Outrage over the forcing of companies to hand over customers’ data may prompt a rebalancing of security and privacy priorities
Data protection used to be boring. For most companies it was a dull compliance exercise. But Edward Snowden changed all that. The former US National Security Agency (NSA) contractor started his drip-feed of leaks about mass electronic surveillance by governments in June 2013. Snowden has revealed that agencies in the US and other countries routinely require companies to hand over the data of their customers for law enforcement and anti-terrorism purposes.
Few people would object to investigators obtaining court orders to access the emails and other communications of suspects. But Snowden showed that the use of investigatory powers has tipped over into something else. Authorities access emails, videos, social networking messages or other communications secretly and based on search terms rather than on reasonable suspicion about named individuals. The result is surveillance rather than investigation: a vast hoovering up of the data of millions of people, including the entirely innocent.
The revelations have left companies in a difficult position. Mass electronic surveillance potentially violates the privacy rights of their customers. Data-driven businesses, such as Facebook, Google and Yahoo, which have been targeted by the NSA, risk being seen as fundamentally untrustworthy – as proxy data gatherers for sinister government spying.
Companies at first were slow to respond to this risk. For example, Facebook founder Mark Zuckerberg in the wake of Snowden's leaks wrote that Facebook could not be faulted for handing data over to government. Facebook would “only provide the information if is required by law”, he wrote, and it was for governments, rather than companies, to be “much more transparent about all programmes aimed at keeping the public safe”.
Increasingly, however, companies have more actively defended their reputations against the charge that they have too-willingly passed data to government. Yahoo is the most recent example of a company coming out fighting. The internet services giant has started to publish documents from a secret US court case in 2007 and 2008 in which it challenged NSA data requests. Yahoo only handed over data after losing the case and a subsequent appeal. In a blog post of 11 September 2014, Yahoo's General Counsel, Ron Bell, wrote that the company's efforts showed it had made an effort to resist on its customers' behalf what it viewed as “unconstitutional and over-broad surveillance”.
The right side of the law
Ultimately, companies cannot refuse to comply with lawful government demands for data, even if they do view the requests as excessive. However, says Paolo Balboni, a data protection lawyer and scientific director of the European Privacy Association, “it is a very valuable point of view to look at data protection compliance as a matter of corporate responsibility”.
One aspect of this is that internal processes need to be more rigorous than ever. “Consumers are demanding more and more data protection,” Balboni says. “You need to create a corporate culture around it.” This includes “making policies well known to employees” to ensure that data is handled properly and unauthorised data transfers do not take place.
Companies also need to know the law. The eagerness of governments to get their hands on company data banks for profiling or surveillance has resulted in a “significant number of requests coming from law enforcement agencies”, Balboni says. These are “sometimes adequately legally grounded, sometimes not”. Companies need to know when to comply and when to refuse.
In the UK, the importance of understanding the law is underlined by the way police requests for data held by companies have become almost routine. In 2013, under powers to access data retained by telecommunication and internet companies (see Box), 514,608 requests were made by police and other agencies, according to the UK Interception of Communications Commissioner (IOCC). These requests do not require a court order and concern data such as times and places of calls, internet protocol addresses or subscriber details, rather than the content of communications.
Of these requests, IOCC figures show, about 88% were made by the police, and 11.5% by the intelligence agencies, with a small number made by “other authorities”, including local councils. According to the IOCC, the large number of requests from the police could indicate that criminal investigations in the UK are now conducted with “automatic resort to communications data” and that legal safeguards that require requests to be “necessary and proportionate” are not always being observed.
Companies are also starting to respond to the reputational risk raised by government data requests through greater transparency. There is a “legitimate interest of the citizens to understand what is going on”, Balboni says.
Sue Gold, a data protection consultant with law firm Osborne Clarke, says companies “need to be more upfront about what they are doing”. They should show to customers and the public in general that they are “not trying to hide”. Telecommunication and internet companies in particular – which are on the front line in the government data sweep – are beginning to provide consumers with information on the extent of government requests for data, though “sometimes their hands are tied” by government-imposed requirements to not disclose any information, Gold says.
