european court of human rights – Techdirt (original) (raw)

European Human Rights Courts Rules That Encryption Backdoors Are Illegal Under European Law

from the lol-good-luck-EU-encryption-haters dept

Well… this is an unexpected (and fun!) turn of events. The EU Commission has spent most of the last couple of years trying to talk EU members into voting in favor of weakened encryption, if not actual encryption backdoors. You know, for the children.

On the table are things ranging from mandated client-side content scanning to the compelled breaking of encryption whenever law enforcement wants access to communications. These plans — including parallel efforts by the UK government (which is no longer an EU member) — have attracted more opposition than support, but that hasn’t stopped the commission from moving forward with these efforts, even when its own legal counsel has stated these mandates would violate EU laws.

While it’s possible (but extremely unwise) to blow off your own internal legal guidance to get with the encryption breaking, it’s much more difficult to ignore overriding external legal guidance that says what you’re trying to do is blatantly illegal. You can always hire more subservient lawyers if you don’t like what’s being said by the ones you have. But you can’t blow off the European Court of Human Rights quite as easily.

As Thomas Claburn reports for The Register, a long-running case involving (of all things) the Russian government’s attempt to force Telegram to decrypt communications has resulted in a loss that will be felt by all of the EU’s anti-encryption lawmakers.

The European Court of Human Rights (ECHR) has ruled that laws requiring crippled encryption and extensive data retention violate the European Convention on Human Rights – a decision that may derail European data surveillance legislation known as Chat Control.

The court issued a decision on Tuesday stating that “the contested legislation providing for the retention of all internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society.”

Ouch. Good luck pushing anti-encryption mandates when the court has declared them unnecessary in a democratic society. And, somehow, we have the Russian government to thank for this turn of events.

The case dates back to 2017, which is when Russia’s Federal Security Bureau (FSB) tried to force Telegram to engage in compelled decryption of Anton Podchasov’s communications. Podchasov challenged the order in Russia but the Russian court dismissed it. So, Podchasov brought the matter to the ECHR because — prior to its 2022 invasion of Ukraine — Russia was still part of the Council of Europe and (at least theoretically) subject to ECHR rulings.

Well, Russia may have exited the Council with its illegal invasion, but the courtroom challenge was still active. The final ruling — which will have zero effect on how Russia handles compelled decryption — is throwing a considerably sized wrench into the mechanations of anti-encryption legislators in the EU government.

The court concluded that the Russian law requiring Telegram “to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users.” As such, the court considers that requirement disproportionate to legitimate law enforcement goals.

The EU Commission dropped its anti-encryption demands last summer following considerable pushback from EU member governments. But that doesn’t mean those desires aren’t still there, even if they’re dormant at the moment.

But this ruling will make it almost impossible to resurrect most of the EU Commission’s anti-encryption efforts. The court’s ruling makes it clear there’s no legally justifiable reason for breaking end-to-end encryption. And the ancillary stuff — like client-side scanning and extensive logging demands — is far less likely to receive a warm welcome from member states, not to mention EU courts, following this ruling (even as the European Court of Human Right is not a part of the EU, its judgments cover the EU members as well as other members in the Council of Europe).

Most of the stuff the EU Commission has been trying to enact over the past few years has been declared illegal. If it wants to do these things, it will have to change several other laws first. And that effort is far less likely to succeed, since changing these laws means breaking the law. You can always write illegal laws. You just can’t enforce them.

So, unless the EU Commission has the power to talk its members into backing its preferred brand of friendly fascism, it will just have to dial back its expectations. Sure, those who think any means can be justified by the ends will throw up their hands in despair and proclaim this is the beginning of a new criminal apocalypse. But for everyone else, this ruling means their communications will remain secure — both from EU government agencies as well as entities far more malicious.

Filed Under: backdoors, encryption, eu, eu commission, europe, european court of human rights

Europe's Human Rights Court Says UK Mass Surveillance Violated Rights, Unlawfully Obtained Journalists' Communications

from the leaking-works dept

Another court case prompted by the Snowden leaks has reached its conclusion. And the findings are that Snowden’s revelations were accurate: the NSA’s Five Eyes partners were breaking laws and ignoring people’s rights when engaging in mass surveillance. That’s just a natural side effect of grabbing communications and data in bulk and pretending it’s lawful if you sort through it after you’ve already acquired it.

The UK spy agency GCHQ’s methods for bulk interception of online communications violated the right to privacy and the regime for collection of data was unlawful, the grand chamber of the European court of human rights has ruled.

In what was described as a “landmark victory” by Liberty, one of the applicants, the judges also found the bulk interception regime breached the right to freedom of expression and contained insufficient protections for confidential journalistic material but said the decision to operate a bulk interception regime did not of itself violate the European convention on human rights.

Another one of the claimants — the Bureau for Investigative Journalism — says this is a win for journalists all over Europe. The ruling institutes more protections for news gatherers, which should hopefully prevent some of these violations from reoccurring.

The UK government violated the freedom of the press for decades under its mass spying programme and must now seek independent permission to access any confidential journalistic material, the European Court of Human Rights has ruled.

In a significant victory for press freedom, the new protections will apply to all confidential material collected by journalists in their reporting, not just the identity of sources. The judgment covers state authorities across Europe, including intelligence agencies, government departments and the police.

