W7y8w3

congibo

W7y8w3

Global Information Society Watch 2014Global InformationSociety Watch 2014Communications surveillance in the digital ageAssociation for Progressive Communications (APC)and Humanist Institute for Cooperation with Developing Countries (Hivos)


Global Information Society Watch2014


Global Information Society Watch 2014Table of contentsSteering committeeAnriette Esterhuysen (APC)Loe Schout (Hivos)Coordinating committeeMonique Doppert (Hivos)Valeria Betancourt (APC)Mallory Knodel (APC)Project coordinatorRoxana Bassi (APC)EditorAlan FinlayAssistant editor, publication productionLori Nordstrom (APC)ProofreadingValerie DeeStephanie WildesGraphic designMonocromoinfo@monocromo.com.uyPhone: +598 2400 1685Cover illustrationMatías BervejilloFinancial support provided byHumanist Institute for Cooperation with Developing Countries (Hivos)Global Information Society WatchPublished by APC and Hivos2014Creative Commons Attribution 3.0 Licence‹creativecommons.org/licenses/by-nc-nd/3.0›Some rights reserved.ISSN: 2224-5162ISBN: 978-92-95102-15-6APC-201408-CIPP-R-EN-P-206Printed in UruguayPreface .......................................................... 7Edwin Huizing, (hivos) and Anriette Esterhuysen (apc)Introduction .................................................. 9Gus Hosein - privacy InternationalA principled fight against surveillance ...... 11Katitza Rodríguez - electronic Frontier FoundationThematic reportsDigital surveillance .....................................19Elijah Sparrow - leap encryption access projectThe myth of global online surveillanceexempted from compliance withhuman rights ............................................... 25Alberto J. Cerda Silvauniversity of chile law school and ong derechos digitalesThe harms of surveillance to privacy,expression and association ....................... 29Jillian York - electronic frontier foundationCyber security, civil society and vulnerabilityin an age of communicationssurveillance ................................................. 32Alex Comninos and Gareth Senequejustus-liebig university giessen and geist consultingFrom digital threat to digitalemergency .................................................... 41Fieke Jansen, hivos – the digital defenders partnershipIntermediary liability and statesurveillance ................................................. 45Elonnai Hickok - centre for internet and society (cis) indiaUnmasking the Five Eyes’ globalsurveillance practices ................................. 51Carly Nyst and Anna Crowe - privacy internationalCountry reportsIntroduction ................................................ 57Argentina ..................................................... 60Nodo TAUAustralia ...................................................... 64Andrew GartonBahrain ........................................................ 69Ali AbdulemamBangladesh ................................................. 72Bytes for All BangladeshBolivia .......................................................... 76Fundación REDESBosnia and Herzegovina ........................... 79OneWorld Platform for Southeast Europe(OWPSEE) FoundationBrazil ............................................................ 83Brazilian Institute for Consumer Defense (Idec)Bulgaria ....................................................... 86BlueLink.netBurundi (East Africa region) ...................... 90Collaboration on International ICTPolicy in East and Southern Africa (CIPESA)Cameroon .................................................... 94PROTEGE QVCanada ......................................................... 98AlternativesChile ........................................................... 102ONG Derechos DigitalesChina ........................................................... 106DanweiColombia .................................................... 110ColnodoCongo, Republic 0f .................................... 114AZUR Développement


Costa Rica .................................................. 117Cooperativa Sulá BatsúEgypt .......................................................... 121Leila HassaninEthiopia ...................................................... 125Ethiopian Free and Open Source SoftwareNetwork (EFOSSNET)Gambia, The .............................................. 129Front Page InternationalHungary ...................................................... 133Éva TormássyIndia ............................................................ 137Digital Empowerment Foundation (DEF)Indonesia ................................................... 141Jamaica ....................................................... 143University of the West IndiesJapan ........................................................... 147Japan Computer Access for EmpowermentJordan ......................................................... 151Alarab AlyawmKenya .......................................................... 155Kenya ICT Action Network (KICTANet)Korea, Republic of ..................................... 159JinbonetKosovo......................................................... 163FLOSSKLebanon ..................................................... 166Mireille RaadMexico ........................................................ 169SonTusDatosNepal .......................................................... 174Development Knowledge Managementand Innovation Services Pvt. Ltd.New Zealand .............................................. 178Association for Progressive Communications(APC) and Tech LibertyNigeria ........................................................ 182Fantsuam FoundationPakistan ...................................................... 185Bytes for AllPeru ............................................................ 190Red Científica Peruana and UniversidadPeruana de Ciencias AplicadasPhilippines ................................................. 193Computer Professionals’ UnionPoland ........................................................ 198Panoptykon FoundationRomania ................................................... 202StrawberryNet Foundation and SapientiaHungarian University of TransylvaniaRussia ........................................................ 206Oliver PooleRwanda ....................................................... 210Emmanuel HabumuremyiSenegal ...................................................... 214JONCTIONSerbia ......................................................... 217SHARE Foundation/SHARE DefenseSlovak Republic ....................................... 220European Information Society Institute (EISi)South Africa .............................................. 224Department of Journalism, Film and Television,University of JohannesburgSudan ........................................................ 228Liemia Eljaili AbubkrSwitzerland ................................................232Communica-chSyria ............................................................236Karim BitarThailand .................................................... 240Thai Netizen NetworkTunisia ....................................................... 244Afef AbrouguiTurkey ........................................................ 248Evin Barış AltıntaşUganda .......................................................252Women of Uganda Network (WOUGNET)United Kingdom .........................................256Open Rights GroupUnited States of America ......................... 262AccessUruguay ......................................................267DATAVenezuela ...................................................270Escuela Latinoamericana de Redes (EsLaRed)Yemen .........................................................276Walid Al-SaqafZimbabwe ................................................. 280MISA-ZimbabwePrefaceThe internet is a critical way to push for the progressiverealisation of people’s rights – but, through communicationssurveillance, its potential to be used as a tool for collective,democratic action is slowly being eroded. Users have evenlost trust in it as a safe platform for day-to-day personalcommunications.Using the 13 International Principles on the Application ofHuman Rights to Communications Surveillance as a basis, thisGlobal Information Society Watch (GISWatch) considers thestate of surveillance in 57 countries. Eight thematic reportsframe the key issues at stake.As the reports show, both states and businesses are complicitin communications surveillance. While there is a need forsystems to monitor and protect the public from harm, the rightto privacy, the transparency and accountability of states andbusinesses, and citizen oversight of any surveillance systemare important advocacy concerns.These 13 Principles are an important starting point for civilsociety to achieve this collective action – to push action fordemocratic oversight of surveillance. We hope this issue ofGISWatch contributes towards this change.Edwin Huizingexecutive director, hivosAnriette Esterhuysenexecutive director, apcPreface / 7


IntroductionGus HoseinExecutive director, Privacy Internationalwww.privacyinternational.orgThe extent to which we communicate is part of whatmakes us human. The quest to articulate our needs,desires, interests, fears and agonies motivateddrawing, the gesture, the spoken word and its writtenform. Conversations led to letters, couriers ledto the post, followed on by telegraphs, telephones,mobiles and internet working. We now relay ourmost intimate thoughts and interests over communicationsmedia. Yet with new revelations andinnovations, we are seeing the growing ambitionsof governments and companies to track, monitor,analyse and even monetise the communicative actionsthat are core to our being. To protect humanautonomy in modern society, it is essential for us togovern communications surveillance.Social and technological changes have increasedthe power and pervasiveness of surveillance. First,nearly everything we do today is a communicativeact that is digitally observable, recordable, andmost likely logged, and analysed from the earliestof stages, retrospectively, and in real time. Even ourmovements are logged by service providers.Second, unlike our ephemeral spoken wordsamongst friends in a room, nearly every communicationcan now be collected, analysed, retainedand monetised. It is now possible to capture thecommunications of an entire nation – the modernequivalent of listening to every private and publicconversation in rooms, in homes and offices, townhalls, public squares, cafés, pubs and restaurantsacross the nation.Third, every communication generates increasinglysensitive metadata – data related tothe communications – that is captured, logged,rendered accessible, and mined to draw lists ofsuspects and targets, and to understand our relationshipsand interactions.Fourth, nearly every communication today involvesa third party – the post office, the mobilephone company, the search engine, and the underseacable company, who are likely to be tasked withsurveillance on behalf of the state.Fifth, all of this surveillance can now be donein secret – the tampered envelope is now replacedwith perfect, secretive replications of communications,captured at a number of points in a network.Because of these structural changes to communicationsand the ways we live our lives, there is anew urgency to govern the capabilities of governmentsto trample on privacy.• Following us or knowing everywhere we havebeen is now possible, as our mobile phonesroutinely connect with nearby mobile phone celltowers. Governments seek to access these logseven as companies seek to data-mine the informationfor profiling and “big data” analyses.• Web surfing, the modern equivalent of a walkdown the high street and around the public square,is now monitored by analytics companies and, inturn, governments. Both are keen to understandour interests and desires. Consequently, identifyingeveryone at a public event or in a given areanow requires only accessing records from nearbycell towers, or even launching a police-run mobilebase station that identifies every proximate mobiledevice. The powers of “stop and show yourpapers” will be replaced with the automated andsecretive deployment of device scanners.• While we previously needed secret police andinformants to identify people’s known associates,governments can routinely generate listsof relationships and track interactions by monitoringour communications metadata from chat,text messaging, social networks, emails, and ofcourse, voice communications. This also helpsgenerate lists of previously unknown suspectsor targets. “Guilt by association” could be assessedby who you follow on Twitter, and friendsof friends on Facebook.• And whereas before governments needed to trainspies to infiltrate our friendships and other networks,and to search our homes and go throughour files, they can merely compromise our computersand mobile phones, surreptitiously turnon our cameras and microphones, and gain accessto all our correspondence, documents,images and videos, and even passwords.Introduction / 9


Despite all these dramatic changes in capabilities,unprecedented in the history of surveillance andtechnology, governments are every day seekingto establish new and greater powers, complainingthat they are losing capabilities, or “going dark”.Yet this is the golden age of surveillance. It is madepossible by ambitious intelligence agencies andpolice services, poorly regulated by politicians whoare resistant to understanding technology and humanrights. It is spurred by a surveillance industrythat develops and sells new technologies to governmentsacross the world. And it is enabled bycompanies who fail to secure our communicationsinfrastructure, acquiesce to government demands,and do not resist bad policy that make availablefor access ever larger stores of information on us,generated to profit from our relationships with ourfriends, families and colleagues.We must not presume that this is only aboutcommunications privacy. As nearly everythinginvolves communication in modern society, communicationssurveillance can itself generate previouslyunseen power for the watchers over the watched:individuals, groups and even societies. Because ofthis, the true debate over surveillance resides inquestions of the rule of law: Are some institutionsand capabilities above such a totemic principle?When it comes to modern governance, how do ourexisting governance structures meet the challengesof a new increasingly interconnected society? Or nationalsecurity: Can effective and identifiable linesbe drawn around such an amorphous concept togive clarity to the public?We have barely scratched the surface on any ofthese questions, and within all of this we find ourselvesracing to the future where the boundariesof privacy will be further tested, innocuous informationincreasingly revelatory, and the power tosurveil increasing in its power and scope.Nonetheless, I believe that in an open anddemocratic debate, societies will choose to regulatesuch power. The challenge is that the debatemust be forced upon our governments. Fortunatelywe now have evidence of some of their secret capabilities,thanks to the incredible contribution fromEdward Snowden, and due to investigations into thesurveillance industry that markets new capabilitiesto governments. We must now act upon this knowledge.We must engage with regulators to ensurethat they are aware of the weaknesses in their regulatedindustries.We must reach out to the legal community sothat they understand the risks that surveillanceposes to the justice system and the rule of law. Weneed to work more with technology communitiesso that they are inspired to build more secure andprivacy-enhancing systems. The media and civil societyorganisations need to be made aware of howsurveillance is targeted at journalists and agents ofchange. We must engage with industry so they understandthe dangers of their choices over design oftechnologies and services and the limited autonomythey provide customers that set new standards forabuse by others. And parliamentarians and policymakers must be informed of the very real roles weexpect them to play in the regulation of agencies andthe safeguarding of the right to privacy of their citizens.Regulatory structures should never be createdto act as false flags of legitimacy: rubber stampshave never been acceptable as a form of regulation,and yet the public is being faced with committeesand courts operating in exactly that way.Ultimately the debate around how to regulatesuch power requires a public presence within it.Society relies on its members to represent its bestinterest. The answers to these puzzling and fundamentalquestions are within us – no one elseis going to force the government to understandour needs and expectations other than ourselves.Quite possibly the most important regulatory rolelies with the public in guaranteeing that those whowatch the watchers know that they are not doingso in isolation. Transparency is a core goal to all ofthis. Vigilance over the operation of all structurescannot waver: from the intelligence agency in itsoperations, to the court that authorises its operations,to the committee that oversees the powersand processes to access such power. At the top ofthis pile is the public: hawkish in its oversight andloud in its judgment.A principled fight against surveillanceKatitza RodríguezElectronic Frontier Foundationwww.eff.orgYears before Edward Snowden leaked his first document,human rights lawyers and activists wereconcerned about a dramatic expansion in law enforcementand foreign intelligence agencies’ effortsto spy on the digital world. It had become evidentthat legal protections had not kept pace with technologicaldevelopments – that the state’s practicalability to spy on the world had developed in a waythat permitted it to bypass the functional limits thathave historically checked its ability to spy. Theseconcerns culminated in the International Principleson the Application of Human Rights to CommunicationsSurveillance, 1 a set of principles intended toguide policy makers, activists and judges to betterunderstand how new surveillance technologieshave been eating away at our fundamental freedomsand how we might bring state spying back inline with human rights standards.Over a year and a half in the making, the final versionof the Principles appeared on 20 July 2013, inthe first weeks of what we might call the Snowdenera. An updated version was issued in May 2014. TheSnowden revelations, once they started rolling in,affirmed the worst of our concerns. Intelligence servicesas well as law enforcement had taken it uponthemselves to spy on us all, with little considerationfor the societal effects. Lawmakers and even the executivehad little comprehension of the capabilities oftheir own spymasters, and how our digital networkswere being turned against all individuals everywhere.The need for the Principles was confirmedin spades, but the long and difficult job of applyingthem to existing practices was just beginning.Since then, the Principles have, we hope, beena lodestar for those seeking solutions to the starkreality exposed by Snowden: that, slipping throughthe cracks of technological developments and outdatedlegal protections, our governments haveadopted practices of mass surveillance that rendermany of our most fundamental rights effectively1 https://en.necessaryandproportionate.org/textmeaningless. The Principles have been signed byover 470 organisations and individual experts, andhave played a central guiding role in a number ofthe rigorous debates on the need to limit states’increasingly expansive surveillance capacities.Their impact is already evident in, for example, theUS president’s Review Group on Intelligence andCommunications Technologies report, the Inter-American Commission on Human Rights report 2 andthe Office of the United Nations High Commissionerfor Human Rights’ recent report on the right toprivacy in the digital age. 3 Their influence has alsomanifested in some of the administrative and legislativeattempts to address surveillance problemspost-Snowden. Perhaps most importantly, theyhave functioned as a rallying point for campaigningand advocacy initiatives around the world.Below, we spell out some of the key features ofthe Principles. A more detailed explanation of thelegal grounding for our conclusions in human rightsjurisprudence can be found in a Legal Analysis andBackground Materials document generated in supportof the Principles. 4Core definitions in internationalhuman rights lawThe Principles begin with defining two core conceptsthat spell out the “what” and the “how” ofmeasured surveillance. The first concept focuses onthe type of data to be protected, while the secondone ensures that a broad range of surveillance activityconstitutes an interference with privacy rights.Outdated definitions of these two terms have led toexpansive surveillance practices, as wide swaths ofsensitive data or surveillance activities have beendeemed outside the scope of legal protections.These definitional changes are designed to re-focusprivacy protections away from artificial examinationsof the kind of data or method of interference,and back on the ultimate effect on the privacy of theindividual.2 www.oas.org/en/iachr/expression/docs/reports/2014_04_22_%20IA_2013_ENG%20_FINALweb.pdf3 www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf4 https://en.necessaryandproportionate.org/LegalAnalysis10 / Global Information Society Watch Introduction / 11


