This is an examination of how authorities in Denmark, Poland and the United Kingdom report information requests they make to social media companies.
Most people in these countries assume that there are systems to hold the authorities accountable, for example when the police makes a request to Facebook for profile data about an individual.
There are systems but, after the digital revolution and the advent of social media, society has changed. Many assumptions about how our society functions and should function are turned upside down. Authorities are trying to adapt to this new context but have a hard time with some aspects, transparency towards the public a notable example.
In 2013 we asked Swedish authorities about the requests they make to social media companies. We wanted to get a picture of government openness in this new setting. The results? Nothing. A majority of the public authorities didn’t even reply. Those who did reply didn’t answer with any substance and we concluded that Swedish authorities, once a bastion for openness in the world, don’t know how to act openly in the digital society.
In this new study, we compare three countries with similar characteristics as Sweden. By watching trends from a broader perspective than the national debate, as laws, practices and opionions differ from country to country, we hope to find patterns of how authorities act and to better understand what an effective approach to government transparency looks like.
This study looks at a limited sphere of privacy. When information is published, by an individual in social media, and used in a context other than what it was intended for without the expressed consent of the individual, there has been a violation of privacy and a breach of trust.
What have we learned?
All three nations are bound by the Data Protection Directive of the European Union as well as the European Convention on Human Rights and the EU Charter of Fundamental Rights. Aside from those common elements we have disclosed a number of different national legislations that also have an effect on privacy and data collection.
The most notable similarity is the authority of law enforcement to request information from telecommunication providers in an extensive manner. Denmark does have a provision that most of the information gathering is only allowed if it is of “vital importance” to the investigation, and the low number of requests together with the high compliance rate may suggest that such a provision may work. For Poland and the UK the police have much more extensive capabilities for information acquisition. In Poland there does not seem to exist any limitation on what types of crime can be subject to data collection, and in the UK the number of authorities that may make requests is extremely inflated, which is also reflected in the number of requests made by UK authorities in the company reports.
As for the tax offices the regulations seem to be more diverse. The Danish system allows local tax authorities to get access to information without a warrant and has collected, among other things, logging data and information about use of private credit cards. The tax authorities in the United Kingdom have the right to request interceptions of communications about individuals and premises, just as law enforcement does, and this power is even greater when it comes to information going to and from the UK, as there is no need to specify an individual or premise in such a case. The Polish tax authorities do not seem to have the same powers according to our study.
The use of supervisory powers on the data collection seems to exist, but at least in the case of Poland they have received criticism for not fulfilling their duties, and in the other countries the supervisory authorities have made suggestions for improvements, but it remains to be seen if adherence to these policies will be enforced.
All three reports highlight the difficulty in getting answers and information from authorities regarding the requests they make on communications data. There are some organisations that have managed to get access to such data after much effort, but for the average citizen it is practically impossible to acquire any meaningful knowledge about what the authorities may or may not know about the public in general or individuals specifically.
According to the reports from the social media corporations, the UK has a very high compliance rate with the requests made, as well as huge number of requests that is sometimes several times higher than in Poland or Denmark, even if split per capita.
In Denmark, Telia is the only telecommunications operator that has disclosed information about requests, and their most notable contribution is that the tax authorities had tried to make requests previously but failed to gain access to any information. In the UK there has been a push towards getting private companies to publish transparency reports, but so far only Vodafone Group Plc has complied. In Poland, an NGO named Panoptykon has made considerable strides towards raising public awareness on surveillance capabilities, while the authorities themselves seem reluctant about disclosing their information.
The most noteworthy finding in the practice section is the lack of accountability for governments and authorities in disclosing to the public what they collect and why they collect it.
As far as statistics are concerned, the Polish report notes that Panoptykon has revealed that in 2011 there was approximately 1 933 000 requests made regarding telecommunications data from authorities to telecommunications operators. Despite the increasing use of communications technologies, 2 million requests in a country of 38.5 million (in 2011) can be seen as quite significant. There has also been supervision into the practices of the UKE and the reports have been fairly damning for the authorities.
In the UK Big Brother Watch revealed that, unsurprisingly, the police files a considerable number of communications data requests. Perhaps even more noteworthy is the fact that Jobcentre Plus, an agency looking into social security fraud, made over 10 000 requests in 2011 alone.
In Denmark, the Telecommunications Industry stated that in 2013 there were 3.5 trillion datasets registered by authorities regarding telephone and internet use. That amounts to one packet per Danish citizen, every minute, throughout the year. The industry association has called for a political investigation into these revelations. There are also some statistics available on the use of the Data Retention Directive. In 2012 there was a total of 6678 such requests made, amounting to over 18 individual requests per day during the year.
In conclusion, authorities in all three countries lack systems and routines for reporting to the public about their contact with social media companies.
Politics and trends
In the end, the exact quantities is not the primary concern when it comes to surveillance and collection of personal data. If there is little public debate about these practices, little will change as law enforcement and other authorities that want stronger investigatory powers will have better possibilities of gaining the attention of politicians and lawmakers.
In all of our nations, however, there has been public concern and a significant amount of NGO and watchdog work dedicated to direct the public eye towards the situation. The aforementioned Panoptykon foundation in Poland has published several reports on the subject matter. It is now apparent in polls that public support of surveillance authority is decreasing. It is a minor decrease from often quite alarming levels of support but a decrease nonetheless.
The Danes are, along with the other nordic countries, still trusting towards official agencies. Even so, awareness is being raised concerning the potential dangers of mass data collection. The fact that half of the danish municipalities use Facebook as a tool for investigations in welfare cases shows the need for updated practices and rules. The lack of transparency in the Centre for Cybersecurity and the lack of authority with the Data Protection agency is further evidence of this.
In the UK there has been a widely used political rhetoric in condemning the expansion of surveillance powers, yet no legislative actions have been taken, despite strikingly similar views on the matter when the respective parties are not in power. There is a public agreement with surveillance, but only if it is directed towards a suspect. 68% are fairly or very concerned with online privacy. There does seem to be at least one active watchdog in the Interception of Communications Commissioner, and there is a large group of NGOs working with surveillance issues.
The heavy focus on GCHQ in the Snowden revelations may also spark additional controversy in the public debate in the UK.
Where should the reformation begin in regards to surveillance and data collection? Should the public strive for increasing auditor authorities’ powers? Should engaged politicians write motions to reformulate the capabilities of police or authorities and tax offices, or redefine what constitutes metadata in the eyes of the law?
Perhaps the answer is a combination of these factors. There might not exist a single quick fix solution to a problem that is based in law, modern practice, idealised concepts of law enforcement, internal culture in state institutions and so many other facets of what goes into governments and law enforcement.
Information and public engagement is the way forward. A number of activist groups and NGOs are constantly keeping authorities on their toes. Researchers are trying to turn every page to find what the practices look like. A number of politicians are also very vocal on the matters.
We need our governments to be more transparent. We need to be able to hold governments and authorities responsible for their activities. We need to be able to trust them in that their methods are fair and their actions are proportional and reasonable, and the only way for that trust to be established is transparency and openness towards the public which they serve.
So the takeaway from this study, no matter if you like or dislike information acquisition on a grand scale, no matter if you think the line has been crossed or not, is that we need more information. In a democracy, keeping the public uninformed is an anathema.
The Public needs to know. Transparency is the way forward.