Copyright2013
1
Roger ClarkeXamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy, UNSWVisiting Professor in Computer Science, ANU
Chair, Australian Privacy Foundation (APF)Advisory Board Member, Privacy International (PI)Secretary, Internet Society of Australia (ISOC-AU)
http://www.anu.edu.au/Roger.Clarke/......../DV/SDS-1301 {.html, .ppt}
CPDP – Brussels – 24 January 2013
State Surveillance and Its Governance
Copyright2013
2
State Surveillance and Its Governance
AGENDA
• Categories of Surveillance
• PoV Surveillance as an Example
• Governance Principles for State Surveillance
• How to Get Them
Copyright2013
3
Categories of Surveillance
1. Behavioural Surveillance (Observation)
2. Communications Surveillance (Interception)
3. Dataveillance
4. Location and Tracking Surveillance
5. Body Surveillance
6. Experiential / Attitudinal Surveillance(Reading, Associations)
∑ Combined, Omnipresent and/or Omniscient 'Überveillance' ==> Emergent Omnipotence?
http://www.rogerclarke.com/DV/FSA.html
Copyright2013
4
State Use of the Categories of Surveillance
1. Physical Surveillance• Unaided watching and
listening – eyes and ears• Aided by technology, incl.
telescopic lenses, directional microphones, triggers
• Recorded
2. Comms Surveillance• Eavesdropping• Traffic Interception• Access to Stored Traffic• Reading, eExperiences
3. Dataveillance• Consolidation, Matching,
Warehousing, Mining• Profiling• National Id Schemes• Spyware, Hacking
4. Loc, Track Surveillance• Transaction Trails, Bug-
Planting
5. Body Surveillance • Anklets, Implants
6. Experiential / Attitudinal Surveillance
Copyright2013
5
Point-of-View SurveillanceBase Definition
The use of a device to observe and/or record still- or moving-image and/or sound, that has the following characteristics:
• is human-borne• points away from the human; and• is designed to capture data from
the person's point-of-view or line-of-sight
Mounts may be on the head, spectacles, helmet, etc.May be obvious, non-obvious, or obfuscated
http://www.rogerclarke.com/DV/PoVS.html
Copyright2013
6
PoVS Technologies Extensions to achieve a Looser
Definition• Person-Attached Device, other than to the
heade.g. shoulder-strap, belt
• Person-Held DeviceMay be held at the eye, or in front of the eye, but may be held low, held above the head, etc.
• Personal-Device-Attached Devicee.g. on a baton, taser, pistol
“... 55,000 minicameras mounted on Tasers ... ” (NYT Advertorial, 21 Feb 2012)
• ...
Copyright2013
7
Not-but-Near-to PoVS Technologies
• CCTV and OCTV:• Public Place• Government,
Corporate• Personal
• ANPR:• Fixed• Mobile• Point-to-Point
• Vehicle-Mounted• In-Car Video (ICV)• Drones
• Device-Mounted,but at, not from
• Web-cams
• ...
http://www.rogerclarke.com/DV/PoVS.html
Copyright2013
8
Disbenefits and Risks of PoVS – 1
• ‘Requisite Distance’
• Chilling-effect of ‘the eye’
• Inflammatoriness of ‘the eye’‘Get that camera out of my face!’
• Duelling PoVS
• Falsifiability
• Suppression and Selectiveness
Copyright2013
9
Disbenefits and Risks of PoVS – 2• Retrospective Use:
• Suspicion-generation• Mapping of Social Networks• Guilt by Proximity
Revival and extension of Consorting Crimes
• Behavioural S || Comms S || Dataveillance
• Real-Time Use: Plausible criminalisation based on identity, location, video footage (and comms?)
• Predictive Use: Plausible criminalisation based on intention inferred from observed behaviour
Copyright2013
10
Law Enforcement And Nat Sec Agencies (LEANS)
Inherent Scope to Avoid Controls
• Necessary Delegation to Police of the decision to use force, and to arrest
• Magistrates’ courts favour police evidence• LEANS may provide the only PoVS feed
that is available to an investigator or court• Failure to impose independent controls
over illegal police behaviour
Copyright2013
11
LEANS – Additional Rights and Constraints
Examples from Surveillance Devices Act (Cth)
• Authorised to use optical surveillance devices, in public places, without a warrant, provided that "there is no entry to premises without permission and no interference with any vehicle or thing” (s.37)
• Judicial Warrants – advantageous conditions (ss.1-27)
• Self-Issued Warrants (ss.28-36)
• Warrantless, in a few circumstances (ss.37-40)
• ?Warrantless, in many more• Can be covert, may be able to be suppressed (ss.44-
48)
Copyright2013
12
Sur cf. SousSurveillance (sur = above)
• Enviro-centric• Looks down from above,
physically and hierarchically • bosses watch employees• police watch demonstrators• taxis watch passengers• shopkeepers watch shoppers
• Centralised control• Often secret• Breeds mistrust, which
• Breeds surveillance• Breeds mistrust ...