Protected informationThe Principles make clear that it is time to movebeyond the fallacy that information about communicationsdoes not pose as serious a threat toprivacy as the content of communications. Informationabout communications, also called metadata,subscriber information or non-content data, caninclude the location of your mobile phone, clickstreamdata, 5 search logs, or anonymous onlineactivity. Individually, these can be just as invasiveas reading your email or listening to your phonecalls. When combined and analysed en masse, thepicture painted by such data points can be far morerevealing than the content of the communicationsthey accompany. In spite of this reality, pre-internetage (in fact, postal service-based!) legal conceptionshave persisted in some legal systems, offeringless or, in some instances, no protection at all to informationthat is not classified as “content”. Whatis important is not the kind of data that is collected,but its effect on the privacy of the individual.As explained in the Legal Analysis and BackgroundMaterials which have been prepared for thePrinciples:The Principles use the term “protected information”to refer to information (including data) thatought to be fully and robustly protected, even ifthe information is not currently protected by law,is only partially protected by law, or is accordedlower levels of protection. The intention, however,is not to make a new category that itselfwill grow stale over time, but rather to ensurethat the focus is and remains the capability ofthe information, alone or when combined withother information, to reveal private facts about aperson or her correspondents. As such, the Principlesadopt a singular and all-encompassingdefinition that includes any information relatingto a person’s communications that is not readilyavailable to the general public.This concern has been addressed by the latestreport of the Office of the High Commissioner forHuman Rights (OHCHR), which made clear that:From the perspective of the right to privacy, thisdistinction between [content and metadata] isnot persuasive. The aggregation of informationcommonly referred to as “metadata” may givean insight into an individual’s behaviour, socialrelationships, private preferences and identitythat go beyond even that conveyed by accessingthe content of a private communication.5 en.wikipedia.org/wiki/ClickstreamGiven the revealing nature of metadata and contentalike, states should be restrained from uncheckedinterference with any protected information: fromrevealing a speaker’s identity if it is not public; fromwantonly vacuuming up the websites or social mediaone has visited; from stockpiling informationon all the people one has communicated with; andtracking the “when”, “from where”, and “for howlong” of all our digital activities. In the pre-internetage, the much more limited amount and kind of“metadata” available to law enforcement was treatedas less sensitive than content, but given currentcommunications surveillance capabilities, this canno longer be the case.Communication surveillanceMuch of the expansive state surveillance practicesconfirmed during the past year depend onconfusion over whether actual “surveillance” hasoccurred and thus whether human rights obligationseven apply. Some have suggested that ifinformation is merely collected and kept but notlooked at by humans, no privacy invasion has occurred.Others argue that computers analysingall communications in real time for key wordsand other selectors does not amount to “surveillance”for purposes of triggering legal privacyprotections. Still others seek to reduce privacyprotections to “harmful uses” of information. Suchlegal variations can mean the difference betweenreasonable and carefully targeted investigationsand a surveillance state built on the continuousmass surveillance of everyone.In the digital age, where the most sensitiveportions of our lives are constantly communicatedover digital networks, it has never been moreimportant to ensure the integrity of our communications.It means little whether the interferencetakes the form of real-time monitoring of internettransmission, hacking into individuals’ mobile devices,or mass harvesting of stored data from thirdparty providers. The mere recording of internettransactions – even if ultimately unviewed – canhave serious chilling effects on the use of our mostvital interactive medium. We have to ensure thatall acts of communications surveillance are withinthe scope of human rights protections and, hence,are “necessary and proportionate”.On this front, the OHCHR report made clearthat:[A]ny capture of communications data is potentiallyan interference with privacy and, further,that the collection and retention of communicationsdata amounts to an interference withprivacy whether or not those data are subsequentlyconsulted or used. Even the merepossibility of communications information beingcaptured creates an interference with privacy,with a potential chilling effect on rights, includingthose to free expression and association.To remedy this issue, the Principles define “communicationssurveillance” as encompassing themonitoring, interception, collection, analysis, use,preservation and retention of, interference with,or access to information that includes, reflects orarises from a person’s communications in the past,present or future.Scope of applicationThe Principles also address a long-standing problemarising from narrow interpretations adoptedby some states regarding the extraterritorial applicationof their human rights obligations. Somehave argued that the obligation to respect privacyand other human rights of individuals effectivelystops at their national borders. In a world of highlyintegrated digital networks, where individual interactionsand data routes defy any semblance ofterritorial correspondence, such distinctions aremeaningless. The Principles therefore apply tosurveillance conducted within a state or extraterritorially,and regardless of the purpose for thesurveillance – including enforcing law, protectingnational security, gathering intelligence, or anothergovernmental function.The OHCHR’s report explicitly underscores theprinciple of non-discrimination:Article 26 of the International Covenant on Civiland Political Rights provides that “all personsare equal before the law and are entitled withoutany discrimination to the equal protectionof the law” and, further, that “in this respect,the law shall prohibit any discrimination andguarantee to all persons equal and effectiveprotection against discrimination on any groundsuch as race, colour, sex, language, religion, politicalor other opinion, national or social origin,property, birth or other status.”In this regard, the OHCHR’s report stresses theimportance of “measures to ensure that any interferencewith the right to privacy complies withthe principles of legality, proportionality and necessityregardless of the nationality or location ofindividuals whose communications are under directsurveillance.”The 13 PrinciplesThe substantive Principles are firmly rooted inwell-established human rights law. Generally, anylimits on human rights should be necessary, proportionateand for a set of permissible purposes.These limits must be set out in law, and cannot bearbitrary.Under international human rights law, eachright is divided in two parts. The first paragraphsets out the core of the right, while the secondparagraph sets out the circumstances in whichthat right may be restricted or limited. This secondparagraph is usually called the “permissible limitations”test.Regarding the right to privacy, the UN SpecialRapporteur on Counter-Terrorism 6 and the UN SpecialRapporteur on Freedom of Expression 7 havestated that the “permissible limitations” test underArticle 19 of the International Covenant on Civil andPolitical Rights (ICCPR), among other articles, isequally applicable to Article 17 of the ICCPR, whichprohibits the arbitrary or unlawful interference withprivacy rights.The OHCHR report has neatly summarised theseobligations with respect to Article 17 of the ICCPR:To begin with, any limitation to privacy rightsreflected in article 17 must be provided for bylaw, and the law must be sufficiently accessible,clear and precise so that an individual may lookto the law and ascertain who is authorized toconduct data surveillance and under what circumstances.The limitation must be necessaryfor reaching a legitimate aim, as well as in proportionto the aim and the least intrusive optionavailable. Moreover, the limitation placed on theright (an interference with privacy, for example,for the purposes of protecting national securityor the right to life of others) must be shown tohave some chance of achieving that goal. Theonus is on the authorities seeking to limit theright to show that the limitation is connected toa legitimate aim. Furthermore, any limitation tothe right to privacy must not render the essenceof the right meaningless and must be consistentwith other human rights, including the prohibitionof discrimination. Where the limitation doesnot meet these criteria, the limitation would beunlawful and/or the interference with the rightto privacy would be arbitrary.6 UN Special Rapporteur on the Promotion and Protection of HumanRights and Fundamental Freedoms While Countering Terrorism, A/HRC/13/37.7 UN Special Rapporteur on the Promotion and Protection of theRight to Freedom of Opinion and Expression, A/HRC/23/40.12 / Global Information Society Watch Introduction / 13


Legality: No secret lawsThe principle of legality is a fundamental aspect ofall international human rights instruments and therule of law. It is a basic guarantee against the state’sarbitrary exercise of its powers. For this reason, anyrestriction on human rights must be prescribed bylaw. The meaning of “law” implies certain minimumqualitative requirements of clarity, accessibilityand predictability. Laws limiting human rights cannotbe secret or vague enough to permit arbitraryinterference.On that front, the OHCHR made clear that:To begin with, any limitation to privacy rightsreflected in article 17 must be provided for bylaw, and the law must be sufficiently accessible,clear and precise so that an individual maylook to the law and ascertain who is authorizedto conduct data surveillance and under whatcircumstances.The need to meaningfully and publicly explainrights-infringing practices – while important in allcontexts – is key to any effective check on communicationssurveillance, as such practices tend tobe surreptitious and difficult to uncover. Given thehighly technical and rapidly evolving nature of communicationssurveillance, it is also incumbent thatlaws are interpreted publicly and not through secretprocesses effectively free from public scrutiny.The state must not adopt or implement a surveillancepractice without public law defining its limits.Moreover, the law must meet a standard of clarityand precision that is sufficient to ensure that individualshave advance notice of, and can foresee, itsapplication. When citizens are unaware of a law, itsinterpretation, or the scope of its application, it iseffectively secret. A secret law is not a legal limit onhuman rights.In her landmark report, UN High Commissionerfor Human Rights Navi Pillay made clear that:[S]ecret rules and secret interpretations – evensecret judicial interpretations – of law do nothave the necessary qualities of “law”. Neitherdo laws or rules that give the executiveauthorities, such as security and intelligenceservices, excessive discretion; the scope andmanner of exercise of authoritative discretiongranted must be indicated (in the law itself, orin binding, published guidelines) with reasonableclarity. A law that is accessible, but thatdoes not have foreseeable effects, will not beadequate. The secret nature of specific surveillancepowers brings with it a greater risk ofarbitrary exercise of discretion which, in turn,demands greater precision in the rule governingthe exercise of discretion, and additionaloversight.Legitimate aimLaws should only permit communications surveillanceby specified state authorities to achieve alegitimate aim that corresponds to a predominantlyimportant legal interest that is necessary in a democraticsociety.Under international human rights law, anyrestriction on our fundamental freedoms must generallypursue a permissible purpose or “legitimateaim.” These purposes or aims are often enumeratedwithin the article itself. The Principles thereforerequire that communications surveillance only beundertaken in pursuit of a predominantly importantlegal interest. Such interests have been describedby Germany’s highest court as “the life, limb andfreedom of the individual or such interests of thepublic a threat to which affects the basis or continuedexistence of the state or the basis of humanexistence.”The OHCHR has similarly affirmed, in its 2014report, that “any limitation to privacy rights reflectedin article 17 of the ICCPR must be necessary forreaching a legitimate aim.” The report elaborates:Surveillance on the grounds of national securityor for the prevention of terrorism or other crimemay be a “legitimate aim” for purposes of anassessment from the viewpoint of article 17 ofthe Covenant. The degree of interference must,however, be assessed against the necessity ofthe measure to achieve that aim and the actualbenefit it yields towards such a purpose.Finally, communications surveillance cannot beemployed in a manner that discriminates on the basisof grounds such as race, colour, sex, language,religion or national origin, as such discriminationconstitutes an illegitimate purpose.Necessity, adequacy and proportionalityInternational human rights law makes clear thatany interference with our fundamental freedomsmust be “necessary in a democratic society”. In itsGeneral Comments No. 27, the Human Rights Committeeclearly indicates that it is not sufficient thatsuch restrictions serve a legitimate aim, they mustalso be necessary to it. 8 Restrictive measures mustalso be adequate or appropriate to achieving their8 Human Rights Committee, General Comment 27, Freedom ofmovement (Art. 12), UN Doc CCPR/C/21/Rev.1/Add.9 (1999). www1.umn.edu/humanrts/gencomm/hrcom27.htmprotective function. They must also be the leastintrusive options amongst those which might be expectedto achieve the desired result, and they mustbe proportionate to the interest to be protected. Finally,any restrictive measure which undermines theessence or core of a right is inherently disproportionateand a violation of that right.Applying these foundational principles to thecontext of communications surveillance, the Principlesaffirm that:Necessity: Often, a surveillance objective mightbe achieved using far less intrusive mechanisms.While it is by no means necessary to exhaust otheroptions, it should be recognised that communicationssurveillance is inherently invasive and shouldnot be a tool of first recourse.Adequacy: It is not sufficient to show that a givensurveillance practice is necessary for achievinga given objective; it must also be adequate and appropriateto it. As noted by the High Commissioner,at minimum, communications surveillance which interfereswith privacy “must be shown to have somechance of achieving [its] goal.”Proportionality: Communications surveillanceshould be regarded as a highly intrusive act thatinterferes with human rights and poses a threat tothe foundations of a democratic society. Communicationssurveillance for investigative purposes,in particular, should only occur once the state hasconvinced an objective third party – a judge – thata serious threat to a legitimate interest exists andthat the communications mechanism in questionwill yield information that will assist with that seriousthreat.No voluntary cooperation: Current digital networksand interactions entrust vast amounts ofpersonal and sensitive data in the hands of a widerange of third party intermediaries, including internetservice providers (ISPs), email providers,hosting companies and others. Through their discretionarydecisions to comply (or not) with statesurveillance requests, these intermediaries can dramaticallyimpact on the privacy rights of all. Suchvoluntary sharing bypasses due process and posesa serious threat to the rule of law. The Necessaryand Proportionate Principles therefore prohibit anystate communications surveillance activities in theabsence of judicial authorisation.No repurposing: Contrary to many official statements,the modern reality is that state intelligenceagencies are involved in a much broader scopeof activities than simply those related to nationalsecurity or counterterrorism. The Necessary andProportionate Principles state that communicationssurveillance (including the collection ofinformation or any interference with access to ourdata) must be proportionate to the objective theyare intended to address. And equally importantly,even where surveillance is justified by one agencyfor one purpose, the Principles prohibit the unrestrictedreuse of this information by other agenciesfor other purposes.The OHCHR report also emphasises this point,noting that:The absence of effective use limitations hasbeen exacerbated since 11 September 2001, withthe line between criminal justice and protectionof national security blurring significantly. Theresultant sharing of data between law enforcementagencies, intelligence bodies and otherState organs risks violating article 17 of the Covenant[on Civil and Political Rights], becausesurveillance measures that may be necessaryand proportionate for one legitimate aim maynot be so for the purposes of another.Integrity of communications and systemsNo law should impose security holes in our technologyin order to facilitate surveillance. Underminingthe security of hundreds of millions of innocentpeople in order to ensure surveillance capabilitiesagainst the very few bad guys is both overbroad andshort-sighted, not least because malicious actorscan use these exploits as readily as state agents.The assumption underlying such provisions – thatno communication can be truly secure – is inherentlydangerous, akin to throwing out the baby withthe bathwater. It must be rejected.The OHCHR report supports that conclusion,stating that:The enactment of statutory requirements forcompanies to make their networks “wiretapready”is a particular concern, not least becauseit creates an environment that facilitates sweepingsurveillance measures.Notification and right to an effective remedyNotification must be the norm, not the exception.Individuals should be notified that access to theircommunications has been authorised with enoughtime and information to enable them to appeal thedecision, except when doing so would endangerthe investigation at issue. Individuals should alsohave access to the materials presented in supportof the application for authorisation. The notificationprinciple has become essential in fighting illegal oroverreaching surveillance. Any delay in notificationhas to be based upon a showing to a court, and tied14 / Global Information Society Watch Introduction / 15


to an actual danger to the investigation at issue orharm to a person.Before the internet, the police would knock on asuspect’s door, show their warrant, and provide theindividual a reason for entering the suspect’s home.The person searched could watch the search occurand see whether the information gathered wentbeyond the scope of the warrant. Electronic surveillance,however, is much more surreptitious. Datacan be intercepted or acquired directly from a thirdparty such as Facebook or Twitter without the individualknowing. Therefore, it is often impossible toknow that one has been under surveillance, unlessthe evidence leads to criminal charges. As a result,the innocent are the least likely to discover thattheir privacy has been invaded. Indeed, new technologieshave even enabled covert remote searchesof personal computers and other devices.The OHCHR report lays out four characteristicsthat effective remedies for surveillance-related privacyviolations must display:Effective remedies for violations of privacythrough digital surveillance can thus come in avariety of judicial, legislative or administrativeforms. Effective remedies typically share certaincharacteristics. First, those remedies must beknown and accessible to anyone with an arguableclaim that their rights have been violated.Notice (that either a general surveillance regimeor specific surveillance measures are in place)and standing (to challenge such measures)thus become critical issues in determining accessto effective remedy. States take differentapproaches to notification: while some requirepost facto notification of surveillance targets,once investigations have concluded, many regimesdo not provide for notification. Some mayalso formally require such notification in criminalcases; however, in practice, this strictureappears to be regularly ignored.The 2014 OHCHR report continues, stressing theimportance of a “prompt, thorough and impartialinvestigation”; a need for remedies to actually be“capable of ending ongoing violations”; and notingthat “where human rights violations rise to the levelof gross violations, [...] criminal prosecution will berequired.”Safeguards for international cooperationPrivacy protections must be consistent across bordersat home and abroad. Governments should notbypass national privacy protections by relying onsecretive informal data-sharing agreements withforeign states or private international companies.Individuals should not be denied privacy rights simplybecause they live in another country from theone that is surveilling them. Where data is flowingacross borders, the law of the jurisdiction with thegreatest privacy protections should apply.More to be doneThe Necessary and Proportionate Principles providea basic framework for governments to ensure therule of law, oversight and safeguards. They also callfor accountability, with penalties for unlawful accessand strong and effective protections for whistleblowers.They are starting to serve as a model forreform around the world and we urge governments,companies, NGOs and activists to use them to structurenecessary change.But while the Principles are aimed at governments,government action is not the only way tocombat surveillance overreach. All of the communicationscompanies, internet and telecommunicationsalike, can help by securing their networks and limitingthe information they collect and retain. Online serviceproviders should collect the minimum amount of informationfor the minimum time that is necessary toperform their operations, and effectively obfuscate,aggregate and delete unneeded user information.This helps them in their compliance burdens as well:if they collect less data, there is less data to hand overto the government. Strong encryption should be adoptedthroughout the entire communications chainand, where possible, for data in storage.It is clear that under the cloak of secrecy, malfunctioningoversight and the limited reach of outdatedlaws, the practice of digital surveillance in countriesfrom the far North to the far South has overrun thebounds of human rights standards. We all hope to seeactivists around the world showing exactly where acountry has crossed the line, and how its own policymakers and the international community might reinit back. We must call for surveillance reform to ensurethat our national surveillance laws and practicescomply with human rights standards and to ensurethat cross-border privacy is in place and effectivelyenforced. Working together, legal plus technical effortslike deploying encryption, decentralisation ofservices and limiting information collected, can serveas a foundation for a new era of private and securedigital communications.Thematic reports16 / Global Information Society Watch Introduction / 17


