The range of measures for processing personal data on a large scale is manifold and constantly growing. Recently, the government boasted of adopting new measures to fight terrorism, including the Passenger Name Record(PNR), which involves the creation of a database based on information provided by transport companies. On another note, data retention requires companies to collect and store metadata from all users of communications networks. While the arsenal is growing, the authorities frequently call on private actors to obtain certain information. Indeed, in the era of Big Data, the amount of data processed by commercial companies is exponential, especially since it represents a significant financial stake. Mass surveillance is therefore not just a matter of « new measures » to give investigators something to work with; surveillance based on collaboration between public authorities and private actors is just as intrusive.
A NEEDLE THAT KEEPS GETTING LOST IN THE HAYSTACK
The controversy over large-scale data processing has been in the media spotlight since the revelations of whistleblower Edward Snowden in June 2013, when he exposed the National Security Agency (NSA) programs through which the United States intercepts the content of our communications globally. These data, collected secretly, are likely to be transmitted to foreign intelligence services. In Belgium, for example, intelligence services can use information collected by the NSA without being required to investigate whether the data was collected legally(1).
At the European level, the debate on large-scale data processing was fueled by the implementation of a European directive on data retention. This measure requires telecommunications operators to collect and store all metadata: IP address, pseudonyms used, lists of contacts, dates and times of sending and receiving e‑mails, Internet sites consulted, dates and times of connection, etc. The metadata, which does not take into account the content of the communications or e‑mails, must be stored for a certain period of time in order to be accessible (upon request) to law enforcement authorities. The retention of data and their storage is therefore carried out a priori, systematically and indiscriminately, independently of the opening of a criminal investigation; access to data collected by law enforcement authorities, on the other hand, presupposes the existence of such an investigation.
The Data Retention Directive, once transposed into Belgian law, was brought directly before the Constitutional Court. Its critics argued that such a measure was disproportionate given the seriousness of the invasion of the right to privacy. They also underlined the risk of stigmatization of presumed innocent but potentially suspicious people, as the data of all users is collected without any link to the opening of a criminal investigation. On April 8, 2014 at the European level -, on June 2, 2015 at the Belgian level -, the Court of Justice of the European Union and the Constitutional Court invalidated and annulled the provisions in question. The judges point out the lack of sufficient guarantees provided by the measure with regard to the extent of the data collected. The Constitutional Court, taking up the terms of the Court of Justice, further notes: » The fact that the storage of data and their subsequent use is carried out without the subscriber or registered user being informed is likely to generate in the minds of the data subjects […] the feeling that their privacy is under constant surveillance .(2) Indeed, data retention, even if it does not concern the content of our communications, remains very intrusive insofar as the metadata » taken as a whole, are likely to allow for very specific inferences about the privacy of the individuals whose data were retained . »(3). Both European and Belgian judges have therefore put a (first) brake on the massive and undifferentiated storage of metadata. Their decisions require the legislator to review the provisions in order to limit the invasion of privacy to what is strictly necessary, for example by providing for a shorter data retention period. The first obstacle is that, at the time of writing, Belgium is in the process of adopting a new law. The subject is therefore far from over, especially since the provision adopted in the wake of the London and Madrid attacks in 2005 at the European level has not been the subject of any sufficiently concrete study to affirm that it is effective in the fight against serious crime and terrorism.
Finally, more discreetly, the government is preparing to introduce a Passenger Name Record, which is to provide for the processing of passenger data. The Belgian-style NRP aims to build a database from information provided by users of international airlines, trains and ships. This national file, supervised by the Federal Public Service of the Interior, has the particularity of being subject to a special algorithm that cross-references certain data in order to establish particular profiles with a view to detecting possible terrorists, but also to fight against illegal immigration. Like data retention, this database is consolidated a priori, independently of the opening of a criminal investigation, but also involves data processing for profiling purposes. This measure, which has been particularly criticized for its « preventive » nature, also leaves open the question of the effectiveness of PNR in achieving its objective. As an example, the movements by motorized vehicles as it was the case for the Paris attacks are not detected, the bombs can always explode at the entrances of the airports as it was the case for the Brussels attacks, for example. Moreover, in the midst of the fight against social fraud, or even the fight against social security contributors, the risk of misuse of the initial purpose of this information is tempting.
The large-scale data processing techniques put in place by the authorities are therefore mainly criticized for their lack of proportionality considering that « mass surveillance has potentially serious implications for freedom of the press, freedom of thought and expression, and freedom of assembly and association, and that it carries a high risk of misuse of the information collected against political opponents »(4). However, in order to comply with the European Convention on Human Rights, an interference must be necessary and proportionate. Before adopting a provision, the legislator is supposed to ensure that there are no other measures that are less restrictive or that already achieve the desired goal. In this case, in addition to the lack of a clear and proven demonstration of the effectiveness of massive and undifferentiated data storage for counter-terrorism purposes, the need to put in place such systems can also be questioned.
