WestminsterResearch http://www.westminster.ac.uk/westminsterresearch Cyberspace, Surveillance, Law and Privacy Watt, E. This is an electronic version of a PhD thesis awarded by the University of Westminster. © Mrs Eliza Watt, 2017. The WestminsterResearch online digital archive at the University of Westminster aims to make the research output of the University available to a wider audience. Copyright and Moral Rights remain with the authors and/or copyright owners. Whilst further distribution of specific materials from within this archive is forbidden, you may freely distribute the URL of WestminsterResearch: ((http://westminsterresearch.wmin.ac.uk/). In case of abuse or copyright appearing without permission e-mail [email protected] CYBERSPACE, SURVEILLANCE, LAW AND PRIVACY ELIZA WATT A thesis submitted in partial fulfilment of the requirements of the University of Westminster for the degree of Doctor of Philosophy September 2017 1 Table of Contents Abstract Acknowledgements Author’s Declaration Chapter 1: ‘Introduction to the Thesis’ Introduction Part I: Definitions 1. Cyberspace 2. Peacetime Espionage (a) Espionage, Cyber Espionage and Cyber Surveillance (b) Cyber Espionage (i) Economically and Politically Motivated Cyber Espionage (ii) Cyber Surveillance  Actors Involved in Cyber Surveillance  The Targets of Mass Surveillance  Means and Methods  Types of Intercepted Data (c) Espionage/Cyber Espionage and International Law (i) State Practice (ii) Opinio Juris (d) Cyber Espionage, Cyber Surveillance and State Responsibility (i) The Nature of State Responsibility (ii) Attribution in the Context of Cyber Espionage  Attribution and Mass Cyber Surveillance Programmes  Attribution and Other Forms of Cyber Espionage 3. Transborder Data Searches Part II: Methodology (a) International Treaties (b) Custom (c) Judicial Decisions (d) Teachings of Publicists (e) Acts of International Organizations (f) Soft Law Part III: Scope of the Thesis 2 Chapter 2: ‘Cyberspace and Cybergeopolitics’ Introduction 1. Cyberspace and the ‘Cybergeopolitics’ of Global Internet Governance (a) Cybersecurity Dimensions (i) Cyber Security Approaches of the ‘West’ (ii) The ‘Eastern’ Approaches to Cybersecurity  The Russian Federation  The People’s Republic of China (b) Internet Governance  The First Phase: Cyber Libertarianism versus Cyber Realism  The Second Phase: Global Governance-The ‘Battle for the Sole of the Internet’  The Mulistakeholder Model and ICANN  The Sovereignst Model and the Intergovernmental Policy  The Role of the International Telecommunications Union  Policy Shaping Through Regional Organizations  Domestic Cyber Sovereignty 2. Sovereignty Under International Law and Its Application to Cyberspace (a) Sovereignty (i) Territorial Sovereignty (ii) Other Legal Regimes (b) Jurisdiction in Cyberspace (i) State Jurisdiction in Cyberspace Conclusion Chapter 3: ‘The Role of International Law in Cyberspace Regulation’ Introduction 1. The Application of the Principles of International Maritime Law to the Problem of Cyberspace Governance Through the Use of Analogy (a) General: Use of Analogy in International Law (b) The Law of the Sea and Its Analogous Application to Cyberspace (i) The Development of the International Law of the Sea and Cyberspace Governance-Some Parallels 2. Cyberspace as a Global Common (a) The High Seas (b) The Outer Space (c) Antarctica (d) Cyberspace as a Global Common? 3 3. Cyberspace and the Common Heritage of Mankind (a) Common Heritage of Mankind in International Law (b) Common Heritage of Mankind and Cyberspace Governance 4. The Regimes Governing the Exclusive Economic Zone/Continental Shelf and Their Applicability to Cyberspace (a) Sovereign Rights of Coastal States (b) Jurisdiction of Coastal States (i) ‘Creeping Jurisdiction’ (c) The Applicability of the EEZ/CS Regimes to Cyberspace Governance Conclusion Chapter 4: ‘The Right to Privacy in the Digital Age’ Introduction Part I: General 1. Cyber Surveillance and Transborder Searches (a) Transborder Searches as Breach of Territorial Sovereignty (i) Transborder Searches of Open Source Data (ii) Transborder Searches of Protected Data  Transborder Searches of Protected Data with Consent  Transborder Searches of Protected Data Without Consent Part II: The Right to Privacy of Communications 1. The Right to Privacy