My presentation at the Tunis Online Freedom Conference, 17 June 2013. Updated for Asia Privacy Scholars Network conference, 9 July 2013, Hong Kong University, and significantly updated for the SCL Policy Forum, 12 Sep 2013, and presentations at Deutsche Bank and Amberhawk (May 2014)

1. Can the law control Digital
Leviathan?
Ian Brown (Oxford University)
@IanBrownOII
―Since you can’t connect dots you don’t have…we fundamentally try
to collect everything and hang on to it forever‖ – Greg Hunt, CIA
CTO

4. TEMPORA

5. NSA/CIA/FBI/DoD Trusted
Partners
 Bloomberg 14/6/13: ―Thousands of
technology, finance and manufacturing
companies are working closely with U.S.
national security agencies, providing
sensitive information and in return
receiving benefits that include access to
classified intelligence‖
 ―Some U.S. telecommunications
companies willingly provide intelligence
agencies with access to facilities and
data offshore that would require a
judge’s order if it were done in the U.S.‖

6. The domestic rule of law?
UK has ―one of the strongest
systems of checks and balances
and democratic accountability
for secret intelligence anywhere
in the world‖
―Although we have concluded that
GCHQ has not circumvented or
attempted to circumvent UK law, it is
proper to consider further whether the
current statutory framework governing
access to private communications

7. Regulation of Investigatory
Powers Act 2000
8 Contents of warrants.
(4) Subsections (1) and (2) shall not apply to an interception warrant if—
(a) the description of communications to which the warrant relates confines the
conduct authorised or required by the warrant to conduct falling within subsection (5);
and
(b) at the time of the issue of the warrant, a certificate applicable to the warrant has
been issued by the Secretary of State certifying—
(i) the descriptions of intercepted material the examination of which he considers necessary;
and
(ii) that he considers the examination of material of those descriptions necessary as mentioned
in section 5(3)(a), (b) or (c).…
12 Maintenance of interception capability.
(1) The Secretary of State may by order provide for the imposition by him on persons
who—
(a) are providing public postal services or public telecommunications services, or
(b) are proposing to do so,
of such obligations as it appears to him reasonable to impose for the purpose of
securing that it is and remains practicable for requirements to provide assistance in
relation to interception warrants to be imposed and complied with.
(2) The Secretary of State’s power to impose the obligations provided for by an order
under this section shall be exercisable by the giving, in accordance with the order, of
a notice requiring the person who is to be subject to the obligations to take all such
steps as may be specified or described in the notice…

8. Telecommunications Act 1984
94 Directions in the interests of national security etc.
(1) The Secretary of State may, after consultation with a
person to whom this section applies, give to that person
such directions of a general character as appear to the
Secretary of State to be necessary in the interests of
national security or relations with the government of a
country or territory outside the United Kingdom…
(5) A person shall not disclose, or be required by virtue of
any enactment or otherwise to disclose, anything done by
virtue of this section if the Secretary of State has notified
him that the Secretary of State is of the opinion that
disclosure of that thing is against the interests of national
security or relations with the government of a country or
territory outside the United Kingdom, or the commercial
interests of some other person…
(8) This section applies to OFCOM and to providers of
public electronic communications networks.

9. Intelligence Services Act 1994
7 Authorisation of acts outside the British Islands.
(1) If, apart from this section, a person would be liable in
the United Kingdom for any act done outside the British
Islands, he shall not be so liable if the act is one which is
authorised to be done by virtue of an authorisation given
by the Secretary of State…
(9) For the purposes of this section the reference in
subsection (1) to an act done outside the British Islands
includes a reference to any act which—
(a) is done in the British Islands; but
(b) is or is intended to be done in relation to apparatus that is
believed to be outside the British Islands, or in relation to
anything appearing to originate from such apparatus…

10. • “As a former Article III judge, I
can tell you that your faith in the
FISA Court is dramatically
misplaced...
• The Fourth Amendment frameworks
have been substantially diluted in
the ordinary police case. One can
only imagine what the dilution is in a
national security setting…
• It’s an anointment process. It’s
not a selection process. But you
know, it’s not boat rockers. So you
have a [federal] bench which is way
more conservative than before. This
is a subset of that. And it’s a subset
of that who are operating under
privacy, confidentiality, and national
U.S. District Judge
Nancy Gertner (Ret.)
Judicial review?

11. Congressional oversight?
 ―When the American people find out how their
government has secretly interpreted the Patriot
Act, they will be stunned and they will be angry‖
–Senator Ron Wyden, 26/5/11
 ―the technology and technical policy is far
outpacing the background and expertise of most
elected members of Congress or their staffs‖ –
Jacob Olcott, former cybersecurity assistant to
Senator JD Rockefeller IV
 ―one thing that won't have changed in the 50-odd
years since I left the secret world, and never
will, is the gullibility of the uninitiated when faced
with real-life spies. In a flash, all rational
standards of human judgment fall away.‖ –John
Le Carré

12. ―(They said) don’t worry, we’re not
spying on any Americans.
Wonderful, that’s really helpful for
companies trying to work with people
around the world.‖

13. Preserving the rule of law
 Hobbesian state of
intelligence international
law?
 How to implement
meaningful checks and
balances?
Minimisation, warrants, over
sight, transparency
 Technical options?
◦ German interior minister:
―whoever fears their
communication is being
intercepted in any way should
use services that don't go
through American servers.‖
◦ Snowden: ―you should never

14. CJEU on Data Retention Dir.
 ―Those data, taken as a whole, may allow very precise conclusions to be drawn
concerning the private lives of the persons whose data has been retained, such as
the habits of everyday life, permanent or temporary places of residence, daily or
other movements, the activities carried out, the social relationships of those
persons and the social environments frequented by them.‖
 Retention ―constitutes in itself an interference with the rights guaranteed by Article
7 of the Charter… the access of the competent national authorities to the data
constitutes a further interference with that fundamental right‖
 ―the fact that data are retained and subsequently used without the subscriber or
registered user being informed is likely to generate in the minds of the persons
concerned the feeling that their private lives are the subject of constant
surveillance.‖
 Directive does not ―adversely affect the essence of those rights‖, but ―the fight
against serious crime…does not, in itself, justify a retention measure‖
 Broad scope ―entails an interference with the fundamental rights of practically the
entire European population… it is not restricted to a retention in relation (i) to data
pertaining to a particular time period and/or a particular geographical zone and/or
to a circle of particular persons likely to be involved, in one way or another, in a
serious crime, or (ii) to persons who could, for other reasons, contribute, by the
retention of their data, to the prevention, detection or prosecution of serious
offences.‖
Joined cases: Digital Rights Ireland Ltd v Minister for
Communications, Marine and Natural Resources & Ors C-
293/12 and Kärntner Landesregierung, Michael
Seitlinger, Christof Tschohl and others, C 594/12

15. Data Retention judgment
 ―the access by the competent national authorities to
the data retained is not made dependent on a prior
review carried out by a court or by an independent
administrative body whose decision seeks to limit
access to the data‖
 ―does not require the data in question to be retained
within the European Union, with the result that it
cannot be held that the control, explicitly required by
Article 8(3) of the Charter, by
an independent authority of compliance with
the requirements of protection and security, as
referred to in the two previous paragraphs, is fully
ensured.‖
 ―Having regard to all the foregoing considerations, it
must be held that, by adopting Directive 2006/24, the
EU legislature has exceeded the limits imposed
by compliance with the principle of proportionality in
the light of Articles 7, 8 and 52(1) of the Charter.‖