All of this week, whilst I am mainly working on Managing Your Digital Footprint research work, there is a summer school taking place at the University of Edinburgh School of Informatics on Security and Privacy with several talks on social media. This afternoon I’ll be blogging one of these: “Policing and Social Media Surveillance : Should We Have any Privacy in Public?” from the wonderful Professor Lilian Edwards from University of Strathclyde and Deputy Director, CREATe.
I come to you as a lawyer. I often say what I do is translate law to geek, and vice versa. How many here would identify themselves as from a legal discipline (about 10 are), I know most of you are from a computer science or HCI area. What I will talk about is an overlap between law and computer science.
So, a nice way to start is probably David Cameron saying: “In extremis, it has been possible to read someone’s letter, to listen to someone’s call to listen in on mobile communications,” he said. “The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.“
I’m going to argue that encryption, privacy, etc. is a good thing and that there should be some aspect of privacy around all of those social media posts we make etc. Now, what if you didn’t have to listen to secret conversations? Well right now the security services kind of don’t… they can use Tumblr, Facebook, Twitter etc..
So, a quick note on the structure of this talk. I will set some context on open source intelligence (OSINT), and Social Media Intelligence (SOCMINT). Then I will talk about legal issues and societal implications.
So, SOCMINT and OSINT. In the last 5-7 years we’ve seen the rise of something called “intelligence led” policing, some talk about this as the Minority Report world – trying to detect crime before they take place. We have general risk aversion, predictive profiles, and we see big data. And we see “Assemblages” of data via private intermediaries. So we see not only the use of policing and intelligence data, but also the wide range of publicly available data.
There has been the growth in open source intelligence, the kind of stuff that easy to get for free, including SOCMINT – the stuff people share on social media. You can often learn a great deal from friends graphs, their social graph – even with good privacy settings that can be exposed (used to always be open) and that is used in friend of friends analysis etc. The appeal of this is obvious – there is a lot of it and it is very cheap to get hold of it (RUSI and Anderson Report 2015), 95% of intelligence gathered is from this sort of “open source” origins, the stuff that is out there (ISC 2015). There have been a number of reports in the last year with increadibly interesting information included. Another report stated that 90% of what you need to know if from this sort of open source, and it’s great because it is cheap.
These practices are rising policy challenges (Omand 2012) of public trust, legitimacy and necessity, transparency. And there is the issue of the European Convention on Human Rights: article 8 gives us the right to a private life, which this sort of practice may breach. Under that article you can only invade privacy for legitimate reasons, only when necessary, and it the level of invasion of privacy can only be proportionate to the need in society.
So, looking at what else is taking place here in contemporary practice: we had the Summer Riots in 2011 where the security services used #tweets, BB texts etc. and post riot reports really capture some of the practice and issues there; Flickr stream of suspect photos leading to 770 arrests ad 167 charges, Facewatch mobile app During the 2012 Olympics the police wanted to use social media data, but basically did not know how. So issues here include police managerial capacity; there is sampling bias (see “Reading the Riots”) as Twitter is a very partial view of what is occuring; And there is human error – e.g. in crowdsourced attempts to identify and locate the Boston Bombings.
So I want to talk about the possibility of using public social media posts and question whether they have any protection as private material.
An individual tweets something, says she didn’t intend for it to be seen by the police, commentators online say “What planet is this individual on? Her tweets are public domain” and that is the attitude one tends to see, including in the law courts. e.g. “a person who walks down the street will inevitably be visible” (PG v UK 2008 ECt HR). In the UK that seems to be the standard perspective, that no reasonable expectation to privacy when expressing yourself in public.
In the US there is even less privacy of social media posts, e.g. see C.f. Bartow (2011) who says “Facebook is a giant surveillance tool, no warrant required, which the government can use… with almost no practical constraints from existing laws”. There is no idea of privacy in the US constitution effectively.
You’d think that the EU would be better but where are our traditional concepts of when “reasonable expectation of privacy arises?” Is it in our body, our home (Rynes ECJ 2013), car, what about our data “relating to you” vs “public sphere” (Cf Koops).
So, what are the legal controls? Well the Data Protection law seems obvious but there are strong UK exemptions around detection and prevention of crime – so there is no need for consent.
How about the European Convention on Human Rights article 8, the right to a “private life”. So, the start of my arguement is Von Hannover ECtHR (2004) about intrusion by press rather than police – Princess Caroline of Monaco was being followed by the press in all of her activities. The Court says, seminally, that this is absolutely an invasion of her private life – even though she is a public figure in a public sphere. So we have a concept of privacy being beyond the bounds of your home, of being able to have a right to privacy when out in public.
Now, that was an important case… But it hasn’t had that much impact. So you have cases where the police take photos of people (Wood v Metropolitan Police 2008) or CCTV (reapplication by JR38 for Jusicial review (2015). In the case of Wood a serial activist was going to a corporate AGM, expected to cause trouble, so police followed him and photographed him. Judge said that he was an activist and well known, and could expect to be followed. The arguement was that the image was a one off thing – that not part of ongoing profile.
The most recent case, which was in Northern Ireland, was caught on CCTV during the NI equivelent of the London Riots. The person in question was 14 year old and images were circulated widely, possibly including to the Derry Journal. Again he uses, but in an interesting way. There are at least three judgements.
