AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 1996 >> [1996] PrivLawPRpr 44

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Berthold, Mark --- "Regulating surveillance: Hong Kong's proposals - Part II" [1996] PrivLawPRpr 44; (1996) 3(4) Privacy Law & Policy Reporter 74

Regulating surveillance: Hong Kong's proposals - Part II

Mark Berthold

Telecommunications interception Interceptions

used to be effected with taps placed on wires. With the shift from telecommunications systems from analogue to digital transmissions the distinction between computers and telephones has become blurred. Modern digitalised switching systems are controlled by computers. Hence interceptions may now be effected by manipulating the switching software, including by remote means (that is, hacking). Mobile phones use radio signals which (particularly if analogue) can be intercepted by scanners.

Intercepts will include much information of no value to the tapper. In Stranger on the Line, Fitzgerald and Leopold identify the following computer strategies to `distil useful intelligence from a mass of trivia':

They caution against the assumption that it is only criminals or mavericks who may be tapped. They think VIPs are likely to be of more interest to the security community, because of what they know or may have been told.

Privacy of communications a human right

As mentioned above, privacy of correspondence is assured by art 17 of the International Covenant on Civil and Political Rights. The ambit of the similar provision in the European Convention has been explored at length in a number of decisions of the European Court of Human Rights. Those decisions establish the following points:

While the relevant decisions specifically address the interception of telecommunications, these principles also apply to postal mail, and arguably to physical surveillance.

Increased need for privacy in a networked world

In addition to these human rights norms, at an empirical level there is an increasing need for privacy and security of telecommunications.

Accordingly, the Committee proposes that it be an offence intentionally to intercept or interfere with a communication transmitted by a distance communications system while it is in the course of its transmission. This is slightly broader than s 7 of the Australian Telecommunications (Interception) Act 1979 (Cth) in that it proscribes both interception and interference. `Interference' would extend to the corruption or diversion of a communication, without necessarily becoming acquainted with its contents. Also, as under the UK Interception of Communications Act 1985, the proposed offence encompasses not only telecommunications systems but also post.

Criminal sanctions such as these protect the integrity of the telecommunications networks, quite apart from securing privacy for communicants. Unlike with physical surveillance, telecommunications involve a third party, namely the service carrier. Furthermore, the third party is in a contractual relationship with the communicant. On the other hand, service carriers are also required to co-operate with governments in effecting intercepts on public interest grounds. Governments face a fundamental tension between two competing policy objectives.

  1. Fostering the development and widespread use of cost-effective information safeguards.
  2. Controlling the proliferation of safeguard technologies that can impair signals intelligence and law enforcement capabilities.

The Committee therefore examined recent US initiatives attempting to deal with this dilemma by endeavouring to virtually guarantee that interception efforts, albeit authorised by warrant, should be necessarily effective. The Committee noted in passing that the power to intercept may be compared with that of search and seizure, but the latter power is not accompanied by any guarantee that the search will not be foiled by suspects hiding items or storing them elsewhere.

Maintaining tappability

The US Government has acted on concerns that new technologies could erode present interception capabilities. This is notwithstanding that some developments make for increased vulnerability to intercepts, such increased use of mobile phones using radio communications and modern systems such as ISDN providing more call transaction data (technical developments in other forms of surveillance such as the miniaturisation of electronics also provide law enforcement with new opportunities). The Digital Telephony and Communications Privacy Improvement Act requires that telecommunications systems be designed to facilitate government interception. Concerns publicly raised about the implications of the legislation include:

In 1990 the Australian Cabinet determined that all public telecommunications systems should be capable of being intercepted for security and law enforcement purposes. In 1991 licence declarations were amended accordingly. The paper notes that the Australian Barrett Report (see 1 PLPR 161) specifically notes that the Australian Barrett Report (see 1 PLPR 161) specifically rejects, on economic grounds, legislation along US lines pending international agreement on interception requirements.

On this issue of maintaining tappability the Committee concludes that the basic issue is the scope of legal controls authorising tapping. It viewed the question of controls on technology to maintain tappability subject to authorisation for specified purposes as outside its terms of reference. It also thought that as encryption is increasingly utilised to preclude the deciphering of communications, the issue of whether the communications can be intercepted in the first place becomes less critical than those posed by cryptography.