A. International Law ad the Right to Privacy of Communications B. Regional Human Rights Systems and the Right to Privacy of Communications (a) The European Convention on Human Rights (b) The Inter-American Human Rights System C. Domestic Legal Basis Permitting Interception of Communications (a) Domestic Legal Frameworks Authorising Foreign Surveillance and the Principle of Non-Discrimination Part III. Do Human Rights Treaties Apply to Extraterritorial Cyber Surveillance and Transborder Access to Data? 1. Extraterritorial Application of Human Rights Treaties (a) A Narrow View (b) The Expansive View (c) Applicability of Human Rights Treaties to Extraterritorial Cyber Surveillance 4 2. Transborder Access to Data as a Violation to the Right to Privacy Part IV: Cyber Surveillance as an Interference with the Right to Privacy of Communications 1. UN General Assembly Resolution 68/167 2. The Report of the UN High Commissioner for Human Rights (a) Mass Surveillance Necessarily Interferes with Privacy (b) The Interception or Collection of Metadata Interferes with the Right to Privacy (c) Retention of Data Amounts to Interference 3. UN Special Rapporteur 4. The Council of Europe 5. The IAHR Special Rapporteur 6. The Court of Justice of the European Union 7. The Legal Contours of the Interference with the Right to Privacy of Digital Communications Part V: Justifications 1. Limitations: Articles 17 ICCPR, 8 ECHR and 11 ACHR (a) ‘In Accordance with the Law’ (i) Legal Basis (ii) Accessibility (iii) Foreseeability (b) Legitimate Aim-National Security (i) The Effectiveness of Cyber Surveillance Programmes in Fighting Terrorism (c) Necessity (i) Proportionality (ii) Existing Legal Safeguards Conclusion Chapter 5: ‘International Legal Solutions to State Mass Cyber Surveillance’ Introduction Part I: Regulation of States’ Activities in Cyberspace Through a Hard Law Instrument A. International Level (a) Solution 1- An International Legally Binding Treaty for Cyberspace Based on 5 the UN Law of the Sear Convention 1982 and the Common Heritage of Mankind (i) The Feasibility of an International Treaty for Cyberspace  Continued Lack of Agreement Among the International Community  What International Organization  The Time Factor  Human Rights Obligations and the Cyber Treaty (b) Solution 2- Reliance on the Existing International Human Rights Treaties to Protect Online Privacy (i) Modernizing Article 17 ICCPR (ii) Universal Periodic Review B. Regional Level (a) Solution 3- Regulation of Mass Surveillance Through a Regional Legally Binding Treaty (i) The Intelligence Codex and the European Convention on Human Rights  Defining ‘Communications Surveillance’  Legality  Legitimate Aim  Judicial Authorisation  Complaints Mechanism (ii) The Intelligence Codex and Political Realism (b) Solution 4- Creating an International Legal Framework for Data Protection (i) The ‘Globalization’ of Convention 108 Part II: The Use of Soft Law and Confidence Building Measures (a) Solution 5- Soft Law Instruments (i) Soft Law in International Law Making (ii) UN General Assembly Resolutions on the Right to Privacy in the Digital Age (iii) Soft Law and Data Protection (iv) Soft Law as a Tool to Enable Data Transfers (v) Soft Law and Access to Data by Law Enforcement Agencies (vi) Confidence Building Measures Conclusion Chapter 6: ‘Concluding Remarks and Recommendations for Future Research’ Bibliography 6 Abstract The thesis titled, Cyberspace, Surveillance, Law and Privacy analyses the implications of state sponsored cyber surveillance on the exercise of the human right to privacy of communications and data privacy of individuals, subject to untargeted interception of digital communications. The principle aim of the thesis is to assess the legality of mass cyber surveillance of the Five Eyes alliance, with an emphasis on the United States and the United Kingdom. The study also considers the growing trend among the law enforcement agencies to access data without consent located in foreign jurisdictions without recourse to the Mutual Legal Assistance arrangements. The objective of the thesis is to demonstrate that these activities breach states’ human rights obligations under the international human rights frameworks and to show the unprecedented impact that surveillance technologies continue to have on this right. The