“A Terrorist Act, An Act of Parliament, an Act of Sabotage…”

Amanda Russell & Margaret Smillie,

Bannatyne Kirkwood France & Co,

Glasgow, Scotland

“OUT OF THE BOX,” Bileta Conference 2004

INTRODUCTION

Today, perceived wisdom will no doubt have it that our responsibilities and rights are, or should be, met by rule of law. It is goes without saying that the rule of law referred to ultimately derives from the decisions of the democratic world’s governments. These Heads of State are in turn bound to reflect the needs and interests of their voters.

Unfortunately, however, life can not always be so regularly structured. Unscheduled, shocking events can demand a government’s and indeed a world’s immediate response, with sweeping and profound effect. Does any government really have a choice but to act reflexively to protect world safety in these circumstances? Can they really take the time to take cognisance of other, less weighty freedoms when the very right to life is under threat? Or must they respond to those who deliver outrageous “justice” with legislation wrought out of fear and panic?

THE HEARTH AND THE SALAMANDER

"…an electronic ocean of sound . . . coming in on the shore of her unsleeping mind.”[1]

Ray Bradbury in Farenheit 451, warning even the wary, that what is coming may well be entirely concealed in a fusion of dissension and conflict.

September 11th 2001;

  • 8.45 am - a plane crashes into the north tower of the World Trade Centre.
  • 9.03 am - a plane crashes into the south tower of the World Trade Centre.
  • 9.43 am - a plane crashes into the Pentagon, Washington.
  • 10.10 am - a plane crashes in Somerset County, Pennsylvania.

These atrocities left behind an indelible image. They reduced countries around the world to a state of shock and disarray. Bin Laden’s intentions may have been more basic, but the most wanted man in America changed the concept of civil liberties in the 21st Century beyond recognition. His actions resulted in legislation around the world being implemented in a blind panic, from the Patriot Act,[2] in the USA to the Anti-Terrorism Crime & Security Act 2001 in the UK.

These Acts were only part of the worldwide reaction to the attacks. In December 2001, the US Attorney General John Ashcroft issued a stern warning to anyone who questioned moves to expand powers in the fight against terrorism. The message was clear, to terrorists and human rights activists alike - world governments would not be thwarted in their mission. In one fell swoop the First Amendment and the ECHR were seemingly abandoned in favour of the PATRIOT and the ATCS, which became instant household names.

In the midst of the panic, The UK [3] government insisted that the new powers created were only those that were necessary, ‘balanced and proportionate to the risk we face.’ In it’s infancy, the bill resulted in a great deal of friction between the Houses. The Act, nevertheless was pushed through, with assurances that it was to be ‘a sounder and safer legislation than the bill,’[4]

Home Secretary David Blunkett stated;

“……Throughout the passage of the bill I have been willing to listen and take on board constructive comments from members of both houses, while refusing to bow to those who would have made the bill unworkable and temporary…we have achieved virtually everything we wanted from this Act – a comprehensive package of measures to protect the country from terrorist attack, detect and persecute terrorists and undermine terrorist and criminal networks.”[5]

Such was the ATCS Act of 2001 and it united the UK and the USA in the war on terrorism.

Two years and at least one war later, no other Act in recent times has been subjected to such public criticism. The ATCS arguably changes the communication infrastructure as a whole. It therefore begs the question, are the Act’s powers still ‘a mixture of the welcome, the reasonable, the worrying and the completely unacceptable.’[6]

THE SIEVE AND THE SAND

This paper will concentrate on the concepts of the disclosure of information and the retention of data to ascertain the effects of the provisions of the Anti-terrorism Crime and Security legislation. We will limit the discussion to the concepts of privacy and data protection and the freedom of expression. Before doing so, however, we will briefly address the main differences between the Bill and the Act-

The Bill and the Act-

Part 3, Disclosure of Information - unlike the Bill the Act was supposedly intended to provide a safeguard for privacy rights. The Act now states that any disclosure must be ‘proportionate’ to what ‘is sought to be achieved’ and that there ought to be ‘satisfaction of disclosure.’

Part 11, Retention of communication data – The Bill’s clause on ‘Codes and Agreements’ for Retention of Communication data was replaced with a procedure for a ‘Voluntary Code of Practice’ to be approved by Resolution by each House.

Disclosure of Information

The disclosure of information clause within ATCS allows government agencies such as Customs and Excise and the Inland Revenue to pass on information to police and other security services to aid ‘criminal investigations.’ Indeed it places a positive obligation upon them to do so.

The definition of ‘criminal investigations’ in the ATCS is given as ‘an investigation of any criminal conduct, including an investigation of alleged or suspected criminal conduct and an investigation of whether criminal conduct has taken place.’