Encryption

While the impact of new technologies on the capability to intercept communications is mixed, technical developments concerning the deciphering of intercepted communications are less equivocal. Encryption is now capable of effectively preventing the interceptor from understanding the communication. In the last five years encryption technology has become readily available to individuals and businesses. This availability will accelerate with the continued expansion of the Internet with its capacity to disseminate strong cryptographic software world-wide and without charge. The Clipper chip initiative was launched on the basis that encryption may be deployed not only to secure legitimate privacy and security concerns, but also to conceal the activities of criminals and terrorists. The Clipper chip provides a government encryption standard facilitating descrambling communications encrypted with the chip. Under the proposed `Key escrow' scheme two `trusted third parties' are designated, who each hold a piece of the decryption key. The communication can only be decrypted by obtaining both pieces of the key, upon production of a warrant.

The Committee concludes that it is futile for Hong Kong to proceed down the Clipper chip path and promote a standard providing trapdoor access to government agencies. Other standards without such access would naturally continue to be resorted to by the criminals, terrorists, etc. Unless everyone used the encryption code, the entire effort is futile. Prohibiting other encryption standards was considered unrealistic, given their ready availability to anyone with a modem and computer. The Committee believes that effective encryption will become increasingly available, thereby securing by non-legal means privacy of telecommunications for those wishing to avail themselves of it.

Privacy of other communications

While the global information infrastructure is vitally dependent on adequate security and privacy of transmissions, many communications are effected by simple face-to-face contact. Although issues such as securing the integrity of networks do not arise here, the core privacy concern remains. The offences proposed above regarding the bugging of private premises and their surveillance by remote means would protect communications conducted entirely within their precincts. However, this territorial restriction is not apt for private communications. To cover this, the Committee proposes that it also be an offence intentionally to intercept or interfere with a communication by means of a technical device (whether or not the communication itself is mediated by means of a technical device), provided that interception could not have been effected without the use of a device. The proviso ensures that conversations that could be casually overheard are not protected.

Regulatory framework

In accordance with the aim of providing integrated regulation of intrusions, the Committee proposes the same legal framework for both physical surveillance and the interception of communications. This contrasts with the variety of laws within other jurisdictions, usually with resultant gaps (particularly as regards visual surveillance). In devising such a comprehensive scheme the Committee was not encumbered with considering robust existing protections -- such protections as they are in Hong Kong are limited in scope and indefinite in their application.

A warrant system: handling of exceptions.

Two main approaches are possible in determining the scope of statutory exceptions authorising intrusions:
  1. Stipulating defences which are self-executing, but whose exercise is subject to challenge and review. This is the approach generally adopted by data protection laws. For example, a data user may decline to afford access to data on the basis that its release is likely to prejudice law enforcement. The data user will usually invoke the exemption unilaterally and the Privacy Commissioner will only have occasion to review it if he receives a complaint. However, while appropriate in dealing with departures from the data protection principles, the Committee thought this mechanism inadequate in sanctioning the more serious intrusions involved in surveillance or the interception of communications. Also, the use of exemptions under data protection laws is relatively transparent, whereas individuals will seldom become aware of being subjected to surveillance or the interception of communications.

  2. Implementing a warrant system, requiring prior approval of the proposed intrusion by an independent authority. In addition to providing independent scrutiny, a warrant requirement furnishes the intruder with a written authority which he can produce if challenged. This is a practical necessity where the intrusion in question either:

    (a) requires the technical assistance of a third party, such as a service carrier. This is the usual position when intercepting public telecommunications systems (unilateral hacking would be too time consuming); or

    (b) the intrusion is of a nature which carries the risk of being detected by the victim, such as physical entry to premises.

Most remote surveillance, however, requires no external assistance and is inherently undetectable. However, to subject only some intrusions to the warrant requirement would encourage resorting to unregulated alternative methods. Accordingly a judicial warrant requirement is proposed for all surveillance and intercepts. The Australian approach of dividing up the issue of warrants according to whether they related to law enforcement (for the judiciary) or to security (for the Attorney-General) was rejected. The Committee noted that the US Supreme Court had declined to accept that `internal security matters are too subtle and complex for judicial evaluation.' The judicial role envisaged is not one of independent fact finding, however, but of being satisfied that authorisation is warranted on the basis of the broad picture deposed to.

Grounds for warrants

As intimated above, the only two grounds on which intrusions may be authorised are that they relate to security, or law enforcement. To sustain the first ground the information sought must be likely to be of substantial value in furthering security, defence, or international relations in respect of Hong Kong and the information cannot be reasonably obtained by other means. The paper also notes the increasing prevalence of state-sponsored industrial and economic espionage. While rejecting an exemption authorising intrusions along UK lines of `safeguarding the economic well-being' of the territory, the Committee proposes that warrants issue for the purpose of safeguarding the stability of the local financial system. It specifically had in mind the maintenance of the US dollar peg with the local currency (the proposed exception has already been attacked by the media and described as unwarranted by the monetary authority).

