be satisfied in order for limitations on the exercise of the rights and freedoms protected by the Charter to be accepted, I find it extremely doubtful that the limitations at issue in the present case may be regarded as respecting the essence of Articles 7 and 8 of the Charter. The United States intelligence services’ access to the data transferred seems to extend to the content of the electronic communications, which would compromise the essence of the fundamental right to respect for privacy and the other rights enshrined in Article 7 of the Charter. Furthermore, since the broad wording of the limitations provided for in the fourth paragraph of Annex I to Decision 2000/520 potentially allows all the safe harbour principles to be disapplied, it could be considered that those limitations compromise the essence of the fundamental right to protection of personal data.
- …[T]he access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communication services, without any requirement that the persons concerned represent a threat to national security.
- Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.
As I noted previously, Mr Schrems initially brought his privacy complaint against Facebook in Ireland but the Irish courts referred the case to the European Court of Justice which will now decide whether the Safe Harbour agreement should be axed. In an article titled Facebook is at the centre of a huge privacy controversy. For once, it isn’t Facebook’s fault published by The Washington Post on September 25, 2015, Henry Farrell and Abraham Newman observed that the consequences are potentially enormous if Safe Harbour is overturned: “U.S. business will no longer be able to use it to legally bring the personal data of European citizens to the U.S. Nor will they have any obvious alternative way to transfer data – the other standard methods will almost certainly be vulnerable to the same legal challenges. The fundamental problem is that U.S. companies cannot provide any guarantees that the NSA and other U.S. security agencies won’t help itself to their data, since they don’t control the U.S. government.”
On the same day, September 23, 2015, an intriguing ruling on cell phone privacy was decided by Judge Mark Kearney in Securities and Exchange Commission v Huang et al, (U.S. Dist. Ct., Penn.), Civil Action No. 15-269, who held that the state cannot force a person to give up the passcode to a smartphone for Fifth Amendment reasons.
In this case, the Securities and Exchange Commission (SEC) is investigating the defendants for insider trading. They worked at Capital One as data analysts and used their jobs to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. The SEC asserts that they turned a $150,000 investment into $2.8 million.
Capital One let its employees, including the defendants, use company smartphones. Employees picked their own passcodes that are not shared with Capital One. When Capital One fired the defendants, they returned their phones which Capital One then turned over to to the SEC as part of the investigation. The SEC now wants to access the phones because it believes that evidence of insider trading is stored on them. But there’s a hitch. Only the defendants know the passcodes.
The SEC applied to the court for an order compelling the defendants to disclose the passcodes. The defendants opposed on Fifth Amendment grounds arguing that such an order would force them to testify against themselves in violation of the privilege against self-incrimination. Judge Kearney agreed.
The case raised the application of the “foregone conclusion” doctrine in Fifth Amendment jurisprudence which says that the Fifth Amendment does not block compliance with a court order when the testimonial part of complying is a foregone conclusion. Put another way, if the government knows the testimonial part of complying with the order, and is not seeking to prove it from the order, then the Fifth Amendment cannot be used to avoid compliance.
The government argued that the foregone conclusion doctrine applied because, “…any incriminating aspect to Defendants’ production of their personal passcodes already is a foregone conclusion because it can show defendants were the sole users and possessors of their respective work-issued phones.” Judge Kearney ruled that the argument “missed the mark” because the existence of specific files sought on the phones was not a foregone conclusion, at p. 6:
“The court of appeals’ reasoning in In re Grand Jury again persuades our analysis. There, the Court of Appeals for the Eleventh Circuit refused to apply the ‘foregone conclusion’ doctrine because the Government could not meet its burden of showing with ‘reasonable particularity’ what ‘if anything, was hidden behind the encrypted wall.’ 670 F.3d at 1349. While the Government need not ‘identify exactly’ the underlying documents it seeks, ‘categorical requests for documents the Government anticipates are likely to exist simply will not suffice.’ Id. at 1348. There, the Government could not show the encrypted drives actually contained any files, nor could it show which files would if any prove to be useful. Id. at 1347.
Here, the SEC proffers no evidence rising to a ‘reasonable particularity’ any of the documents it alleges reside in the passcode protected phones. Instead, it argues only possession of the smartphones and Defendants were the sole users and possessors of their respective work-issued smartphones. SEC does not show the ‘existence’ of any requested documents actually existing on the smartphones. Merely possessing the smartphones is insufficient if the SEC cannot show what is actually on the device.”
