Thinking About Surveillance Harm

“Show me a victim; the story needs a human face.” I’ve lost count of the number of times that journalists have qualified their interest in surveillance stories this way. That’s why the story of the phone-tapped German Chancellor was so compelling—even if political expediency saw victimhood substituted for “disappointment.” No less telling is how much of the media lapped up Snowden’s other revelations about mass surveillance as if it were a crime against humanity itself; the exposure of the sheer scale of the NSA and friends’ capabilities intimates the potential scale of the harm.

But in so far as the criminal law is concerned with identifiable persons harmed directly by a perpetrator, the classic “victim” is hard to come by. And where invasions of privacy are a demonstrable precursor to other serious human rights abuses, the latter tend to overshadow the former. In addressing surveillance harm, therefore, I would like to think there is a role for “zemiology,” the study of social harms and, more recently, those particular harms caused by states, institutions, and corporations.

Locating Surveillance Harm

It is tempting to approach surveillance harms by cataloguing different techniques of mass surveillance and their objective (demonstrable) and subjective (perceived) impacts. My own view is that in today’s mass surveillance-oriented societies, where so much depends on who is doing the watching and why, the locus of harm is best derived from the context: the “war on terror,” the workplace, the policing of protest and dissent, migration control, the management of public space and so forth. In turn, the harms are surely best understood from the particular vantage point of the “suspect communities” in question.

In practical terms it may also be helpful to distinguish between the collection of information, which may (uncomfortably) be both privacy-invasive and objectively harmless to an individual, and the use of that information, which may have devastating and demonstrable consequences for those affected. This is arguably the difference between information societies and surveillance societies and as such is the key battleground in any attempt to mitigate harm through better regulation.

Mass Surveillance in the European Union

We had mass surveillance in the EU long before Edward Snowden revealed the dragnet surveillance of the USA-led “Five Eyes” alliance to be of an even greater order of magnitude. This includes dedicated EU legal frameworks for domestic and cross-border interception of telecommunications (what we still know as ‘real-time’ phone-tapping); the mandatory retention of financial transactions and telecommunications ‘metadata’; the establishment of population databases and the roll out of biometric IDs; and the surveillance and profiling of air travelers and would-be migrants and refugees.

It follows from the points raised above that I am less concerned with the victims of these frameworks—those whose phones were unlawfully tapped or whose fingerprints were wrongly matched to crime scenes, for example—than I am with the qualitative harms that they have caused. It’s not that there aren’t any victims (on the contrary, many surveillance activists can cite such cases chapter-and-verse); it’s that the greater social harm has come from the development and implementation of layer-upon-layer of pervasive surveillance and identification practice. If the “goal,” post-Snowden, is to curb mass surveillance, these frameworks also demonstrate the magnitude of the task ahead. The remainder of this paper focuses on telecommunications data retention and financial surveillance.

EU “Data Retention” Laws (Metadata)

Whistleblowing has revealed the staggering breadth of US court orders mandating the collection of communications data as well as the “hacking” of fiber-optic cables and data centers on both sides of the Atlantic. Yet, in the EU, laws compelling telecommunications and internet service providers to retain all “metadata” (i.e. traffic, not content) were adopted in 2006.

The “Data Retention” Directive, as it is known, crossed the Rubicon in terms of mass surveillance by establishing the principle that intimately personal information must be retained in case the security and law enforcement community need it later. The Directive, which is currently being reviewed by the European Court of Justice (ECJ) for compatibility with Europe’s human rights conventions, sets a retention period of six months to two years.

A second EU law intended to regulate access to the retained data never materialized, leading to massive disparities in the practice of communications data surveillance across the member states. Several national courts have already declared the domestic laws implementing the Directive incompatible with their constitutions, including Germany, which, having failed to introduce replacement legislation, now finds itself in the ludicrous position of being one of the most spied upon countries under the PRISM program (et al.) while being sued by the European Commission for €315,000 per day (under “infringement proceedings”) for failure to implement an EU law that mandates mass surveillance at home.

Following referrals from several national courts, the European Court of Justice must now rule on whether the EU Data Retention Directive unduly restricts individual rights to free movement (a founding principle of the EU), since metadata from cell phone networks can be used for locational surveillance; rights to privacy and “data protection” (which limit the purposes that personal information can be used for); and the right to freedom of expression, which (like the First Amendment) should ensure that people can “receive and impart information and ideas without interference by public authority.” Fundamentally, the ECJ must decide whether the Directive’s impact on these rights has been kept to an absolute minimum as required by EU law, and whether any such restrictions are “necessary in a democratic society,” as required by human rights convention.

