Keresés
Close this search box.

Matija Damjan: Mass surveillance and the privacy of communication

20 October 2022 – Online conversation

The online event “Mass surveillance and the privacy of communication” was held on the Zoom platform on 20 October 2022. The event was moderated by Dr Matija Damjan from the Institute for Comparative Law at the Faculty of Law in Ljubljana who was joined by co-debaters, Dr Klemen Podobnik and Dr Samo Bardutzky, both form the Faculty of Law of the University of Ljubljana.

The programme began at 14:00 with Matija Damjan’s keynote speech entitled “From the prohibition of general monitoring obligations to compulsory scanning of encrypted communications.” Dr Damjan noted that surveillance entails the monitoring of people’s behaviour for the purpose of information gathering, influencing, managing, or directing. This can include observation from a distance by means of electronic equipment, such as closed-circuit television (CCTV), or interception of electronically transmitted information, such as web traffic. It can also include relatively simple technical methods, such as human intelligence gathering and the interception of paper mail at the post office. Surveillance can be used by private individuals to protect their homes, e.g. by installing security cameras. It can be legally used by governments for intelligence gathering – including espionage, and prevention or investigation of crime. On the other hand, surveillance is also used by criminal organisations to plan and commit crimes, and by businesses to gather intelligence on their competitors, suppliers or customers. Even religious organisations have been known to use surveillance techniques to detect heresy and heterodoxy among their members.

The phrase ‘state surveillance’ brings to mind images of the former German Democratic Republic and its infamous secret service Stasi that reportedly held files on every citizen. However, most of the information they kept was gathered using relatively low-tech means since their surveillance system mainly relied on a vast network of spies and agents. A modern example of a state’s attempt to collect and compile their citizens’ private information is the so-called Social Credit System developed by the government of the People’s Republic of China. Through this system, Chinese businesses, individuals and government institutions can be tracked and evaluated for trustworthiness. Unlike its East German predecessor, the Chinese system is based on the cutting-edge technology, such as CCTV cameras with facial recognition and the surveillance of all web traffic.

Both countries mentioned are instances of undemocratic regimes that do not recognise or at least do not protect the right to privacy as a fundamental right. Nevertheless, today’s democratic countries are also not immune to attempts to use modern technology to intercept information online. For example, ECHELON was a worldwide electronic intelligence-gathering operation, mainly for industry espionage, run by the USA in cooperation with other Western governments. Created during the Cold War in order to monitor the military and diplomatic communications of the Eastern Block, it gradually evolved into a global system for the interception of private and commercial communications. In 2013, Edward Snowden revealed the surprising extent of global surveillance systems operated by Western countries, often in cooperation with the largest IT companies.

Social networks, such as Facebook, and other online giants, particularly Google, also collect vast amounts of data on their users. As discussed at the previous webinar in May, this usually happens with the users’ more or less express consent. Although these companies collect and process their users’ personal data almost exclusively for advertising purposes, they are now effectively a part of the global electronic surveillance system that is able to intrude into individuals’ privacy more extensively than the Stasi ever managed.

The European Union’s E-Commerce Directive, adopted in 2000, initially acted as a barrier for turning internet companies into surveillance operators. It prohibited Member States from imposing any general monitoring obligation on internet intermediaries to detect their users’ potentially illegal activities. This principle has been important in preventing the attempts to force the intermediaries to implement deep-packet control of web traffic in combination with algorithmic filtering or blocking of any problematic content. In the series of cases Scarlet Extended, Sabam v Netlog and UPC Telekabel the EU Court of Justice confirmed thateven a court injunction cannot be used to force an internet intermediary to establish a permanent system of preventive filteringof user data as this would amount to an impermissible monitoring obligation.

Nevertheless, an opposite trend can be detected in the most recent EU legislation. The 2019 Directive on Copyright in the Digital Single Market requires online content-sharing service providers (a new category of hosting providers that includes all social networks) to make best efforts in accordance with high industry standards of professional diligence to avoid the availability of any unauthorised works. Although the Directive retains the prohibition of general monitoring obligations, it is unclear how its requirements should be met without resorting to algorithmic filtering of all users’ content. Similarly, the Digital Services Act, adopted this year, will require very large online platforms to perform risk assessments on the use and functioning of their services and, based on the established risks, take mitigating measures to protect users from illegal content, goods and services. The content and operation of such measures is left to the platforms themselves; yet the requirement seems to direct the platforms towards monitoring more closely their users’ activities on the platform, even when these are private.