Digital surveillanceElijah SparrowLEAP Encryption Access Projecthttps://leap.seThis report examines the properties that makedigital communication prone to surveillance andprovides a general overview of where and how thissurveillance takes place. For our purpose here, anyinternet or phone-based communication is consideredto be digital communication, but we excludefrom consideration other forms of surveillance suchas direct observation or photography.The properties of digital communicationIt is no easy task to pinpoint what we mean when wesay “surveillance”. As a first approximation, DavidLyon defines surveillance as “the focused, systematic,and routine attention to personal details forpurposes of influence, management, protection, ordirection.” This definition tries to convey the way inwhich surveillance has historically functioned as anecessary aspect of maintaining modern society, 1for example, in sorting citizens from non-citizens,the sick from the healthy, the credit worthy fromthe credit risks. He then immediately goes on tonote that surveillance is often not focused, systematicor routine at all – for example, in the caseof dragnet surveillance that captures informationfrom the digital communication of everyone withoutany evidence of its efficacy. What are we to make ofsurveillance in a digital age, where the capture andprocessing of personal information by powerful actorsis not just routine but ubiquitous? Increasingly,surveillance does not seem an activity undertakenfor simple “influence, management, protection ordirection”, but instead seems to be much more,constituting the core security strategy of manynation-states and the core business model for thelargest internet firms, credit card companies, andadvertisers.Most historians of surveillance likely agree withLyon’s assertion that “digital devices only increasethe capacities of surveillance or, sometimes, help to1 Lyon, D. (2007). Surveillance Studies: An Overview. Cambridge:Polity Press, p. 14.foster particular kinds of surveillance or help to alterits character.” 2 It is worthwhile, however, to askwhat precisely is different about “digital”, and howthis transformation of surveillance scale and charactermight represent something substantially new.Perfect digital copyA good analogy for the key difference betweenanalogue and digital communication is to comparespeech with the printed word. Without modernaudio equipment, it is difficult for a human to reproducespeech exactly, but it is very easy to reproducewritten words. Like written words, digital informationis encoded into discrete and reproduciblecomponents. Because of this, digital information isalways copied perfectly, unlike analogue communication,where data was conveyed via imprecise andephemeral voltage or frequency levels. More to thepoint, digital information can only be copied. Youcannot move digital information from one place toanother without making a perfect copy. The copyoperation frequently fails, but the process is alwaysaudited for errors and repeated until the copy isperfected.Many points of captureWhen communication is digital, surveillance lies atits very heart. Because every possible step in thetransmission and reception of digital communicationresults in a perfect copy, the information atevery step is exposed for easy capture. As we transitionto all communication being digital, we moveinto a world with an explosion in the potential sitesof surveillance capture. At the same time, the relativelycentralised nature of the core backbone of theinternet makes it possible to monitor most of theworld’s traffic from a few key locations. 3 Also, the2 Ibid., p. 15.3 Although most people think of the internet as decentralised, itis more accurate to describe the topology as polycentric. Thebackbone core of the internet that carries nearly all the trafficis owned by a handful of “Tier 1” carriers, making it possible tocapture most of all internet traffic by listening at the points ofexchange between these carriers. This is less true of traffic fromthe large internet sites, such as Google, Facebook and Netflix, asthey have recently installed content delivery networks “inside” thenetworks of the large internet service providers.18 / Global Information Society Watch Thematic reports / 19


apidly falling cost of sensors to convert real-worldinputs into digital signals has resulted in a proliferationof these sensors in our environment, from ourconsumer devices to agriculture to sensor networksdesigned to improve urban life.Data immortalityAlthough your personal device might fail, informationstored on servers in digital formats effectivelylives forever. Physical storage mediums often haveshort life spans, but information is nearly alwaysstored in duplicate, so that when one physical devicebegins to fail the information is automaticallymirrored to another storage device. Error-correctingprotocols ensure that this endless copying never resultsin an imperfect copy. As the amount of storageavailable per dollar continues to grow exponentially,there is often no need to ever throw anythingaway, even for very large datasets.AutomationThe capture, storage and analysis of digital informationis largely automated, unbound by the limitationsof available human labour. The former East Germansecret police employed as many as two millioninformants, 4 but today it would require only a handfulof off-the-shelf network monitoring devices, placed inkey locations, to far surpass the Stasi’s reach. The resultof this automation is that both state intelligenceservices and internet businesses that monetise userinformation have taken the general approach of capturingeverything, when practical, with the idea thatthe data might be useful in the future.To be sure, there are limits to how much informationcan be captured and effectively analysed.These limits, however, have been pushed backfaster and farther than most observers expected, asboth nation-states and private firms have investedheavily in ways to store and process more data.High confidentialityIn the past, when surveillance was labour intensiveand available only at a few specific sites in the communicationprocess, it was possible to establish alegal framework that adequately sanctioned andcontrolled the when, where, who and why of statesurveillance. Digital communication has destroyedthis in two ways: first, the barriers to entry for capturinginformation for surveillance are very low;and second, the only way to prevent nearly everyonefrom doing so is to encrypt the data, but thisalso prevents state-sanctioned surveillance. Data is4 Koehler, J. (2000). Stasi: The untold story of the East Germansecret police. Boulder: Westview Press.either widely vulnerable to surveillance by a varietyof actors, many nefarious, or it is secure, encrypted,and eludes state control. In practice, of course,this is still not entirely the case, because most securityproducts are deeply flawed and determinedstate actors and criminal organisations are able tobypass these systems. The poor quality of existingsecurity products is changing rapidly, however, asmore people become aware of the level of surveillancein their lives and seek out increased security.One potential middle ground that could allowsanctioned surveillance but prevent unsanctionedcompromise is the so-called “key escrow” technology,such as the type promoted by the United States(US) government in the 1990s under the Clipper Chipprogramme. In practice, this technology has notproven itself to be secure, and widespread adoptionwould require making normal cryptography illegal, amove only likely in the most repressive contexts.So far, the mathematics behind common encryptionstandards, such as OpenPGP or AES, havegenerally held strong and those seeking to decryptconfidential communication are fighting an uphillbattle. Typically, attacks against encrypted communicationexploit other weaknesses, but are unableto break the encryption itself. 5Low anonymityIf communication can theoretically be made highlyconfidential without much effort, the opposite istrue of anonymity. It is possible, for example, toidentify a unique fingerprint of the radio signalsproduced by all wireless digital devices. In general,every electronic device emits electromagnetic radiationthat can be used to identify it and often toeavesdrop remotely. 6 Even our web browsers advertiseto every web server a set of attributes that cancomprise a unique fingerprint. 7Government and private sector organisationsoften argue that the certain datasets they collectand maintain are anonymous because they do notinclude the real names of people. In reality, re-5 One of the top cryptographers in the world, Adi Shamir, has said“cryptography is bypassed, not penetrated.” This is not to implythat systems are generally secure. Far from it – they are usuallyentirely insecure, but rarely because of a fundamental flaw in thecryptography. Peter Gutmann’s excellent presentation “Crypto Won’tSave You Either” covers most of the major security problems in recentmemory and details how attackers simply bypassed encryption: www.cs.auckland.ac.nz/~pgut001/pubs/crypto_wont_help.pdf6 Elliot, M. (2013). Noise Floor: Exploring the World of UnintentionalRadio Emissions. Presentation at DEF CON 21. Video:www.youtube.com/watch?v=5N1C3WB8c0o, slides:https://docs.google.com/presentation/d/1Z_IRt6R2FL7POeY4JpYGLDAIAdEHprQY13f-NVIfwE7 Eckersley, P. (2010). How Unique Is Your Web Browser?https://panopticlick.eff.org/browser-uniqueness.pdfsearchers have been able to de-anonymise nearlyevery such dataset when given an opportunity. 8 Forcertain types of information, like location and relationships,it often requires only a few points of datato unmask a person’s identity by correlating withanother dataset in which real names are known.The rise of packet-switched networks, like theinternet, has also made anonymity difficult. Thehistorical transition from analogue to digital wasaccompanied by a similar transition in networkingfrom circuit switching to packet switching. Whereonce a single continuous circuit was required tomake a phone call, now a phone call is digitisedand converted into millions of tiny packets, routedthrough equipment that handles millions ofother calls. Every packet contains a source and destinationheaders so that each device in the networkknows where to forward the packet on to. Packetbasedrouting has revolutionised communication asmuch as digitisation has by allowing the massive investmentin old copper cables to be re-purposed fordigital networks that can transport millions of timesmore data. One consequence of packet-switchednetworks is that it is extremely easy, at many pointsand times in the network, to determine the flow ofwho is communicating with whom.All digital data carried over a network is convertedinto packets, with different communicationprotocols layered on top, such as phone calls,email and financial exchanges. These higher-levelcommunications involve their own, and distinct, informationregarding the from, to and when of therelationship, but the general idea is the same. Thistype of transactional or relationship data, recentlydubbed “metadata” in the press, is structured andefficient to store, lending itself to various types ofpowerful analysis that can reveal surprising informationfrom seemingly innocuous data.Attempts to mask these associations with trickssuch as onion routing and data mixing are mostlyexperimental, make communication much slower,and are rarely used. 9 Because the success of these8 One of the first examples of surprising de-anonymisationconcerned the “anonymised” dataset released by Netflixfor a competition to improve their recommendation engine.Narayanan, A., & Shmatikov V. (2008). Robust De-anonymizationof Large Sparse Datasets. www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf9 Onion routing is a process where a communication stream is routedthrough many computers, each one unaware of all the others exceptfor their immediate peers. It is used in low-latency anonymisationnetworks like Tor. Data mixing is a process where many asynchronouspackets of data or messages are combined into a common flow, andthen potential routed through multiple mixing nodes. Data mixing isused in high-latency anonymisation networks like Mixmaster. Bothprocesses attempt to anonymise communication by using manyservers, but each approach makes different trade-offs.anonymising networks is dependent on their scale,anyone seeking anonymity in their digital communicationis fighting an uphill battle until suchapproaches become commonplace.In brief, surveillance of digital communication isubiquitous, automatic, and effectively lives forever.In the future, people will likely find it easy to encryptthe content of their communication, but theirpattern of communication and relationships willlikely be difficult to keep from being exposed.A brief taxonomy of digital communicationsurveillanceIn examining where surveillance of digital communicationtakes place, we divide surveillance into twocategories: attack or capture.Points of attackAttacks are attempts to subvert the way a computingsystem is supposed to work. Attacks mightbe legal and ordered by a court, carried out by agovernment without legal authorisation, or entirelyextralegal. Attacks might be carried out byprivate contractors, government agents, or organisedcrime. Regardless of who is carrying out theattack, and for what purpose, attacks share manycommon characteristics.Network interposition: In a man-in-the-middle(MiTM) attack, the attacker interposes themselvesin the communication stream between two partiesin order to modify the data. Modified traffic can beused to steal authentication information, modifyweb applications, or inject Trojans into the target’sdevice. Although network interposition attacks aretypically associated with powerful surveillanceagencies like the US National Security Agency(NSA) and Government Communications Headquarters(GCHQ) in the United Kingdom (UK), even smallgovernments with very limited resources have madeeffective use of MiTM attacks against dissidents (forexample, the Tunisian government in the lead-upto the Jasmine Revolution of 2011). 10 Regardless ofthe physical location of the target, a MiTM attackcan be launched from nearly anywhere, even on amodest budget, due to critical vulnerabilities in theprotocol that negotiates routes on the internet. 11Mobile devices are also vulnerable to MiTM attacks10 O’Brien, D. (2011, January 5). Tunisia invades, censors Facebook,other accounts. Committee to Protect Journalists. https://cpj.org/blog/2011/01/tunisia-invades-censors-facebook-other-accounts.php11 Pilosov, A., & Kapela, T. (2008). Stealing The Internet: An Internet-Scale Man in the Middle Attack. Paper presented at DEF CON 16.https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf20 / Global Information Society Watch Thematic reports / 21


from cheap “IMSI catchers”, widely used by lawenforcement. 12Physical compromise: The large intelligenceagencies have top-secret product catalogues ofhundreds of high-tech equipment that can behidden inside a device or modify a device to alloweavesdropping, 13 sometimes installed in newequipment before it reaches the customer. 14 Butan attacker seeking to physically compromise adevice does not need the budget of the NSA: fora few dollars, anyone can order online a tiny USBdongle that snaps between a keyboard and a computerand allows the attacker to record every keystroke. 15 Because physical compromise is very difficultto detect, computing devices that have beenphysically in the possession of an attacker shouldnot be trusted.Remote exploit: Software, in general, is full ofunknown security vulnerabilities waiting to be discovered.Most of the time, these vulnerabilities areidentified by responsible researchers who notifythe software authors so that a fix can be made availableor an update automatically applied. Attackersare able to take advantage of the gap in time betweenwhen a vulnerability is fixed and when thisfix is actually applied in order to exploit the flaw andhijack a computer or steal information. If a vulnerabilityis first discovered by an attacker it is calleda “0-day”, because there have been zero days sincethe vulnerability has been known to the public orthe software developers. Various governments, aswell as some criminal organisations, spend largeamounts of money developing 0-days and purchasingthem on the black market. 16Social engineering: Attackers often rely onfooling humans rather than computer systems, aprocess called “social engineering”. Humans canbe remarkably easy to trick. For example, when researchersscattered random USB memory sticks in12 Stein, J. (2014, June 22). New Eavesdropping Equipment SucksAll Data Off Your Phone. Newsweek. www.newsweek.com/yourphone-just-got-sucked-25579013 Appelbaum, J., Horchert, J., & Stöcker, C. (2013, December29). Shopping for Spy Gear: Catalog Advertises NSA Toolbox.Der Spiegel International. www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerousdevices-a-940994.html14 Greenwald, G. (2014, May 12). How the NSA tampers with USmadeinternet routers. The Guardian. www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internetrouters-snowden15 As of this writing, there are dozens of key loggers available onAmazon.com, most for less than USD 100 and many with remotewireless access.16 Menn, J. (2013, May 10). Special Report - U.S. cyberwarstrategy stokes fear of blocback. Reuters. in.reuters.com/article/2013/05/10/usa-cyberweapons-idINDEE9490AX20130510a parking lot, most of the people who found themplugged them into their organisation’s privatenetwork, 17 an extremely insecure practice that canresult in a MiTM attack or provide an easy entry fora Trojan. 18 One highly effective and low-cost form ofsocial engineering is called “spear phishing”, wherethe attacker uses some bit of personal informationabout the target to trick the target into opening ahostile Trojan. Many people, for example, wouldopen an email attachment that appears to comefrom a friend or colleague. Social engineering canalso be as simple as impersonating someone on thephone.Software updates: In some cases, the softwareupdate system designed to apply security fixes to adevice can itself be the delivery pathway for a Trojanor other malicious code. Sadly, few update systemsare very secure. 19 The United Arab Emirates, for example,used the BlackBerry update mechanism inorder to install remote surveillance capabilities onall BlackBerry customers in the country (without theknowledge of or approval from BlackBerry). 20Third-party compromise: With the recent riseof cloud computing, nearly all users rely on thirdparties to keep some or all of their sensitive informationsafe. As consolidation has resulted in fewerthird parties holding an ever larger cache of personaldata, attackers and governments have turnedtheir attention to these third parties as an efficient,centralised source of surveillance data. 21 The dailyparade of data-breach headlines is evidence of thegrossly inadequate security practices by many ofthese third parties.Trojans: A Trojan is a type of computer virus disguisedas a benign programme, or it may even behidden inside a modified version of a common application.In a “phishing” attack, the target installs17 The fault here is not really human error, but human error only inthe context of very poorly designed operating system security.Edwards, C., et al. (2011, June 27). Human Errors Fuel Hackingas Test Shows Nothing Stops Idiocy. Bloomberg News. www.bloomberg.com/news/2011-06-27/human-errors-fuel-hacking-astest-shows-nothing-prevents-idiocy.html18 Greenberg, A. (2014, July 31). Why the Security of USB IsFundamentally Broken. Wired. www.wired.com/2014/07/usbsecurity19 Cappos, J., et al. (2008). A Look in the Mirror: Attacks on PackageManagers. https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf20 Coker, M., & Weinberg S. (2009, July 23). RIM Warns Update HasSpyware. Wall Street Journal. online.wsj.com/news/articles/SB12482717241717223921 Gellman, B., & Poitras L. (2013, June 6). U.S., British intelligencemining data from nine U.S. Internet companies in broad secretprogram. Washington Post. www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.htmlthe Trojan themselves, fooled into believing the applicationis legitimate. When used by governments,the Trojan is often installed manually when thedevice is out of the possession of its owner or viaman-in-the-middle network attacks. Although manyTrojans are created by those sending “spam” or organisedcrime, Trojans are also big business: oneTrojan developed by Hacking Team, an Italian surveillancecompany, is used by over 60 governmentsand allows the operator access to nearly all aspectsof a target’s mobile device. 22Usability error: At present, most software thatallows you to communicate securely is highly sensitiveto mis-configuration or misuse, providing manyopportunities for attack. Many chat applications,for example, have a default setting that will allow anattacker to bypass secure connections between theclient and the server. 23 In 2008, the default settingin Thunderbird caused thousands of German usersto silently drop transport encryption when their internetservice provider (ISP) accidentally disruptedthe secure connection negotiation (since fixed). 24The very concepts required for confidential communication,such as public and private key or keyfingerprints, are deeply confusing for many users. 25Points of captureRather than an attack that exploits a flaw, someforms of surveillance are an incidental or core functionof the system itself.Devices: Nearly every end-user computing devicethat facilitates digital communication retains awealth of personal information as part of its normaloperation. Particularly in the case of mobile devices,this information likely includes web browsinghistory, location history, call records, photographs,and a record of messages sent and received. Userdevices also often store a copy of authenticationcredentials that can be used to gain access to informationstored by third parties. Some devicesare very small or even invisible: for example, an“embedded system” containing a rudimentary computinglogic and memory capacity can be found in22 Zetter, K. (2014, June 24). Researchers Find and Decode the SpyTools Governments Use to Hijack Phones. Wired. www.wired.com/2014/06/remote-control-system-phone-surveillance23 By specification, chat applications that support the XMPP chatstandard must use StartTLS for secure connections, but StartTLSwill downgrade to plain text and insecure connections if the TLSnegotiation fails (which is not hard for an attacker to cause).Only if the chat application is configured to notify the user of thisdowngrade, or prevent it, will the user be assured of a secureconnection. This same vulnerability exists in many email clients.24 Heise Security. (2008). Eingriff in E-Mail-Verschlüsselung durchMobilfunknetz von O2. heise.de/-20623325 Whitten, A., & Tygar J.D. (1999). Why Johnny Can’t Encrypt: AUsability Evaluation of PGP 5.0. www.gaudior.net/alma/johnny.pdfUSB memory sticks, some RFID chips, 26 and appliances.Despite their simplicity, these embeddedsystems can be programmed to record informationabout the user, as in the case of the 2006 World Cupwhere the event tickets themselves contained anRFID chip that both reported personal informationto authorities whenever the ticket passed a scannerand also recorded on the ticket itself a history of locationsthe ticket had been. 27Device emissions: As noted previously, everydevice, and many applications, emit uniquesignatures that can be used to track the location,behaviour or internal workings of a device. Theseunique signatures take many forms: by design, webbrowsers present uniquely identifying informationto every website they visit; by design, every mobilephone has a unique and unchangeable trackingidentifier that is logged by cell phone towers; byaccident, devices emit unique electromagneticradiation that can remotely reveal the screen contents;by accident, central processing units (CPUs)emit low level noise that a remote listener can useto extract private keys; 28 and so on. What counts asa device will soon become difficult to define, as consumergoods such as clothing, watches, appliancesand tickets start to include tiny embedded systems– even food 29 may soon be tracked via RFID.Networks: Surveillance can take place at everystep in a data packet’s journey from source to destination.Networks may be monitored close to anendpoint, as when an IMSI catcher is used to monitorthe traffic of a target mobile device, at the ISPlevel, or at the level of the internet backbone wheremost traffic eventually flows. Because the internetis polycentric, relying on a handful of large carriersfor connections among ISPs, a small number ofstrategic listening posts are able to monitor a highpercentage of all traffic. Typically, large intelligenceagencies monitor traffic near the backbone, smallgovernments will monitor all the traffic in and out oftheir country (typically at the ISP level), and everyonetakes part in monitoring close to the endpoint(including organised crime). The US and UK use networksurveillance to build very large databases of26 RFID (radio frequency identification) is a technology that allows anitem to report a globally unique identifier when the tiny RFID chipis passed near a scanner. Some RFID chips, however, also containembedded systems with a small degree of computing logic andmemory capacity.27 Blau, J. (2006, May 26). Security Scores Big at World CupTournament. PCWorld. www.pcworld.com/article/125910/article.html28 Genkin, D., et al. (2013). RSA Key Extraction via Low-BandwidthAcoustic Cryptoanalaysis. www.cs.tau.ac.il/~tromer/acoustic29 Gatto, K. (2011, May 31). The NutriSmart system would put RFIDsinto your food for enhanced information. PhysOrg.com. phys.org/news/2011-05-nutrismart-rfids-food.html22 / Global Information Society Watch Thematic reports / 23