Sousveillance (sous = below)
• Person-centric• Looks up from below,
less org’d, hierarchical• demonstrators watch police• shoppers watch shopkeepers• citizens watch security people
• Distributed or no control• Often open • Individual or
Community-based, which• Breeds trust
After a Steve Mann Analysis
Copyright2013
13
The Range of Possible Counter-PoVS Powers
• To require a person to not use a PoVS device,in relation to particular activities, or in particular places
• To require a person to do an act re their PoVS devices:
• Delete recordings of particular activities• To take actions in relation to a person’s PoVS devices:
• Seize, i.e. remove from the person's possession• Delete existing recordings of particular activities• Disable particular functionality• Inflict damage• Destroy• Confiscate, i.e. retain long-term or indefinitely
http://www.rogerclarke.com/DV/POVSRA.htmlhttp://www.rogerclarke.com/DV/LTMD.html
Copyright2013
14
Actual Counter-PoVS PowersUnder Australian and NSW Laws
• Major Events (Olympics, Gx, APEC, CHOGM, ...)APEC Meeting (Police Powers) Act 2007 (NSW)
• Self-Authorised Special Powers – LEPRALaw Enforcement (Powers & Responsibilities) Act 02/07 (NSW)Enables NSW Police to self-authorise special powers in public places in the event of what it judges to be "public disorder". The powers include stop and search without warrant and without reasonable grounds for suspicion, and seizing and detaining, originally, a communication device, but since 2007 any "thing, if [its] seizure and detention ... will assist in preventing or controlling a public disorder" (s.87M)
• Anti-Terrorism Laws
Copyright2013
15
Counterveillance Principles
1. Independent Evaluation of Technology2. A Moratorium on Technology Deployments3. Open Information Flows4. Consultation and Participation5. Evaluation / Surveillance Impact Assessment6. Design Principles ==>7. Review Against Those Principles8. Rollback
http://www.rogerclarke.com/DV/SReg.htmlhttp://www.rogerclarke.com/DV/RNSA07.html
Copyright2013
16
The Regulation of Surveillance – Design Principles
1. Justification2. Proportionality3. Openness4. Access Security5. Controlled Use6. Controlled Disclosure7. Controlled Publication8. Non-Retention and Rapid
Destruction9. Review10. Withdrawal
http://www.rogerclarke.com/DV/SReg.htmlhttp://www.privacy.org.au/Papers/CCTV-1001.html
Copyright2013
17
State Surveillance and Its Governance
AGENDA
• Categories of Surveillance
• PoV Surveillance as an Example
• Governance Principles for State Surveillance
• How to Get Them
Copyright2013
18
Standards Documents
• International Telecommunications Union (ITU, since 1865)
• Institute of Electrical and Electronics Engineers (IEEE, since 1884/1912/1963)
• International Organization for Standardization (ISO, since 1947)
• Internet Engineering Task Force (IETF, since 1986/1992)
• British Standards Institution (BSI, since 1901)
• US Govt National Institute of Standards and Technology (NIST, since 1901)
• American National Standards Institute (ANSI, since 1916)
• Deutsche Industrielle Normen(DIN, since 1917)
• Standards Australia (SA, since 1922)
Origins in the Engineering Professions, esp. Construction
Copyright2013
19
The Politics of Standards• Institutionalisation and Scale• Influence = ƒ( Meritocracy / Technocracy )• From Volunteer Professionals
To Corporations, Government Agencies, Industry Associations
• Consumers / Citizens / Reps / Advocates ??
