UN Report Says Mass Surveillance May Violate International Law

The good folks over at the EFF have a detailed overview of a new report from the UN, which has basically found that mass surveillance, similar to that which is carried out by the NSA and GCHQ can often violate international law. The full report is just 16 pages, but the EFF version highlights some of the key lines. The biggest is the report's rejection of the whole "collect the haystack" approach to mass surveillance. The UN report makes it clear that this is not a reasonable approach, especially when it is not shown to be "necessary and proportionate."

Where there is a legitimate aim and appropriate safeguards are in place, a State might be allowed to engage in quite intrusive surveillance; however, the onus is on the Government to demonstrate that interference is both necessary and proportionate to the specific risk being addressed. Mass or “bulk” surveillance programmes may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.

It further finds that many countries do not effectively limit who has access to such bulk data collections, which exacerbates the problem:

One factor that must be considered in determining proportionality is what is done with bulk data and who may have access to them once collected. Many national frameworks lack “use limitations”, instead allowing the collection of data for one legitimate aim, but subsequent use for others. The absence of effective use limitations has been exacerbated since 11 September 2001, with the line between criminal justice and protection of national security blurring significantly. The resulting sharing of data between law enforcement agencies, intelligence bodies and other State organs risks violating article 17 of the Covenant, because surveillance measures that may be necessary and proportionate for one legitimate aim may not be so for the purposes of another

It also finds requirements for data retention to be problematic:

Concerns about whether access to and use of data are tailored to specific legitimate aims also raise questions about the increasing reliance of Governments on private sector actors to retain data “just in case” it is needed for government purposes. Mandatory third-party data retention -- a recurring feature of surveillance regimes in many States, where Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access – appears neither necessary nor proportionate.

The report condemns the pernicious use of "secret interpretations" of the law, something that has become all too common in the US:

Consequently, secret rules and secret interpretations – even secret judicial interpretations – of law do not have the necessary qualities of “law”. Neither do laws or rules that give the executive authorities, such as security and intelligence services, excessive discretion; the scope and manner of exercise of authoritative discretion granted must be indicated (in the law itself, or in binding, published guidelines) with reasonable clarity. A law that is accessible, but that does not have foreseeable effects, will not be adequate. The secret nature of specific surveillance powers brings with it a greater risk of arbitrary exercise of discretion which, in turn, demands greater precision in the rule governing the exercise of discretion, and additional oversight.

While reports like this may not directly impact the US's practices, it adds to the growing understanding and recognition both of what the NSA (and others) does, but also why it's totally unacceptable.