metadata in order to build a social network graph ofeveryone who communicates digitally 30 as well asthe full content of some 200 million text messagesa day 31 (it is almost certain that other intelligenceagencies attempt similar surveillance, but it is notyet documented publicly). Some countries havedata retention laws that require ISPs to keep recordsof certain metadata, such as the sites thata user visits and their IP address, for up to sevenyears. 32 For a smaller country, however, it is entirelypossible for a government to retain the content ofcommunication as well, including all text messagesand all phone conversations, using inexpensivecommercially available equipment.Third parties: All digital communication leavesa record with third-party intermediaries (except inspecial circumstances). 33 Third parties may includeemail providers, telephone carriers, ISPs, creditcard companies, online retail, computer backup orfile storage, and many mobile app developers (sincemany apps will store user data on the server). Muchof the third-party tracking is carried out for thepurpose of advertising and market research, someof which is visible, in the case of loyalty discountcards, while some is invisible to the user, such asad targeting. Third-party advertising networks areable to track a user’s internet behaviour, even whenthe user switches devices, because most websitesand mobile applications use one or more of thesame advertising and tracking networks. Althoughintended for commercial use, government surveillanceagencies are able to use tracking data sent toadvertising networks 34 and application data sent tocomputer servers 35 as a rich source of surveillanceof personal information.30 Greenwald, G., & Ackerman S. (2013, June 27). How the NSA is stillharvesting your online data. The Guardian. www.theguardian.com/world/2013/jun/27/nsa-online-metadata-collection31 Ball, J. (2014, January 16). NSA collects millions of text messagesdaily in ‘untargeted’ global sweep. The Guardian. www.theguardian.com/world/2014/jan/16/nsa-collects-millions-textmessages-daily-untargeted-global-sweep32 The Wikipedia page on data retention has the most up-to-dateoverview of the current state of retention laws around the world.https://en.wikipedia.org/wiki/Telecommunications_data_retention33 It takes a very careful design to create a system that does not leakcommunication records to intermediaries. Even most peer-to-peersystems will leak relationship or timing information in the traffic.As of this writing, probably the most effective system designed toleave no useful information with intermediaries is a program called“Pond”, although it is still experimental, hard to use, and has fewusers. See: https://pond.imperialviolet.org34 Soltani, A., et al. (2013, December 10). NSA uses Googlecookies to pinpoint targets for hacking. Washington Post. www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-usesgoogle-cookies-to-pinpoint-targets-for-hacking35 Ball, J. (2014, January 27). Angry Birds and ‘leaky’ phone appstargeted by NSA and GCHQ for user data. The Guardian. www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-appangry-birds-personal-dataDigital surveillance grows upDigital surveillance is still in its infancy. Governmentscollect more data than they know how toeffectively process, facial recognition is still notaccurate, and tracking databases are full of falseinformation. For some, this is a comfort: no matterhow much the surveillance net expands, itwill be full of holes (and also false positives, withsometimes tragic personal results for those falselyconvicted). 36Unfortunately, we are living in an age wherethe management and processing of informationhas become an essential component of industry,agriculture, public health, military, and soon education– in other words, nearly every aspect of statemanagement and private business. These systemsall need information to function, and surveillancedesigned to feed these systems more information isgetting better all the time. Digital surveillance maybe in its infancy, but it is working hard to grow upfast.Despite the rather dire picture painted by thisbrief tour of digital surveillance, those who areconcerned by the rapid maturation of surveillanceand expansion into more aspects of social life havecause for hope. The struggle for the future of digitalcommunication – who can control the flow of bitsand who can assign identity to those bits – is beingactively fought on the terrains of politics, law andtechnology. While all these terrains are important,new advances in the technology of encryption, usabilityand open protocols have the potential tooffer powerful protection to the common user in thenear future.36 Starr, G. (2014, June 26). What Your Cell Phone Can’t Tell thePolice. The New Yorker. www.newyorker.com/online/blogs/newsdesk/2014/06/what-your-cell-phone-cant-tell-the-police.htmlThe myth of global online surveillance exemptedfrom compliance with human rightsAlberto J. Cerda SilvaUniversity of Chile Law School and ONG Derechos Digitaleswww.derecho.uchile.cl, https://www.derechosdigitales.orgIntroductionSince mid-2013 there have been continuing revelationsabout the implementation by the United States(US) government of a series of programmes that constitutea system for global mass online surveillance.The initiative involves several agencies, primarilyled by the National Security Agency (NSA), in closecooperation with companies that provide servicesthrough the internet. The system, which mostly targetsforeigners and overseas communications, hasaffected private communications everywhere, fromheads of state to ordinary web users.These revelations about a system for globalmass online surveillance have raised human rightsconcerns. Over time, these concerns have beenrejected by suggesting that human rights have noapplication on the matter because they lack specificnorms, have a narrow scope, or are irrelevantto non-state actors. These arguments have built amyth that online cross-border surveillance wouldbe exempted from compliance with human rightslaw. This report challenges these misconceptionsby, first, restating the full application of humanrights law over global mass online surveillance and,second, calling attention to the current limitationsof human rights law for achieving actual enforcementof human rights worldwide.Human rights law on surveillanceThroughout the 1990s, there was a belief that theinternet was a laissez-faire environment exemptedfrom any governmental control, regulation andrestriction. This misconception was fuelled by libertarianideas that overstate the borderlessness,openness and virtual anonymity of the internet. 1These features, however, rather than preventing anyregulatory approach, merely challenge the efficiencyof regulations, raising the difficulty of international1 Barlow, J. P. (1996). A Declaration of the Independence ofCyberspace. https://projects.eff.org/~barlow/Declaration-Final.htmlharmonisation of regulations. Through the years,the internet has become an environment heavilyregulated in which several layers of regulation andlaws overlap, one of them being international humanrights law. In fact, as some recent resolutionsby the United Nations make clear, human rights arefully applicable to the online environment. 2Although human rights are wholly applicable tothe internet, it has been suggested that online surveillancehas no implications from a human rightsviewpoint, since there is no specific rule on thematter in any international instruments on humanrights. This argument, however, rests on a shortsightedand literal interpretation of the law. Thoseinstruments, rather than dealing with specific risks,set forth general rules and principles that must beapplied in numerous concrete circumstances. In theparticular case of mass online surveillance, it raisesconcerns related to several rights, such as privacy,due process, protection of personal data, equal protection,and judicial protection, among others.Ruling that surveillance has implications for humanrights does not mean that surveillance shouldbe outlawed, since its practice may be allowed incertain circumstances. On the contrary, it opens ananalysis to determine if a given measure of surveillanceis in compliance with human rights. In otherwords, human rights are not absolute and could besubject to certain limitations – and, some practicesof surveillance that limit certain human rights couldbe permissible.However, countries are not completely freeto limit human rights; on the contrary, they mustcomply with certain rules established by internationallaw on the matter. 3 First, limitations require2 United Nations General Assembly, Resolution on the promotion,protection and enjoyment of human rights on the Internet, UN Doc.A/HRC/20/L.13, 29 June 2012; United Nations Resolution adoptedby the General Assembly on 18 December 2013: The right to privacyin the digital age, UN Doc. A/RES/68/167 (21 January 2014); andUnited Nations General Assembly, The promotion, protection andenjoyment of human rights on the Internet, UN Doc. A/HRC/26/L.24,(20 June 2014). See also the Report of the Office of the UnitedNations High Commissioner for Human Rights: The right to privacy inthe digital age, UN Doc. A/HRC/27/37, 30 June 2014.3 Kiss, A. C. (1981). Permissible limitations on rights. In Louis Henkin(Ed.), The International Bill of Rights: The Covenant on Civil andPolitical Rights. New York: Columbia University Press, pp. 290-310.24 / Global Information Society Watch Thematic reports / 25


an enabling law, that is, an act passed by the legislature.4 Second, limitations must have a legitimatepurpose. In fact, human rights could be subject tolimitations for several reasons, including nationalsecurity, public safety and order, as well as publichealth and morals. According to the UniversalDeclaration of Human Rights, limitations arepermissible “for the purpose of securing due recognitionand respect for the rights and freedoms ofothers.” 5 Third, limitations must be proportional,that is, there must be certain balances between theimposed restriction and its attempted purpose. 6And fourth, when adopting limitations, countriesmust establish appropriate safeguards to preventthe misuse and abuse of restrictions regarding humanrights.While the US has authorised the NSA’s systemfor global mass online surveillance in domestic law,it fails to meet any other requirement set forth byinternational human rights law. First, although itseems justified on the grounds of legitimate purpose,international law proscribes any limitationthat discriminates arbitrarily, such as those basedon distinctions of religion, political or other opinion,and national or social origin, among others. 7Second, the system does not meet the test of proportionality,since even if adequate for fulfilling itspurpose, it is unnecessary because there are lesssevere means of achieving the intended objective,and it is disproportional because the detrimental effectson human rights of implementing a system forglobal mass online surveillance exceed its potentialbenefits. And third, the evidence has shown that thesafeguards provided by law, mainly through judicialcontrol in implementing policies, were neither sufficientnor appropriate, since they were completelyovercome by the actual implementation of thesystem.In sum, although a system for global massonline surveillance, similar to that implementedby the NSA, may be in compliance with a givencountry’s domestic law, it certainly violates internationalhuman rights law by arbitrarily discriminating4 Inter-American Court of Human Rights, Advisory Opinion OC-6/86of 9 May 1986, “Laws” in article 30 of the American Convention onHuman Rights, para. 38.5 Universal Declaration of Human Rights, Article 29 (2).6 Barak, A. (2012). Proportionality: Constitutional Rights and TheirLimitations. Cambridge: Cambridge University Press.7 American Declaration of the Rights and Duties of Man, articles Iand II; Universal Declaration of Human Rights, articles 1 and 2;European Convention on Human Rights, article 14; InternationalCovenant on Civil and Political Rights, article 2; InternationalCovenant on Economic, Social and Cultural Rights, article 2;American Convention on Human Rights, article 1; Charter ofFundamental Rights of the European Union, article 21; and AfricanCharter on Human and Peoples’ Rights, article 2.against its target population, by being unnecessaryand disproportional, and by lacking appropriatesafeguards.Protection beyond citizenship and territoryAnother misconception that has been used to justifymass online surveillance, especially overseas,involves narrowing the scope of human rights lawby arguing that it does not provide protection to eitherforeigners or non-resident subjects. In the caseof the NSA’s initiative, this argument states that theUS Constitution would only recognise the fundamentalrights of citizens and, therefore, foreignerswould be excluded from protection. 8 As a result,while domestic law provides for some safeguardsin favour of nationals (which have proved deficient),they are virtually non-existent for alien citizens.Although this conception may be consistent withdomestic law, it runs notoriously short on meetinginternational human rights law.Limiting human rights protection to citizensalso infringes human rights law. In fact, all internationalinstruments on the matter recognise thatthese rights belong to everybody, disregarding theirnationality or citizenship. As the Universal Declarationof Human Rights states, they are inalienablerights of “all members of the human family” that“human beings shall enjoy.” 9 Excepting certain politicalrights that are attached to citizenship, suchas voting and being elected, all other human rightsbelong to people without permissible exceptionsbased on being a citizen of a given country. On thecontrary, international instruments on human rightslaw expressly forbid distinctions of any kind, notonly based on race, colour, sex or language, butalso on religion, political or other opinions, as wellas national or social origin, among other statuses. 10Related to the argument that attempts to exemptcompliance with human rights in the case ofsurveillance over foreigners, it has been arguedthat no government is required to guarantee rightsother than those of people under its own jurisdictionand, therefore, there is no duty to respecthuman rights of people overseas. This narrow conceptionargues that one state cannot be compelledto promote, protect and respect human rightswithin other states, since this is a primary competenceof the state that exercises jurisdiction overthe territory. Additionally, this conception rests on8 Cole, D. (2003). Are Foreign Nationals Entitled to the SameConstitutional Rights As Citizens?, Thomas Jefferson Law Review,25, 367-388.9 Universal Declaration of Human Rights, Preamble.10 See note 7.the literal interpretation of the word “territory”, asthe physical space under the exclusive control ofa given state that forces compliance with humanrights law. This argument is, however, deceptiveand anachronistic.Human rights law was created after the SecondWorld War in order to develop binding internationallaws that would prevent a recurrence of theatrocities experienced. The law was not limited toviolations committed by governments against theirown nationals in their own territory, but also peoplefrom other jurisdictions, sometimes in territoriesthat were not under exclusive control. It is true thata state may not be able to promote and protect humanrights in other jurisdictions than its own, butit certainly can (and must) respect those rights byconstraining its own officials from violating themon and off its territory. Moreover, in the case of asystem of global online surveillance, it is not clearin which country’s territory human rights violationstake place.However, the main problem with narrowingthe scope of human rights to a physical territorialspace is that, in a globalised world with noticeableimprovements in transport and communications,one confronts an impermissible loophole from ateleological perspective that looks into the purposeof human rights law rather than the narrowerwording of a human rights treaty. The extraterritorialapplication of human rights is the only one thatprovides meaning to human rights in the currentstate of affairs. 11 Even if limited, this extraterritorialeffect of international human rights law has beenupheld by international courts, as well as domesticcourts, such as the United Kingdom courts thatrecently held liable its soldiers for human rightsviolations committed against civilians in Afghanistan.A teleological interpretation of human rightsobligations is the only one that could make sensein a digital age, in which a violation of those rightscould be committed remotely, between one countryand another.11 United Nations Human Rights Committee, General Comment No.31 [80] Nature of the General Legal Obligation Imposed on StatesParties to the Covenant, 29 March 2004, UN Doc. CCPR/C/21/Rev.1/Add.13 (26 May 2004), para. 10. See also: Moreno-Lax, V.,& Costello, C. (2014). The Extraterritorial Application of the EUCharter of Fundamental Rights: From Territory to Facticity, theEffectiveness Model. In S. Peers, T. Hervey, J. Kenner, & A. Ward(Eds.), The EU Charter of Fundamental Rights: A Commentary.Oxford: Hart Publishing, pp. 1657-1683; and Grabenwarter, C.(2014). European Convention on Human Rights: Commentary.Oxford: Beck/Hart.Non-state actors’ responsibilityAnother misconception about the human rights implicationsof surveillance argues that those rightsare only enforceable against state actors, but notagainst non-state actors and, therefore, privateactors spying on people are not subject to humanrights scrutiny. This belief is anchored in the factthat international instruments on human rights setforth obligations only on state parties, since theyhave standing as legal entities before internationallaw. In addition, this argument points out that, althoughhuman rights philosophy has been therefor a while, international instruments crystallisedthem as a reaction against the experiences of totalitarianstates that led to the horrors of the SecondWorld War, in which governments infringed theirown citizens’ rights. In this view, preventing violationscommitted by private parties is not a matterof concern for international human rights law, butan issue left to the discretion of each country’s domesticlaw. This argument is, however, misleading.Although international instruments on humanrights primarily set forth obligations on states, theyhave at the very least indirect effects on non-state actors,such as corporations involved in surveillance.In fact, those instruments demand that states notonly respect but also promote and protect humanrights. 12 Because of this, in addition to restrainingstates from violating human rights, internationallaw imposes on states a duty to encourage and tosafeguard those rights from infringing actions ofthird parties. As a matter of fact, case law by humanrights courts has made explicit that the state isnot only responsible for its own actions, but also forfailing to protect those rights when violations arecommitted by non-state actors, such as paramilitaryforces. 13 It follows, naturally, that since the state isinternationally responsible for human rights, even ifnon-state actors violate them, the state has a dutyto enforce those rights against infringing non-stateactors in domestic law. Therefore, the state musttake actions in order to prevent human rights violationsby both state and non-state actors.In order to comply with the obligation of ensuringthat surveillance does not infringe on the rightto privacy, as well as other human rights, countrieshave adopted diverse paths. Some countries haveprevented illegal surveillance by: adopting lawsthat regulate in detail the processing of personal12 United Nations Human Rights Committee, General Comment No.31 [80] Nature of the General Legal Obligation Imposed on StatesParties to the Covenant, 29 March 2004, UN Doc. CCPR/C/21/Rev.1/Add.13 (26 May 2004), paras. 1-8.13 Inter-American Court of Human Rights, Velasquez Rodriguez Case(Series C) No. 4, para. 172, 29 July 1988.26 / Global Information Society Watch Thematic reports / 27


