Data offences by corporations, governments or secret services are hardly being sanctioned at all under criminal law. This creates a legal vacuum – and a lot of power.
Data is valuable. A friend of mine, David, recently got his laptop stolen from inside a car. Unfortunately also the two backups were gone, he had put them together in a bag in the hectic of packing. He was smashed to the ground. Ten years of his digital identity were lost. Correspondence, documents, activities, ideas, sketches, texts, photos, many contacts, approaches, memories, you name it. His friends could only show their concern, but hardly measure his loss.
Still, this is not about petty crime. This example of data loss only shows what we already suspect: Our data sphere has become part of what defines us as a person. Just like an ancient poet is forgotten when his writings are lost, so also a part of us lives in our data.
Whoever holds our collected data treasure in their hands can gain more intimate access to our brain than we have ourselves. E.g., an appropriate algorithm can read out a possible tendency to depression from an ordinary instagram account — and it can reliably predict the time of the next surge. Nothing less than this dimension, this sphere, is at stake when we use the term “privacy”. We expect anyone who deals with this part of us to handle it carefully and strictly within the framework we ourselves desire.
Data offences are anything but trivial
Has anyone noticed? The word data offence is unusual, it currently has less than 700 hits in Google search, data offender is rarely found while sexual offender has over 1,5 million results. We speak of “data breaches,” “unauthorized data collections,” “intrusion“. Which doesn’t clarify that these sometimes involve massive incapacitation and threats to our security. The sanctions are correspondingly lax. For data processors, the worst — albeit unlikely — scenario is public exposure with a few conditions. Among politicians, the maximum penalty is resignation from an office. That’s what we already call “putting heads on the block”.
Data protection officers are the tomfools of the modern age. Data protection is regarded as an annoying formality and a brake on efficiency, and not – as it should be – as an indispensable tool for a self-determined future. The respect for our digital persona so low, that you can violate it with impunity:
When spying out and intercepting data, the reconnaissance rate is around 20 percent (figures given for Germany), and for data modification / computer sabotage between 10 and 40 percent, depending on the occurrence. If a suspect is identified, the number of convictions is around 4 percent. The specialist blog Cives.de writes about these miserable condemnation rates of data offence:
There’s hardly ever an indictment. This can be explained by the fact that most of these offences are already brought to an end by the public prosecutor’s office before the charges are brought. It can do this if it considers the offence to be a misdemeanour, if it considers the offender’s guilt to be low or if it cannot see any public interest in the prosecution. It may also waive a claim if the suspect pays damages or a sum of money.
The number of convictions in Germany is in the lower two-digit range every year. And they are likely to be monetary penalties in particular, in no case existential ones such as social work or even prison sentences.
- The company Cambridge Analytica from the environment of the right-wing radical Steve Bannon has, with Facebook’s approval, misappropriated 50 to 87 million data records (including their friend contacts) in order to promote the presidency of Donald Trump and presumably the Brexit. Even if one considers that the company went bankrupt (in the meantime it has been newly founded) and the whole thing meant quite a scandal for Facebook, from the investors’a point of view it was worth the effort. One can assume that many of those affected would have vehemently contradicted this use of their data and are suffering from the political consequences today.
The judicial treatment: Yes, there were embarrassing hearings of Mark Zuckerberg before committees of the US Congress and the EU Parliament. But even the threat of a maximum fine of 500,000 pounds in the UK could not persuade Facebook to cooperate and be fully transparent. No wonder, the amount corresponds to a fluctuation of the Facebook share price by 0.000002 percent. When the trade authority FTC imposed a fine of 5 billion US dollars in the USA, this was at least seen as a slap on the wrist – and caused the share price to rise because of the security now gained. What did not happen were house searches, interrogations, imprisonment for contempt or imprisonment, as would have been the case with economic crimes of this magnitude. And one single, harmless lawsuit for data transparency is currently underway to shed some light on the matter.
- The production and export of espionage software to countries such as Saudi Arabia, Brunei, Turkmenistan etc. helps the local governments to locate opposition members and silence them. This is comparable to the production and supply of weapons. Because these so-called dual-use goods, are in any case only suitable for one thing: spying on people, whether legal or illegal. That the embargo that has been carried off is a scandal that should disqualify the politicians involved. But even without an embargo, it is clear to anyone that this software is used to deliver unwanted persons as lambs to the slaughter.
The judicial treatment: The companies involved in the questionable deals and even their representative protocols have been published on Wikileaks. In a single, admitted indictment by Privacy International against Gamma International UK Ltd., an investigation was conducted by the OECD’s National Contact Point. The concluding report contained a series of friendly recommendations to orient oneself in future to “the general obligations to respect human rights” and “to meet the standards of the guidelines”. The very style of the report is a slap in the face for the upright democrats who are imprisoned in Bahraini torture prisons:
The UK NCP also considers that the company’s overall engagement with theNCP process has been unsatisfactory, particularly in view of the serious nature of the issues raised. Through its legal representative, the company hasraised obstacles to the complaint’s progress, whilst failing to provide information that would help the NCP make a prompt and fair assessment of these. The NCP considers that this does not have the appearance or practical effect of acting in good faith and respecting the NCP process.