Unfortunately, it takes lots of plaintiffs and millions of dollars just to obtain a common sense ruling that intercepting journalists’ communications and metadata is a violation of rights. It also takes whistleblowers willing to come forward and expose what they’ve seen while working for surveillance agencies. It’s very unlikely a case would have been brought — much less won — without the Snowden leaks. This legal process began in 2013, shortly after Snowden started releasing material to journalists. And some of the recipients of these leaks saw themselves attacked and surveilled by their governments for reporting on these documents.

From now on, any surveillance targeting journalists or inadvertent collection of their communications and data must be run by an independent entity before it can be used in investigations or prosecutions. The spy agencies must prove their interests are greater than the public’s interest in whatever the journalists are reporting on. They also must show there’s no other way to obtain this same information without utilizing data and communications obtained from journalists. Yes, this may encourage parallel construction and other data laundering, but at least it should deter the direct targeting of journalists.

There may be more favorable rulings in the future. One of the complainants says this win will allow some of its other legal challenges against mass surveillance to move forward. And some of the 17(!) dissenting judges said this ruling — while a landmark decision — does not go far enough to protect journalists and other innocent people from bulk surveillance.

Then there’s the UK’s “Snooper’s Charter” — one that’s been in the works for nearly a half-decade — which would expand surveillance powers in the UK. The UK exited the European Union, making it unclear what effect this decision would have on domestic surveillance. And the UK government’s ongoing war on encryption makes it clear many of those currently writing and approving legislation don’t really care if rights are violated — not if those rights stand in the way of law enforcement investigations and vague national security interests.

But it’s still a significant win. While it may do little for UK journalists now or in the future, it does erect additional protections for journalists located elsewhere in Europe. And it shows whistleblowing works and, indirectly, why far too many governments have decided whistleblowers are threats to be eradicated, rather than protected.

Filed Under: ed snowden, eu, european court of human rights, gchq, human rights, snowden leaks, surveillance, uk

The Wikimedia Foundation Asks The European Court Of Human Rights To Rule Against Turkey's Two-Year Block Of All Wikipedia Versions

from the probably-won't-do-much,-but-should-annoy-Gollum dept

As numerous Techdirt stories attest, the Turkish authorities — and the country’s notoriously thin-skinned President, Recep Erdogan — are unwilling to accept even the slightest criticism of their actions, from any quarter. That has led to huge numbers of Turkish citizens being thrown in prison on the flimsiest pretexts, as well as many Internet sites being blocked in a similarly arbitrary way. Perhaps the most significant digital victim of Turkey’s paranoia is Wikipedia. In April 2017, every language version of the site was blocked under a law that allows the authorities to ban access to Web sites deemed “obscene or a threat to national security“. According to The Atlantic, Wikipedia was blocked because it refused to take down an article that claimed Turkey was “aligned with various terrorist organizations“.

For the last two years, all Wikipedia sites have remained blocked in Turkey. Now, the Wikimedia Foundation, which hosts Wikipedia, has had enough:

Today, we proceed to the European Court of Human Rights, an international court which hears cases of human rights violations within the Council of Europe, to ask the Court to lift the more than two-year block of Wikipedia in Turkey. We are taking this action as part of our continued commitment to knowledge and freedom of expression as fundamental rights for every person.

This is not a step we have taken lightly; we are doing so only after continued and exhaustive attempts to lift the block through legal action in the Turkish courts, good faith conversations with the Turkish authorities, and campaigns to raise awareness of the block and its impact on Turkey and the rest of the world.

The Wikimedia Foundation says that the block was applied because of two articles, not one, but gives no details. In its application to the European Court of Human Rights (ECHR) — not to be confused with the better-known Court of Justice of the European Union — it argues:

the blanket ban of Wikipedia violates fundamental freedoms, including the right to freedom of expression as guaranteed by Article 10 of the European Convention. Moreover, these freedoms have been denied to the more than 80 million people of Turkey who have been impacted most directly by the block, and to the rest of the world, which has lost the nation’s rich perspectives in contributing, debating, and adding to Wikipedia’s more than 50 million articles.

Even if the Wikimedia Foundation wins its case, there is not much that the ECHR can do to force Turkey to comply with a decision that the block should be lifted. It’s true that Turkey is a long-standing party to the European Convention on Human Rights (pdf), and that the fundamental rights provided by the Convention are guaranteed in the Turkish Constitution. But given the track-record of the Turkish authorities of ignoring all outside calls and criticism, we can probably expect more of the same if the ECHR finds against Turkey. On the plus side, this kind of high-profile tut-tutting from arguably the top human rights court in the world would doubtless annoy Erdogan hugely, so there is that.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: european court of human rights, human rights, recep tayyip erdogan, turkey, website blocking
Companies: wikimedia foundation, wikipedia

Another Terrible Court Decision In Europe: Insulting A Religion Is Not Free Speech

from the wait,-what? dept

Let’s start off with the basics, because if I don’t, I know we’ll be flooded with these comments: no, the European concept of “free speech” differs quite a bit from the American one. The American 1st Amendment creates extremely strong protections for all sorts of expression — including insulting or offending expression. Europe has always been a bit more willing to shove various exceptions into the right of freedom of expression, while mostly paying lip service to the concept. Article 10 of the Human Rights Act says that you have the right to your own opinions and the freedom to share them without government interference but, in practice, Europe has always been much quicker in brushing that aside in order to engage in all sorts of censorship from prior restraint to rewriting history.