information by state and non-state actors; regulatingthe commercialisation of dual-use technology(i.e. goods that can be used for both legitimate andillegitimate purposes, such as spyware and communicationintercepting devices); rejecting anyevidence obtained that infracted on human rights,such as the illegal interception of communications;and punishing the most outrageous acts of intrusionson privacy. This legislative approach providesa certain level of legal certainty, but has somelimitations, mainly the fact that it does not grantcomprehensive protection.Countries with a modern constitutional frameworkhave adopted a different path for protectinghuman rights in domestic forums. They have incorporatedinternational instruments on human rightsinto their domestic constitutions and made thoserights enforceable against both state and non-stateactors. This is the case in Latin American countries,in which there are a number of court decisionsbased on constitutional grounds that nullify dataretention laws, grant privacy in online communications,prevent rights-abusive processing of personaldata, and limit video surveillance to proportionalcircumstances. This constitutional protection of humanrights grants comprehensiveness, althoughit is usually followed by legislative acts that detailconcrete implications in more complex cases.The internet has become crucial for our lives,and it will be even more important as more peopleconnect, accessing more services, and for longerperiods of time. The internet is, however, an environmentessentially controlled by private actors: fromentities that assign technical sources 14 to those thatadopt technical standards, from those that provide14 Such as IP addresses and domain names.the backbones and telecommunication services, tothose that offer access and content. The fact thatthe internet is under private control should not bean excuse for preventing the realisation of humanrights in the online environment and, therefore,states are required to promote and protect humanrights against the abuse of non-state actors. Thisdoes not prevent the adoption of an internationalinstrument on corporate human rights responsibility,particularly for cases in which a governmentcannot or does not want to enforce this through domesticremedies. 15The actual problem:Human rights enforcementInternational human rights law provides rulesapplicable to a system for global mass onlinesurveillance. What the case of the NSA shows,instead, is a different problem in current internationallaw. There is a loophole in the enforcementof human rights with respect to those recalcitrantcountries that fail to adjust their domestic lawsand policy measures to human rights standards. 16Domestic mechanisms of enforcement may help, ifavailable, but they are insufficient when resolvingissues based on mere parochial law standards, ora narrow-minded legal approach. There are certainmechanisms available in international forums, butthey tend to be political rather than legal in nature.Unfortunately, in the case of the NSA, the US hasnot recognised the jurisdiction of any internationalcourts. Therefore, it seems unfeasible that any legallybinding decision on the matter of whether asystem for global mass online surveillance violatesinternational human rights law will be made.15 United Nations General Assembly, Resolution on elaborationof an international legally binding instrument on transnationalcorporations and other business enterprises with respect tohuman rights, UN Doc. A/HRC/26/L.22/Rev.1, 25 June 2014.16 Louis Henkin, International Human Rights Standards in NationalLaw: The Jurisprudence of the United States, in Benedetto Confortiand Francesco Francioni (eds.), Enforcing International HumanRights in Domestic Courts (Martinus Nijhoff Publishers, 1997), pp.189-205.The harms of surveillance to privacy,expression and associationJillian YorkElectronic Frontier Foundationwww.eff.orgFreedom is the freedom to say that two plus twomake four. If that is granted, all else follows.George Orwell, 1984On 5 June 2013, the Washington Post and theGuardian simultaneously published documentsthat would rock the world. The documents, leakedby ex-National Security Agency (NSA) contractor EdwardSnowden, were not the first disclosures aboutthe United States’ vast surveillance complex, buthave arguably had the most impact.Before last year, awareness of digital surveillancein the US – and indeed, in much of the world– was minimal. Disclosures made by WikiLeaks in2011 can be credited for an uptick in reporting onsurveillance 1 – particularly in the Middle East – butdid little to inspire research on the societal impactof it.The knowledge, or even the perception, of beingsurveilled can have a chilling effect. A 2012industry study conducted by the World EconomicForum found that in high internet penetration countries,a majority of respondents (50.2%) believethat “the government monitors what people do onthe Internet.” At the same time, only 50% believethat the internet is a safe place for expressing theiropinions, while 60.7% agreed that “people who goonline put their privacy at risk.” 2A member survey conducted by writers’ organisationPEN American Center in December 2013discovered that, since the publication of the firstNSA leaks, 28% of respondents have “curtailed oravoided social media activities,” while another 24%have “deliberately avoided certain topics in phone1 CNet. (2011, December 1). Wikileaks disclosure shines light onBig Brother. CBS News. www.cbsnews.com/news/wikileaksdisclosure-shines-light-on-big-brother2 Dutton, W., Law, G., Bolsover, G., & Dutta, S. (2013). TheInternet Trust Bubble: Global Values, Beliefs, and Practices.Davos: World Economic Forum. www3.weforum.org/docs/WEF_InternetTrustBubble_Report2_2014.pdfor email conversations.” Perhaps even more worryingly,a full 16% have avoided writing or speaking oncertain topics. 3Surveillance affects us in myriad ways. It infringeson our personal freedoms, submits us tostate control, and prevents us from progressing asa society.The equal rights to privacy, speechand associationWhen we talk about surveillance, it often followsthat we speak of the importance of privacy, of beingfree from observation or disturbance, frompublic attention. In the US, privacy is a fundamentalright, enshrined in the Fourth Amendment to theConstitution.Of course, this is no coincidence – underKing George II, the American colonisers foundthemselves at the mercy of writs of assistance,court-issued orders that allowed the King’s agentsto carry out wide-ranging searches of anyone, anytime;a precursor to the modern surveillance state. 4Once issued, an individual writ would be valid forthe King’s entire reign, and even up to six monthspast his death.It was only after the death of King George IIthat a legal challenge was mounted. When a customsofficer in Boston attempted to secure newwrits of assistance, a group of Boston merchants,represented by attorney James Otis, opposed themove. Otis argued that the writs placed “the libertyof every man in the hands of every petty officer,”an argument that founding father John Adams laterclaimed “breathed into this nation the breath oflife.” It was from this societal shift that the FourthAmendment was born.The opposition to surveillance, however, isnot borne only out of a desire for privacy. In theUnited States, the First Amendment – that which3 The FDR Group. (2013). Chilling Effects: N.S.A. Surveillance DrivesU.S. Writers to Self-Censor. New York: PEN America. www.pen.org/sites/default/files/Chilling%20Effects_PEN%20American.pdf4 Snyder, D. (n/d). The NSA’s “General Warrants”: How the FoundingFathers Fought an 18th Century Version of the President’s IllegalDomestic Spying. San Francisco: Electronic Frontier Foundation.https://www.eff.org/files/filenode/att/generalwarrantsmemo.pdf28 / Global Information Society Watch Thematic reports / 29


prohibits the creation of law “respecting an establishmentof religion, or prohibiting the free exercisethereof; or abridging the freedom of speech, or ofthe press; or the right of the people peaceably toassemble, and to petition the Government for a redressof grievances” 5 – is often debated, but rarelyrestricted. It is a set of rights that is paramount inUS culture; as Supreme Court Justice Hugo L. Blackonce stated:First in the catalogue of human liberties essentialto the life and growth of a government of,for, and by the people are those liberties writteninto the First Amendment of our Constitution.They are the pillars upon which popular governmentrests and without which a government offree men cannot survive. 6Article 19 of the Universal Declaration of HumanRights similarly provides for the right to freedom ofopinion and expression, to “seek, receive and impartinformation and ideas through any media andregardless of frontiers.” 7Documents leaked by Edward Snowden in 2013have demonstrated the extraordinary breadth ofthe US’s and other governments’ mass surveillanceprogrammes, programmes which constitute an intrusioninto the private lives of individuals all overthe world.The violation of privacy is apparent: indiscriminate,mass surveillance goes against the basic,fundamental right to privacy that our predecessorsfought for. The negative effects of surveillance onthe fundamental freedoms of expression and associationmay be less evident in an era of ubiquitousdigital connection, but are no less important.In a 2013 report, Frank La Rue, Special Rapporteurto the United Nations on the promotion andprotection of the right to freedom of opinion andexpression, discussed the ways in which mass surveillancecan harm expression. He wrote:Undue interference with individuals’ privacy canboth directly and indirectly limit the free developmentand exchange of ideas. Restrictions ofanonymity in communication, for example, havean evident chilling effect on victims of all formsof violence and abuse, who may be reluctant toreport for fear of double victimization. 85 U.S. Constitution, Amendment I.6 Ball, H. (1996). Hugo L. Black: Cold Steel Warrior. Oxford: OxfordUniversity Press.7 Universal Declaration of Human Rights, article 19.8 United Nations Human Rights Council. (2013) Report of the SpecialRapporteur on the promotion and protection of the right tofreedom of opinion and expression, Frank La Rue. A/HRC/23/40.un.org/A/HRC/23/40The harmful effects of surveillance on expressionand association are undeniably linked – the rightto organise is imperative for political expressionand the advancement of ideas. In the US, althoughthe two rights are linked in the First Amendment,historically, they have sometimes been treatedseparately.In a landmark 1958 case, NAACP v. Alabama,the Supreme Court of the US held that if the stateforced the National Association for the Advancementof Colored People (NAACP) to hand over itsmembership lists, its members’ rights to assembleand organise would be violated. 9 This case set theprecedent for the Supreme Court’s foray into theconstitutionally guaranteed right to associationafter decades of government attempts to shun “disloyal”individuals.Justice John Marshall Harlan wrote for a unanimouscourt:This Court has recognized the vital relationshipbetween freedom to associate and privacyin one’s associations. Compelled disclosure ofmembership in an organization engaged in advocacyof particular beliefs is of the same order.Inviolability of privacy in group association mayin many circumstances be indispensable topreservation of freedom of association, particularlywhere a group espouses dissident beliefs. 10Today, the data collected by the NSA’s various surveillanceprogrammes poses a similar threat to thecollection of membership lists. The vast majority ofwhat the NSA collects is metadata, an ambiguousterm that in this case describes the data surroundingone’s communications. That is to say, if thecontent of one’s phone call is the data, the metadatacould include the number called, the time of thecall, and the location from which the call was made.The danger in metadata is that it allows the surveillerto map our networks and activities, makingus think twice before communicating with a certaingroup or individual. In a surveillance state, this canhave profound implications: Think of Uganda, forexample, where a legal crackdown on lesbian, gay,bisexual and transgender (LGBT) activists is currentlyunderway. Under surveillance, a gay youthseeking community or health care faces significantrisks just for the simple act of making a phone callor sending an email.In many countries, there has long been a legaldistinction between the content of a message (thatis, the message itself), and the “communications9 N.A.A.C.P. v. Alabama. 357 U.S. 449 (1958).10 Ibid.data”, or metadata. This distinction is based onthe traditional model of postal mail, where informationwritten on the outside of an envelope isdistinguished from the content of the envelope.This distinction is, however, rendered nearly meaninglessby modern surveillance methods, which cancapture far more than the destination of a communication,and en masse. 11In order to argue effectively for and reclaim theright to associate freely without surveillance, it isimperative that such a distinction be made. Digitalmetadata is different from analogue metadata andits wide-scale capture creates a chilling effect onspeech and association. It is time for fresh thinkingon the impact of the culture of surveillance on ourdaily habits.Changing culture, changing habitsThe way that we interact on the internet is undoubtedlychanging as a result of our knowledge of masssurveillance. Fortunately, fear and withdrawal arenot the only reaction to this knowledge; our habitsare changing as well. A September 2013 Pew surveyfound that 86% of internet users have taken stepsto “remove or mask their digital footprints” – stepsranging from clearing cookies to encrypting theiremail. A further 55% of users have taken steps toavoid observation by specific people, organisations,or the government. 12Corporations – lambasted for their alleged cooperationwith the NSA – are responding to theincreased public awareness of mass surveillance aswell. In early 2013, before the Snowden revelations,encrypted traffic accounted for 2.29% of all peakhour traffic in North America; now it spans 3.8%. InEurope and Latin America, the increase in encryptedtraffic is starker: 1.47% to 6.10% and 1.8 to 10.37%,respectively. 13It is also telling that journalism organisationshave stepped up in the wake of the Snowden11 Electronic Frontier Foundation, Article 19. (2014). Necessary& Proportionate International Principles on the Application ofHuman Rights to Communications Surveillance: Backgroundand Supporting International Legal Analysis. https://necessaryandproportionate.org/files/legalanalysis.pdf12 Rainie, L., Kiesler, S., Kang, R., & Madden, M. (2013). Anonymity,Privacy, and Security Online. Washington, D.C.: Pew ResearchCenter. www.pewinternet.org/files/old-media//Files/Reports/2013/PIP_AnonymityOnline_090513.pdf13 Finley, K. (2014, May 16). Encrypted Web Traffic More Than DoublesAfter NSA Revelations. Wired. www.wired.com/2014/05/sandvinereport/revelations, putting into place systems that willprotect future whistleblowers. Jill Abramson, formerexecutive editor of the New York Times, statedin 2013 that “[surveillance has] put a chill on reallywhat’s a healthy discourse between journalistsand our sources, and it’s sources who risk going toprison.” 14 This realisation has led several publications– including the Guardian and the WashingtonPost – to implement a whistleblower platform calledSecureDrop, which allows sources to share informationwith media organisations anonymously andsecurely.Similarly, the public discussion around the useof encryption is also growing, as is the funding anddevelopment of privacy-enhancing technologies. Governmentaland quasi-governmental organisations,such as the US State Department and BroadcastingBoard of Governors, as well as non-profits such asthe Freedom of the Press Foundation, have increasedfunding toward tools that can be used to thwart surveillanceattempts.The aforementioned Pew study found that 68%of internet users believe laws are insufficient in protectingtheir privacy online. 15 Numerous attemptshave been made globally to effect change throughlegal and political channels. The 13 Principles forthe Application of Human Rights to CommunicationsSurveillance, 16 developed prior to the Snowden revelations,provides a framework for policy making atthe state level. Many of the Principles’ 400-plus signatoriesare utilising the document in their policyadvocacy.As awareness of mass surveillance increasesamong the populace, it follows that new tactics foropposing it will arise. Given the complex nature ofdigital spying and the interlinked set of rights it affects,this is imperative. Ending mass surveillancerequires consideration not only of its effect on privacy,but its impact on expression and associationas well.14 Gold, H., & Byers, D. (2013, October 18) Abramson: ‘Nobody won’the shutdown; N.Y. Times: ‘Obama emerged the winner’. Politico.www.politico.com/blogs/media/2013/10/abramson-nobody-wonthe-shutdown-ny-times-obama-emerged-175413.html15 Rainie, L., Kiesler, S., Kang, R., & Madden, M. (2013). Op. cit.16 Access, Article 19, Asociación Civil por la Igualdad y la Justicia,Asociación por los Derechos Civiles, Association for ProgressiveCommunications, Bits of Freedom, Center for Internet &Society India…(2013, July 10). 13 Principles for the Applicationof Human Rights to Communications Surveillance. https://en.necessaryandproportionate.org/text30 / Global Information Society Watch Thematic reports / 31


