Privacy International isn’t well known in Australia, but for nearly 30 years it has been a forum for groups campaigning against surveillance and for privacy and data protection. At the start of this decade it became a charity, based in London, with funding from governments, NGOs and universities. It was one of the human rights and advocacy groups that took the UK government’s surveillance laws to the European Court of Human Rights and successfully had parts of them struck down last month.
Last week, a UK court revealed documents showing Privacy International had been illegally spied on by MI5, the UK’s domestic intelligence agency, its foreign intelligence service MI6 and GCHQ, its signals intelligence arm. They had used two surveillance programs, Bulk Communications Data and Bulk Personal Datasets, to spy on the group, according to the Investigatory Powers Tribunal. The group is challenging both programs in the tribunal. Conveniently, MI5 deleted the information it had gathered immediately before Privacy International was told about the spying.
The UK’s mass surveillance laws, established in 2016 — but currently needing a rewrite because both UK and European courts have struck down key aspects — were put forward by the UK government on the pretext that they would target terrorism. The UK home secretary Amber Rudd welcomed the passage of the laws in 2016, saying “at a time of heightened security threat, it is essential our law enforcement and security and intelligence services have the power they need to keep people safe. The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge.” Terrorism apparently extends to privacy campaigners.
Here, the story has been the same. The government’s mass surveillance laws, passed in 2015, were, we were told at the time, “vital to investigate terrorism and organised crime”. Gullible journalists parroted its claims that mass surveillance was crucial “for foiling terrorist attacks and investigating serious crime”. Mass surveillance laws would only be used for “the most serious crime – to terrorism, to international and transnational organised crime, to paedophilia,” then-attorney-general George Brandis claimed at the time.
Within months of passage, however, the laws were being used for other purposes. The government’s own data showed that drug and property offences were the primary reasons for their use. And they were used to pursue whistleblowers and journalists. In early 2017, an AFP officer illegally accessed the metadata of a journalist to track down a source as part of an investigation of a media story. The AFP has refused to reveal the identity of the journalist, or inform them that their privacy was breached, and the perpetrator suffered no consequences because of the breach.
The AFP also launched raids against the offices of an opposition frontbencher, Labor staff and Parliament House itself in order to track down the whistleblowers who had revealed embarrassing information about the NBN. The AFP was forced to relinquish the material it seized. The AFP used a loophole in the mass surveillance laws to seize data sent to, not by, journalists in order to identify their sources.
The iron law of mass surveillance is that the laws will be justified with an emotive appeal to the need to stop terrorists and catch pedophiles, but such scum will rarely, if ever, be caught or stopped. Instead, lesser offences in the eternal War on Drugs will be the primary target, and the laws — and the bureaucratic and technological infrastructure that supports them — will invariably be used to pursue those who have embarrassed governments. Once the infrastructure is established, why not use it — against NGOs, against whistleblowers, against journalists, against lawyers, against opposition politicians? Surveillance creep is inevitable.
The government’s current war on encryption will be no different. It has justified trying to undermine encryption based on “terrorists’ exploitation of the internet”. The same journalists have parroted the same lines as they did for mass surveillance, saying the laws were aimed at “suspected terrorists, hackers and cyber-criminals”. But surveillance creep will expand the use of the laws once the framework for forcing companies to co-operate in breaching their customers’ privacy is established.
Whistleblowers will be accused of revealing national security information — remember how crucial we were told the information security around Operation Sovereign Borders was? — and the government’s draconian laws against “insider threats” used to justify breaching encryption to go searching for them and the journalists, politicians, NGOs and lawyers they’ve communicated with. Just ask Privacy International.