And, according to a new ruling from the European Court of Human Rights, another exception to free expression is that you can’t disparage religions because it might hurt the feelings of religious practitioners. No, really.

The case, which was originally brought in Austria, involved a woman who hosted an event where she made a bunch of silly and misleading claims about Muslims and the Prophet Muhammad, in particular, claiming that because one of his marriages was to a very young girl, there was an implication that he was a pedophile (and further, strongly implying that other Muslims sought to emulate Muhammad). I’m not entirely clear as to why anyone cares what someone did over a thousand years ago (nor could anyone know with any real certainly what actually happened), but either way, some were offended by these comments — and that’s fine. If someone says offensive things, it’s reasonable for some to take offense.

But to claim its a human rights violation?

Multiple lower courts found that such comments could not be permitted, and it finally went up to the European Court of Human Rights, where much of the discussion centered around what the court believed was a clash, of sorts, between freedom to express opinions and freedom to manifest religion. And, the court comes down in this with an argument that would be laughed out of any US court, in that it sets up a “balancing” test. As Ken White has explained multiple times, the Supreme Court in the US doesn’t recognize any “balancing” test when it comes to free speech. In US v. Stevens, the Supreme Court explicitly rejected any sort of balancing test:

The Government’s proposed test would broadly balance the value of the speech against its societal costs to determine whether the First Amendment even applies. But the First Amendment’s free speech guarantee does not extend only to categories of speech that survive an ad hoc balancing of relative social costs and benefits. The Amendment itself reflects a judgment by the American people that the benefits of its restrictions on the Government outweigh the costs.

With this ruling, the ECHR has clearly stated that it’s going in the exact opposite direction. It directly argues that one?s free speech can be limited by law if it somehow interferes with someone else’s “religious feelings.”

While the applicant stressed that her statements had never been aimed at disparaging Muhammad, she did not dispute the legitimate purpose of criminal convictions under Article 188 of the Criminal Code, namely to protect religious peace. The Court endorses the Government?s assessment that the impugned interference pursued the aim of preventing disorder by safeguarding religious peace, as well as protecting religious feelings, which corresponds to protecting the rights of others…

And, while Europeans may argue, this is madness. It is exceptionally dangerous to free speech. I’m not advocating that anyone should be running around spewing ignorant arguments about religious figures that people adore, but saying that you can block free speech if it will “prevent disorder” or “protect religious feelings,” means that you’ve created a massive heckler’s veto. All you need to do is claim that hearing the speech will make you and your friends riot, or say it’s truly insulted your religious “feelings”, and suddenly it means the speech is not allowed. That’s crazy and will lead to lots of abuse and questionable situations where people censor themselves to avoid any liability at all.

There’s also some truly bizarre and incomprehensible language about how, because free expression includes “duties and responsibilities”, that also means you must “ensure the peaceful enjoyment” of others? religious beliefs. And the court states this right after noting that freedom of expression should allow for offensive, shocking and disturbing comments from non-believers about a religion:

The Court reiterates the fundamental principles underlying its judgments relating to Article 10 …. Freedom of expression constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and for each individual?s self-fulfilment. Subject to paragraph 2 of Article 10, it is applicable not only to ?information? or ?ideas? that are favourably received or regarded as inoffensive or as a matter of indifference, but also to those that offend, shock or disturb. The Court further notes that there is little scope… for restrictions on political speech or on debate on questions of public interest…. Those who choose to exercise the freedom to manifest their religion under Article 9 of the Convention, irrespective of whether they do so as members of a religious majority or a minority, therefore cannot expect to be exempt from criticism. They must tolerate and accept the denial by others of their religious beliefs and even the propagation by others of doctrines hostile to their faith

So, while that sounds reasonable, in the very next paragraph the court pulls out a “however…” and then proceeds to basically rip to shreds everything in the paragraph above.

… however, the exercise of the freedom of expression carries with it duties and responsibilities. Amongst them, in the context of religious beliefs, is the general requirement to ensure the peaceful enjoyment of the rights guaranteed under Article 9 to the holders of such beliefs including a duty to avoid as far as possible an expression that is, in regard to objects of veneration, gratuitously offensive to others and profane

And then it’s right back to the old balancing game:

The issue before the Court therefore involves weighing up the conflicting interests of the exercise of two fundamental freedoms, namely the right of the applicant to impart to the public her views on religious doctrine on the one hand, and the right of others to respect for their freedom of thought, conscience and religion on the other

The Court, towards the end, tries to argue that it’s really only the truly egregious insults that will matter, but gives little guidance at all on that:

The Court reiterates that a religious group must tolerate the denial by others of their religious beliefs and even the propagation by others of doctrines hostile to their faith, as long as the statements at issue do not incite hatred or religious intolerance. Article 188 of the Criminal Code (see paragraph 24 above) in fact does not incriminate all behaviour that is likely to hurt religious feelings or amounts to blasphemy, but additionally requires that the circumstances of such behaviour were able to arouse justified indignation, therefore aiming at the protection of religious peace and tolerance. The Court notes that the domestic courts extensively explained why they considered that the applicant?s statements had been capable of arousing justified indignation, namely that they had not been made in an objective manner aiming at contributing to a debate of public interest, but could only be understood as having been aimed at demonstrating that Muhammad was not a worthy subject of worship… The Court endorses this assessment.

