Fact Sheets: Privacy and surveillance

1. What is surveillance?

Surveillance is the monitoring of activities of an individual, group or groups of people. New opportunities for mass surveillance are opening up daily with high-speed, networked computers facilitating many of our everyday activities. Surveillance today may be carried out via the Internet, via telephone networks or via the data profiling of individuals. It is carried out for a variety of reasons - by the private sector for commercial ones (such as the protection of intellectual property rights), or by states for security reasons.

Surveillance may be:

Passive – this analyses the trails of information generated by people’s everyday activities. It usually focuses on patterns of activity and includes techniques such as:

* data profiling and dataveillance (often used for market research, direct marketing or political lobbying)
* online monitoring of internet activity (for example, through data communications, information or cookies to track information on which websites are visited by an individual)
* enforcing intellectual property rights (through embedded information which tracks an individual’s use of a particular software or online service)

Directed – this can usually only be used in certain circumstances relating to serious crime. It directly targets and monitors specific individuals. It includes techniques such as:

* tapping communications (including internet data);
* bugging places of work;
* monitoring or infiltrating activities and networks through human agents.

2. How is surveillance covered by law?

Directed surveillance is covered by the Regulation of Investigatory Powers Act 2000, and the Terrorism Act 2000. They update the powers of the state to tap communications and to infiltrate networks or organisations. These laws require that:

* any directed surveillance must be properly authorised by a person empowered to do so;
* this authorisation must be subjected to scrutiny to ensure that it was justified under the relevant law, and that it was correctly applied.

Some kinds of directed surveillance controls are enabled primarily through general powers given to the police to 'maintain order'. The use of surveillance in policing demonstrations is something of a grey area in terms of regulation; although the type of surveillance used does not necessarily target specific individuals, the Security Services Act 1996 and the Police Act 1997 state that concerted action by many people, even if in itself not illegal, may be investigated as 'serious crime'.

The Anti-Terrorism, Crime and Security Act 2001 strengthens the powers of the state to hold traffic data (see glossary). It also allows government departments to pool their information on terrorism and serious crime as part of their investigations.

Controls over the monitoring of communications data are less restrictive than those for directed surveillance. Communications data is accessible to local government agencies as well as the police or security services.

The Regulation of Investigatory Powers (RIP) Act widened the scope of powers for surveillance. It introduced a new requirement for telecommunications service providers to install special taps to facilitate blanket surveillance based around the automated collection of traffic data.

The RIP Act provides that communications data may be intercepted:

* in the interests of public safety;
* for the protection of public health;
* the collection of tax or charges payable to a government department; or
* for preventing death or injury.

It requires that message contents, on the other hand, should only be read in cases involving:

* national security;
* the prevention of serious crime;
* the protection of the ‘economic well-being’ of the UK.

The European Cybercrime Convention permits communications data to be routinely databased and held for many years and shared with other states that are signatories to the Convention.

Safeguards for the rights of individuals in terms of the use of their personal data come under data protection laws. The rights of individuals to privacy are defined by the Human Rights Act 1998, which implements the European Convention on Human Rights. Article 8 of the Convention states that:

* Everyone has the right to respect for his(/her) private and family life, his(/her) home and his(/her) correspondence.
* There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Under UK law, therefore, a person has no absolute privacy rights. They are all subject to the exceptions above, so there is a wide range of circumstances in which government and other bodies may argue for such exceptions to be made.

3. Does the use of electronic surveillance threaten civil liberties?

In situations where data has been used (even where information is erroneous) in a way that damages a person's private life, individuals have limited legal rights to prevent further disclosure or to seek redress for the damage caused.

Many Internet privacy activists believe that there may be significant cause for concern on the privacy implications in the use of, for example;

* data profiling;
* the growing number of software tools that can only be registered online;
* internet firewalls and cookies;
* communications traffic data which identifies the source of requests, names of files supplied, dates, times, etc. This can enable the generation of profiles of the activities of groups or individuals;
* the databasing and archiving of that information.