US telecoms firm Verizon, for example, was subject in 2013 to at least one secret order from a US court requiring it to hand over to intelligence services on a daily basis its call logs for all calls within the US or from the US to other countries. The court order was published by the UK’s Guardian newspaper. Verizon declined to comment on the order, but at the beginning of 2014 did publish a summary of the number of law enforcement demands for customer data – not including the data covered by the court order – that it received in 2013. The summary shows it received 321,545 requests.
Other companies that publish such information include AT&T, Google and Deutsche Telekom. AT&T's tally for 2013 was 301,816 requests for phone records and subscriber information. But arguably the most comprehensive disclosure so far is the Vodafone Law Enforcement Disclosure Report (LEDR). The first LEDR was included in the company's 2013-14 sustainability report and collates the data requests Vodafone received from law enforcement agencies in the year to 31 March 2014.
The LEDR notes that the right to privacy is enshrined in international human rights law. Vodafone senior communications manager Matt Morgan says information on compliance with privacy laws was previously included in Vodafone sustainability reports, but was “targeted at a reasonably niche audience”. The difference now is that “over the last two years, this issue has been thrust to the forefront of the public mind”.
The report covers 29 countries where Vodafone operates. Data is provided on the number of requests received from police or other agencies, or the report refers the reader to where the information can be found if published by the government in question. In Egypt, India, South Africa and Turkey, the report notes, disclosure of the number of data requests would be unlawful, and so the information cannot be provided.
Morgan says the report was “extremely challenging to produce”. Guidance from governments was sought in some countries where the legal situation is unclear. Vodafone hopes that the report leads to “a more informed debate” on privacy, Morgan says. “Our business is really based on trust,” he says. “If our customers don't trust us we have a serious problem.”
Competing on privacy
Kord Davis, an Oregon-based consultant on digital issues and author of a 2012 book, Ethics of Big Data, says that as companies expand their digital offerings, concern grows about the “creepiness” of technologies that can be used for surveillance. Technologically, “it's still the wild, wild west out there”, he says. “Having a transparent set of data-handling policies is actually a competitive advantage.” Consumer trust “offers benefits including increased innovation, faster adoption of products and services, and deeper brand loyalty”.
This is ever more important because the potential threat to privacy is set to grow. Claudia Diaz, an assistant professor in the computer security and industrial cryptography research group at Belgium's KU Leuven university, says numerous emerging technologies could compromise privacy. “This includes a variety of mobile applications that typically have access to rich contextual information about the users – list of contacts, location, and even access to camera and microphone – but also cloud services,” she says.
The surveillance potential of these technologies is increased by the ever greater capacity to create and interrogate giant databases. As the privacy risks multiply, companies will come under greater pressure to be transparent, and to put the protection of their customers' data at the heart of their operations.
In Europe, the debate about government access to personal data for security purposes, and the impact of this on privacy, has been encapsulated in arguments over the European Union's Data Retention Directive (DRD). The DRD was introduced after the 2004 Madrid train bombings and the July 2005 attacks in London. It required telecom and internet companies to retain customer communications data for up to two years and to hand it over to law enforcement agencies on request.
In April 2014, however, the European Court of Justice invalidated the directive, on the basis that mass data retention was disproportionate and contravened privacy rights. For companies, this creates a tricky situation. EU countries adopted national laws based on the DRD, and in most cases these remain in place pending legal challenges. Companies must continue to obey the laws in the countries where they operate, despite the DRD having been struck out at European level.
As soon as the DRD was invalidated, the UK government rushed through the Data Retention and Investigatory Powers (Drip) Act 2014, which was designed to ensure that data retention requirements remain in place in the UK and that companies cannot use the European ruling to refuse law enforcement data requests. Sue Gold of Osborne Clarke says: “In many ways, Drip hasn't changed what the position was before.” But the act includes a sunset clause meaning it will expire in December 2016. Two members of parliament have said they will challenge Drip in the high court. Companies will have to manage the uncertainty on behalf of their customers until the situation is resolved.cyber security data security digital privacy Human rights NSA online privacy