Any disclosure has to be proportionate. Unfortunately there is no definition of “proportionate” in the Act. Nevertheless the Collins Dictionary defines ‘proportionate’ as “being in proper proportion’ and ‘proportion’ as ‘a part considered with respect to the whole.’ This rather vague definition, can be argued to greatly enhance the powers granted. Further, the extended categories of disclosure do not appear to be limited in any way by anti- abuse filters.

Retention of Communication Data

What is communication data?

Communications data embraces the ‘who’, ‘when’ and ‘where’ of communication but not the content and the definition is contained in a variety of sources in the UK-

  1. Traffic data[7] - information about the communication, i.e., who the user contacted, details of time, where and user locus.[i]
  2. Use of Communications services[8] - information that identifies the services used and length of usage.[ii]
  3. Communication Service users[9] – that is information that identifies the user of the service, i.e. name, address, phone number. [iii]

Under the ATCS, communication service providers (CSP) must now retain data for investigatory purposes. The whole community at large, from individuals to corporations and private bodies are now charged with the responsibility of combating terrorism. At the time of implementation of the Act, however, no guidance was given as to how this was to be achieved. Persons were left to rely upon the Regulation of Investigatory Powers Act 2000 for guidance. It was not until December 2003, when the Code of Practice for Voluntary Retention of Communication Data came into force, that any real guidance was available.

The Code of Practice for Voluntary Retention of Communication Data

The code stipulates what is regarded as best practice and obliges CSP’s to retain data for national security purposes, in order that ‘….communication service providers can assist in the fight against terrorism by meeting agreed time periods for retention of communications data that may be extended beyond those periods for which their individuals company currently retains data for business purposes’[10]

Adhering to the Code is optional, but operators must nevertheless continue to adhere to data protection principles[11]. It is also worth noting that whilst adherence to the code is voluntary, there is nothing voluntary about the obligation itself.

The Ball in the Bowling Alley

The disclosure of information clause alone bowls through no less than 53 statutes – and there is no visible means for constraint of the ball. The ramifications for the provisions of the act are immeasurable. Let us examine only the rights of privacy, freedom of expression and data protection that were in existence at the time of the act’s implementation together with the provisions in place for public security and safety. We can then address what changes have been wrought, and whether or not any attempts have been made to redress the balance.

Let us firstly consider our rights.

  1. Our Rights Before, Now and After

A.Privacy and Data Protection

Privacy

In 1791, in furtherance of the Constitution, the US Bill of Rights recognised the right to privacy (although there is no explicit right).[12] In1888, Judge Cooley defined privacy as ‘the right to be let alone’[13].

Over in Europe, The European Convention for the Protection of Human Rights and Fundamental Freedoms was adopted into the law of Scotland on the enactment of The Scotland Act 1998, in the form of The Human Rights Act 1998. The rest of the UK was a little slower in taking up the mantle, but the Act was incorporated into UK law in October 2000. The provisions of Article 8 decreed that “Everyone has the right of respect for his private and family life, his home and correspondence.” The intention was to protect the individual against arbitrary interference by public authorities.[14] The ECHR required Member States to provide legal safeguards for the protection of privacy, to be overridden only in exceptional circumstances.

During the 60’s and 70’s academics debated and finally agreed that the right should not be interfered with, without due process of law. Through ‘best practice’ principals the government sought to ensure a system of fair process, minimal intrusion and limited process of personal data in light of the expansion of Information Technology.[15] In 1993, the World Wide Web (WWW) found its way into the commercial world, making it all the more pertinent to consider the adequacies of the protections. Designed as it was for anonymity, it was felt that the existing Habeas Data rights were insufficient as the protection on the Web and more stringent regulation was required.

Data Protection

In 1981, the Council of Europe held discussions on ‘the right of privacy of an individual regarding automated processing of personal data.’[16] These discussions led to the European Data Protection Directive, 95/46 EC, which was implemented in the UK by the Data Protection Act 1984 and amended in 1998.

This Act gives the individual and others the right to access certain information. It sets out the specific and stringent guidelines for the legitimate processing of “personal information”[17]

B. Freedom of expression

Freedom of expression has long been held to be the corner stone of democratic society. Historically it was one of the first human rights to be demanded and indeed guaranteed in law. The right is expressly protected under Article 10[18] of the ECHR.[19] Bear in mind that the press are subject to the provisions of the ATCS, just like any other body. No exemption from these onerous obligations is afforded.

So much for the rights, let us now look at the provisions that were already in place, for the protection of public security and safety.