Cyber security, civil society and vulnerabilityin an age of communications surveillanceAlex Comninos and Gareth SenequeJustus-Liebig University Giessen and Geist Consulting 1Comninos.orgIntroductionCyber security is increasingly important to internetusers, including stakeholders in governments, theprivate sector and civil society. As internet usersincrease, so does the amount of malware, 2 fuelledby ubiquitous smartphones and social networkingapplications offering new vectors for infection.Botnets – networks of infected devices controlledby malicious operators – are used as proxies tocommit criminal acts including fraud and identityor data theft. According to the antivirus companySymantec, in 2013 data breach incidents resultedin the exposure of 552 million personal identities. 3In May 2014, eBay announced that hackers hadgained access to the personal data of 145 millioncustomers and urged all customers to change theirpasswords. 4 Infrastructures connected to the internet,such as power grids, are also vulnerable, andseverely lacking security updates. A growing “internetof things”, which includes ubiquitous devicesfrom sensors in homes and cars to medical technology,presents a plethora of new vulnerabilities tocyber security incidents.Increasingly, states are establishing military“cyber units” or “cyber commands”, many of whichhave offensive hacking capabilities. 5 MichaelHayden, a former director of both the CIA and theNational Security Agency (NSA) has stated that Stuxnet,a state-sponsored computer worm discoveredin 2011 and designed to attack and incapacitate nuclearreactors in the Natanz facility in Iran, marked1 Alex Comninos is a doctoral candidate in the Department ofGeography at Justus-Liebig University Giessen; Gareth Seneque isa Unix architect at Geist Consulting.2 Malware is malicious software that includes viruses, Trojan horsesand spyware.3 Symantec 2014 Internet Security Threat Report, Volume 19. www.symantec.com/security_response/publications/threatreport.jsp4 Perlroth, N. (2014, May 21). eBay Urges New Passwords AfterBreach. New York Times. www.nytimes.com/2014/05/22/technology/ebay-reports-attack-on-its-computer-network.html5 Comninos, A. (2013). A cyber security agenda for civil society: Whatis at stake? Johannesburg: APC. www.apc.org/en/node/17320“the crossing of the Rubicon” (a point of no return)for the use of state-sponsored malware. 6 A numberof similar worms, some of which have implementedStuxnet’s source code, have arisen. 7Civil society organisations and human rightsdefenders are becoming victims of surveillancesoftware. Some of this software is sold to law enforcementand intelligence agencies in repressiveregimes. “Remote Access Trojans” can be boughtboth legally and on the black market, as well asdownloaded for free, and are used to control mobiledevices, laptops and computers remotely, capturingall the information input/viewed by the user. Suchsoftware has been used to target activists in Bahrainand Syria. 8Edward Snowden’s disclosures of documentaryevidence regarding mass surveillance by theNSA, Government Communications Headquarters(GCHQ) in the United Kingdom, and other intelligenceagencies of the “Five Eyes” 9 countries haveshown just how vulnerable the average netizen’scommunications are to interception and surveillance.The disclosures have also demonstrated howsurveillance activities can negatively affect the cybersecurity of all internet users.It is tempting to think that more “cyber security”would be a means of countering the global privacyinvasion caused by mass surveillance. However, cybersecurity discourse is dominated by states andcorporations and focuses mainly on their security,rather than the security of civil society and of internetusers. Civil society needs a vision of cybersecurity that puts the digital security of internetusers at the centre of its focus. Attaining cybersecurity that protects human rights, including the6 Healy, J. (2013, April 16). Stuxnet and the Dawn of AlgorithmicWarfare. The Huffington Post. www.huffingtonpost.com/jasonhealey/stuxnet-cyberwarfare_b_3091274.html7 Bencsáth, B. (2012). Duqu, Flame, Gauss: Followers of Stuxnet.Presentation at the RSA Conference Europe 2012, Amsterdam,the Netherlands, 10 October. www.rsaconference.com/writable/presentations/file_upload/br-208_bencsath.pdf8 McMillan, R. (2011, August 7). How the Boy Next DoorAccidentally Built a Syrian Spy Tool. Wired. www.wired.com/wiredenterprise/2012/07/dark-comet-syrian-spy-tool9 The “Five Eyes” countries are Australia, Canada, New Zealand,the United Kingdom and the United States, which are part of amultilateral agreement on cooperation in signals intelligence.right to privacy, while also ensuring an open and secureinternet, will not be possible unless dominantdiscourses on cyber security radically change.The problems with “cyber security”The term “cyber security” often lacks clear definition.It is used as an umbrella concept covering arange of threats and responses 10 involving nationalinfrastructure, internet infrastructure, applicationsand software, and users. Sometimes it is even usedto refer to the stability of the state and politicalstructures. The inexact terminology of cyber security“mixes legitimate and illegitimate concerns andconflates different types and levels of risk.” This“prevents genuine objective scrutiny, and inevitablyleads to responses which are wide-ranging and caneasily be misused or abused.” 11 Cyber security notonly leads to overly broad powers being given to thestate, it also “risks generating a consensus that isillusory” and not useful for the problems at hand. 12We need to carefully unpack the relevant issues anddevelop “a clear vocabulary of cyber security threatsand responses,” so as to enable “targeted, effective,and rights-respecting policies.” 13 If we do not, cybersecurity can be used by governments as a justificationto censor, control or surveil internet use.Viewing cyber security as an issue of nationalsecurity is perilous and unhelpful. We should distinguishbetween, and not conflate, on the one hand,protecting computers, networks and information,and on the other hand using technological tools toachieve security objectives. Using “cyberspace asa tool for national security, both in the dimensionof war fighting and the dimension of mass surveillance,has detrimental effects on the level of cybersecurity globally.” 14 When cyber security is framed asa national security issue, issues regarding technologyand the internet are securitised – brought ontothe security agendas of states. This may be counterproductive.The state, law enforcement, military andintelligence agencies may not have the best skills orknowledge for the job. State actors may have a con-10 Center for Democracy and Technology. (2013). Unpacking“Cybersecurity”: Threats, Responses, and Human RightsConsiderations. https://cdt.org/insight/unpacking-cybersecuritythreats-responses-and-human-rights-considerations11 Kovacs, A., & Hawtin, D. (2014). Cyber Security, Surveillance andOnline Human Rights. Discussion paper written for the StockholmInternet Forum, 27-28 May. www.gp-digital.org/publication/second-pub12 OECD. (2012). Non-governmental Perspectives on a NewGeneration of National Cyber security Strategies, p 6. dx.doi.org/10.1787/5k8zq92sx138-en13 Center for Democracy and Technology. (2013). Op. cit.14 Dunn Cavelty, M. (2014). Breaking the Cyber-Security Dilemma:Aligning Security Needs and Removing Vulnerabilities. Science andEngineering Ethics, April.flict of interest in securing information: militaries, forexample, may want to develop offensive weapons,while intelligence agencies may rely on breaking orcircumventing information insecurity in order to surveilbetter. Cyber security may also be used to protectstate secrets, and criminalise whistleblowers as cybersecurity threats. Focusing on the state and ‘‘its’’security, “crowds out consideration for the security ofthe individual citizen, with detrimental effects on thesecurity of the whole system.” 15Cyber security often disproportionately focuseson the protection of information, databases, devices,assets and infrastructures connected to the internet,rather than on the protection of connected users.Technological infrastructures and the assets of corporationsare put at the centre of analysis, rather thanhuman beings. Human beings are seen as a threat inthe form of bad “hackers” or as a weak link in informationsystems, making mistakes and respondingto phishing or “social engineering” attacks. 16 Puttinghumans at the centre of cyber security is important.A definition of cyber security as purely protecting informationavoids ethical challenges. Cyber securityshould not protect some people’s information at theexpense of others. It should also not protect informationabout state secrets in order to enable masssurveillance and privacy invasion of individual users.Cyber security and vulnerabilityCyber security discourse should focus more on informationsecurity vulnerabilities, rather than onthreats and responses. This focus would help todelineate what constitutes a cyber security issue,avoid cyber security escalating to a counter-productivenational security issue, and place a practicalfocus on the protection of all internet users.A security vulnerability, also called a “bug”, isa piece of software code that contains an error orweakness that could allow a hacker to compromisethe integrity, availability or confidentiality of informationcontained, managed or accessed by thatsoftware. 17 When a vulnerability is discovered, amalicious hacker may make an “exploit” 18 in order15 Ibid.16 Dunn Cavelty, M. (2014). Op cit. Wikipedia defines socialengineering as “psychological manipulation of people intoperforming actions or divulging confidential information.” https://en.wikipedia.org/wiki/Social_engineering_(security) A commonexample is phishing.17 For a definition upon which this is based, see Microsoft, Definitionof a Security Vulnerability: technet.microsoft.com/en-us/library/cc751383.aspx18 An exploit is a “is a piece of software, a chunk of data, or asequence of commands that takes advantage of a bug, glitchor vulnerability in order to cause unintended or unanticipatedbehavior,” and does not require advanced technical skills to use.https://en.wikipedia.org/wiki/Exploit_(computer_security)32 / Global Information Society Watch Thematic reports / 33


to compromise data or access to a computer. Malware– viruses and Trojan horses – require exploits(or collections of exploits) that take advantage ofvulnerabilities. Expertise in fixing vulnerabilitiesis improving but not keeping up with the pace ofthe growth. Compared to 15 years ago, all popularand contemporary desktop operating systems(Windows, Linux and Mac) offer regular automatedsecurity updates which fix or “patch” known vulnerabilities.While we are finding more vulnerabilitiesin code and viruses than ever before, we are alsogetting better at finding them. At the same time wekeep producing more software code, meaning thatthe net number of vulnerabilities is increasing. 19Viruses and botnets, including Stuxnet andother state-sponsored malware, require vulnerabilitiesto work. Finding and fixing vulnerabilitiescontributes to a safer and secure internet, counterssurveillance and can even save lives. For example, avulnerability in Adobe’s Flash software was recentlyused against dissidents in Syria. 20There are two categories of vulnerabilities, eachrequiring different user and policy responses: zerodaysand forever-days. Zero-days are vulnerabilitiesfor which there is no available fix yet, and may beunknown to developers. Forever-days are vulnerabilitieswhich are known of, and either do not havea fix, or do have a fix in the form of a patch or anupdate, but they are for the most part not appliedby users.Zero-day vulnerabilitiesWhen a zero-day is found, the original software developershould be notified so that they may find a fix forthe vulnerability and package it as a patch or updatesent out to users. Furthermore, at some stage, usersof the affected software that are rendered vulnerableshould also be informed, so they can understand ifthey are or have been vulnerable and take measuresto recover and mitigate for the vulnerability.Throughout the history of computers, “hackers” 21have sought to use technology in ways that were notoriginally intended. This has been a large sourceof technological innovation. Hackers have appliedthis logic to computer systems and have bypassed19 McGraw, G. (2012). Cyber War, Cyber Peace, Stones, andGlassHouses. Presentation at the Institute for Security, Technology,and Society (ISTS), Dartmouth College, Hanover NH, USA, 26 April.www.ists.dartmouth.edu/events/abstract-mcgraw.html , www.youtube.com/watch?v=LCULzMa7iqs20 Fisher, D. (2014, April 28). Flash zero day used to target victims inSyria. Threat Post. threatpost.com/flash-zero-day-used-to-targetvictims-in-syria21 “Hacker” is used here in its original usage to refer to people whoplayfully use technological systems, rather than in its currentpejorative and widely used usage.security and found vulnerabilities for fun, fame,money, or in the interests of a more secure internet.It is because of people that break security by findingvulnerabilities that we can become more secure.A problem for cyber security is that “good” (or “whitehat”) hackers or “security researchers” may not beincentivised to find zero-days and use this knowledgefor good. Rather than inform the softwarevendor, the project involved, or the general public ofa vulnerability, hackers may decide not to disclose itand instead to sell information about a vulnerability,or package it as an exploit and sell it.These exploits have a dual use: “They can beused as part of research efforts to help strengthencomputers against intrusion. But they can also beweaponised and deployed aggressively for everythingfrom government spying and corporate espionage toflat-out fraud.” 22 There is a growing market for zerodaysthat operates in a grey and unregulated manner.Companies sell exploits to governments and law enforcementagencies around the world; however, thereare concerns that these companies are also supplyingthe same software to repressive regimes and to intelligenceagencies. There is also a growing black marketwhere these exploits are sold for criminal purposes. 23Forever-day vulnerabilitiesForever-days (or “i-days”/“infinite-days”) are also aserious cyber security problem. Forever-day vulnerabilitieseither take a long time to get fixed, or neverget fixed, or are fixed but users do not update orpatch the relevant software. While they can affectinternet users, they can also affect industrial controlsystems (ICSs), which control infrastructuressuch as power grids and power plants, as well asmachinery in factories, for example, in pharmaceuticalplants. ICSs require large investments inequipment that is supposed to last for many years.Operators of ICSs usually cannot afford to updatetheir systems regularly. In addition to zero-days,well-documented forever-day vulnerabilities in Siemenscontrollers allowed the Stuxnet virus to infectthe Natanz nuclear reactors in Iran. 24 Forever-days22 Gallagher, R. (2013, January 16). Cyberwar’s gray market. Slate.www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html; Grossman, L. (2014, July 21). World War Zero: How HackersFight to Steal Your Secrets. Time. time.com/2972317/world-warzero-how-hackers-fight-to-steal-your-secrets23 Gallagher, R. (2013, January 16). Op. cit.24 Zetter, K. (2011, August 4). Serious security holes found in Siemenscontrol systems targeted by Stuxnet. Ars Technica. arstechnica.com/security/2011/08/serious-security-holes-found-in-siemenscontrol-systems-targeted-by-stuxnetStuxnet also made use of fourzero-days; see Kushner, D. (2013, February 26). The Real Story ofStuxnet. IEEE Spectrum. spectrum.ieee.org/telecom/security/thereal-story-of-stuxnetin ICSs raise the spectre of “cyber war”, in which, forexample, “terrorists” could attack and cripple powerlines. The solution however requires softwareupdates, rather than military involvement.Windows XP is perhaps one of the most importantcyber security threats this year for government,civil society and critical national infrastructuresconnected to the internet. Many industrial controlsystems are running on Windows XP. The securityupdates for Windows XP expired this year, meaningthat computers running XP will be exposed to thousandsof vulnerabilities. 25 It is hard for governmentsand civil society to say goodbye to Windows XP, especiallyin the developing world, and in low-budgetenvironments. The software is easy to use, runs onold computers, can be customised, runs modern webbrowsers, and allows its users to fully participate inthe information society using a 13-year old operatingsystem. In April 2014, XP use still accounted for over18% of desktop PC use. 26 The UK and Dutch governmentsand some corporations have recognised theseverity of the problem, and are actually paying Microsoftfor private updates. 27The Heartbleed vulnerabilityApril 2014 marked an important watershed forawareness of vulnerabilities, with what has beendescribed as one of the most catastrophic securityvulnerabilities ever discovered: Heartbleed.Heartbleed was a vulnerability in an open sourcesoftware project called OpenSSL, which is usedto establish encrypted connections between websitesand browsers. According to Forbes magazine,“Some might argue that it is the worst vulnerabilityfound (at least in terms of its potential impact) sincecommercial traffic began to flow on the Internet.” 28The vulnerability allowed a potential hacker to stealprivate encryption keys from a web server, and bydoing so, to hijack login credentials or decrypt sensitiveinformation, leaving two-thirds of the web25 Windows XP Embedded (XPe), which should be the preferredoperating system for ICSs, should receive updates till 2016. Thereis a suggested but unofficial workaround to make XP receiveXPe updates, which may be useful for those with no other option(see: arstechnica.com/information-technology/2014/05/updateenabling-windows-xp-registry-hack-is-great-news-for-xp-die-hards).26 Newman, J. (2014, May 1). Windows XP refuses to go down withouta fight. PC World. www.pcworld.com/article/2150446/windows-xpusage-wont-go-down-without-a-fight.html27 Gallagher, S. (2014, April 6). Not dead yet: Dutch, Britishgovernments pay to keep Windows XP alive. Ars Technica.arstechnica.com/information-technology/2014/04/not-dead-yetdutch-british-governments-pay-to-keep-windows-xp-alive28 Steinberg, J. (2014, April 10). Massive Internet SecurityVulnerability – Here’s What You Need To Do. Forbes. www.forbes.com/sites/josephsteinberg/2014/04/10/massive-internetsecurity-vulnerability-you-are-at-risk-what-you-need-to-doopen to eavesdropping. 29 The vulnerability existedfor over two years, making a large proportion of theinternet vulnerable. Heartbleed has not just hadnegative effects. It is the first vulnerability with itsown logo, 30 and coverage of it extended far beyondtechnical audiences, engendering understandingof vulnerabilities among people who would usuallynot be aware of them. It has also resulted in morehuman and financial investment into OpenSSL developmentand alternatives. 31Open source software promises, in theory, tomake software less vulnerable, as the code is openfor anyone to review and to look for vulnerabilities.Open source software, however, will not providesecurity unless there are enough eyes on the code.Heartbleed was an open source project, and anyonecould review the code, but it was underfunded andunderstaffed, and there were not enough reviewersof the code from outside the project. Symptomaticof this, the update that would introduce Heartbleedwas finalised an hour before midnight on New Year’sEve 2011, and would go unnoticed for two years.The relevance of Snowden’s disclosuresto cyber securityThe scope and reach of the NSA’s surveillance is important.The NSA’s surveillance posture is – as hasbeen repeated by General Keith Alexander, and isreflected in the NSA slide in Figure 1 – to “collectit all”: 32 from undersea cable taps, to Yahoo videochats, to in-flight Wi-Fi, to virtual worlds and onlinemultiplayer games like Second Life and Worldof Warcraft. The NSA has at least three differentprogrammes to get Yahoo and Google user data.This shows that they try to get the same data frommultiple mechanisms. 33 With the GCHQ under theMUSCULAR programme it hacked into the internaldata links of Google and Yahoo 34 for information29 Goodin, D. (2014, April 8). Critical crypto bug in OpenSSLopens two-thirds of the Web to eavesdropping. ARS Technica.arstechnica.com/security/2014/04/critical-crypto-bug-in-opensslopens-two-thirds-of-the-web-to-eavesdropping30 heartbleed.com/heartbleed.svg31 There are two new “forks” or versions of OpenSSL that promise to bemore secure. One is called BoringSSL and is developed by Google,and one is called LibreSSL and is developed by the OpenBSDProject.32 Greenwald, G. (2014). No Place to Hide: Edward Snowden, the NSA,and the U.S. Surveillance State. New York, Metropolitan Books, p. 97.33 Schneier, B. (2014). NSA Surveillance and What To Do About It.Presentation at the Stanford Center for Internet and Society, StanfordCA, USA, 22 April. https://youtube.com/watch?v=3v9t_IoOgyI34 Gellman, B., & Soltani, A. (2013, October 30). NSA infiltrates linksto Yahoo, Google data centers worldwide, Snowden documentssay. The Washington Post. 30 www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-datacenters-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html34 / Global Information Society Watch Thematic reports / 35