Lord Kerr says “The facet that the activity… Is suspected to be criminal… will not alone be sufficient to remove it from… application of article 8”. That’s a big deal – suspicion of criminal activity isn’t enough for your rights to be exempt. However in this case the second test, whether the intrusion is justified, was found to be the case. And they took very little time to decide it was a justified act. Under proportionality of rights of individual, and rights of community to protect itself, they felt this intrusion was justified. They say that he’d benefit too – saying that that 14 year old might be diverted from a life of crime. They lay it on a bit but they are under pressure to justify why they have not stigmatised this youth through sharing his image. So, an interesting case.
So, there is some expectation of privacy in public but even so interference can be justified. Interferance must be justified as necessary, proportionate and according to law. But security usually seems to win in UK? (Wood, JR38). Even if no reasonable expectation of privacy, may still be part of “private life”. But all of this assumes that you know you are being surveilled, of your information being accessed. But you may not know if your data is being used to build up profiles, to build up an airport stop list, etc.
Now, in response to Snowdon, we have something called RIPA – an envisioned “digital” scheme to cover surveillance of personal data. This scheme covers real time interceptions of emails, warrant from secretary of state needed. But social media isn’t part of this. They just seem to be making up how they manage that data.
Now I want to argue that use of SOCMINT shouldn’t have any special excemption…
Demos in 2013 asseted “open” SOCMINT collection (and processing) needs no authorisation of any kind. Why? They argued that no expectation of privacy so long as user new from T&C that public data might be collected, especially via API. I think that is just egregiously stupid… Even if you believed that it would apply to the platform – not for the police, the rest of the world, etc.
The other argument is the detailed profile argument. And that is that even if we admit that this material is “public” there is still part of ECHR which is that detailed profiles of this sort need to be treated with respect – that comes from practices by the Stasi and concerns around the possibility of a secret police state, Juris Prudence (Rotaru v Romania) covers this.
So, my perspective is that there is a real difference between structured and unstructured data… Even if in public is SOCMINT an autoamatic dossier? With Google most of the internet is a structured dossier. With that in mind ECtHR case law has seen structured dossiers maintained ver time as a key threat – Rotaru v Romainis dictum: “public information can fall within the scope of private life where it is systematically collected and stored in files held by authorities”. So does the Rotaru distinction between structured data in files held by police, and unstructured data hold up in the age of Google and data mining (e.g. Google Spain (ECJ 2014), UK RIPA case (2015).
As we move into the internet as the main site for key publishing of data, and as the internet of things and smart cities come online
Q1) Should we be able to do data mining on large sets of social data?
A1) Big data, data mining and the internet of things can be seen as the three horsemen of the apocalypse in a way. And that’s the other talk I could have given. The police, using this sort of data are using data in a different context, and that isn’t ok under ECHR art 8.
Q2) I remember a paper about a year ago about the distinction between what an individual can do in terms of asking about others etc. They have more right that the police in some contexts.
A2) There is this weird thing where if you are not looking at specific people, you aren’t as restrained. That’s because it used to be the case that you could find out very little without investigating an individual. That has changed considerable but he law hasn’t been updated to reflect that.
Q3) A lot about us is public, so don’t we just have to deal with this. I see the concerns of a police state, but I don’t understand where you are drawing the line on legal controls on policing. If they can only do the same as a member of the public then there shouldn’t be an issue there…
A3) You’ve given that answer yourself – the power dynamic is asymmetrical. They have capacity to join data up to their own databases – which may include your being a witness or victim of crime, not always suspect or perpetrator. There is a lot of black boxing of data here…
Q3) What controls are you proposing?
A3) Honestly, I don’t know if the quick answer. But if we look at the requirements for intercepting letters, email, telephone are strict, searching homes, pretending to be friend etc. are less strict… But that scooping up of mass data is something different in terms of implications and we need some form of safeguarding around that, even if less strict than some other approaches/interceptions.
There is overwhelming evidence that young people don’t realise the potential implications of their sharing of data, and see these spaces as a private space away from other areas of their life in which they find themselves surveilled. So there is a reasonable presumption of privacy there.
Q3) I think there is a need for appropriate controls on police activities, I agree with that. If I share things only with friends on facebook and police look at that, that is an investigation. But if I tweet something it is public
A3) This is the classic liberal argument I don’t agree with. Tweeting is a bit different. Facebook is the new mall, the new social space, they use openness to serve them socially, believing it will only be read by peers. So they have a reasonable expectation of privacy. Part of Bartett and Millar work is about the use of the word “rape” – in gaming culture it is being used to take a game. Imagine that being crunched. That’s the sort of issue that can arise in big data. I’m not saying police needs a warrant for all Twitter data capture, I’m saying we need to think about what is appropriate.
Q4) There is a perspective that taking the UK out of the EU Human Rights Act is a red herring to distract from other legislation.
A4) Even if we left the EU Human Rights Act, the UK Government would find many of its protections are embedded in other part of EU law, so it would still require appropriate respect of individual rights to privacy. But that’s a political conversation really.
Q5) So, in terms of the issues you have raised, how do we understand what is private and what is public data?
A5) I think essentially that we need to safeguard certain points in what has become a continuum in privacy around human rights, something that will set some barriers about the types of interventions that can occur, and what kind of oversight they require.
And with that Lilian’s excellent and information-packed talk is done. Really interesting and there were clearly plenty more questions arising. Particularly interesting for me thinking about the Digital Footprints work, and the legislative context for the research we have been undertaking on student expectations, experiences, practices.