You are here:
AustLII >>
Databases >>
Privacy Law and Policy Reporter >>
1996 >>
[1996] PrivLawPRpr 44
Database Search
| Name Search
| Recent Articles
| Noteup
| LawCite
| Help
Berthold, Mark --- "Regulating surveillance: Hong Kong's proposals - Part II" [1996] PrivLawPRpr 44; (1996) 3(4) Privacy Law & Policy Reporter 74
Regulating surveillance: Hong Kong's proposals - Part II
Mark Berthold
Telecommunications interception
Interceptions
used to be effected with taps placed on wires. With the shift from
telecommunications systems from analogue to digital transmissions
the
distinction between computers and telephones has become blurred. Modern
digitalised switching systems are controlled by computers.
Hence interceptions
may now be effected by manipulating the switching software, including by remote
means (that is, hacking). Mobile
phones use radio signals which (particularly
if analogue) can be intercepted by scanners.
Intercepts will include much information of no value to the tapper. In
Stranger on the Line, Fitzgerald and Leopold identify the following
computer strategies to `distil useful intelligence from a mass of trivia':
-
filtering out spurious traffic on the basis of call destinations;
- keyword recognition: programs registering the occurrence of particular words
in conversation;
- voice recognition: programs recognising specific individuals, whether or not
false accents are used.
They caution against the assumption that it is only criminals or mavericks who
may be tapped. They think VIPs are likely to be of
more interest to the
security community, because of what they know or may have been told.
As
mentioned above, privacy of correspondence is assured by art 17 of the
International Covenant on Civil and Political Rights. The ambit of the
similar provision in the European Convention has been explored at length in a
number of decisions of the European
Court of Human Rights. Those decisions
establish the following points:
-
`Correspondence' extends to telecommunications. The interception of a
telephone call or fax constitutes `interference' with both
`correspondence' and
`private life'.
- Such interference must sanctioned by law. Administrative procedures
promulgated by the executive, no matter how detailed, are insufficient.
- Compliance with domestic laws authorising interception is not necessarily
sufficient. The quality of the law is also relevant. In Malone, the
genesis of the UK Interception of Communications Act 1985, the court
held that:
The law must be sufficiently clear in its terms to give citizens an
adequate indication as to the circumstances in which and the conditions
on
which public authorities are empowered to resort to this secret and potentially
dangerous interference with the right to respect
for private life and
correspondence.
In Huvig the court held that
surveillance laws should specifically address such matters as the categories of
persons liable to/offences susceptible
to interception, the duration of the
intercepts, and the processing and disposal of intercept materials.
-
Domestic laws which fail to define with reasonable clarity the manner and
scope of the discretion to intercept expose all residents
to the risk of
arbitrary surveillance. It is this which constitutes `interference' with the
individual's privacy, whether or not
concrete measures have been applied
against that specific individual. This approach accords with the reality that
the very lack of
reasonable certainty as to whether surveillance is conducted
keeps people subordinate.
While the relevant decisions specifically address the interception of
telecommunications, these principles also apply to postal mail,
and arguably to
physical surveillance.
In
addition to these human rights norms, at an empirical level there is an
increasing need for privacy and security of telecommunications.
-
The public is likely to become increasingly concerned about privacy as a
result of the increased amount of personal information
available online or by
using the phone.
- An allied concern is that of the global marketplace: the increased use of
telecommunications by industry has increased the need for
security of
communications and to prevent the theft of proprietary information.
- Proposals that limit the privacy and security of communications will
ultimately slow the development of advanced networks. Failure
to maintain
confidence in the provision of such privacy and security will translate into
the reduced use of the system, resulting
in the loss of significant revenue and
the attendant benefits expected of the information age.
Accordingly, the Committee proposes that it be an offence intentionally to
intercept or interfere with a communication transmitted
by a distance
communications system while it is in the course of its transmission. This is
slightly broader than s 7 of the Australian
Telecommunications
(Interception) Act 1979 (Cth) in that it proscribes both interception and
interference. `Interference' would extend to the corruption or diversion of a
communication,
without necessarily becoming acquainted with its contents. Also,
as under the UK Interception of Communications Act 1985, the proposed
offence encompasses not only telecommunications systems but also post.
Criminal sanctions such as these protect the integrity of the
telecommunications networks, quite apart from securing privacy for
communicants. Unlike with physical surveillance, telecommunications involve a
third party, namely the service carrier. Furthermore,
the third party is in a
contractual relationship with the communicant. On the other hand, service
carriers are also required to co-operate
with governments in effecting
intercepts on public interest grounds. Governments face a fundamental tension
between two competing
policy objectives.
