The Isle of Man and the Information Superhighway
Privacy and the Legal Aspects of the Information Superhighway
by Dr Malcolm O Norris
Introduction
It is a hallmark of a civilised society that its citizens are
orderly and law-abiding, yet they are free to do all they want and lead
contented, fulfilled lives. On this criterion, the 35 million (or whatever
today's count is) who currently use the Internet may be regarded as a civilised
society. Whether that will continue to be so is debatable.
But what is truly remarkable is that they achieve it on the basis of voluntary
rules. True, there are certain technical standards that have to be adhered
to - with regard to such things as communications protocols, etc - or the
whole construction would simply not work. Once those technical requirements
are satisfied and communication is achieved, the way in which the system
is used is then subject to voluntary conventions and not, in general, to
the requirements of legislation.
What is even more remarkable is that this is achieved by people who may
have little else in common. Although the largest numbers are those in North
America, the Internet users may come from virtually anywhere in the world,
more particularly the developed and developing worlds. The Internet users
are therefore a collection of subsets of many different societies and cultures.
Currently there is virtually no legislation controlling the use of the Internet.
If there were to be legislation controlling it and, more specifically, the
activities of those who use it, there would first have to be an international
agreement. This would have to be reached by at least 50 different countries
and enacted, with only minimal deviation from the international agreement,
into the domestic laws of each. If that were to be achieved successfully,
it would be one of the most remarkable examples of international cooperation
of all time.
Even if agreement to such an international accord were to be obtained, how
would adherence be monitored? Surely we would have to create something akin
to Orwell's Thought Police. Or, perhaps, the old East German Stasi would
be a better analogy. Half the population would have to spend their time
monitoring what the other half did, reporting contraventions of the "rules"
to a central agency. In fact, the only possible approach would be to ban
the use of the Internet altogether ... but how would we do that?
In a Western democratic society, the idea is as preposterous as monitoring
all telephone calls made today. When information can be sent half way round
the world from a small back bedroom in a remote location at 3am on a Sunday
morning, who is going to check that all information sent is in accordance
with the appropriate laws? That is not to say that, with the same tough
safeguards as are used today in telephone tapping, monitoring should not
be permitted in certain very clearly defined cases such as trapping serious
criminal activity.
Is the Internet Really Civilised?
The Internet is now undergoing explosive growth. No one knows
for sure how many people are users of it, because there is no central registry
of users. Estimates vary between 30 million and 45 million, with some going
as high as 100 million. The number reported to the American Association
for the Advancement of Science in Atlanta suggested 35 million and growing
at 4 million per month. What an explosive rate of growth that is!
Is the Internet really as well behaved as I have made out? And, if it isn't,
do we really want the thing subject to the might of the law? And if we do
want the might of the law, how in cyberspace are we going to monitor it?
The early users of the Internet did live up to the high standards of civilised
behaviour I have just described. First the military users who were subject
to military discipline and who doubtless adhered rigidly to the rules the
military authorities dictated. Later the academic users had an interest
in maintaining the smooth running of the net and in building the tools necessary
to use it. As time progressed, they came to be supported by the initially
small band of enthusiasts who joined them.
When it was relatively new and populated only by enthusiasts and academics,
the Internet was undoubtedly civilised. Now, however, there are commercial
interests, and others whose standards are not so high, taking a large part
in the activity on the Internet. These are clearly growing rapidly in number
but are also growing in self-interest. If the commercial interest is great
enough, will they not bend the rules? That is not to say that all commercial
interests will abuse their position, but one can be sure that some will,
and hence the degree of civilisation is changing.
Ownership and self-regulation
One answer to continuing the ordered conduct of activity on
the Internet is to require that its owners should police it. But that begs
several questions. Who owns the Internet? Do we want it to be policed? What,
precisely, will be policed? (Or, put another way, what offences will there
be?) Are the 'owners' capable of policing it?
The answer to the question on ownership is probably 'everyone and no one'.
What, after all, is there to own?
The service providers own or are responsible for their equipment. Telecoms
are responsible for their wires or fibres, and for providing the connection
services. Every user, or his or her employer, owns or has responsibility
for the equipment that connects to the telephone lines that connect to the
computers that form the Internet. Although one service provider may attempt
to control what happens on his network computers, he may have little or
no influence on other service providers. If his customers do not like what
he is doing, they will simply go to another service provider. Although not
the case in the Isle of Man, larger countries have, or are moving to, multiple
Telecom providers.
If there is a Law, which Law? - National Non-Boundaries
If I send email from the Isle of Man to Australia, which national
boundaries does it cross? Does it cross any at all? In practice it may cross
the Atlantic by satellite link, returning to ground in the USA. From there
it may be retransmitted to another satellite before coming back to Earth
on the Western seaboard of the USA. Further satellites may then take it
to Japan before its final hop into Australia.
Did my email cross any borders? Certainly not in the conventional sense.
There were no border posts, no immigration officials and no customs checks.
But it did get from Onchan to Sydney in a few short seconds. If there are
American laws controlling the information I am trying to convey, should
they apply for the second or two that my message is in transit through the
USA?
If the information in the message I send to Australia is lawful here but
not in Australia, is the recipient of my message guilty of an offence, or
am I for sending it, or is neither of us? Which jurisdiction applies?
National law
Even within a country the application of law to the Internet
may prove extremely difficult. Even if we have an Internet police (the "Cybercops"?),
they can only monitor an occasional message. If, as I have already suggested,
it works rather like the monitoring of telephone lines now, I would probably
use a sophisticated method of encoding which would prevent the Cybercops
reading the message I send. If there is such a need to tap lines, surely
it will only apply to a minuscule proportion of all the calls taking place.
It is clear that, within a country, the rule of law can be applied to activities
on the Internet now. The other day I saw reported in the Sunday Times that
a man had been arrested by the FBI for "Cyberrape". He had posted
on the Internet a work of fiction called "Pamela's Ordeal", setting
out a rather unpleasant experience for a woman who, it is alleged, could
be identified as an acquaintance of the accused. Can there actually be such
a crime? If there is, how was he detected, and under what legislation was
this charge brought?
To find out, I emailed a friend who works for the House of Representatives.
He emailed contacts of his, and they replied with, among other useful items,
a copy of the affidavit laying the charge against the alleged offender.
It turned out that the charge was one of sending threatening material across
state or national borders by telecommunications means, an offence under
18 USC §875(c).
The charge was therefore brought under a rather ordinary Act controlling
what is sent across the American telephone network. It was investigated
by the FBI following a complaint by someone who read the work on the Internet.
It had been posted in a public place for anyone to read, so it is not surprising
that someone did, and reported it to the FBI.
Interestingly another person was involved. A Canadian is reported to have
responded to the story, and made certain suggestions to the original author.
He was not charged, presumably because he was outside the jurisdiction of
the American authorities.
This story illustrates that:
1. within a jurisdiction it is possible to police what goes on, at least
when it is blatant;
2. the jurisdictional limits were clearly illustrated;
3. the fact that I was able to find out so much about the story in less
than 24 hours, using only email (and a useful network of acquaintances!)
shows the power of the Internet as a means of communicating; and
4. it again illustrates that, even with a quality newspaper, you cannot
always believe what you read.
IPSI
I believe the Internet will prove to be very difficult to govern
in the way that Governments may wish, for all the reasons laid out in this
paper. At a meeting of the American Association for the Advancement of Science
in Atlanta in February 1995, three factors were suggested as being the basis
of responsible use of the Internet. In my opinion, they were absolutely
correct, and I believe that ways must be found of defending these three
considerations. They are:
1. privacy, especially of the individual;
2. security, especially of the computer hardware and software; and
3. integrity, especially of the people who use the system.
Whether they will ever be protected by law remains to be seen. In the mean
time, I believe all users of the Internet should take their own precautions
to make sure they do not suffer.
Firstly, to protect privacy, we should act as if the Internet were all public.
Much of it is, but email appears at first glance to be private. How do we
know whether our correspondence is being read by others? A colleague once
said that all telephone calls should be treated like postcards so, I think,
should email. If the message is too sensitive for a postcard, it is probably
too sensitive for email. To protect it better, look at one of the many encoding
systems now available, but remember the recipient needs the key to decode
the message when he receives it.
The privacy of other individuals should also be respected and protected.
Even if we only do it because we would like our own privacy protected, it
is a fundamental human right we are protecting. In many countries, of course,
privacy is protected by
Data Protection laws, so a criminal offence may be committed if we do not
protect the privacy of others.
Secondly, give great importance to the security of the information you hold,
and make sure that no one can easily break into your computer. Remember that
the Internet is the Hacker's Heaven. A hacker can legitimately get onto
so many computers and then misbehave to his heart's content. Consider using
an isolated machine which can easily be disconnected from others on your
system. If someone does get in overnight, the damage they can do is then
limited. Make sure too that your users' passwords are good. It is no longer
sufficient to use an obscure word or name since hackers can now set up software
to run through a dictionary, throwing every word in order at a system until
they (often successfully) find one that works. Use combinations of letters
and symbols that are not found in the dictionary. Make sure however that
there is some easy way of remembering it, and don't write it on a Post-it
note attached to your computer monitor.
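The password advice above can be applied as a check at the moment a password is chosen. The following is an added example, not code from the original paper: it rejects candidates that a dictionary run would still reach after common disguises (case changes, symbol-for-letter swaps, digits or punctuation tacked on, reversal). The word list, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample word list; a real deployment would load a full
# dictionary plus local names (places, staff, company terms).
SAMPLE_WORDS = {"password", "dragon", "onchan", "sydney", "internet", "letmein"}

# A small, assumed subset of the symbol-for-letter swaps people use to
# disguise a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits and punctuation stuck on the front or back of a word.
EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def dictionary_forms(password):
    """Return the plain-word forms that the password reduces to."""
    lowered = password.lower()
    trimmed = EDGE_JUNK.sub("", lowered)
    forms = set()
    for base in (lowered, trimmed):
        for form in (base, base.translate(LEET)):
            forms.add(form)
            forms.add(form[::-1])  # reversed spelling
    forms.discard("")
    return forms


def dictionary_hits(password, wordlist=SAMPLE_WORDS):
    """Return the dictionary words this password is a disguise of."""
    return sorted(dictionary_forms(password) & set(wordlist))


def check_password(password, wordlist=SAMPLE_WORDS):
    """Return a list of reasons to reject; an empty list means accept."""
    problems = []
    hits = dictionary_hits(password, wordlist)
    if hits:
        problems.append("based on dictionary word: " + ", ".join(hits))
    has_letter = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    if not (has_letter and has_other):
        problems.append("combine letters with digits or symbols")
    return problems


if __name__ == "__main__":
    # Constructed candidates: three disguised words and one that passes.
    for candidate in ("dragon", "P@ssw0rd1!", "yendyS99", "Tr7#mo-Qva!x"):
        print(candidate, "->", check_password(candidate) or "accepted")
```
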
Thirdly, consider integrity. You must know that you can rely on the messages
you send and receive. You must therefore be sure of the integrity of your
hardware, your software, of your own people, and of the people with whom
you communicate.
If these three things are observed, the laws, or lack of them, governing
the use of the Internet may not be so important. In other words, every user
should take steps to look after him or herself.
May I coin the acronym: IPSI. This stands for
Internet
Privacy,
Security, and
Integrity.
Even without laws, respect for these factors will help to ensure the Internet
is a civilised society.
Culture
When people from around the world come into contact, their assorted
cultures come into contact and, sometimes, into conflict. Like language,
some cultures are predatory and begin to swallow up or modify other cultures.
American culture is predominant on the Internet. They started it (the Internet,
that is!), they contribute most users to it, and (at least for the foreseeable
future) they effectively determine which way it is going. As more users
come from other countries, especially Canada, Australia and Europe, other
influences come into play, but they remain minor. The Americans set the
technical standards and we follow. Only in such matters as technical specifications
for the telephone system is there any real difference but that does not
matter unless you travel abroad a lot.
European Influences
Is there any way in which European culture can make a worthwhile
contribution to the development of the Internet culture? The answer is probably
yes, but only if the rest of the world wants to take advantage of the European
experience. The area where Europe has something unique to offer is in the
protection of the privacy of the individual.
Europe's experience is considerable, based largely on what happened in the
Second World War. This was an experience from which many lessons were learnt
and, subsequently, many actions taken to avoid such experiences in future.
The success of those actions is all too easily forgotten. Western Europe
has been peaceful, and last time there was fighting in Sarajevo (in 1914)
it led to a world war. This time it has been contained within the Balkans.
Why is this of interest to us here today? Because it is an example of successful
cooperation between nations which has, by and large, been very successful.
It has produced the world's only international organisation capable of
enforcing human rights, and by peaceful means. That is an achievement of
which all mankind should be proud, and from which all mankind should learn.
How has Europe achieved this? There are two important international political
organisations within Europe which are jointly responsible for this success.
One is very well-known, the other, though older and involving more countries,
less well known.
Council of Europe
The less well-known organisation is the Council of Europe. It
was set up in May 1949 as a means of avoiding a further European war. Its
purpose is to achieve greater unity between member states and to safeguard
European heritage, and facilitate social progress through discussion and
common action in economic, social, cultural, educational, scientific, legal
and administrative matters. It is also charged with the responsibility to
maintain and further the human rights and fundamental freedoms of all Europeans.
Only those European countries with pluralist democracies are allowed to
join. The old communist style "democracy", where you voted for
which communist party member you wanted, was not pluralist (ie, citizens
were not free to stand for election, representing any point of view they
liked). With the reformation of Central and Eastern Europe, that position
has changed drastically and the Council of Europe now has 32 members. These
are set out in Table 1.
It is true that the definition of Europe is, quite literally, stretched
so that it includes Iceland, Israel, Malta and Cyprus. Russia, a large part
of which is in Europe, and which certainly occupies a large proportion of
the European continent, is an observer, as is the Vatican.
The headquarters of the Council of Europe are in Strasbourg on the French-German
border, in the Palais de l'Europe. It has a Commission (or Civil Service)
to run it, a Parliamentary Assembly consisting of Parliamentarians nominated
by the member states, a Council of Ministers who act as its governing body,
and it has a flag and an anthem.
Click here to see the 32 Member States of the Council of Europe at the end
of 1994. (Link to be inserted)
Importance of the Council
The importance of the Council of Europe lies in its wide membership
and its legal status. Whereas members of the United Nations can, and do,
ignore that organisation when they choose to, the Council has (at least
some) Conventions which are legally binding on its members.
The most important of all is the "Convention for the protection of
human rights and fundamental freedoms". Opened for signature on the
4th November 1950, it came into full force on the 18th May 1954 when it
had been ratified by ten member states. The Convention sets out the rules
according to which a democratic state should treat its citizens, and created
a Commission to review alleged offences against this Convention. It also
created the Court of Human Rights with the power to judge member states
for alleged offences against citizens in contravention of the convention,
and to penalise them if found guilty.
The United Kingdom was instrumental in setting up the Council of Europe
and was one of the original ten members. It ratified the Convention on human
rights and, at the request of the Isle of Man, territorially extended its
ratification to include the Island. In other words, the Isle of Man subscribes,
however indirectly, to the human rights convention and is bound by the decisions
of the Human Rights Court.
It is interesting to note that most member states (I am not sure about some
of the newer members) have incorporated the Convention on human rights into
their domestic laws. The UK has resolutely refused to do this and has, perhaps
as a result, the worst record of offences against the Convention recorded
at the Court of Human Rights.
Of particular interest to us today is Article 8 of the Convention on Human
Rights. This states that:
1. Everyone has the right to respect for his private and family life, his
home and his correspondence.
2. There shall be no interference by a public authority with the exercise
of this right except such as is in accordance with the law and is necessary
in a democratic society in the interests of national security, public safety
or the economic well-being of the country, for the prevention of disorder
or crime, for the protection of health or morals, or for the protection
of the rights and freedoms of others.
Privacy is therefore seen as a fundamental human right. Human Rights should
not be confused with "consumer rights", as they sometimes are
by commercial organisations and even governments. Furthermore, it should
be noted that they are rights to be enjoyed equally and fully by each and
every individual, and are not some form of "average" right of
a group of people in which some receive more and others less than the average.
The right to your privacy is a minimum to be applied to each and every individual,
and not to be taken away by government or commercial organisations just
because it suits them.
In the 1970s many member states, and hence the Council of Europe, foresaw
the potential threat to individual privacy of the large computers then being
brought into use. Of course, most of us now have far more computing power
(in other words, a far more potent weapon) sitting on our desks than was
available in some of the largest mainframes of those days. The foresight of
our ancestors is therefore all the more remarkable.
The result of this was twofold.
1. It led to the introduction of Data Protection Laws. The (then West)
German Land of Hesse stands out as having the world's first such law, passed
in 1970 and coming into effect in 1971. The first national law was passed
by Sweden in 1973, and came into effect in 1974.
2. It also led to the preparation by the Council of Europe of the Convention
for the protection of individuals with regard to the automatic processing
of personal data.
This Convention was opened for signature on the 28th January 1981, and came
into effect on the 1st October 1985 when five member states had ratified
it. It contains the Data Protection Principles which feature so strongly
in our own Data Protection Act 1986. Furthermore it contains the requirement
for states to establish appropriate sanctions to be taken against transgressors,
including the right to stop the transmission of personal data across national
borders to countries which do not offer similar or equivalent protection.
This is the real killer sanction: it is generally agreed that the action
of the Swedish Data Commission in preventing personal data travelling to
the UK, thus losing a lucrative order for the production of magnetic stripe
cards, stirred the British Government into action.
Why is this relevant to today's discussions? Because it provides legally
binding restrictions on what can be done on computers, and hence the Internet,
within the Convention countries in Europe.
The European Union
The other European organisation, the one which, surely, everyone
has heard of, is the European Union. It now consists of 15 states, all of
whom are members of the Council of Europe.
It was at the annual meeting of the world's Data Protection and Privacy
Commissioners in Berlin in 1989 that the European Data Protection Commissioners
pointed out that they had the power to put the forthcoming single European
Market in jeopardy through the obligation of Convention countries, in certain
circumstances, not to allow the export of personal data to non-Convention
countries. In that year, only five of the twelve members had Data Protection
Acts.
The Commissioners passed a resolution requesting the European Commission
to give urgent consideration to the situation. The Council of Ministers
had, in 1982, requested all members to pass Data Protection Acts and ratify
the Council of Europe Data Protection Convention during the next two years.
By 1989, most had ignored the request.
The result of the Commissioners' approach was, in September 1990, a draft
Council Directive on Data Protection. This was met with mixed reactions.
Most Data Protection Authorities regarded it as a significant step forward
(some, such as the French CNIL, thought it did not go far enough). Some
Data Users, most notably the direct marketing and travel industries, saw it
as a serious infringement of their right to trade freely. Some direct marketers
described the directive as rubbish, not worth the paper it was written on.
After the Commission had received many comments on the content of the Directive,
it went to the European Parliament for comment. They produced a long list
of amendments, in general strengthening the rights of the individual to
determine what happened to his or her own personal data.
In November 1992 the Commission produced a second draft of the Directive.
A working party of officials from each of the member governments started
a very long series of meetings to produce an "agreed position"
which the Council of Ministers could accept. The negotiations lingered on
until 6th February 1995 when the draft was "effectively passed"
by the Council of Ministers. The Swedes and the Finns had only received
the translations of the document into their native languages the Friday
before and were therefore not prepared to vote on it. At the Financial Council
meeting on the 20th February it was finally passed, and now goes to the
Parliament for a second reading. We can expect it to stay there for up to
twelve months, and I, for one, await its outcome with considerable interest.
Structure of the European Union
The structure of the EU is not unlike that of the Council of
Europe, but larger and better financed. It has a Council of Ministers, a
Commission, a Parliament, a court (the European Court of Justice), and a
court of auditors. The Parliament meets in both Brussels and Strasbourg:
when in Strasbourg they use the same hall as the Council of Europe Parliamentary
assembly. They both share the same blue flag with twelve gold stars around
it, and they both share the same anthem: Schiller's Ode to Joy from the
fifth movement of Beethoven's Ninth Symphony.
Very confusing.
Directives
Apart from the Data Protection Directive, others currently under
preparation by the EU include Telecommunications, Databases and Distance
Selling.
The Telecommunications directive, setting out to protect the privacy of
individuals using the telephone system, was originally issued in draft form
at the same time as the Data Protection Directive. Although it has progressed
farther than the latter, it is difficult to see how it can complete its
progress before Data Protection is settled. This is because the Data Protection
Directive is an umbrella directive, setting the general principles that
have to be observed in other directives which deal with privacy.
The Database directive is concerned with the protection of the copyright
of databases. This is obviously of importance to users of the Internet,
but I believe the only real protection may prove to be not to make available
on the Internet information whose copyright you want to protect.
The Distance Selling directive is concerned primarily with the protection
of consumer rights. This is likely to be of importance when you buy articles
advertised on the Internet from a country outside your own but within Europe.
Nations with Data Protection
For information, Table 2 below lists those nations which are
currently known to have Data Protection Acts or Bills. To them may be added
Quebec, which is remarkable for being the first North American jurisdiction
to have a European style Data Protection law, Japan which has a number of
local Data Protection laws, and Hong Kong which has a Data Protection Code
based on the European draft directive, but which has not yet been passed
by the Legislative Council.
[ Link not yet available ]
Conclusions
I believe the Internet will prove to be very difficult to govern
in the way that Governments may wish, for all the reasons laid out in this
paper. Indeed, it is even questionable whether it should or can be tightly
controlled.
At a meeting of the American Association for the Advancement of Science
in Atlanta in February 1995, three factors were suggested as being the bases
of responsible use of the Internet. In my opinion, they were absolutely
correct, and I believe that ways must be found of defending these three
factors. They are:
1. privacy, especially of the individual;
2. security, especially of the computer hardware and software; and
3. integrity, especially of the people who use the system.
Within the Data Protection Convention countries within Europe, the first
of these, privacy, has a degree of protection.
Whether they will ever be protected by international law remains to be seen.
In the mean time, I believe all users of the Internet should take their
own precautions to make sure they do not suffer.
If these three things are observed, the laws, or lack of them, governing
the use of the Internet may not be so important. In other words, every user
should take steps to protect him or herself.
I have coined the acronym IPSI, standing for:
Internet
Privacy,
Security, and
Integrity.
If you remember nothing else from this conference, please try to remember
to defend these three factors of responsible use of the Internet.