• Influence from muted to nil, due to:• Dominance of
Meritocracy/Technocracy• Dominance of Corporate Power• Limited Resources for Analysis, Travel
Copyright2013
20
So ... Civil Society Standards Documents
• An alternative voice to the documents that are published by and for industry, and by and for governments
• A counter-balance tothe power of industry and governments
• An antidote to civil society's exclusion / weak voice in industry standards processes
• Public Expectations:• Articulated• Communicated• Available in Advance
• Benchmarks:• Established• Applied by Civil
Society• Applied by Others
• Protection of the public from badly conceived projects
• Assurance for investments both public and privatehttp://www.rogerclarke.com/DV/CSSD.html
Copyright2013
21
How To Get Governance• Promulgate Standards• Hammer Home the Absence of Governance
• Evaluate Against Those Standards• Expose, and Exploit Embarrassment
• Media Backgrounders• Media Releases• Formal Reports by Civil Society
• Build External Coalitions of Interest• Anonymity is needed by Undercover Operatives• Location and Tracking Threatens Marketing,
Strategy and Merger&Acquisition Execs
Copyright2013
22
Roger ClarkeXamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy, UNSWand in Computer Science, ANU
Chair, Australian Privacy FoundationAdvisory Board Member, Privacy International
Director, ISOC-AU
http://www.anu.edu.au/Roger.Clarke/......../DV/SDS-1301 {.html, .ppt}
CPDP – Brussels – 24 January 2013
State Surveillance and Its Governance
Copyright2013
23
Copyright2013
24
Copyright2013
25
TheBlurring
of
Speculative
Fiction
and
Reality
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Copyright2013
26
Dimensions of Surveillance
1. Of What?
2. For Whom?
3. By Whom?
4. Why?
5. How?
6. Where?
7. When?
Copyright2013
27
General Rights to Use PoVS• On the Person’s Own Property
• A general right, subject to provisos• On Other People’s Property
• A revocable right, subject to provisos• In a ‘Private Place’
• Only if a party to the conversation?• In a ‘Public Place’
• If ‘a reasonable expectation of privacy’ exists
• Usability if obtained without permission? in breach? in violation of a denial of consent?e.g. breach of confidence? Privacy Act use / disclosure?
Copyright2013
28
Constraints on General Rights to Use PoVS
Property-Related Constraints• On (or near?) Government Property
• Military Properties – Crimes Act (Cth) s.82• Clth Properties – Crimes Act (Cth) s.89• Designated Areas (Sydney Opera House!?)
• On Other People’s Property• Can be precluded internally, but maybe
cannot preclude looking into the premises• ?However, not inside a building
if a reasonable expectation of privacy exists• In Workplaces (NSW, ACT only?)
• mere notice that surveillance is undertaken• some limits on ‘private place’• magistrate’s authority for covert
surveillance
Copyright2013
29
Constraints on General Rights to Use PoVS
• Censorship and Anti-Voyeurism Laws(peeping-tom, upskirting, downblousing)
• ? Torts• Land – Trespass, Nuisance• Person – Trespass, Obstruction, Assault, AVOs (NSW)??• Emotional State – Harassment, Stalking, PSIOs (Vic)?• Deceit – Factual Misrepresentation??, Passing-Off??
• Specific Legislation, e.g.:• Major Events (Olympics, G8, APEC)
• ?Party to the conversation?Eavesdropping is/was a common-law offenceBut, in NSW, deleted in 1995 (s.580B of Crimes Act)
• ?Direct action by the subject of the surveillance; butprotections are for PoVS’ers rather than the aggrieved
Copyright2013
30
State Surveillance and Listening Devices Acts
Vic, WA, NT (1998-2000)& NSW (2007), Qld
Surveillance Devices ActsProhibition of surveillance of a ‘private activity’, except:• by someone who is
a party to the activity• if the activity is happening
outside the building; or• if the circumstances
indicate that the parties do not care if they are seen
SA, Tas, ACT1971, 1972, 1990
Prohibition of aural surveillance
of a private activity, except ...
Workplace (NSW, ACT)• Must be declared• Covert only with a
magistrate's approval
Anti-Voyeurism laws may put toilets, bathrooms, change-rooms off-limits
Copyright2013
31
Unenforced Laws
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Candice Falzon & Sonny Bill Williams – April 2007Apparently in breach of Crimes Act 1900 (NSW) ss. 91I-91M re voyeurism,
and Surveillance Devices Act 2007 (NSW) s.8 re optical surveillance,BUT no prosecution found
Copyright2013
32
Pragmatic Constraints• Many ‘public places’ are government-owned
and some are privatised (e.g. airports)• Powerful organisations are able to achieve a
great deal more than weaker organisations and individuals:
• Larger Real Estate(industrial and commercial premises, hospital and university campuses, malls, ...)