And what if I were to join a religion focused on worshiping free speech — and declared that this ridiculous ruling harmed my religious feelings by suggesting such worship was not only misplaced, but illegal? Would I then be able to claim the Court itself had violated my apparent rights to not have my religious feelings offended?

Again, no matter what you think of the nameless plaintiff’s statements, which were silly, the idea that (1) that should be balanced against how upset it might make people and (2) that the balance should weigh against her, seems crazy and outright offensive to freedom of expression.

Filed Under: article 10, echr, europe, european court of human rights, free speech, human rights, religion, religious feelings

European Court Of Human Rights: UK Surveillance Revealed By Snowden Violates Human Rights

from the well-of-course-it-does dept

Yet another vindication of Ed Snowden. Soon after some of the documents he leaked as a whistleblower revealed that the UK’s GCHQ was conducting mass surveillance, a variety of human rights groups filed complaints with the European Court of Human Rights. It’s taken quite some time, but earlier today the court ruled that the surveillance violated human rights, though perhaps in a more limited way than many people had hoped.

At issue were three specific types of surveillance: bulk interception of communications, sharing what was collected with foreign intelligence agencies, and obtaining communications data (metadata) from telcos. The key part of the ruling was to find that the bulk interception of communications violated Article 8 of the Human Rights Act (roughly, but not exactly, analogous to the US 4th Amendment). It was not a complete victory, as the court didn’t say that bulk interception by itself violated human rights, but that the lack of oversight over how this was done made the surveillance “inadequate.” The court also rejected any claims around GCHQ sharing the data with foreign intelligence agencies.

In short, the court found that bulk interception could fit within a human rights framework if there was better oversight, and that obtaining data from telcos could be acceptable if there were safeguards to protect certain information, such as journalist sources. But the lack of such oversight and safeguards doomed the surveillance activity that Snowden revealed.

Operating a bulk interception scheme was not per se in violation of the Convention and Governments had wide discretion (?a wide margin of appreciation?) in deciding what kind of surveillance scheme was necessary to protect national security. However, the operation of such systems had to meet six basic requirements, as set out in Weber and Saravia v. Germany. The Court rejected a request by the applicants to update the Weber requirements, which they had said was necessary owing to advances in technology.

The Court then noted that there were four stages of an operation under section 8(4): the interception of communications being transmitted across selected Internet bearers; the using of selectors to filter and discard ? in near real time ? those intercepted communications that had little or no intelligence value; the application of searches to the remaining intercepted communications; and the examination of some or all of the retained material by an analyst.

While the Court was satisfied that the intelligence services of the United Kingdom take their Convention obligations seriously and are not abusing their powers, it found that there was inadequate independent oversight of the selection and search processes involved in the operation, in particular when it came to selecting the Internet bearers for interception and choosing the selectors and search criteria used to filter and select intercepted communications for examination. Furthermore, there were no real safeguards applicable to the selection of related communications data for examination, even though this data could reveal a great deal about a person?s habits and contacts.

Such failings meant section 8(4) did not meet the ?quality of law? requirement of the Convention and could not keep any interference to that which was ?necessary in a democratic society?. There had therefore been a violation of Article 8 of the Convention.

The court also found that acquiring data from telcos violated Article 8 as well, for similar reasons.

It first rejected a Government argument that the applicants? application was inadmissible, finding that as investigative journalists their communications could have been targeted by the procedures in question. It then went on to focus on the Convention concept that any interference with rights had to be ?in accordance with the law?.

It noted that European Union law required that any regime allowing access to data held by communications service providers had to be limited to the purpose of combating ?serious crime?, and that access be subject to prior review by a court or independent administrative body. As the EU legal order is integrated into that of the UK and has primacy where there is a conflict with domestic law, the Government had conceded in a recent domestic case that a very similar scheme introduced by the Investigatory Powers Act 2016 was incompatible with fundamental rights in EU law because it did not include these safeguards. Following this concession, the High Court ordered the Government to amend the relevant provisions of the Act. The Court therefore found that as the Chapter II regime also lacked these safeguards, it was not in accordance with domestic law as interpreted by the domestic authorities in light of EU law. As such, there had been a violation of Article 8.

Both of those elements also ran afoul of Article 10’s protection of free expression because journalists’ communications had been swept up in the bulk data collection:

In respect of the bulk interception regime, the Court expressed particular concern about the absence of any published safeguards relating both to the circumstances in which confidential journalistic material could be selected intentionally for examination, and to the protection of confidentiality where it had been selected, either intentionally or otherwise, for examination. In view of the potential chilling effect that any perceived interference with the confidentiality of journalists? communications and, in particular, their sources might have on the freedom of the press, the Court found that the bulk interception regime was also in violation of Article 10.

When it came to requests for data from communications service providers under Chapter II, the Court noted that the relevant safeguards only applied when the purpose of such a request was to uncover the identity of a journalist?s source. They did not apply in every case where there was a request for a journalist?s communications data, or where collateral intrusion was likely. In addition, there were no special provisions restricting access to the purpose of combating ?serious crime?. As a consequence, the Court also found a violation of Article 10 in respect of the Chapter II regime.

On the final issue of passing on the info to foreign intelligence agencies, the court didn’t find any human rights issues there:

The Court found that the procedure for requesting either the interception or the conveyance of intercept material from foreign intelligence agencies was set out with sufficient clarity in the domestic law and relevant code of practice. In particular, material from foreign agencies could only be searched if all the requirements for searching material obtained by the UK security services were fulfilled. The Court further observed that there was no evidence of any significant shortcomings in the application and operation of the regime, or indeed evidence of any abuse.