Under the law enforcement exception proposed, the intrusion must be for the purpose of preventing or detecting serious crime (defined as being punishable by a seven-year maximum prison sentence, or three years if bribery is involved) where, in addition:

Private sector intrusions

An unusual feature of the proposals is that they countenance applications for warrants by the private sector. The paper notes that the functions of private investigators overlap somewhat with those of the police. For example, businesses may be reluctant to involve the police in investigating in case it adversely affects their image. The principle that the application of exceptions is determined by the purpose rather than by the identity of the applicant is already embodied in Hong Kong's data protection law.

Retention and admissibility of surveillance materials

In restricting the authorisation of warrants to the prevention and detection (but not prosecution) of crime, the Committee has adhered to the approach adopted by the UK Interception of Communications Act, as confirmed by the House of Lords in Preston. Intrusions may be engaged in for the purposes of forestalling potential crimes and seeking out crimes once committed. But once the charge has been laid the intrusions should cease. Furthermore, it adopts the UK Act's restrictive approach to the retention of intercept materials obtained for investigative purposes, including their use in any subsequent prosecution. Following the UK, the Committee proposes that following the completion of the investigation phase the materials should be destroyed. The result will be that they will cease to exist prior to any trial and will hence be effectively inadmissible.

This departure from jurisdictions such as Australia and the US which countenance the admissibility of surveillance materials is justified on several grounds.

Notification following termination of surveillance/intercepts

Jurisdictions such as the US require that the subject of intrusions be notified of the fact following their termination. This marks the seriousness of the earlier intrusion and should deter the authorities from engaging in these activities unnecessarily. Also, by enabling the individual to challenge such intrusions, it reinforces mechanisms enhancing accountability, such as complaints procedures and the provision of compensation.

Nonetheless, merely informing an individual of the fact that he or she had been subject to surveillance would provide him or her only limited assistance. But if it extended to the release of surveillance materials, this would necessitate their retention and the risk of their release to others. Furthermore, a notification requirement would have to be made subject to a proviso ensuring that such notification would not `prejudice' the purposes of the original intrusion. One view is that prejudice may result merely by the failure to keep people in the dark about the incidence of surveillance. For the prejudice requirement to be meaningful, it would have to focus on the particular circumstances of the case. Relevant considerations would include whether it is the original target or his (sometimes) innocent contacts which are to be notified and whether it is likely to prejudice future surveillance efforts. Applying the notification requirement rigorously would require consideration of who should be notified and what surveillance materials should be released. The Committee thought that this would have significant resource implications, without a clear concomitant benefit. Alternative mechanisms of increasing accountability were preferred, including the requirement that the supervisory authority release detailed annual reports.

The supervisory authority: functions and powers

The Committee thought it essential that a supervisory authority have the task of monitoring agencies compliance regarding requirements such as reporting and the destruction of materials. However, instead of utilising an existing agency, it proposes that a Justice of Appeal be appointed to perform a role similar to that of the UK Commissioner for Interceptions. This would include the review on a random basis of warrants issued, but also those warrants generating complaints (although ex-parte application procedures will result in few targets being alerted to their issue). His role would be to examine whether the warrant was properly issued (including scrutinising supporting affidavits) and whether its terms have been complied with. The Committee doubted the feasibility of the supervisory authority going further than reviewing the paperwork. He would not have the resources to investigate the possibility of unauthorised surveillance. That would have to be a police matter, even though they may entail their investigating their own ranks.

While the US Wiretap Act lacks a review authority, it requires the issuing judge to provide a detailed report on the terms of all warrants issued and for the prosecution authorities to detail the resources expended and the yield (arrests and convictions etc) derived from their execution. The government issues annual reports setting out the details, with useful summaries and graphs.

The Committee thought that detailed reports along these lines play a crucial role in increasing public accountability for surveillance and intercepts. It therefore proposes that it be a statutory requirement that annual reports detail:

Compensation

Given the covert nature of surveillance and intercepts, the individual will generally need the services of a private investigator to conduct technical sweeps to confirm whether he had been the subject of unauthorised intrusions. The Committee proposes that compensation be payable where the intruder can be identified.

Press reaction

The Committee's proposals have generated considerable coverage, with at least 14 articles to date in the English language papers alone. Reactions include the media's concern that their not having been accorded an exemption will prejudice investigative reporting. A number of submissions are likely. More generally, the community's awareness of these issues (including their vulnerability to intrusions) is likely to have been significantly enhanced. v

Mark Berthold, a former legal officer of the Commission, researched and drafted the Consultation Paper. He is now co-authoring a book on data protection law in Hong Kong.


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1996/44.html