A SHIFT IN SURVEILLANCE TO PRIVATE ACTORS
Private actors are considered privileged actors in the context of criminal investigations insofar as, by processing data for marketing and billing purposes, they automatically access a set of personal data. This data, once collected, can be stored for a certain period of time to be submitted to particular algorithms. On the Internet, for example, many free services such as Skype, Facebook, Google, Twitter, Youtube, Amazon… process our digital data « en masse » in order to establish consumer profiles. The flow of data between private actors and law enforcement authorities is frequent. Indeed, in Belgium, private actors are expressly subject to an obligation to cooperate with the judicial authorities; they therefore regularly assist in criminal investigations. A prosecutor can request from Internet service providers such as VOO, Proximus, Telenet, certain communication data, namely the identity of the subscriber of a telephone line, an e‑mail address, an Internet connection, an IP address, etc. An examining magistrate will be able to cross-reference these data to, for example, geolocate a person, identify his movements, intercept his communications or intercept his emails. In some cases, the latter may also force persons presumed to have special knowledge of a computer system to cooperate by blocking access to the data or by providing the encryption key if the data is encrypted. The person requested has the option of hiding behind the right to silence, provided that he or she is directly involved in the investigation. Finally, certain intermediaries, and in particular web hosts, are required to report to the Public Prosecutor any illicit activities or information of which they are aware. They must also block on request or on their own initiative sites » inciting hatred » for example, or « apology of terrorism ».
While most companies « play along », some sometimes refuse to collaborate. For example, Yahoo! has already challenged a prosecutor’s request to disclose certain data. The Public Prosecutor’s Office wanted to determine the identity of several users of e‑mail addresses used in a fraud case. However, Yahoo! would not comply with the request. The company justified its refusal by invoking the lack of authority of Belgian law with respect to an American company subject to American law. Moreover, she disputed that she was under an obligation to cooperate since the request came from a prosecutor and not an investigating judge. Indeed, the investigating judge can involve all or almost all private actors, whereas the Public Prosecutor’s Office was supposed to limit itself, in principle, to the Internet service providers, i.e. VOO or Proximus. The Court of Cassation has finally settled the controversy. First, it considers that the law is applicable to any company » that provides e‑mails in Belgium, participates in the economic life (of the country) ». Second, the Court held that the obligation to provide certain data and to cooperate with the prosecutor’s request is not limited to Internet service providers, as invoked by ‘Yahoo! This is an important nuance, since this interpretation allows the prosecutor to obtain data from most of the services available on the Internet, such as Skype or Facebook, without having to call on the investigating judge. However, the opening of an investigation is supposed to provide the accused with certain guarantees against the risk of illicit and arbitrary access to data.
In a similar vein, recently Apple refused to comply with an FBI order to decrypt the cell phone of one of the San Bernardino shooters. In addition to unlocking the phone, the FBI wanted Apple to develop a new version of the operating system. This technical assistance would have allowed US law enforcement agencies to facilitate the unlocking of any smartphone. However, according to Apple, such software facilitating access to phones undermines the security and confidentiality of stored data. In the end, the FBI finds a loophole that allows them to access the data on the phone. In this case, the American investigative services go further than the « simple » obligation of collaboration explained above. The investigators wanted to force a private actor to design doors that would facilitate access to the data contained in the system. In Belgium, such an obligation does not exist but could be conceived. Currently, however, the law allows intelligence services to hack into a computer system « with or without the use of technical means, false signals, false keys or false qualities « . The latter are thus able to interfere in a computer by inserting a computer virus for example and to collect the desired information. These can be transferred to the police if necessary.
Consequently, if the large-scale processing of data through measures such as the obligation to retain data or the PNR agreement is much talked about for reasons of proportionality, it must be noted that, in addition to the lack of proven effectiveness In concreto, the « necessary » character of such devices could also give rise to a broad debate. Traveler data collected by travel agencies, for example, are already accessible upon request of the public prosecutor. Similarly, the Public Prosecutor’s Office has the possibility to access communications data already stored by operators for commercial purposes, regardless of the existence of a retention obligation. Not to mention the cost of such measures, the debate on mass surveillance should therefore be broadened. Indeed, the line between commercial « mass » surveillance and security « mass » surveillance is far from being watertight. Therefore, widespread encryption remains the most effective answer to protect our privacy.
- A ce sujet, voir le rapport annuel du Comité R disponible à l’adresse suivante : http://www.comiteri.be/images/ pdf/Jaarverslagen/Activiteitenverslag_2014.pdf
- C.J.U.E., 8 avril 2014, Digital Rights Ireland Ltd & Michael Seitlinger e.a., affaires jointes C‑293/12 & C‑594/12. 8 avril 2014. Point 37 et 65 C.C., 11 juin 2015, n°84/2015.
- Points 26–27 et 37 de l’arrêt Digital Rights.
- Ibid., point 10.