It would have been nice if there was more of a blanket recognition of the problems of bulk interception and mass surveillance. Unfortunately the court didn’t go that far. But at the very least this has to be seen as a pretty massive vindication of Snowden whistleblowing on the lack of oversight to protect privacy and the lack of safeguards to prevent telcos from sharing information with the government that should have been protected.

Filed Under: bulk collection, echr, ed snowden, european court of human rights, gchq, human rights, mass surveillance, suveillance

In A Surprising Decision, European Court Of Human Rights Says Sweden's Mass Surveillance Is Fine

from the but-top-EU-court's-views-may-matter-more dept

In the wake of Snowden’s revelations of the scale of mass surveillance around the world, various cases have been brought before the courts in an attempt to stop or at least limit this activity. One involved Sweden’s use of bulk interception for gathering foreign intelligence. A public interest law firm filed a complaint at the European Court of Human Rights (ECtHR). It alleged that governmental spying breached its privacy rights under Article 8 of the European Convention on Human Rights (pdf). The complaint said that the system of secret surveillance potentially affected all users of the Internet and mobile phones in Sweden, and pointed out that there was no system for citizens to use if they suspected their communications had been intercepted. The ECtHR has just ruled that “although there were some areas for improvement, overall the Swedish system of bulk interception provided adequate and sufficient guarantees against arbitrariness and the risk of abuse”:

In particular, the scope of the signals intelligence measures and the treatment of intercepted data were clearly defined in law, permission for interception had to be by court order after a detailed examination, it was only permitted for communications crossing the Swedish border and not within Sweden itself, it could only be for a maximum of six months, and any renewal required a review. Furthermore, there were several independent bodies, in particular an inspectorate, tasked with the supervision and review of the system. Lastly, the lack of notification of surveillance measures was compensated for by the fact that there were a number of complaint mechanisms available, in particular via the inspectorate, the Parliamentary Ombudsmen and the Chancellor of Justice.

When coming to that conclusion, the Court took into account the State’s discretionary powers in protecting national security, especially given the present-day threats of global terrorism and serious cross-border crime.

One expert in this area, TJ McIntyre, expressed on Twitter his disappointment with the judgment:

It might have been too much to expect bulk intercept ruled out in principle, but it is surprising to see a retreat from existing standards on safeguards.

McIntyre played a leading role in one of the key cases brought against mass surveillance, by Digital Rights Ireland in 2014. It resulted in the EU’s top court, the Court of Justice of the European Union (CJEU), ruling the EU’s Data Retention Directive was “invalid“. As McIntyre notes, the detailed ECtHR analysis mentions the CJEU decision, but not the more recent ruling by the latter that struck down the “Safe Harbor” framework because of mass surveillance by the NSA.

The judgment significantly waters down safeguards previously developed by the ECtHR in relation to notification and possibility of a remedy against unlawful surveillance.

For example, McIntyre points out the ECtHR accepted that it is necessary for the Swedish signals intelligence service to store raw material before it can be manually processed:

Remarkably weak controls on storage and downstream use of intercept material were accepted by the ECtHR — in particular, it was satisfied with retention of bulk intercept “raw material” for one year!

Something of a setback in terms of limiting mass surveillance, the latest judgment goes against the general trend of decisions by the arguably more important CJEU court. In 2014 the latter effectively ruled that its own decisions should take precedence over those of the ECtHR if they came into conflict. That is now more likely, given the CJEU’s hardening position against mass surveillance, and the diverging judgment from the ECtHR, which shows some softening.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: european convention on human rights, european court of human rights, human rights, mass surveillance, sweden

European Court Asked To Overturn Ruling Saying Linking To Defamatory Content Is Defamatory

from the neither-publishing-nor-republishing dept

It seems like common sense. The person legally responsible for defamatory statements is the person making the defamatory statements. But since pursuing that person often seems too difficult, legislators, courts, and disingenuous plaintiffs have engaged in mental/litigious gymnastics in hopes of finding third parties responsible for the statements of others.

We’ve seen a long list of lawsuits filed against service providers in response to defamatory content hosted on their platforms. We’ve seen courts — mostly outside of the US — convert third-party platforms into “publishers” for the sake of delisting/content removal court orders. We’ve seen numerous attempts to avoid Section 230 defenses by recrafting defamation lawsuits as trademark infringement litigation.

We’ve even seen some bad lawmaking, attempting to strip away protections for service providers to make it easier to hold them responsible for the actions of others.

The European Court of Human Rights is in the middle of another attempt to hold third parties responsible for the allegedly-defamatory statements of others.

The applicant in the case before the Court, Aleksey Navalnyy, is a prominent Russian political activist and opposition leader who sought to highlight the corruption that Mr Magnitsky had exposed. With this in mind, he posted a link on his LiveJournal blog to a YouTube video reporting on the 5.4 billion RUB tax refund. A Russian court held that the video was defamatory of an individual referred to in the report. The court found Navalnyy liable for statements that were made in the video as if they were his own, and ordered him to pay 100,000 RUB (approximately 1,400 GBP) in damages to the individual.

