Coppers and Spooks in cyberspace: une liaison dangereuse

By: Douwe Korff , Emeritus Professor of International Law

DKpict1

The theory: “The same freedoms online as offline”

The Digital Enlightenment Forum is based on the belief, also expressed numerous times in international instruments and declarations, that “people should enjoy the same autonomy and rights and freedoms online that they do offline”. We also generally subscribe to the ideas that individuals should first and foremost be subject to the laws and mores of the country where they live, provided that those laws and mores accord with international human rights standards – that states should refrain from interfering in other states and should generally not apply their laws extraterritorially; but that, conversely, violations of public international law or international human rights law are a legitimate concern of the whole international community.

However, these mantras are not reflected in the responses of many states – including states that often portray themselves as the main advocates of human rights and international law – to “bad” actions in cyberspace. Worse, the excessive and unlawful online behaviour of certain state agencies increasingly also informs their behaviour offline.

This blog simply tries to list the issues involved, to help the debate.

What exactly is “cybersecurity” and “cybercrime?

The term “cybersecurity” is used to cover a great many – indeed, in my opinion, far too many – different issues, ranging from purely technical security issues (like protection against non-criminal threats to IT/Internet infrastructure), to “cybercrime” (which itself covers very different things, from interception of communications, online IP “piracy” and “hacking” to child pornography and hate speech), and is sometimes even applied to civil law and –procedure relating to e-contracts, ISP Terms & Conditions, intellectual property, etc., etc.. And in all these regards, it is at times applied to substantive law, procedure, oversight and remedies, national institutions, international instruments, and intergovernmental arrangements and –institutions; at the national and international/transnational level; and also including national and international policy-making in these regards.

At the same time, the very word “cybersecurity” is used to conjure up existential threats relating to “national security” and “international security”.

Cybersecurity and human rights

Cybersecurity issues are often highly human rights sensitive, in particular when they involve monitoring of the activities of individuals in cyber space; pulling of data on individuals (or that may also relate to individuals) from cyberspace; or the storing, sharing, analysing and further using of such data, including profiling.

Any such monitoring or collecting, etc., constitutes ipso facto an interference with at least the privacy rights and the right to data protection of such individuals, and possibly with their rights to freedom of expression, freedom of association and freedom of religion. Moreover, if such measures are taken as part of criminal investigations (or may lead to such investigations), they raise fair trial – and fair investigation – issues.

These cybersecurity human right issues are complicated and aggravated, in particular:

  • if the measures involve cooperation – and data exchanges – between state and private entities (companies, including in particular companies active in cyber space, such as Internet Service Providers (ISPs) and mobile network operators (MNOs) and social network service providers (SNSs);
  • if the measures involve cooperation – and data exchanges – between law enforcement agencies and national security agencies; and/or
  • if there are transnational/international aspects to the measures, i.e., if they either involve actions of entities in one country that directly affect individuals (the data of individuals and the rights of individuals) in other countries (such as the pulling of data from a server in one country for analysis in another country), or if they involve cooperation between entities in different countries (which could be cooperation between private entities in different countries, or cooperation between public entities in different countries [such as international law enforcement- or national security cooperation], or cooperations between private entities in one country and public entities in another country).

Of course, if several of these factors are present, that multiplies the complications.

Cybersecurity and national security

One of the most serious threats to the rule of law is the increasing attempts to define cybersecurity as inherently being part of national security. There are two important aspects to this. It means that:

  1. Individuals suspected of involvement of “threats to [ill-defined] cybersecurity” and/or of being involved in “[any kind of] cybercrime”, are increasingly treated as “threats to national security” – i.e., in effect, as terrorists; and
  2. The issues concerned are increasingly placed within the competence of the national security agencies rather than the ordinary law enforcement agencies and/or that there is an ever-greater blurring of the lines between the work of the LEAs and the NSAs.

In the course of these processes, two serious threats to the rule of law emerge:

  1. Individuals suspected of a wide range of crimes – including crimes not in any way involving violence – are increasingly treated as, or on a par with, “terrorists” and others “threatening the fundamental [constitutional[ order of the State”; and
  2. The law enforcement agencies in states supposedly strongly committed to the rule of law increasingly not only work with, but are beginning to adopt the methods and practices and ethos of the security agencies – who have too often been shown to have little regard to the rule of law.

If we want to preserve the State Under the Rule of Law (der Rechtsstaat, l’État du Droit), we must fight these trends. They may not be new – the author fought against them in the 1970s, 80s and 90s – but they have reared their heads again in mutated forms in the current century. We must re-affirm our commitment to the rule of law and to Enlightenment values – now!

* This blog expands on a powerpoint presentation by the author at the 2015 Computers, Privacy & Data Protection (CPDP) Conference in Brussels, January 2015, on “Cybersecurity & Human Rights”. It also draws on the Council of Europe Commissioner for Human Rights Issue Paper on “The Rule of Law on the Internet and in the wider digital world”, released in December 2014, which was drafted by the author of this blog.

For further reading, see:

The rule of law on the Internet and in the wider digital world, Issue Paper of the Council of Europe Commissioner for Human Rights, prepared by Douwe Korff, December 2014, available at: https://wcd.coe.int/ViewDoc.jsp?Ref=CommDH/IssuePaper(2014)1&Language=lanAll    (Full paper in English; Exec. Summary & Recommendations also available in French, Russian and Turkish)

One thought on “Coppers and Spooks in cyberspace: une liaison dangereuse

  1. laurencemillarnz April 4, 2015 / 1:20 pm

    Dear Douwe

    Thank you for a very helpful discussion starter on an issue that is both complex and important. In such matters, clarity of language is important; however, as you observe, security and law enforcement agencies are assisted by obfuscation, enabling them to do things that would be illegal in the offline world. Placing “cyber” in front of a word (such as cybersecurity or cybercrime) is a signal that “normal rules of law do not apply here”. These terms are now so overladen with ambiguity that I would recommend that we stop using them.

    The idea that we must abide by the laws and mores of the country where we live is also problematic and likely to become more so. The ability to effectively “be” in another country (through video links and geo-relocation of IP address), as well as the increasing global mobility of people, means that it is increasingly difficult to decide what laws and mores I should operate under – the laws and mores of the country where I am situated today, where the service I am accessing is provided from (whatever that means) or the country where I normally reside. The whole concept of laws and mores needs to be rethought.

    Jurisdictional authority is at the heart of this issue. Nearly 20 years ago, the Declaration of Independence of Cyberspace [1] opined that the legal concepts of the real world do not apply. It is into this regulatory vacuum that government agencies, both law enforcement and national security, have elected to operate in their own interests.

    For a current and Kafka-esque example, consider Kim Dotcom: “I never lived there I never traveled there I had no company there But all I worked for now belongs to the U.S.” These actions were taken not in the interest of national security, or criminal behaviour, but an alleged offence under civil law.

    I agree that we need commitment to the rule of law; the questions are what law is relevant and practical for cyberspace, and what mechanisms need to be developed to enforce it.

    [1] https://projects.eff.org/~barlow/Declaration-Final.html (1996)
    [2] https://www.techdirt.com/articles/20150326/18041530458/how-us-government-legally-stole-millions-kim-dotcom.shtml

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s