All around the world we see public authorities requesting access to more and more individual user data, in particular from telecommunication operators and Internet service providers. Information revealed by Edward Snowden showed us how such measures can escalate into mass surveillance programmes that violate citizens' fundamental rights.
In our first attempt at a “transparency report”, we looked at what happens at the interface of Internet service providers and public authorities in Poland. Who sends requests for users' data? How many and for what purpose? What legal procedures are followed and what safeguards apply? Our pilot study includes analysis of legal provisions and collection of data from both major Internet Service Providers and public authorities. The report explains systemic problems that were identified in our research and that should be solved in order to ensure adequate standard of protection for individuals. Data on requests made by public authorities was collected with the help of four Polish Internet Service Providers: Agora, Google, INTERIA.PL and Onet.
The study showed that the unquestioned leader in terms of requests for Internet user data in Poland is the prosecutor’s office (62,7% of the requests reported by the ISPs participating in the study). The police placed second (33,2%). Requests submitted directly by courts are much less frequent, while requests from government authorities are entirely marginal.
None of the companies participating in the pilot study gathers detailed data regarding the legal grounds which the government authorities rely on, and those public entities that make most data requests refused to answer the question about legal grounds for their requests. A vast majority of requests for Internet users’ data passes through judicial or law enforcement authorities that obtain data for the purposes of criminal proceedings. Assuming that the information provided is reliable, and the government does not make covert requests for data gathered by the companies, there are no premises for assuming that Polish government agencies implement programs of mass surveillance in the scope of collecting information on individuals using Internet services.
Information regarding the number of requests from public institutions was made available by all four companies taking part in the pilot study. In the period included in the study, the number of requests from public authorities rose consistently. What is the reason for that growth? There is reason to believe that the rise in the number of requests for Internet users’ data on the part of government bodies is a side effect of increased social activity on the Internet. Due to the fragmented nature of the data analysed, it is difficult to judge whether or not the increase in data requests is a broader and permanent tendency. In any case, reducing the discussion on government authorities' willingness to know about their citizens and how this affects online service providers into simple numbers is an unnecessary and dangerous simplification. It is not the scale which is important, but primarily whether public authorities make requests only when they have valid grounds, and whether companies respond only when they have to.
The principles for collecting and storing customer data in Poland are regulated by the Act on Providing Services by Electronic Means and the Act on Personal Data Protection (APSEM). However, these provisions may be disregarded by those companies which do not fall within Polish jurisdiction, even if they operate on the Polish market. Polish regulations do not allow for the free access of the government to databases in which companies store the data of Internet users. The prosecutor’s office, the police, and other bodies may only obtain information regarding specific individuals, and they must always present an appropriate decision that clearly spells out its legal grounds. The law does not precisely specify the elements which a data request addressed by government authorities to a private company should contain. This causes interpretative doubts which the companies have to resolve according to their own judgement and at their own risk.
The article was originaly published in EDRi-gram newsletter - Number 12.9, 7 May 2014.