Figure 1.The NSA’s collection posture: A top slide from a secret presentation by the NSA to the annualconference of the Five EyesFigure 2.This NSA slide demonstrates where Google’s private cloud meets the public internetNew Collection PostureWork with GCHQ,share with MisawaPartner it AllAnalysis of data atscale: ELEGANTCHAOSExploit it AllSniff it AllProcess it AllTours increasesphysical accessKnow it AllCollect it AllAutomated FORNSATsurvey - DARKQUESTIncrease volume ofsignals: ASPHALT/A-PLUSScale XKS and use MVRtechiquesSource: Greenwald, G. (2014). No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. New York: Metropolitan Books.Source: Washington Postthat it could mostly have gotten through the PRISMprogramme. In addition to highlighting the NSA’smassive institutional overreach and global privacyinvasion, Snowden’s disclosures also highlight themany points at which our data is insecure, and thevast numbers of vulnerabilities to surveillance thatexist throughout our digital world. However, whilethe NSA is the largest threat in the surveillancegame, it is not the only threat. Governments allaround the world are using the internet to surveiltheir citizens. Considering the rate of technologicalchange, it is not unforeseeable that the methods,tools and vulnerabilities used by the NSA will bethe tools of states, cyber criminals and low-skilledhackers of the future. Regardless of who the perceivedattacker or surveillance operative may be,and whether it is the NSA or not, large-scale, masssurveillance is a growing cyber security threat.It has also been disclosed that the NSA andGCHQ have actively worked to make internet andtechnology users around the world less secure. TheNSA has placed backdoors in routers running vitalinternet infrastructures. 35 The GCHQ has impersonatedsocial networking websites like LinkedIn inorder to target system administrators of internetservice providers. 36 The NSA has been working withthe GCHQ to hack into Google and Yahoo data centres.37 The NSA also works to undermine encryptiontechnologies, by covertly influencing the use ofweak algorithms and random number generatorsin encryption products and standards. 38 The NSAin its own words is working under the BULLRUNprogramme to “insert vulnerabilities into commer-35 Gallagher, S. (2014, May 14). Photos of an NSA “upgrade” factoryshow Cisco router getting implant. Ars Technica. arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-showcisco-router-getting-implant36 Faviar, C. (2013, September 20). Snowden docs now show Britain,not NSA, targeted Belgian telco. Ars Technica. arstechnica.com/tech-policy/2013/09/snowden-docs-now-show-britain-targetedbelgian-telco-not-nsa37 Gellman, B., & Soltani, A. (2013, October 30). Op. cit.38 Guess, M. (2013, September 11). New York Times providesnew details about NSA backdoor in crypto spec. Ars Technica.arstechnica.com/security/2013/09/new-york-times-provides-newdetails-about-nsa-backdoor-in-crypto-speccial encryption systems, IT systems, networks, andendpoint communications devices used by targets”and to “influence policies, standards and specificationsfor commercial [encryption] technologies.” 39The NSA is also believed to hoard knowledge aboutvulnerabilities rather than sharing them with developers,vendors and the general public, 40 as wellas even maintaining a catalogue of these vulnerabilitiesfor use in surveillance and cyber attacks. 41None of these activities serve to make the internetmore secure. In fact, they do the very opposite.39 New York Times. (2013, September 5). Secret Documents RevealN.S.A. Campaign Against Encryption. New York Times. www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsacampaign-against-encryption.html40 Electronic Frontier Foundation. (2014, July 1). EFF Sues NSA,Director of National Intelligence for Zero Day Disclosure Process.EFF. https://www.eff.org/press/releases/eff-sues-nsa-directornational-intelligence-zero-day-disclosure-process41 Appelbaum, J., Horchert, J., & and Stöcker, C. (2013, September29). Shopping for Spy Gear: Catalog Advertises NSA Toolbox. www.spiegel.de/international/world/catalog-reveals-nsa-has-backdoors-for-numerous-devices-a-940994.htmlAs US Congresswoman Zoe Lofgren commented:“When any industry or organisation builds a backdoorto assist with electronic surveillance into theirproduct, they put all of our data security at risk. If abackdoor is created for law enforcement purposes,it’s only a matter of time before a hacker exploits it,in fact we have already seen it happen.” 42The fact that the NSA is actively working to makethe internet insecure points to the contradictionsin its dual mandate: simultaneously securing andbreaking cyber security. On the one hand it is taskedwith securing information and communicationsnetworks (falling under its “Information Assurance”mandate), and on the other hand it is taskedwith surveilling information and communicationsnetworks (its “Signals Intelligence” mandate). 43Similar tensions exist within the US military, which42 National Insecurity Agency: How the NSA’s SurveillancePrograms Undermine Internet Security. Panel discussion at theNew America Foundation, 8 July 2014. https://youtube.com/watch?v=K1ox5vwnJZA43 Ibid.36 / Global Information Society Watch Thematic reports / 37


is tasked with both defending national networksfrom hacking attacks as well as with conducting offensivehacking attacks. The US “cyber command”,the military command for the “cyber domain”, isunder the stewardship of the NSA commander.This conflict of interest in the NSA’s dual role hasnot been addressed in current NSA reform. Taskedwith “national security”, intelligence agencies likethe NSA have a conflicting mandate that cannot enablethem to actually provide US citizens with cybersecurity, in the same way that states are for exampleable to provide us with physical security. It willalways be against the interests of intelligence agenciesto assure the provision of secure technologiesthat cannot be eavesdropped on. This is exacerbatedby a cyber security-surveillance industrialcomplex of government agencies and private contractorsselling hacking and surveillance products,with revolving doors between the two. We need tobe very wary of intelligence agencies being givenroles as stewards of cyber security.Similarly, we cannot look to corporations forprotection. Through mechanisms of intermediary liability,corporations are pressured by governmentsinto cooperating with governments in surveillanceprogrammes like PRISM, or the “Snoopers Charter”in the United Kingdom. 44 It would also not be withinthe interests of many tech companies to protectprivacy and security to the extent that data is fullyencrypted, not just during transit, but also in storage.Google’s “Chief Internet Evangelist” Vint Cerfstated at the Internet Governance Forum in 2011that this would not be in Google’s interest, as “wecouldn’t run our system if everything in it were encryptedbecause then we wouldn’t know which adsto show you.” 45RecommendationsCivil society needs to articulate an agenda for cybersecurity that puts the security of human beings atthe centre of the debate.Making cyber security a national security issuecan be counterproductive due to its potential forabuse. Cyber security also may be better dealt withby the technical community, the private sector andcivil society. The state and military may not alwaysbe best suited to dealing with cyber security, and44 Grice, A. (2014, July 11). Emergency data law: David Cameronplots to bring back snoopers’ charter. The Independent. www.independent.co.uk/news/uk/politics/emergency-data-lawgovernment-railroading-through-legislation-on-internet-andphone-records-9596695.html45 Soghoian, C. (2011, November 2). Two honest Google employees:our products don’t protect your privacy. Slight Paranoia. paranoia.dubfire.net/2011/11/two-honest-google-employees-our.htmlintelligence agencies may have a conflict of interestin ensuring cyber security.Civil society needs to be wary of putting toomuch trust in either governments or corporationsfor assuring cyber security. Responsibility for cybersecurity should be distributed and not concentratepower too much in one particular place. 46Cyber security starts at home. Security is acollective effort that comes with collective responsibilities.If we are insecure, if we do not encrypt ourcommunications, then those who we communicatewith are also insecure. We therefore have a responsibilitytowards ourselves, but also towards othersto secure our communications. All users should runmodern operating systems and software that receivesecurity updates, run an antivirus, and try toencrypt as much communications as possible.Widespread use of encryption and privacy tools.Encryption protects communications from a multitudeof cyber threats, including surveillance, theftand hacking. Encryption cannot fully protect usfrom surveillance, as it does not hide the metadata(for example, who the sender and recipient of theemail are). Through metadata, a picture of our associationsmay be drawn, and anonymity tools provideanother measure of protection from this. EdwardSnowden’s revelations have taught us that there aresome tools that do work. PGP encryption is effectiveat encrypting email communications. The anonymitytool TOR, if used correctly, will work to anonymisecommunications and provide an extra layer of privacyon top of encryption. The lengths to which theNSA and GCHQ have gone (mostly unsuccessfully)to crack TOR is evidence of this. These tools can becomplicated to use, but with a little training they arewithin the reach of many internet users. 47Encryption as resistance against mass surveillance.Encryption may not always work in thefuture, as quantum computers may decrypt ourstored communications. 48 Snowden’s revelationshave also shown us how easy it is for intelligenceagencies (like the NSA) to influence encryption46 Ron Deibert has made this argument in: Deibert, R. (2012).Distributed Security as a Cyber Strategy: Outlining aComprehensive Approach for Canada in Cyberspace. Calgary:Canadian Defence and Foreign Affairs Institute. www.cdfai.org/PDF/Distributed%20Security%20as%20Cyber%20Strategy.pdf47 Guidelines on securing oneself online are available atsecurityinabox.org, cryptoparty.org, or en.flossmanuals.net/basicinternet-security48 There are concerns around how encrypted information, capturedand stored, could in the future be decrypted as quantumcomputing advances (ushering in an age of “post-quantumcryptography”); however, this is a long-term consideration. See:Arcieri, T. (2013, July 9). Imperfect Forward Secrecy: The ComingCryptocalypse. Tony Arcieri. tonyarcieri.com/imperfect-forwardsecrecy-the-coming-cryptocalypsestandards and implementation. Vulnerabilities insoftware will always allow cryptography and anonymisationtools to be bypassed, 49 and it is alwayseasier to hack someone than to crack encryption.Widespread use of encryption, however, increasesthe cost of mass surveillance. It can be an effectiveway of containing and restricting mass surveillance,as it increases the cost to whomever is doing thespying, through the need for increased processing,capture and storage of data. Widespread useof encryption could force intelligence agencies likethe NSA or GCHQ to focus on targeted interception,rather than bulk collection. 50 Encryption is becomingincreasingly more widespread after Snowden’srevelations. Yahoo, late to encryption, has finallyturned on encryption as default for connections toits mail client. Both Google and Yahoo have begunencrypting internal links in their network. Widespreaduse of encryption and privacy tools does notjust protect us from the NSA; they also help to mitigatea whole range of cyber security threats, fromespionage to fraud to cyber attacks on activists anddissidents.The wider use of up-to-date free/libre and opensource software. The use of free/libre and opensource software (FLOSS or FOSS) is another wayin which we can increase our cyber security. FLOSSsoftware is open source, which means that thesource code is available for anyone to read. Vulnerabilitiescan be found more easily in open sourcecode than they can in proprietary software. It isharder for malicious actors to purposively insertvulnerabilities (“backdoors”) in FLOSS software.The example of Heartbleed has taught us that thereare not always enough eyes reviewing security-criticalsoftware code, and that human investment insecurity-critical open source software and in opensource code review is needed.We have also identified a common use casewhich highlights the potential benefits of a shift toopen source software: Windows XP. As Microsoftno longer provides security updates, XP users willbe open to thousands of vulnerabilities, the quantityof which will only grow over time. The push tomigrate users off this platform will continue, withgovernments/business (particularly in developingcountries) increasingly adopting FLOSS as an49 At the time of writing, researchers have revealed that there areserious vulnerabilities in the TOR, I2P and TAILS anonymisationtools, but have not revealed the details. Regarding TOR, thisis because of legal concerns, and regarding I2P and TAILS, theresearcher has not fully disclosed the details.50 Schneier, B. (2014, February 10). NSA Surveillance and What To DoAbout It. Presentation at MIT, Cambridge MA, USA, 10 February.bigdata.csail.mit.edu/node/154alternative. 51 GNU/Linux, a FLOSS operating system,can run on old computers and still receivesecurity updates, which are free of charge andshared between new and old systems. GNU/Linuxallows for security updates that are mainly softwarebased, and can mitigate the need for buying newhardware.More explicit focus needs to be placed on vulnerabilitiesin cyber security discourse. Securityresearchers need to be incentivised to disclose vulnerabilitiesin software and hardware to the vendorsinvolved or the users infected, rather than sellingthis information to intelligence agencies, cybercriminals and other malicious actors. An exampleof positive incentivisation may be “bug bounty”programmes, which reward security researcherswith fame, recognition and money for finding anddisclosing vulnerabilities to the software vendorsinvolved. Microsoft, Google, Twitter and many otherbig-tech companies are starting to employ suchprogrammes. As malicious actors may always offermore money for vulnerabilities, it may be necessaryto investigate regulating the market in zero-days. 52This should be done carefully, however, withoutcriminalising security researchers and putting themat risk for doing beneficial work.It is also essential for governments and civilsociety to also be concerned with forever-day vulnerabilities.The use of Windows XP should immediatelycease, and industrial control systems controlling nationalinfrastructures like power grids should beimmediately migrated to systems receiving modernsecurity updates, or firewalled or air-gapped fromthe internet.Cyber security is augmented by strong dataprotection rules. These rules should include requirementsthat companies or organisations encrypt andsecure data, should regulate the sharing of data withthird parties, and should have requirements thatcompanies inform clients and customers when thereare data breaches that have affected their security.Information sharing. The proposed CybersecurityInformation Sharing Act (CISA) in the US requiresprivate sector companies to hand over informationabout cyber threats to the Department of HomelandSecurity: According to The Guardian:51 See en.wikipedia.org/wiki/List_of_Linux_adopters for a list oforganisations who have moved over to Linux, an open sourceoperating system.52 A proposal for such regulation is outlined in Gaycken, S., &Lindner, F. (2012). Zero-Day Governance: an (inexpensive) solutionto the cyber security problem. Paper submitted to Cyber Dialogue2012: What Is Stewardship in Cyberspace?, Toronto, Canada,18-19 March. www.cyberdialogue.citizenlab.org/wp-content/uploads/2012/2012papers/CyberDialogue2012_ga-ycken-lindner.pdf38 / Global Information Society Watch Thematic reports / 39


It is written so broadly it would allow companiesto hand over huge swaths of your data – includingemails and other communications records– to the government with no legal process whatsoever.It would hand intelligence agenciesanother legal authority to potentially secretlyre-interpret and exploit in private to carry outeven more surveillance on the American publicand citizens around the world. And even if youfind out a company violated your privacy byhanding over personal information it shouldn’thave, it would have immunity from lawsuits – aslong as it acted in “good faith”. It could amountto what many are calling a “backdoor wiretap”,where your personal information could end upbeing used for all sorts of purposes that havenothing to do with cybersecurity.Information sharing, while infringing our privacy, isalso a threat to cyber security: as more informationis shared with third parties, it becomes harder tosecure. Furthermore, surveillance is not a solutionto the problems of cyber security, as this report hasshown. If we want to meaningfully talk about interventionsin information sharing and cyber security,then we should talk about vulnerabilities. Ratherthan information about “threats” or about thepersonal lives of internet users being shared, informationabout vulnerabilities that affect our securityneed to be shared with all stakeholders – governments,developers, vendors and internet users – ina responsible manner, so that this information cannotbe hoarded and used to weaken all of our cybersecurity.From digital threat to digital emergencyFieke JansenHivos, the Digital Defenders Partnershipwww.digitaldefenders.orgIntroductionIn recent years there has been a crackdown oninternet freedom and increased targeting of thecommunication of journalists, bloggers, activistsand citizens. During times of social or political crisis,communication lines have been shut down andcritical forms of expression are met with censorship,harassment and arrests. Our communication is undersurveillance, intercepted and collected withoutour knowledge or active consent, and is used for theprofiling of people and spying on networks by governmentsand commercial companies. These actsof censorship and targeted surveillance are underminingour freedom of speech and our basic humanrights, and lead to digital emergencies for thosewho are targeted. In this fast-changing politicaland technological environment there is an urgentneed to understand the risks, protect those criticalinternet users who are being targeted, and exposesurveillance practices.Challenges, threats and digital emergencyThe first time people started uttering the term“digital emergency” was when former Egyptianpresident Hosni Mubarak pulled the internet killswitch during the protests in 2011, leaving Egyptwithout internet communication. 1 However, digitalemergencies are not only related to an internet killswitch: for the Digital Defenders Partnership 2 adigital emergency is an urgent need for assistancearising from digital threats to the security of an individualor organisation. A digital threat can includecyber attacks, vulnerabilities to communicationinfrastructure, unsafe data use, compromising ofdevices, stealing of equipment, legal proceedings1 AlJazeera. (2011, January 28). When Egypt turned offthe internet. AlJazeera. www.aljazeera.com/news/middleeast/2011/01/2011128796164380.html2 Digital Defenders Partnership, a programme that aims to mitigatedigital threats to human rights defenders, bloggers, journalistsand activists in internet repressive and transitional environments.https://digitaldefenders.orgor weak digital security practices. There are threelevels at which to distinguish digital attacks andcommunication surveillance that can lead to a digitalemergency: infrastructure, censoring of contentand profiling of people.InfrastructureCommunication is often referred to as the interactionthat happens between people, a stream of wordswhether they take place on- or offline. Yet very fewof us realise that all digital communication runs ona physical communications infrastructure that consistsof several “layers” made, owned or operatedby different commercial and state entities. The Opensystems interconnection model distinguishes sevendifferent layers in the internet architecture thatrange from the physical layer (e.g. copper and fibreoptical cables) up to the application layer (e.g. httpsand email protocol). 3 Depending on a state’s technicalcapabilities, access to the infrastructure, as wellas to service providers, surveillance and censorshipmethods may differ. In some cases a governmentcan engage in sea-cable tapping, which requiresdirect access to the physical infrastructure layer,or use an application layer exploit, where internetor mobile traffic is monitored through exploiting avulnerability in the transport layer encryption (https),as in the case of Heartbleed. 4 Partial networkinterference, called throttling, is also possible.The fact that infrastructure is made, owned oroperated by different entities makes our communicationvulnerable to censorship and surveillance.Since Mubarak pulled the internet kill switch in2011, other mobile and internet blackouts in Pakistan,Syria and other places have become morevisible. These usually take place in times of military,political or social unrest. 5, 63 https://en.wikipedia.org/wiki/OSI_model4 The Heartbleed bug. heartbleed.com5 Article 19 (2012). Pakistan: Government must stop ‘kill switch’tactics. Statement by Article 19. www.article19.org/resources.php/resource/3422/en/pakistan:-government-must-stop-%27killswitch%27-tactics6 Franceschi-Bicchierai, L. (2013, August 29). Does Syria Have anInternet Kill Switch? Mashable. www.mashable.com/2013/08/29/syria-internet-kill-switch40 / Global Information Society Watch Thematic reports / 41