- A school in Pennsylvania hit the headlines in 2010 after schoolkids were targeted via cameras and screenshots from hundreds of school laptops at their homes. The school’s interest was obviously focusing at a potential drug abuse by the pupils. Ten thousands of photos of private situations were taken and some of them exchanged and discussed by the employees.
The judicial treatment: In the end, the school had to pay a fine of 610,000 US dollars after a civil class action lawsuit, mainly because nude pictures were involved. However, a criminal offence committed by employees was not prosecuted by the courts because “no evidence of criminal intent” had been provided. In this respect, the spying itself was not considered illegal.
- Last, not least – what happened to the Snowden revelations? In a nutshell: We had various large-scale surveillance programs that were not controlled by parliaments and actually hidden from them. The Five Eyes secret services of Australia, Canada, Great Britain, New Zealand and the USA, were particularly involved. From recording all Internet communications (full take) to spying on friendly politicians, from slandering individual people to intimidating the press, every crime one can imagine is taking place here. Tapped laptop cameras, manipulated online votes, the instrumentalization of terrorist threats, industrial espionage, private research – apart from the limits of what is technically feasible, the secret services knew and know no taboos.
The judicial treatment: The participating states (and others) immediately set about reviewing the practices outlined – and legalizing them almost completely. E.g., instead of (unlawfully) spying out one’s own population, they changed to spying out each others populations (in accordance with the law) and then exchanging the data obtained. Almost all the practices uncovered violate the spirit and letter of every democratic constitution. They should lead to dozens of responsible persons going behind bars for decades. Instead, the bearer of the message is discredited and criminalized..
On privacynotprism.org.uk you get an impression of what the legal process has achieved in the model democracy of Great Britain: A full concession that the monitoring practice is contradicted the European Charter of Human Rights, a continuation of the practices under slightly changed – and thus legalized – premises. Full stop. The sequel is currently under way: A hearing by the European Court of Human Rights.
Compared to all other participating countries, these are dream successes. Still not a single official has been brought to justice. No employee was personally held liable for the wide range of offenses committed by the GCHQ. Noone was was determined for „high treason by anti-constitutional actions“ and „crimes against humanity“ (like the head of Stasi Erich Mielke was after the end of the GDR). The prosecutor’s office in Cologne had initiated in the matter of GCHQ versus Stellar investigations „against unknown“. From the results, nothing is heard until today.
Conclusion: The perpetrators have to fear exactly nothing. The examples illustrate a legal understanding that sees the abuse of data or the violation of privacy as casual oversights, well-meaning trivial offenses, economic thinking or legitimate state self-protection. It’s embarrassing for a few employees or directors to get caught. But in the worst case it costs company money and a career setback of one to two years. Bad luck.
Offences against data are offences against persons
Normally, it is right-wing regulars’ speakers who demand ever harsher punishments. As a satisfaction, out of anger, so that the insecure world may come back into order. As a humanist, I don’t enjoy seeing someone stew in jail. Hardly anyone is finally “improved” there. And yet I plead for harder (or better appropriate, even perceptible) punishments for data crimes. Above all for reasons of deterrence, so that criminal behaviour is perceived as criminal. And because I would consider it fair – within the framework of our judicial system.
If someone has repeatedly driven much too fast and his driving licence is revoked, this is a noticeable sanction. He must have ignored several warnings and followed his drive unflinchingly. If he has actually endangered others, we think it is right to punish him more severely. And with bodily injury the game is over completely.
If someone networks the data of millions of people in such a way that they become transparent citizens and thus massively restrict their fundamental rights, turning them into anxious and incapacitated state appendages instead of sovereigns, what does he have to fear? Contradiction? A critical press? A rebuke or even a career damper? Reasonably, he would have to be removed from office immediately and then justify himself under criminal law for his anti-constitutional activities.
The signal is clear: you can fiddle with other people’s data as you like, you really have nothing to fear.
This isn’t about “Lock them up!” Of course matters have to be weighed. This is no different in the case of shoplifting, where the spectrum ranges from accidentally taking something unpaid to gang-like serial offenders. Someone who unknowingly works sloppily with data is different to someone who maliciously damages others for personal reasons. And someone who has made spying his business model is to be judged differently. It’s important that a verdict is reached and that this reflects the convicted person’s (for others possibly existentially) harmful behavior.
Perhaps it is also psychology that offers us a bargain: Going to a store and stealing something is a physical process. It has the smell of the antisocial. Concluding a dividend stripping deal or playing Monopoly with data is a quasi-virtual process committed on the computer in a clean environment. This “gentleman” image stands in the way of an objective evaluation. A judge is more likely to take the excuses of an eloquent executive in a well-fitting blazer than those of the member of a rip-off gang in broken english. Here we need a rethink.
We would have a lot to gain: Appropriate penalties for data misuse could lead to a world where it feels okay to entrust all your data to a cloud in any functioning democracy. And this would also have helped my friend David.