The ruling in Huang was critiqued by Professor Orin Kerr of the George Washington University Law School in an Opinion titled Fifth Amendment protects passcode on smartphones, court holds published in The Washington Post edition dated September 24, 2015. Here is Professor Kerr’s argument:
“I think the Huang court is wrong because the government did not seek an order forcing the defendants to hand over records of insider trading. If that had been the order, the ruling would be correct. The defendants would have a clear Fifth Amendment privilege, and the ‘foregone conclusion’ doctrine would not apply. If that were the case, the government would be relying on the defendants to tell the government what investigators are trying to figure out: whether any records of insider trading are on the phone, and where on the phone they can be found. That’s not a foregone conclusion, so the government can’t make the defendants do that work for them.
This case is different, however, because the government is seeking an order to obtain the passcodes. The details of what records are on the phone should be irrelevant to whether the foregone conclusion doctrine applies because access to the phone is independent of what records are stored inside it. Handing over the passcode has the same testimonial aspect regardless of what is on the phone. Because the government already knows which defendant used which phone, the fact that a particular defendant knew how to access a particular phone by knowing the passcode is a foregone conclusion.”
But the question persists whether the foregone conclusion doctrine applies at all. Why? Because the defendants are being asked to say what the passcodes are. They are testimonial statements. Professor Kerr addressed this question in a follow-up Opinion titled A revised approach to the Fifth Amendment and obtaining passcodes published in The Washington Post edition of September 25, 2015. I will let Professor Kerr speak for himself:
“…Jonathan Mayer has persuaded me that the court was right that the foregone conclusion doctrine doesn’t apply – but for a different reason. In Huang, the SEC wants the defendants to respond to this directive: ‘Identify the Passcode for the smartphone that you used during the course of your employment.’ The parties, the judge, and I had focused on whether and how the foregone conclusion doctrine applies.
Jonathan argues that this was the wrong question. The foregone conclusion doctrine can’t apply because the government isn’t asking the defendants to produce anything. The doctrine only applies to acts of production. But the government has sought an order here that the defendants have to say something, not turn something over. Because the foregone conclusion doctrine only applies to acts of production, not direct testimony, it can’t apply in the Huang case.”
After thinking it over, I tend to think that’s right. The doctrine applies only to acts, not direct testimony. So I now agree with Jonathan on this point: When the government seeks disclosure or a password, the government is seeking a testimonial statement and the foregone conclusion doctrine isn’t relevant.”
Then, on September 25, 2015, The Intercept published another Snowden blockbuster in an article titled PROFILED: From Radio to Porn, British Spies Track Web Users’ Online Identities by Ryan Gallagher. I’ll get out of the way and let Mr. Gallagher tell you about it:
“There was a simple aim at the heart of the top-secret program: Record the website browsing habits of ‘every visible user on the Internet.’
Before long, billions of digital records about ordinary people’s online activities were being stored everyday. Among them were details cataloging visits to porn, social media and news websites, search engines, chat forums, and blogs.
The mass surveillance operation – code-named KARMA POLICE – was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom’s electronic eavesdropping agency, Government Communications Headquarters, or GCHQ.”
Mr. Gallagher states that the revelations about the scope of GCHQ’s surveillance are contained in documents obtained by The Intercept from Edward Snowden. Previous reports based on leaked National Security Agency files exposed how GCHQ taps into Internet cables but many details about what happens to the seized data remain obscure. Mr. Gallagher goes on to discuss major strands of GCHQ’s existing electronic eavesdropping capabilities:
“One system builds profiles showing people’s web browsing histories. Another analyzes instant messenger communications, emails, Skype calls, text messages, cell phone locations, and social media interactions. Separate programs were built to keep tabs on ‘suspicious’ Google searches and usage of Google maps.
The surveillance is underpinned by an opaque legal regime that has authorized GCHQ to sift through huge archives of metadata about the private phone calls, emails and Internet browsing logs of Brits, Americans, and any other citizens – all without a court order or judicial warrant.”
According to Alexander J. Martin in an article titled KARMA POLICE: GCHQ spooks spied on every web user ever published by The Register on September 25, 2015, KARMA POLICE was constructed between 2007 and 2008 and developed with the explicit purpose of correlating “every user visible to passive SIGNIT with every website they visit, hence providing either (a) a web browsing profile for every visible user on the Internet, or (b) a user profile for every visible website on the Internet”.
These new revelations about how Britain’s “out-of-control spy agency went full Stasi on innocent surfers” prompted Eric King of Privacy International to observe on Twitter that: “Best argument for Judicial Authorization I’ve seen comes from GCHQ’s own internal documents.”
So, where does this leave us? The litigation in Schrems v Data Protection Commissioner continues. A final judgment is expected by the end of the year although some pundits suggest that a decision could come as early as next month. Whether the government will appeal the ruling in SEC v Huang et al is a wait-and-see game at the moment. And the situation in Britain’s surveillance state? Well, it just gets worse.