Last week, CDT, Google, and the Global Network Initiative hosted a summit in Berlin on a topic of critical importance to all Internet users: transparency about government demands to Internet service providers and telecommunications companies for users’ data. In 2010, Google became the first company to report how many of these requests it had received, and a range of other companies from Comcast and Verizon to Facebook and Pinterest have since followed suit. Some of these companies, most notably Microsoft and Vodafone, have begun to refer explicitly to “human rights” when explaining why they have decided to disclose information to their customers about the number of requests they receive from government agencies, law enforcement, and courts. From CDT’s perspective, this rapidly-emerging trend of corporate transparency about government surveillance is unquestionably a positive development, and one that should be encouraged.
However, the increasing number of company transparency reports should not distract us from a very important fact: under international human rights law, it is governments—not companies—that are responsible for ensuring that the public understands the essential aspects of when and how surveillance programs operate. ISPs and telecoms are therefore effectively stepping in to fill an information gap that government secrecy has unlawfully created, and users are left to rely upon the voluntary efforts of these companies rather than being able to learn about surveillance programs from their governments as a matter of course.
There are several international human-rights treaties that guarantee a right to privacy as well as a right to freedom of expression. These range from the Universal Declaration of Human Rights (a document that, while technically not binding upon countries, reflects a widely-agreed understanding of the basic human rights that every government must uphold) to major agreements such as the International Covenant on Civil and Political Rights, the American Convention on Human Rights, and the European Convention on Human Rights. Where the right to privacy in particular is concerned, the ICCPR, ACHR, and ECHR all provide that any government interference with the right must be lawful. According to the European Court of Human Rights, this means that governments can only engage in secret surveillance where that surveillance is expressly authorized in publicly-accessible laws; furthermore, those laws must be clear enough to allow individuals to be able to foresee when they might be subject to surveillance (for example, if their governments suspect that they are planning to commit certain crimes). Although the Court has found that the 47 countries that are subject to its jurisdiction are not required to notify anyone that his or her communications are presently being monitored, it has also ruled that governments are not allowed to place a complete prohibition on the disclosure of any information about who has been monitored and why. In other words, at least in the European Court’s view of the law, the public is entitled to basic information about the classes of people that a government has monitored (or is likely to monitor) and how this monitoring is done. No country can hide its surveillance program entirely behind a veil of secrecy, at least where that country’s interception of communications within its own borders is concerned.
Thanks to the companies that have published transparency reports, we now know much more than we did four years ago about which governments have sought user data and how often the ISPs and telecoms have granted these requests. Google, for example, has revealed that the US authorities made 10,574 requests for user data (including both content and metadata) between July and December 2013, and that the company provided some or all of the requested data in 83 percent of those cases. Additionally, we now know that several governments are listening directly to the content of Vodafone customers’ telephone conversations, because—in a groundbreaking and courageous report published earlier this month—Vodafone has told us so.
However, notwithstanding these developments, users face inherent problems when they are forced to rely on businesses for this type of information. One of these problems is that each company’s transparency report presents surveillance-related data in a different way and with different degrees of completeness, making it difficult for users to understand exactly how extensively their own countries are monitoring communications, or to compare surveillance activities across countries and companies (although the creator of one database is currently trying to make the latter task easier). Sometimes, this incompleteness or inconsistency in the information occurs simply because a company has chosen to break its data down in a particular manner, but more often, it occurs because governments have prohibited companies from disclosing certain information. Some governments have even managed to obtain direct access to service providers’ infrastructures, meaning that the providers themselves do not know how many of the communications that pass through their systems are being monitored. Meanwhile, another significant problem for users, as Vodafone has noted in its report, is that no company will ever be able to paint a comprehensive picture of communications monitoring by itself: Google will only know about the requests a government has made to Google, and Facebook will only know about the requests that have been made to Facebook. Moreover, smaller companies may be less willing or able than larger ones to face the serious legal risks that come with publishing surveillance-related reports at all. This means that only the government itself is in a position to give its citizens all of the information to which they are entitled.
Transparency reporting is a laudable trend, and, until governments begin to comply more consistently with all aspects of the right to privacy, a vital one. In congratulating the companies, however, we should not lose sight of the fact that the wall of absolute secrecy they are helping to dismantle should not be there in the first place, since governments are under an obligation to disclose this information.