European courts and politicians have made efforts before to find those posting links to certain content just as liable as those who uploaded it. Previous attempts have mostly been related to copyright infringement, but this case isn’t an anomaly in terms of holding one person responsible for someone else’s statements.

The briefing [PDF], composed by a number of internet free speech activists, including the EFF, Access Now, and the Media Law Resource Centre, points to a number of precedential decisions from all over the world that make it clear the original defamer is the only one who should be found culpable for defamatory statements. To do otherwise is to threaten the basic operating principles of the internet, and the public discourse it facilitates.

Given the ubiquitous operation of hyperlinking on the Internet, it is an impermissible interference with Article 10 for the use of hyperlinks to be capable of giving rise to liability in defamation;

Given the dynamic nature of the content on the Internet to which hyperlinks may provide access (but over which the poster of the hyperlink is unlikely to have control), attaching liability in defamation to the provision of hyperlinks risks a particularly pronounced chilling effect on freedom of expression in violation of Article 10

It also points out the court shouldn’t hold bloggers to a higher standard than journalists by robbing them of the protections afforded to traditional press agencies.

Defences that are available in law to the traditional media should also be made available to bloggers and online news sites – the formal designation of persons should be immaterial for the purposes of Article 10 rights in this context.

If the ruling is upheld, linking to other sources will dry up, both in traditional media and blogging. To link to statements of others would be to assume culpability for those persons’ statements. Information would cease to flow as journalists and bloggers erect protective silos of info, generated from single sources. This end result would make those journalists and bloggers appear less trustworthy, as they would be unlikely to link to supporting statements and evidence if there’s even a small possibility those sources might become a subject of litigation in the future.

Then there’s the very real issue of content control: those linking to others can’t prevent alteration of the content they’re linking to, which may change drastically in tone and substance without the linker ever being made aware of the alterations. Just ask anyone who’s hotlinked an image, only to find it replaced with something embarrassing/hideous/both in response to the inconsiderate usage of someone else’s bandwidth.

Linking to other sources allows readers to gather more information and come to their own conclusions. Eliminating this makes information dissemination worse and further solidifies existing echo chambers. It’s a bad thing for the internet and would result in less informed users.

Filed Under: aleksey navalny, defamation, eu, europe, european court of human rights, linking, russia, simon magnitsky

European Court Of Human Rights May Have Just Outlawed Mass Surveillance Without Most People Realizing It

from the so-now-what? dept

While much of the focus in the past few years has been on surveillance conducted by the NSA for the US, it should be noted that many European countries do a ton of surveillance too — often with fewer restrictions (though they may not be as good at it). And while there have been some high profile legal attacks on the surveillance done by the UK’s GCHQ (a close partner of the NSA), CDT is noting that some little-watched cases in the European Court of Human Rights may have technically outlawed mass surveillance without most people even realizing it. It’s two separate cases in particular, Roman Zakharov v. Russia and Szabo and Vissy v. Hungary:

In Zakharov, the Court alluded to the possibility of broad indiscriminate surveillance only in passing, since the scenario it was considering was one in which the security services could start intercepting a telephone conversation at any time, but were not explicitly alleged to be intercepting all conversations (or related data such as the time and duration of calls) at all times. The Court found that a government may only intercept telephone communications where the body authorizing the surveillance has confirmed that there is a ?reasonable suspicion? of wrongdoing on the part of ?the person concerned.? This language, along with the Court?s statement that a surveillance authorization ?must clearly identify a specific person ? or a single set of premises? as the subject of the monitoring, seemed to set the stage for a ruling that UK-style society-wide surveillance programs such as Tempora are illegal under the ECHR.

In an unexpected form, that ruling may have arrived. Noting (as the Zakharov judges also did) that ?a system of secret surveillance ? may undermine or even destroy democracy under the cloak of defending it,? the Court in Szabo and Vissy considered whether the challenged Hungarian laws provide ?adequate and effective guarantees against abuse.? The answer was no: the phrase ?strictly necessary in a democratic society,? the Court explained for the first time, means not only that a surveillance measure must be strictly necessary for ?safeguarding the democratic institutions? at a general level, but must also be ?strictly necessary ? for the obtaining of vital intelligence in an individual operation.? Crucially, the Court added that the Hungarian authorities must therefore interpret a law allowing surveillance authorizations to apply to ?a range of persons??which, as the Court observed, could potentially include everyone in Hungary?very narrowly. According to the Court, the body authorizing the surveillance must ?verify whether sufficient reasons for intercepting a specific individual?s communications exist in each case.?

In other words: no gathering of an enormous indiscriminate haystack in order to search for a needle.

As the blog post from CDT recognizes, there is at least some confusion over what this ruling really means. So it’s not as if it’s entirely clear cut that mass surveillance has been banned in Europe. But, it’s quite likely that these rulings will be relied on in other cases as well, and the fact that there are statements that basically require “individualized targeting” certainly suggests that most mass surveillance programs are illegal in Europe. That could make things fairly interesting for the many, many surveillance programs around Europe that are not even remotely close to “individually targeted.”