-
Fostering the development and widespread use of cost-effective information
safeguards.
- Controlling the proliferation of safeguard technologies that can impair
signals intelligence and law enforcement capabilities.
The Committee therefore examined recent US initiatives attempting to deal with
this dilemma by endeavouring to virtually guarantee
that interception efforts,
albeit authorised by warrant, should be necessarily effective. The Committee
noted in passing that the
power to intercept may be compared with that of
search and seizure, but the latter power is not accompanied by any guarantee
that
the search will not be foiled by suspects hiding items or storing them
elsewhere.
The
US Government has acted on concerns that new technologies could erode present
interception capabilities. This is notwithstanding
that some developments make
for increased vulnerability to intercepts, such increased use of mobile phones
using radio communications
and modern systems such as ISDN providing more call
transaction data (technical developments in other forms of surveillance such
as
the miniaturisation of electronics also provide law enforcement with new
opportunities). The Digital Telephony and Communications Privacy Improvement
Act requires that telecommunications systems be designed to facilitate
government interception. Concerns publicly raised about the implications
of the
legislation include:
-
Security -- while law enforcement would be assisted by systems
modifications facilitating eavesdropping, so too would criminals, spies and
terrorists.
- Impact on the role of service carriers -- while carriers have hitherto
had an arms-length relationship in complying with warrants, legally mandating
tappability forces
them to become, in effect, agents of law enforcement
- Cost -- estimates for the cost of technical conversions of switches
and computers needed for compliance vary from US$500 million and 1.8
billion.
In 1990 the Australian Cabinet determined that all public telecommunications
systems should be capable of being intercepted for security
and law enforcement
purposes. In 1991 licence declarations were amended accordingly. The paper
notes that the Australian Barrett Report (see 1 PLPR 161) specifically
notes that the Australian Barrett Report (see 1 PLPR 161) specifically
rejects, on economic grounds, legislation along US lines pending international
agreement on interception requirements.
On this issue of maintaining tappability the Committee concludes that the basic
issue is the scope of legal controls authorising
tapping. It viewed the
question of controls on technology to maintain tappability subject to
authorisation for specified purposes
as outside its terms of reference. It also
thought that as encryption is increasingly utilised to preclude the deciphering
of communications,
the issue of whether the communications can be intercepted
in the first place becomes less critical than those posed by cryptography.
While
the impact of new technologies on the capability to intercept communications is
mixed, technical developments concerning the
deciphering of intercepted
communications are less equivocal. Encryption is now capable of effectively preventing the
interceptor
from understanding the communication. In the last five years
encryption technology has become readily available to individuals and
businesses. This availability will accelerate with the continued expansion of
the Internet with its capacity to disseminate strong
cryptographic software
world-wide and without charge. The Clipper chip initiative was launched on the
basis that encryption may be
deployed not only to secure legitimate privacy and
security concerns, but also to conceal the activities of criminals and
terrorists.
The Clipper chip provides a government encryption standard
facilitating descrambling communications encrypted with the chip. Under
the
proposed `Key escrow' scheme two `trusted third parties' are designated, who
each hold a piece of the decryption key. The communication
can only be
decrypted by obtaining both pieces of the key, upon production of a warrant.
The Committee concludes that it is futile for Hong Kong to proceed down the
Clipper chip path and promote a standard providing trapdoor
access to
government agencies. Other standards without such access would naturally
continue to be resorted to by the criminals, terrorists,
etc. Unless everyone
used the encryption code, the entire effort is futile. Prohibiting other
encryption standards was considered
unrealistic, given their ready availability
to anyone with a modem and computer. The Committee believes that effective
encryption
will become increasingly available, thereby securing by non-legal
means privacy of telecommunications for those wishing to avail
themselves of it.
While
the global information infrastructure is vitally dependent on adequate security
and privacy of transmissions, many communications
are effected by simple
face-to-face contact. Although issues such as securing the integrity of
networks do not arise here, the core
privacy concern remains. The offences
proposed above regarding the bugging of private premises and their surveillance
by remote means
would protect communications conducted entirely within their
precincts. However, this territorial restriction is not apt for private
communications. To cover this, the Committee proposes that it also be an
offence intentionally to intercept or interfere with a communication
by means
of a technical device (whether or not the communication itself is mediated by
means of a technical device), provided that
interception could not have been
effected without the use of a device. The proviso ensures that conversations
that could be casually
overheard are not protected.