At the ECJ’s hearing on the case in June, the five member states defending the Directive were asked to produce “evidence” demonstrating the necessity of mandatory data retention. Statistics pertaining to the use of retained data in criminal investigations and prosecutions were duly presented alongside police anecdotes showing the utility of historical metadata, but the Directive’s advocates still had to acknowledge an overall lack of statistical evidence demonstrating the need for mandatory retention as compared to less intrusive methods such as “freezing” or “data preservation” orders. In light of Snowden’s revelations, the ECJ’s pending judgment on the legitimacy of the Directive could yet produce the most important ruling on surveillance in Europe for three decades.

Financial Surveillance and Mass Profiling

As with communications data retention, EU law requires all financial service providers to keep all customer and transactional data for a minimum of five years to facilitate criminal investigations and prosecutions. Moreover, it requires those providers to engage in the profiling and ongoing surveillance of their customers. These obligations and the other “due diligence” requirements described below have been developed by the Financial Action Task Force (FATF), an obscure intergovernmental body to whose standards almost all countries in the world are now committed.

EU money laundering regulations also require banks and other financial and non-financial businesses to report to the police any suspicion that their clients may be trying to conceal the proceeds of crime. To this end, they must vet new customers for possible involvement in money laundering, monitor their accounts for suspicious financial transactions (“SUSTRANS”) and file suspicious transaction reports (STRs) with the responsible national authorities. SUSTRANS are suspicious cash movements over 15,000 USD/EUR, or a series of linked transactions totaling this amount. In 2012, the FATF decided to halve this threshold. Tens of millions of STRs are already generated globally every year with little or no regard for the perfectly innocent people who may be affected.

After 9/11, the “positive disclosure” rules in the money laundering regulations were extended to terrorist financing, de facto requiring financial services providers and other designated businesses to vet their customers for links to terrorism. They have since been extended to corruption, requiring the vetting of customers for links to “politically exposed persons” (PEPs: politicians, government officials, judges etc.), and most recently, “non-proliferation,” a development apparently designed solely to supplement the financial sanctions against Iran adopted by the USA and EU.

Whereas civil society has said little about the FATF rules (and even encouraged them in the case of pro-transparency and anti-corruption NGOs), the banking sector laments how onerous they have become. Indeed, the requirements are now so extensive that an entire industry has emerged to fulfill the due diligence requirements on their behalf. Statewatch is about to publish a report on one of the market leaders, World-Check, which was purchased in 2011 by Thomson Reuters for $530 million and whose services are used by most of the world’s major banks as well as hundreds of law enforcement and regulatory agencies.

World-Check’s core business is a global database of individuals and entities who may pose a money laundering, terrorist financing, bribery, or corruption risk. Specifically, the World-Check database contains “up-to-date profiles” on people and organizations named on around 350 national and international “blacklists,” identified as PEPs or family members, listed on law enforcement or regulator sites, or named in the media as being guilty or suspected of involvement in one of the FATF predicate offences.

Our investigation reveals that the World-Check database now contains around 2 million records on individuals and organizations: a bigger criminal intelligence database than that of Europol (the European Police Office), and markedly different insofar as it is available to purchase on the open market. Among the most alarming findings of our investigation is that individuals and organizations can evidently be included in the database on the basis of any association with, for example, “terrorism.” So if you are mentioned as an associate or supporter of the wrong kind of people—even in the least reputable of media outlets—you risk being flagged up later by the banks as a “terrorism risk.”

Because the financial sector has become so risk averse on the back of the exemplary fines (of hundreds of millions of dollars) for lapses in due diligence handed down in the USA and elsewhere, it balks at any sign of risk, however tenuous. This means that if you are identified as a terrorism risk in the World-Check database, or those maintained by its competitors, you are unlikely to be able to get a bank account or send money abroad.

The harms caused by this kind of crude risk profiling, which include stigmatization and financial exclusion, have been acutely felt in Muslim communities around the world, and by NGOs working in conflict zones or at the sharp end of the “war on terror.” With the mania for all things “big data,” and financial incentives for turning large datasets into “actionable intelligence,” World-Check may offer a taste of what is to come.