A sort of surveillance obligation is much more expressly mandated by the 2021 Regulation on addressing the dissemination of terrorist content online (TERREG), which requires hosting service providers exposed to terrorist content to implement specific measures to identify and expeditiously remove or block any such content.

Even more contentious is the proposal for a new Child Sexual Abuse Regulation (CSAR) presented by the European Commission in May 2022. The new proposed rules seek to increase child safety online by imposing obligations on online communication service providers to detect, report, remove and block access to online child sexual abuse material, including by screening their users’ private communication to detect such material. The draft regulation states that it is compatible with end-to-end encryption, but its critics point out that no technical solutions currently exist that would allow providers to offer their users end-to-end encrypted services while still complying with their detection obligations. Hence, the providers would be forced to either remove encryption or to offer a weakened version of encryption. In both cases, the users’ communication privacy would be diminished.

We can observe that the states increasingly rely on online service providers to carry out the surveillance of citizens on the governments’ behalf since they have already set up most of the necessary infrastructure to do that for their own commercial interests. Apart from threatening the right to privacy in the digital environments in general, a risk exists that this will also serve to entrench the existing monopolies of the largest online platforms. The authorities will not be motivated to institute antitrust actions against the limited number of internet giants or to encourage competition as long as they remain cooperative in government-mandated snooping.

Klemen Podobnik opened the debate by responding to the issue of using antitrust as a tool for the protection of privacy against the technological oligopoly of online platforms. He stressed that competition law, which is based on economic science, cannot respond to a problem that is not only sociological but also anthropological. The issue of big data science, which is a glamorous name for data mining, is not the core of the problem. The crisis of privacy online can in fact be called ecological, as it does not concern only the espionage by the state authorities, as disclosed by Snowden, but the entire technological ecosystem of the internet. Every individual’s smallest, tiniest action or omission can have detrimental consequences for human privacy on the internet, and this is something we should educate people about. This cannot be done by legislation or by antitrust measures, such as breaking up Facebook or Google, as this will achieve nothing. People should be made aware that their choices regarding the software and hardware they use to communicate influence not only their privacy but the privacy of everybody else – of their friends, of their family and so on. When a photo is posted on a social network, the persons in it will be tagged and facially recognised regardless of whether they are themselves users of the network or not. Similarly, the industry-standard email apps threaten the privacy both of receivers and senders as they scan the email to sell ads. The infrastructure of the net should probably also be changed so that it is not centralised as it is today but federated, which could also change the users’ perspective of the internet as merely a highly sophisticated TV.

Matija Damjan mentioned Cory Doctorow’s proposal that social networks should be regulated in a way that would limit the network effect by allowing the easy portability of any user’s data and the interconnectivity between networks. This would allow users to switch between different social network providers and to connect and communicate with users on other networks. On the other hand, it would also allow the providers of social networking services to compete with enhanced levels of privacy and security that they provide to their users.

Samo Bardutzky pointed out that email remains federated much more than social media. You do not need to subscribe to a specific platform to use it, but you can use a client of your own choice as well as your own server. This is different from today’s instant messaging services that are operated by social networks and connected to them so that they can also combine user data from both services. A technological solution for increased privacy should enable people to start using independent privacy-sensitive clients that are interoperable, so that you can use them to connect to a person using a different client. Perhaps an independent communication platform would be necessary to achieve that. The legal issue is to what extent the state can mandate the creation of such a platform.

The final part of the seminar consisted of a Q&A session and general discussion with the audience. Dr Maja Bogataj Jančič from the Intellectual Property Institute in Ljubljana joined us in the debate pointing out that applying antitrust rules to the old mobile communication companies was relatively straightforward, as the cost was expressed in terms of money the customers paid to the provider. With today’s social networks and other online service providers, the customers pay by losing something – their privacy. And this is something that is difficult to estimate in money and hence hard to deal with within the apparatus of competition law. If privacy is considered a constitutional value, it should not be something that you can trade.

The webinar concluded at 14:25 with an invitation to both the audience and the debaters to join us again at similar events in the future.

Please share our article on your favourite channel or send it to your friends.

Facebook
X
LinkedIn

Similar posts

On Wednesday, November 13, the Central European Academy hosted an engaging mini debate to determine…

The objective of this workshop is to examine the means by which the CJEU ensures…

On 11-12 november 2024, Michał Barański, PhD and Assistant Professor at the Faculty of Law…

Scroll to Top
cea mail modal
Megszakítás