In
accordance with the aim of providing integrated regulation of intrusions, the
Committee proposes the same legal framework for
both physical surveillance and
the interception of communications. This contrasts with the variety of laws
within other jurisdictions,
usually with resultant gaps (particularly as
regards visual surveillance). In devising such a comprehensive scheme the
Committee
was not encumbered with considering robust existing protections --
such protections as they are in Hong Kong are limited in scope
and indefinite
in their application.
Two
main approaches are possible in determining the scope of statutory exceptions
authorising intrusions:
-
Stipulating defences which are self-executing, but whose exercise is subject
to challenge and review. This is the approach generally
adopted by data
protection laws. For example, a data user may decline to afford access to data
on the basis that its release is likely
to prejudice law enforcement. The data
user will usually invoke the exemption unilaterally and the Privacy
Commissioner will only
have occasion to review it if he receives a complaint.
However, while appropriate in dealing with departures from the data protection
principles, the Committee thought this mechanism inadequate in sanctioning the
more serious intrusions involved in surveillance or
the interception of
communications. Also, the use of exemptions under data protection laws is
relatively transparent, whereas individuals
will seldom become aware of being
subjected to surveillance or the interception of communications.
- Implementing a warrant system, requiring prior approval of the proposed
intrusion by an independent authority. In addition to providing
independent
scrutiny, a warrant requirement furnishes the intruder with a written authority
which he can produce if challenged. This
is a practical necessity where the
intrusion in question either:
(a) requires the technical assistance of a third party, such as a service
carrier. This is the usual position when intercepting public
telecommunications
systems (unilateral hacking would be too time consuming); or
(b) the intrusion is of a nature which carries the risk of being detected by
the victim, such as physical entry to premises.
Most remote surveillance, however, requires no external assistance and is inherently undetectable. However, to subject only some
intrusions to the warrant
requirement would encourage resorting to unregulated alternative methods.
Accordingly a judicial warrant
requirement is proposed for all surveillance and
intercepts. The Australian approach of dividing up the issue of warrants
according
to whether they related to law enforcement (for the judiciary) or to
security (for the Attorney-General) was rejected. The Committee
noted that the
US Supreme Court had declined to accept that `internal security matters are too
subtle and complex for judicial evaluation.'
The judicial role envisaged is not
one of independent fact finding, however, but of being satisfied that
authorisation is warranted
on the basis of the broad picture deposed to.
As
intimated above, the only two grounds on which intrusions may be authorised are
that they relate to security, or law enforcement.
To sustain the first ground
the information sought must be likely to be of substantial value in furthering
security, defence, or
international relations in respect of Hong Kong and the
information cannot be reasonably obtained by other means. The paper also
notes
the increasing prevalence of state-sponsored industrial and economic espionage.
While rejecting an exemption authorising intrusions
along UK lines of
`safeguarding the economic well-being' of the territory, the Committee proposes
that warrants issue for the purpose
of safeguarding the stability of the local
financial system. It specifically had in mind the maintenance of the US dollar
peg with
the local currency (the proposed exception has already been attacked
by the media and described as unwarranted by the monetary authority).
Under the law enforcement exception proposed, the intrusion must be for the
purpose of preventing or detecting serious crime (defined
as being punishable
by a seven-year maximum prison sentence, or three years if bribery is involved)
where, in addition:
-
there is probable cause for suspicion of the target; and
- the information is not reasonably available by less intrusive means.
An
unusual feature of the proposals is that they countenance applications for
warrants by the private sector. The paper notes that
the functions of private
investigators overlap somewhat with those of the police. For example,
businesses may be reluctant to involve
the police in investigating in case it
adversely affects their image. The principle that the application of exceptions
is determined
by the purpose rather than by the identity of the applicant is
already embodied in Hong Kong's data protection law.
In
restricting the authorisation of warrants to the prevention and detection (but
not prosecution) of crime, the Committee has adhered
to the approach adopted by
the UK Interception of Communications Act, as confirmed by the House of
Lords in Preston. Intrusions may be engaged in for the purposes of
forestalling potential crimes and seeking out crimes once committed. But once
the
charge has been laid the intrusions should cease. Furthermore, it adopts
the UK Act's restrictive approach to the retention of intercept
materials
obtained for investigative purposes, including their use in any subsequent
prosecution. Following the UK, the Committee
proposes that following the
completion of the investigation phase the materials should be destroyed. The
result will be that they
will cease to exist prior to any trial and will hence
be effectively inadmissible.
This departure from jurisdictions such as Australia and the US which
countenance the admissibility of surveillance materials is justified
on several
grounds.