research also highlights the inadequate protection of privacy in the internet. This leads to the evaluation of a number of possible legal solutions on the international level to the problem of mass surveillance, since the internet is a global environment designed for unrestricted data flows among jurisdictions and therefore facilitates continued violation of privacy of communications and data privacy. The thesis finds that bearing in mind (a) the highly politicised nature of the internet governance discourse, (b) the reluctance of states to subject peacetime espionage to international law regulation through a legally binding treaty, (c) the fact that international human rights law relating to privacy of communications is in need of modernization, (d) the reluctance of states to commit to a legally binding cyber treaty, (e) the slow pace with which customary cyber international law rules emerge and (f) the tendencies of states on the domestic level towards the introduction of draconian surveillance legislation at the expense of privacy, any progress in this regard at this stage will be piecemeal and likely to be achieved through a combination of the updating of the existing international and regional human rights and data protection instruments and soft law agreements. 7 Acknowledgments I wish to thank my supervisors, Professor Hélène Lambert, Professor Marco Roscini and Professor Andreas Philippopoulos-Mihalopoulos. I am particularly grateful to Professor Lambert and Professor Roscini for their hard work, support and rigour, with which they guided me throughout the duration of this research. I should also like to thank Ms Ruth MacKenzie for her comments at the various stages of the research. A special thanks to Dr Steve Greenfield for giving me an opportunity to gain a valuable teaching experience and Mr Stephen Bunbury for his kindness, support and for being a great role model. Author’s Declaration I declare that all the material contained in this thesis is my own work. 8 Chapter 1: ‘Introduction to the Thesis’ INTRODUCTION On 6th June 2013 a British newspaper, the Guardian reported that the United States (US) National Security Agency (NSA) collects domestic telecommunications metadata from Verizon Business Network Services.1 The following day, the same newspaper revealed details about PRISM, a suite of NSA programmes that targeted internet communications and stored data of ‘non-US persons’ outside the US and those communicating with them, together with the extent to which the US companies cooperate with the government.2 More revelations followed, including details of the interception of communications by both the NSA and its British counterpart, Government Communications Headquarters (GCHQ) on political leaders attending 2009 London G20 summit and GCHQ conducting massive intercepts of domestic communications.3 This information came to the fore, as a result of document disclosures by a former Booz Allen Hamilton employee, Edward Snowden. Snowden made it publically known that the scope of intelligence gathering activities, by the NSA and other similar organizations, is now unprecedented. Once a narrow, targeted focus of intelligence agencies on gathering information domestically has escalated to allegedly targeting communications of everyone by default.4 Snowden confirmed that the NSA ‘specifically targets the communications of everyone. It ingests them by default. It collects them in its system and it filters [...] analyses [...] measures […] and […] stores them for periods of time simply because that’s the easiest, most efficient, and most valuable way to achieve these ends’,5 that is getting intelligence by whatever means. 1 Glenn Greenwald, ‘NSA Collecting Phone Records of Millions of Verizon Customers Daily’ (6 June 2013) The Guardian, <https://www.theguardian.com/world/2013/jun/06/nsa- phone-records-verizon-court-order>. 2 Susan Landou, ‘Making Sense from Snowden: What’s Significant in the NSA Surveillance Revelations’ (2013) 11 IEEE Computer and Reliability Societies, p. 66. 3 ibid. 4 ibid. 5 Laura Poitras and Glenn Greenwald, ‘NSA Whistleblower Edward Snowden: I Don’t Want to Live in a Society That Does These Sort of Things’ (9 June 2013) The Guardian <http://www.theguardian.com/world/video/2013/jun/09/nsa-whistleblower-edward-snowden- interview-video>. 9