• Access to Parliaments, by:Government agenciesLarge corporationsIndustry associations
Copyright2013
33
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
http://www.gizmodo.com.au/2011/01/recording-a-police-officer-could-get-you-15-years-in-jail/
Copyright2013
34
Uncontrolled Use of Such Laws in Australia
• December 2008 re Nick Holmes a CourtCamera-enabled Blackberry confiscated Without apparent justification
• Presumption of authority under Anti-Terrorism laws
• Reports suggest previous such incidents
http://techwiredau.com/2008/12/who-watches-the-watchers-australian-threatened-with-arrest-under-australian-anti-terrorism-act-for-being-a-citizen-journalisthttp://www.couriermail.com.au/police-snatch-blackberry/story-fna7dq6e-1111118412772
Copyright2013
35
http://thetandd.com/animal-rights-group-says-drone-shot-down/article_017a720a-56ce-11e1-afc4-001871e3ce6c.html
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Copyright2013
36
Precepts• Terrorism is not new and nor is it unusual• Although the 'power to weight ratio' of a single strike
has increased (because fewer terrorists can deliver a bigger payload), this does not have particularly significant implications for public policy
• Reactionary extremism must not be accepted at face value. National security and law enforcement interests cannot have carte blanche to do what they say needs to be done in order to counter the threats
• Secrecy is not a necessary pre-condition of Security• It is not legitimate to treat Public Safety issues as
though they were National Security matters• A single State identity does not stop 'virgin terrorists'
http://www.rogerclarke.com/DV/RNSA07.html
Copyright2013
37
Law Reform Recommendations – Ignored?
1983Australian Law Reform Commission appears to have addressed some aspects relevant to the issues (ALRC 1983, c. para. 1125)
1995NSW Privacy Committee provided Recommendations in relation to surveillance in the workplace (NSWPC 1995)
2005NSW Law Reform Commission made Recommendations in relation to both Overt Surveillance and Covert Surveillance (NSWLRC 2005)
2008Australian Law Reform Commission briefly discussed surveillance, made no direct Recommendations but Recommendation 74-1 re a Statutory Cause of Action lists as an example of a serious invasion of privacy: ... (b) where an individual has been subjected to unauthorised surveillance (ALRC 2008)
2010Victorian Law Reform Commission recommended a law and a set of guiding principles for the responsible use of surveillance devices in public places (VLRC 2010)
Copyright2013
38
Challenges Involved in Achieving Balance
• Advertorials, even in the NYT, today 21 Feb 12• Public-Private Partnerships cf. Procurement Probity• Policemen in Corporate Promo Videos• One-Sided Expression of Potential Benefits
e.g. “negating false complaints” cf.“appropriate resolution of complaints”
• Marginalisation of Disbenefits and Risks• Absence of Risk and of Privacy Impact Assessment• Absence of Consultative Processes with Advocates• Absence of Requirements-Based Scheme Design
Copyright2013
39
Media Use of (PoV)Surveillance – Specific Principle
• DO NOT, unless a clear justification exists:• seek or gather personal data• observe or record personal behaviour
• Base justification only on:• consent by the person to whom the data relates• express legal authority; or• an over-riding public interest
• The nature of the activities, and their degree of intrusiveness:• must reflect the nature and extent of any consent
provided• must reflect the nature and extent of any express legal
authority; and• must be proportionate to the nature and significance of
the public interest arising in the particular circumstances
Copyright2013
40
Media Use of (PoV) SurveillanceControlled Activities
1. Activities that intrude into the person's private space
2. Activities that intrude into the person's reasonable expectations, even though they are in a public space
3. Deceit, such as:• masquerade
• misrepresentation or subterfuge pretexting / blagging, masquerade
• unexpected observation or recording
4. Exploitation of vulnerability, naiveté or ignorance, esp. children, limited mental capacity, etc.
5. Intrusions into private space of people in sensitive situations
6. Coercion, incl. implication of a legal or moral obligation, intimidation, excessive persistence
7. Perceived trespass, nuisance, obstruction, pursuit, harassment or stalking
Copyright2013
41
Australian Privacy Foundation (Sep 2009)
Policy Statement re Visual Surveillancehttp://www.privacy.org.au/Papers/CCTV-1001.html
1. Justification... a Privacy Impact Assessment (PIA) must be conducted ...... publication of a clear explanation ...... public consultation ...... consideration of less privacy-invasive alternatives
2. Proportionality... benefits ... must outweigh the negative impacts ...... no more intensive ... and no more extensive than justified
Copyright2013
42
Australian Privacy Foundation (Sep 2009)
Policy Statement re Visual Surveillance
http://www.privacy.org.au/Papers/CCTV-1001.html
3. Openness / TransparencyCovert requires formal, specific and bounded legal authority, issued by an independent judicial institutionOvert, in private space and in public spaces where a reasonable expectation of privacy exists, <ditto>, and must disclosed and clearly notified Overt, in public spaces, must be disclosed, clearly notifiedIn all cases, any identifiable data arising, under any circumstances, must be treated as personal data under data protection laws