Filed Under: eu, europe, european court of human rights, mass surveillance

Huge Loss For Free Speech In Europe: Human Rights Court Says Sites Liable For User Comments

from the this-is-big-and-dangerous dept

Last year we wrote about a very dangerous case going to the European Court of Human Rights: Delfi AS v. Estonia, which threatened free expression across Europe. Today, the ruling came out and it’s a disaster. In short, websites can be declared liable for things people post in comments. As we explained last year, the details of the case were absolutely crazy. The court had found that even if a website took down comments after people complained, it could still be held liable because it should have anticipated bad comments in the first place. Seriously. In this case, the website had published what everyone agrees was a “balanced” article about “a matter of public interest” but that the website publisher should have known that people would post nasty comments, and therefore, even though it automated a system to remove comments that people complained about, it was still liable for the complaints.

The European Court of Human Rights agreed to rehear the case, and we hoped for a better outcome this time around — but those hopes have been dashed. The ruling is terrible through and through. First off, it insists that the comments on the news story were clearly “hate speech” and that, as such, “did not require any linguistic or legal analysis since the remarks were on their face manifestly unlawful.” To the court, this means that it’s obvious such comments should have been censored straight out. That’s troubling for a whole host of reasons at the outset, and highlights the problematic views of expressive freedom in Europe. Even worse, however, the Court then notes that freedom of expression is “interfered with” by this ruling, but it doesn’t seem to care — saying that it is deemed “necessary in a democratic society.”

Think about that for a second.

The Court tries to play down the impact of this ruling, by saying it doesn’t apply to any open forum, but does apply here because Delfi was a giant news portal, and thus (1) had the ability to check with lawyers about this and (2) was publishing the story and opening it up for comments.

The rest of the ruling is… horrific. It keeps going back to this “hate speech” v. “free speech” dichotomy as if it’s obvious, and even tries to balance the “right to protection of reputation” against the right of freedom of expression. In other words, it’s the kind of ridiculous ruling that will make true free expression advocates scream.

When examining whether there is a need for an interference with freedom of expression in a democratic society in the interests of the ?protection of the reputation or rights of others?, the Court may be required to ascertain whether the domestic authorities have struck a fair balance when protecting two values guaranteed by the Convention which may come into conflict with each other in certain cases, namely on the one hand freedom of expression protected by Article 10, and on the other the right to respect for private life enshrined in Article 8

And the court insists that the two things — reputation protection and free speech “deserve equal respect.” That’s bullshit, frankly. The whole concept of a right to a reputation makes no sense at all. Your reputation is based on what people think of you. You have no control over what other people think. You can certainly control your own actions, but what people think of you?

The court sets up a series of areas to explore in determining if Defli should be held liable for those comments. In the US, thanks to Section 230 of the CDA, we already know the answer here would be “hell no.” But without a Section 230 in Europe — and with the bizarre ideas mentioned above — things get tricky quickly. So even though the court readily agrees that the article Defli published “was a balanced one, contained no offensive language and gave rise to no arguments about unlawful statements” it still puts the liability on Delfi. Because the site wanted comments. It actually argues that because Delfi is a professional site and thus comments convey economic advantage, Delfi is liable:

As regards the context of the comments, the Court accepts that the news article about the ferry company, published on the Delfi news portal, was a balanced one, contained no offensive language and gave rise to no arguments about unlawful statements in the domestic proceedings. The Court is aware that even such a balanced article on a seemingly neutral topic may provoke fierce discussions on the Internet. Furthermore, it attaches particular weight, in this context, to the nature of the Delfi news portal. It reiterates that Delfi was a professionally managed Internet news portal run on a commercial basis which sought to attract a large number of comments on news articles published by it. The Court observes that the Supreme Court explicitly referred to the fact that the applicant company had integrated the comment environment into its news portal, inviting visitors to the website to complement the news with their own judgments and opinions (comments). According to the findings of the Supreme Court, in the comment environment, the applicant company actively called for comments on the news items appearing on the portal. The number of visits to the applicant company?s portal depended on the number of comments; the revenue earned from advertisements published on the portal, in turn, depended on the number of visits. Thus, the Supreme Court concluded that the applicant company had an economic interest in the posting of comments. In the view of the Supreme Court, the fact that the applicant company was not the writer of the comments did not mean that it had no control over the comment environment…

Also? Having “rules” posted for comments somehow increases the site’s liability, rather than lessens it as any sane person would expect:

The Court also notes in this regard that the ?Rules of comment? on the Delfi website stated that the applicant company prohibited the posting of comments that were without substance and/or off-topic, were contrary to good practice, contained threats, insults, obscene expressions or vulgarities, or incited hostility, violence or illegal activities. Such comments could be removed and their authors? ability to post comments could be restricted. Furthermore, the actual authors of the comments could not modify or delete their comments once they were posted on the applicant company?s news portal ? only the applicant company had the technical means to do this. In the light of the above and the Supreme Court?s reasoning, the Court agrees with the Chamber?s finding that the applicant company must be considered to have exercised a substantial degree of control over the comments published on its portal.

Yes, that’s right. They get in more trouble for posting rules saying behave. It’s incredible.

The next key finding: because commenters are anonymous and anonymity is important — and because it’s difficult to identify anonymous commenters — well, fuck it, just put the liability on the site instead. That really does seem to be the reasoning:

According to the Supreme Court?s judgment in the present case, the injured person had the choice of bringing a claim against the applicant company or the authors of the comments. The Court considers that the uncertain effectiveness of measures allowing the identity of the authors of the comments to be established, coupled with the lack of instruments put in place by the applicant company for the same purpose with a view to making it possible for a victim of hate speech to effectively bring a claim against the authors of the comments, are factors that support a finding that the Supreme Court based its judgment on relevant and sufficient grounds. The Court also refers, in this context, to the Krone Verlag (no. 4) judgment, where it found that shifting the risk of the defamed person obtaining redress in defamation proceedings to the media company, which was usually in a better financial position than the defamer, was not as such a disproportionate interference with the media company?s right to freedom of expression….