-
As a preliminary point, it accords with existing practice in Hong Kong. In
1992 a government spokesman stated that all interceptions
were in connection
with investigations and were not part of evidence-gathering for trials. The
only case subsequently involving the
admission of intercepts concerned an
international drug operation where the intercepts had been effected by the
Royal Mounted Police.
This reluctance to disclose in court surveillance
materials may be partly accounted for by a concern that these activities remain
clandestine.
- The use of surveillance/intercept materials as evidence will require their
retention for this purpose. Retention carries the risk
of dissemination. But
their use as evidence not only ensures that dissemination is the outcome, but
that it is public dissemination
that will result. In other words, use as
evidence will necessarily compound the invasion of privacy entailed by the
original intrusion.
Particularly in the case of intercepts, innocent parties
may be involved.
- The requirement that surveillance and intercept materials be destroyed and
hence unavailable as evidence should provide a significant
disincentive to
undertaking such intrusions in the first place.
Jurisdictions
such as the US require that the subject of intrusions be notified of the fact
following their termination. This marks
the seriousness of the earlier
intrusion and should deter the authorities from engaging in these activities
unnecessarily. Also,
by enabling the individual to challenge such intrusions,
it reinforces mechanisms enhancing accountability, such as complaints
procedures
and the provision of compensation.
Nonetheless, merely informing an individual of the fact that he or she had been
subject to surveillance would provide him or her
only limited assistance. But
if it extended to the release of surveillance materials, this would necessitate
their retention and
the risk of their release to others. Furthermore, a
notification requirement would have to be made subject to a proviso ensuring
that such notification would not `prejudice' the purposes of the original
intrusion. One view is that prejudice may result merely
by the failure to keep
people in the dark about the incidence of surveillance. For the prejudice
requirement to be meaningful, it
would have to focus on the particular
circumstances of the case. Relevant considerations would include whether it is
the original
target or his (sometimes) innocent contacts which are to be
notified and whether it is likely to prejudice future surveillance efforts.
Applying the notification requirement rigorously would require consideration of
who should be notified and what surveillance materials
should be released. The
Committee thought that this would have significant resource implications,
without a clear concomitant benefit.
Alternative mechanisms of increasing
accountability were preferred, including the requirement that the supervisory
authority release
detailed annual reports.
The
Committee thought it essential that a supervisory authority have the task of
monitoring agencies compliance regarding requirements
such as reporting and the
destruction of materials. However, instead of utilising an existing agency, it
proposes that a Justice
of Appeal be appointed to perform a role similar to
that of the UK Commissioner for Interceptions. This would include the review
on
a random basis of warrants issued, but also those warrants generating
complaints (although ex-parte application procedures will
result in few targets
being alerted to their issue). His role would be to examine whether the warrant
was properly issued (including
scrutinising supporting affidavits) and whether
its terms have been complied with. The Committee doubted the feasibility of the
supervisory
authority going further than reviewing the paperwork. He would not
have the resources to investigate the possibility of unauthorised
surveillance.
That would have to be a police matter, even though they may entail their
investigating their own ranks.
While the US Wiretap Act lacks a review authority, it requires the
issuing judge to provide a detailed report on the terms of all warrants issued
and for
the prosecution authorities to detail the resources expended and the
yield (arrests and convictions etc) derived from their execution.
The
government issues annual reports setting out the details, with useful summaries
and graphs.
The Committee thought that detailed reports along these lines play a crucial
role in increasing public accountability for surveillance
and intercepts. It
therefore proposes that it be a statutory requirement that annual reports
detail:
-
the number of warrants authorised;
- their average length and their extensions;
- the classes of location of the surveillance, that is, domestic, business
etc;
- the type of surveillance utilised; and
- the number of persons arrested and convicted as a result of the intrusions.
This should assist the community to assess whether the
incidence of intrusions
is merited.
Given
the covert nature of surveillance and intercepts, the individual will generally
need the services of a private investigator
to conduct technical sweeps to
confirm whether he had been the subject of unauthorised intrusions. The
Committee proposes that compensation
be payable where the intruder can be
identified.
The
Committee's proposals have generated considerable coverage, with at least 14
articles to date in the English language papers
alone. Reactions include the
media's concern that their not having been accorded an exemption will prejudice
investigative reporting.
A number of submissions are likely. More generally,
the community's awareness of these issues (including their vulnerability to
intrusions)
is likely to have been significantly enhanced. v
Mark Berthold, a former legal officer of the Commission, researched and drafted the Consultation Paper. He is now co-authoring a book
on data protection law in Hong Kong.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1996/44.html
