The FBI’s recent legal entanglement with Apple, in which it attempted to force the technology giant to circumvent the encryption on one of its devices so it could access the personal data contained inside, was notable for reasons far beyond the scope of the incident itself.
The San Bernardino case not only raised questions as to the nature of the government-corporation relationship – and how much the former can make the latter dance to its tune – but also how much (or how little) privacy protection we as individuals can expect from our respective governments. In this instance, the court order did not need to be granted as the FBI obtained a method of bypassing Apple’s password system – but the legal action sets a worrying precedent for governments looking to use their legal clout to access personal information from the devices we use everyday.
A battle on both sides of the Atlantic
In the United Kingdom, Apple has continued its ‘company of the people’ approach towards personal data by submitting evidence – along with Yahoo, Google, Twitter, Microsoft and Facebook – that challenges the draft Investigatory Powers Bill that the Government is currently looking to push through parliament.
Together, these companies raise several concerns about the extra-territorial jurisdiction, bulk data collection practices and proposed oversight structure that they believe need to be addressed for the new laws to be fairly applied. As the written submission points out, the UK’s legislation will have notable ramifications globally, with several countries likely to follow its lead when devising their own surveillance rules. This makes it vital that the UK puts in place a considered, balanced approach that ensures both public safety and personal liberty.
What is being proposed?
The 300-page Investigatory Powers Bill replaces and builds upon existing emergency legislation, and will compel internet and phone companies to store twelve months’ worth of online browsing history of every citizen in the UK. These service providers will need to be able to intercept and collect personal information using their networks upon request, access to which the Government believes is critical for its security efforts.
For foreign companies this will purportedly be limited to targeted data requests, although the evidence provided by Apple and others suggests that the legislation ‘unilaterally asserts UK jurisdiction overseas in seven of the eight major powers in the Bill’.
One of the big issues with similar laws is bulk data collection, whereby a large amount of personal metadata is accumulated using mass surveillance techniques. This practice was highlighted by former NSA worker Edward Snowden when he leaked data that detailed how much non-essential identifiable information on everyday activities was being collected by government agencies.
While the USA has recently watered down its own data collection abilities with the Freedom Act, the Investigatory Powers Bill in its current form represents a significant beefing up of the UK’s surveillance powers. Furthermore, it remains unclear on a number of points relating to the gathering of bulk data: it does not include provisions to ensure that only data related to the specific request for information is retained, while the letter of evidence also suggested that the limited powers to collect data in this manner could be abused and become the rule, rather than the exception.
Honourable or hypocritical?
“We owe it to our customers to protect their personal data to the best of our ability.”
– Written evidence supplied by Apple to the UK Government
It is one thing standing up for individual privacy when a government is the perceived aggressor, but many of the companies co-signing the written submission to parliament hardly have whiter-than-white reputations when it comes to protecting their users’ personal information.
Google has an extensive history of data breaches, unauthorised collection of data from WiFi networks and failing to meet legal requirements for data protection in several EU countries. Twitter, meanwhile, has previously seen thousands of its accounts compromised, in one instance suffering from a hack whereby a quarter of a million users had the personal data in their accounts accessed by malicious third parties. Out of all of the businesses that submitted evidence on the Government’s proposals, only Apple and Yahoo were awarded the full five-star rating for user data protection in the latest Who Has Your Back report by the Electronic Frontier Foundation.
It is clear that many of these companies have work to do on the way they handle their own customers’ data, but standing in opposition to the bill in its current form is an important step for doing so. As Scarlet Kim, legal officer at Privacy International, points out:
“Should the British bill pass in its current form, the UK government will have the power to force Apple and other technology companies to undermine the security of their products and services.”
Engaging with internet-connected devices will always be a calculated risk for users but, with several companies belatedly realising the importance of privacy to the individual, there is the potential that a reasonable equilibrium might be found between company, individual and state. Yet, as the party least able to influence the debate, we as individuals have to trust the others to formulate a compromise that doesn’t skew the balance too heavily in their favour.