Further on the question of liability, the court finds that because Delfi’s filter wasn’t good enough, that exposes it to more liability. I wish I were making this up.

Thus, the Court notes that the applicant company cannot be said to have wholly neglected its duty to avoid causing harm to third parties. Nevertheless, and more importantly, the automatic word-based filter used by the applicant company failed to filter out odious hate speech and speech inciting violence posted by readers and thus limited its ability to expeditiously remove the offending comments. The Court reiterates that the majority of the words and expressions in question did not include sophisticated metaphors or contain hidden meanings or subtle threats. They were manifest expressions of hatred and blatant threats to the physical integrity of L. Thus, even if the automatic word-based filter may have been useful in some instances, the facts of the present case demonstrate that it was insufficient for detecting comments whose content did not constitute protected speech under Article 10 of the Convention…. The Court notes that as a consequence of this failure of the filtering mechanism, such clearly unlawful comments remained online for six weeks….

Then the court says that because the “victims” of “hate speech” can’t police the interwebs, clearly it should be the big companies’ responsibility instead:

Moreover, depending on the circumstances, there may be no identifiable individual victim, for example in some cases of hate speech directed against a group of persons or speech directly inciting violence of the type manifested in several of the comments in the present case. In cases where an individual victim exists, he or she may be prevented from notifying an Internet service provider of the alleged violation of his or her rights. The Court attaches weight to the consideration that the ability of a potential victim of hate speech to continuously monitor the Internet is more limited than the ability of a large commercial Internet news portal to prevent or rapidly remove such comments.

Finally, the court says that since the company has stayed in business and is still publishing, despite the earlier ruling, it proves that this ruling is no big deal for free speech.

The Court also observes that it does not appear that the applicant company had to change its business model as a result of the domestic proceedings. According to the information available, the Delfi news portal has continued to be one of Estonia?s largest Internet publications and by far the most popular for posting comments, the number of which has continued to increase. Anonymous comments ? now existing alongside the possibility of posting registered comments, which are displayed to readers first ? are still predominant and the applicant company has set up a team of moderators carrying out follow-up moderation of comments posted on the portal (see paragraphs 32 and 83 above). In these circumstances, the Court cannot conclude that the interference with the applicant company?s freedom of expression was disproportionate on that account either.

The ruling is about as bad as you can imagine. It is absolutely going to chill free expression across Europe. Things are a bit confusing because the EU Court of Justice has actually been much more concerned about issues of intermediary liability, and this ruling contradicts some of those rulings, but since the two courts are separate and not even part of the same system, it’s not clear what jurisdiction prevails. It is quite likely, however, that many will seize upon this European Court of Human Rights ruling to go after many websites that allow comments and free expression in an attempt to block it. It is going to force many sites to either shut down open comments, curtail forums or moderate them much more seriously.

For a Europe that is supposedly trying to build up a bigger internet industry, this ruling is a complete disaster, considering just how much internet innovation is based on enabling and allowing free expression.

There is a dissenting opinion from two judges on the court, who note the “collateral censorship” that is likely to occur out of all of this.

In this judgment the Court has approved a liability system that imposes a requirement of constructive knowledge on active Internet intermediaries (that is, hosts who provide their own content and open their intermediary services for third parties to comment on that content). We find the potential consequences of this standard troubling. The consequences are easy to foresee. For the sake of preventing defamation of all kinds, and perhaps all ?illegal? activities, all comments will have to be monitored from the moment they are posted. As a consequence, active intermediaries and blog operators will have considerable incentives to discontinue offering a comments feature, and the fear of liability may lead to additional self-censorship by operators. This is an invitation to self-censorship at its worst.

It further notes how this works — in such a simple manner it’s disturbing that the court didn’t get it:

Governments may not always be directly censoring expression, but by putting pressure and imposing liability on those who control the technological infrastructure (ISPs, etc.), they create an environment in which collateral or private-party censorship is the inevitable result. Collateral censorship ?occurs when the state holds one private party A liable for the speech of another private party B, and A has the power to block, censor, or otherwise control access to B?s speech?. Because A is liable for someone else?s speech, A has strong incentives to over-censor, to limit access, and to deny B?s ability to communicate using the platform that A controls. In effect, the fear of liability causes A to impose prior restraints on B?s speech and to stifle even protected speech. ?What looks like a problem from the standpoint of free expression … may look like an opportunity from the standpoint of governments that cannot easily locate anonymous speakers and want to ensure that harmful or illegal speech does not propagate.? These technological tools for reviewing content before it is communicated online lead (among other things) to: deliberate overbreadth; limited procedural protections (the action is taken outside the context of a trial); and shifting of the burden of error costs (the entity in charge of filtering will err on the side of protecting its own liability, rather than protecting freedom of expression).

It’s disappointing they were unable to convince their colleagues on this issue. This ruling is going to cause serious problems in Europe.

Filed Under: cda 230, comments, defamation, estonia, europe, european court of human rights, free expression, free speech, hate speech, intermediary liability, liability, moderating comments, secondary liability
Companies: delfi