  1. Safety provisions before, now and after.

A. The Regulatory Investigatory Power Act (RIP) 2000.[20]

This Act was designed to provide a comprehensive statutory scheme for state surveillance, adhering, however, to the European Convention on Human Rights and the EU Directive 97/66/EC on the processing of personal data and the protection of privacy. Interestingly enough the RIP Act allows for any public authority designated by the Home Secretary to access ‘communication data’. The Act covered the interception of communications made via public postal systems, public telecommunications systems and private telecommunications systems. [21]

Under the Act, ‘Public telecommunication systems[22]’ does not necessarily mean those covered by a license. It includes any "telecommunications service which is offered or provided to, or to a substantial section of, the public in any one or more parts of the United Kingdom".[23] It therefore includes fixed line providers, mobile service providers and ISP’s.

The RIP Act was not designed to give a blanket license to employers or their staff to monitor and record communications. It was only intended to provide police agencies with access to communication data without a court order for the purposes of criminal investigation, protecting public health and safety, tax collection and matters of national security.

RIP was not without it’s detractors. Lord Phillips of Sudbury,[24] stated that the legislation had not been properly examined by politicians because they had not truly understood it. He was of the opinion that ‘several parts of RIPA are flawed, including the oversight powers that should keep access to citizens' data in check’.[25] Tim Berners-Lee, the inventor of the worldwide web, attacked the Act for giving governments 'great power to abuse personal and commercial innovation'.[26] He opined that such legislation would never be seen in America. (He clearly had not foreseen the passing of the US Patriots Act. )

The black box- ATCS and RIP 2000

It would appear that no consideration was given to these commentators when debating the ATCS, as this Act goes further still. Under ATCS, ISPs can be forced to install "black boxes" when linking computers with the Internet, and these will allow security forces to monitor e-mail messages. The authorities can also force individuals and companies to decode encrypted messages or face prosecution.’[27] When the powers given under both acts are combined, the result is that content and traffic data can be directly collected by the black boxes, without the need for a judicially granted warrant.

This does not mean that the government will force all ISP's to install black box. That will be decided when considering questions of necessity and proportionality. It is of little dispute that the collection of data is crucial in the fight against terrorist attacks. The problem is that, in the UK information, which is disclosed to the relevant authorities, can invoke Part 4 of the ATCS Act. This is the most controversial Part of ATCS, as it more emphatically derogates from Article 8.

B. The Terrorism Act 2000

The terrorism Act of 2000, gave the police further powers to investigate terrorism. In particular, the disclosure of Information clause[28] makes it an offence to fail to notify the authorities in suspicious circumstances. If, in the course of his trade, profession, business or employment a person comes to believe or suspect that a terrorist offence may be committed then he is obliged to disclose that information to the relevant authority as soon as is reasonably practicable[29].

ATCS and TA 2000

The TA 2000 Act applies to acts of terrorism. The ATCS goes one step further and broadens it’s scope to all criminal activity, whether or not the activity has terrorist implications. The would be criminal should be aware, however, that the penalties under the latter act are in fact less harsh[30].

C. Are RIP, TA and ATCS enough?

Past experience shows that ISPs are invariably more than willing to co-operate with criminal investigations unless they are specifically restrained by legislation. Effectively then, it would appear that the sole barrier to the wholesale transfer of information is the Data Protection Act 1998. And all this even before the implementation of ATCS. You could be forgiven for thinking that by the time the ATCS was implemented, this bevy of provisions was sufficient to satisfy the most authoritarian of governments, pursuing the most belligerent of terrorists. You would, however, be wrong.

D. There’s more - The Snooper’s Charter

Unsatisfied with the combined pincer effect of RIP, the Terrorism Act and now the ATCS, the government set out to introduce a draft order to further extend the surveillance powers already available under the RIP. They attempted to introduce part 1, Chapter 2 of the Act in 2002, which was instantly dubbed the “ Snooper’s Charter.” If it had been passed, the chapter would have granted public bodies;

including seven Whitehall departments and every local authority new powers to demand the production of communications data, and would have empowered them to seize private information from phone companies, internet service providers (ISPs) and postal operators, without having to obtain a court order.’[31]

The response by civil liberties protectionists was immediate and vociferous. Ian Brown, director of the Foundation for Information Policy Research[32], said:

"I am appalled at this huge increase in the scope of government snooping. Two years ago, we were deeply concerned that these powers were to be given to the police without any judicial oversight. Now they're handing them out to a practically endless queue of bureaucrats in Whitehall and town halls." Simon Davies[33] accused the Home Office as having “absolutely breached its commitment that this law would not become a general surveillance power for the government.” He made the fair point that the “exhaustive list of organisations who will be able to access data without a court order proves that this amounts to a systematic attack on the right to privacy."