In April 2014 the Heartbleed vulnerability, a criticalflaw in OpenSSL, was discovered. As one analystput it: “[OpenSSL] is a software which is used tosecure hundreds of thousands of websites, includingmajor sites like Instagram, Yahoo, and Google.This security exploit can give attackers access tosensitive information like logins and passwords,as well as session cookies and possibly SSL keysthat encrypt all traffic to a site.” 7 Other than thesecurity hole there were two major problems withHeartbleed. The first was that the National SecurityAgency (NSA) in the United States knew aboutthis vulnerability for at least two years and used itto intercept communication traffic instead of fixingthis global security problem. 8 Secondly, after thevulnerability was discovered, the bigger internetcompanies fixed the problem quickly while internetcompanies with less security expertise laggedbehind, leaving their clients vulnerable for a longerperiod of time.It is important to realise that Heartbleed is onlyone example of a vulnerability used for monitoringof communication. At the end of 2013 the Germannewspaper Der Spiegel reported on the NSA’s TailoredAccess Operations unit (TAO). Der Spiegeluncovered that TAO has multiple methods to interceptcommunications between people, whichrequired them to install backdoors on, among others,internet exchange points (IXPs), internet serviceproviders (ISPs), modems, computers and mobilephones. To increase the ability to intercept communicationtraffic the NSA chose to compromise thesecurity of the entire internet and mobile infrastructurefor intelligence purposes. 9, 10 Both Heartbleedand Tailored Access Operations are examples of thegovernment using infrastructural vulnerabilities forsurveillance instead of fixing the problem, leavingus all more exposed to exploitation.Censoring of contentStates have different ways to censor content; technicalblocking, search result removal, take-down7 Zhu, Y. (2014, April 8). Why the web needs perfect forward secrecymore than ever. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy8 Riley, M. (2014). NSA said to have used Heartbleed bug forintelligence for years. Bloomberg. www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bugexposing-consumers.html9 Appelbaum, J., Horchert, J., & Stocker, C. (2013, December 29).Shopping for Spy Gear: Catalog Advertises NSA Toolbox. DerSpiegel. www.spiegel.de/international/world/catalog-reveals-nsahas-back-doors-for-numerous-devices-a-940994.html10 Appelbaum, J. (2013). To Protect and Infect: The militarization ofthe internet. Presentation given at the 30C3, Hamburg, Germany,29 December. https://www.youtube.com/watch?v=vILAlhwUgIUof content and induced self-censorship. 11 Technicalblocking can target specific websites, domains orIP addresses, or use keyword blocking which automaticallylooks for specific words and blocks accessto websites where these keywords are found. Governmentcan also request the blocking of specificsearch results. Google’s transparency report states:“Governments ask companies to remove or reviewcontent for many different reasons. For example,some content removals are requested due to allegationsof defamation, while others are due toallegations that the content violates local laws prohibitinghate speech or adult content.” 12 Take-downof content is used when states, companies and otherscan demand the removal of websites or contentthrough the court.However, in the last two years we have seenother ways in which non-state groups use the termsand conditions of social media platforms to takedown content. Syria activists believe that the SyrianCyber Army, a collection of computer hackers whosupport the government of Syrian President Basharal-Assad, 13 is using Facebook’s terms and conditionsto take down content published by the Syrianopposition. Facebook’s community standards areguidelines to protect the community and do notallow content that can be described as graphic content,nudity, bullying and more. 14 If a user believesthat a post on Facebook violates these terms theycan report it as abuse, which is called flagging. TheSyrian Cyber Army is allegedly using this complaintprocedure to flag content which shows humanrights violations by the Syrian regime as inappropriateand graphic content, after which it can betaken down. 15 This is particularly problematic sincethe Syrian opposition moved to social media after acrackdown on the traditional media – and the country’scitizens.There are also cases where a state does not needto have legal jurisdiction over social media sitesto request the take-down of content. In May 2014Twitter censored tweets in Russia and Pakistan. Inthe case of Pakistan, Twitter caved in to pressurefrom the government to censor specific tweets thatwere deemed blasphemous or unethical. In Russia,Twitter took down the content of a Ukrainian11 https://opennet.net/about-filtering12 Google. (2014). Transparency report: Requests to removecontent. https://www.google.com/transparencyreport/removals/government/13 https://en.wikipedia.org/wiki/Syrian_Electronic_Army14 https://www.facebook.com/communitystandards15 Pizzi, M. (2014, February 4). The Syrian Opposition is DisappearingFrom Facebook. The Atlantic. www.theatlantic.com/international/archive/2014/02/the-syrian-opposition-is-disappearing-fromfacebook/283562Twitter account which, according to Eva Galperin ofthe Electronic Frontier Foundation (EFF), is “plainlypolitical… These actions are highly problematic asindependent media in Ukraine is increasingly underattack.” 16 In both countries, Twitter does not haveformal representation and there is no legal jurisdictionover the service, yet still the service providerscomplied with government requests.Profiling of peopleMuch of our behaviour is already leaving digitaltraces – even actions that seem as harmless aswalking down the street. Traffic and surveillancecameras are monitoring us, our mobile phones areregistering our whereabouts every moment of theday and we voluntarily post our private lives on publicproprietary platforms. This might seem innocentat first, but there have been numerous instanceswhere a mobile phone has been used to locatesomeone, and online behaviour and information areused for profiling.During the protests in Ukraine in the beginningof 2014 a collective message was sent to mobilephone users near the scene of violent clashes inKiev: “Dear subscriber, you are registered as aparticipant in a mass riot,” it said. 17 In the end theprotestors toppled the regime of ex-president ViktorYanukovych, yet the records of who was near thesquare still remain. Mobile phone companies havethe capabilities to track and collect the following informationon you through your phone: phone calls,text messages, data services you use, and your approximatelocation, and may share that informationwith the government. A mobile is a goldmine of information:your phone book with all your contactsin it, call history, text messages, locations and previouslocations, data from any application you areusing, and photos and videos. In addition, governmentsand phone companies can see which phonesare close to yours, which other “people” or phonesare in the room.Regimes have also used malignant viruses toprofile political actors and their networks. The mostwell known cases are of the commercial malware16 Galperin, E. (2014, May 21). Twitter steps down from the freespeech party. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2014/05/twitter-steps-down-free-speech-party17 Walker, S., & Grytsenko, O. (2014, January 21). Text messages warnUkraine protesters they are ‘participants in mass riot’; Mobilephone-users near scene of violent clashes in Kiev receive texts inapparent attempt by authorities to quell protests. The Guardian.www.theguardian.com/world/2014/jan/21/ukraine-unrest-textmessages-protesters-mass-riotHacking Team 18 and FinFisher 19 that were – andmight still be – deployed in countries like Ethiopia,Bahrain, Mexico and Turkmenistan. Privacy Internationalpublished one of FinFisher’s brochures, whichstates: “The product is known as FinFisher and isdelivered onto computers, it then harvests informationfrom the computer, from passwords and webbrowsing sessions, to Skype conversations. It caneven switch on a computer’s webcam and microphoneremotely.” 20ChallengesIn mitigating these different threats there are a numberof challenges we have encountered, specificallywhen you approach censorship and communicationssurveillance from a human rights defenders orjournalist perspective.The majority of digital threats are invisible andabstract. While a virus on your computer or phonecan grant someone access to your physical surroundingsby turning on the camera or microphone,we do not see it and therefore the threat remainsabstract. The second challenge is that secure communicationis always a trade-off between securityand convenience. Security measures are seen ascumbersome and a distraction from the prioritiesof the day. When in the trenches, short-term winsand threats are more pressing then the intangiblenature of communications surveillance and longtermexposure – especially when installing andusing certain tools can be more inconvenient andtime consuming than using unsecure communicationmethods.When a digital emergency happens, it is difficultto know where to turn, who to ask for help andhow to solve the problem. Very few organisationshave done work on the prevention of digital emergencies.If we live in an earthquake-affected area,we have flashlights, water and emergency plansready; but even with all the knowledge of differentdigital threats and communication surveillance,similar contingency plans to mitigate digitalthreats are few and far between. If NGOs, humanrights defenders or media organisations recognise18 Marczak, B., Guarnieri, C., Marquis-Boire, M., & Scott-Railton, J.(2014). Hacking Team and the Targeting of Ethiopian Journalists.Toronto: The Citizen Lab. https://citizenlab.org/2014/02/hackingteam-targeting-ethiopian-journalists19 Marquis-Boire, M., Marczak, B., Guarnieri, C. & Scott-Railton,J. (2013). For Their Eyes Only: The Commercialization of DigitalSpying. Toronto: The Citizen Lab. https://citizenlab.org/2013/04/for-their-eyes-only-220 https://www.privacyinternational.org/sii/gamma_group42 / Global Information Society Watch Thematic reports / 43


the problem and want to increase their security,they have few funds to spend on prevention or donot know where to start. There is a lack of technicalknowledge and skills in the human rights andmedia community.and establish some protocols and proceduresin case you are targeted. If you think you are sufferinga digital attack, turn to a trusted technicalexpert or international organisation or make aself-assessment. 22Intermediary liability and state surveillanceHow can you mitigate the threatsand where do you find support?There are a number of ways to be more preparedfor a digital emergency as an individual or organisation.Prevention is key: try to increase the overalldigital security awareness and practices of yourorganisations, 21 establish a relationship with atechnical person you trust and can turn to for immediateadvice, make a thorough threat analysis,21 Tactical Tech Collective and Front Line Defenders, Security in a Boxhttps://securityinabox.org/ and Electronic Frontier Foundation,Surveillance Self-Defense https://ssd.eff.org/riskConclusionThe field of digital emergency support for humanrights defenders, journalists and bloggers aroundthe world is still emergent. The intangible natureand rapidly changing technical environment makesit difficult to mitigate digital threats. It is crucial tounderstand what the different threats are and workon prevention. If you are in the midst of a digitalattack, turn to a trusted technical expert or internationalorganisation for support.22 Digital First Aid Kit digitaldefenders.org/wordpress/launch-ofthe-digital-first-aid-kitor on GitHub https://github.com/RaReNet/DFAKElonnai HickokCentre for Internet and Society (CIS) Indiawww.cis-india.orgIntroductionOn 30 June 2014, The Right to Privacy in the DigitalAge: Report of the Office of the United NationsHigh Commissioner for Human Rights (OHCHR) waspublished. 1 The Report recognises the relationshipbetween service providers and surveillance and theincreasing trend of privatised surveillance, noting:There is strong evidence of a growing relianceby Governments on the private sector to conductand facilitate digital surveillance. On everycontinent, Governments have used both formallegal mechanisms and covert methods to gainaccess to content, as well as to metadata. Thisprocess is increasingly formalized: as telecommunicationsservice provision shifts from thepublic sector to the private sector, there hasbeen a “delegation of law enforcement andquasi-judicial responsibilities to Internet intermediariesunder the guise of ‘self-regulation’ or‘cooperation’”. 2This report will explore how legal requirements,practices and policies pertaining to intermediary liabilityare feeding into this growing trend throughthe incorporation of requirements for intermediariesthat facilitate surveillance. In doing so, thisreport will explore aspects of intermediary liabilitypolicies and practices, and how these pertain to andenable state surveillance. Lastly, the report will lookat gaps that exist in policies pertaining to privacy,surveillance and intermediary liability.Intermediaries and privacyOnline communications, interactions and transactionsare an integral component of our everydaylives. As such, intermediaries – including, thoughnot limited to, search engines, social networks,1 www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf2 Ibid.cyber cafés, and internet and telecommunicationservice providers – play a critical role with respectto user privacy. As individuals utilise intermediaryplatforms on a daily and routine basis, from searchingfor information on the internet, to postingupdates to a social media account, to using voiceover-internet-protocol(VoIP) services to connectwith friends and colleagues, or using the servicesof a cyber café, intermediaries host, retain and haveaccess to vast amounts of personal data of theirusers across the world, irrespective of jurisdiction.In this context, company practices and a country’slegal regulations have a far-reaching impact on therights – specifically privacy and freedom of expression– of both national and foreign users.Intermediaries, governmentsand surveillanceThe Right to Privacy in the Digital Age also notesthat the internet and associated technologies allowgovernments to conduct surveillance on anunprecedented scale. This was highlighted by therevelations by Edward Snowden, which demonstratedthe scope of access that the United States(US) government had to the data held by internetcompanies headquartered in the US. The revelationsalso underscore the precarious position thatcompanies offering these services and technologiesare placed in. Though the scope and quantityof data collected and held by an intermediary varydepending on the type of intermediary, the servicesoffered and the location of its infrastructure, governmentshave recognised the important role ofintermediaries – particularly in their ability to assistwith state surveillance efforts by providing efficientaccess to vast amounts of user data and identifyingpotentially harmful or threatening content. Withinthis, there is a shift from reactive government surveillancethat is based on a request and authorisedorder, to partially privatised surveillance, with companiesidentifying and reporting potential threats,retaining information, and facilitating access tolaw enforcement. Indeed, the OHCHR in the Rightto Privacy in the Digital Age notes that the surveillancerevealed by Snowden was facilitated in part44 / Global Information Society Watch Thematic reports / 45


y “strategic relationships between Governments,regulatory control of privacy companies, and commercialcontracts.” 3Intermediary liability and state surveillanceAs described by the US-based Center for Democracyand Technology, 4 intermediary liability relatesto the legal accountability and responsibility thatis placed on intermediaries with respect to thecontent that is hosted and transmitted via theirnetworks and platforms. Specifically, intermediaryliability addresses the responsibility of companieswith respect to content that is deemed by the governmentand/or private parties to be objectionable,unlawful or harmful. The Center for Democracy andTechnology points out that, depending on the jurisdiction,intermediary liability requirements andprovisions can be used to control illegal contentonline, but also can be misused to control legal contentas well. As described by UK-based Article 19,provisions relating to intermediary liability can bebroken down into three basic models: strict liability,where intermediaries are fully liable for third-partycontent; safe harbour, where intermediaries can beprovided immunity from liability by meeting definedrequirements; and broad immunity, where intermediariesare given immunity for third party content. 5As pointed out by Frank La Rue in the Report of theSpecial Rapporteur on the promotion and protectionof the right to freedom of opinion and expression,legal frameworks that hold intermediaries (ratherthan the individual) liable for content, transfer therole of monitoring the internet to the intermediary. 6Some jurisdictions do not have specific legal provisionsaddressing intermediary liability, but do issuecourt or executive orders to intermediaries for therestriction of content, as well as placing obligations– including technical obligations – on service providersvia operating licences.Legal provisions and orders pertaining to intermediaryliability are not always limited toremoving or disabling pre-defined or specifiedcontent. Requests for the removal of content canbe accompanied with requests for user information– including IP address and basic subscriberinformation. Some jurisdictions, such as India, have3 Ibid.4 https://cdt.org5 Article 19. (2013). Internet Intermediaries: Dilemma of liability.London: Article 19. www.article19.org/data/files/Intermediaries_ENGLISH.pdf6 Frank La Rue, Report of the Special Rapporteur on the promotionand protection of the right to freedom of opinion and expression,United Nations General Assembly, 17 April 2013. www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdfincorporated retention mandates for removed contentand associated information in legal provisionsaddressing intermediary liability. 7 Other jurisdictions,like China, require service providers to havetracking software installed on their networks, collectand retain user identification details, monitorand store user activity, report illegal activity to lawenforcement, and have in place filtering software torestrict access to banned websites. 8Some jurisdictions are also recognising thatthe traditional means of seeking information fromintermediaries are inefficient and often slow – particularlyif the intermediary is foreign, and accessinginformation requires the government to follow aMutual Legal Assistance Treaty (MLAT) process. 9Perhaps in response to challenges posed byjurisdiction, some governments have sought “collaborations”with intermediaries to restrict illegaland offensive speech as well as identify perpetratorsof the same. For example, in 2007 in India, theMumbai Police negotiated with Google to establisha “direct line of contact” 10 with the company, which,according to news items, would allow access to IPaddresses of users posting “objectionable” contenton Google’s social networking site, Orkut. 11 Suchcollaborations combine elements of intermediary liabilityand surveillance, and can be prone to misuseif they lack apparent oversight, legislative groundingor accountability. In this context, intermediaryliability is not only about content online, but alsoencompasses the collection and disclosure of dataassociated with that content and of users producingand viewing such content.7 The Information Technology (Intermediaries Guidelines) Rules,2011, Rule 3(4). deity.gov.in/sites/upload_files/dit/files/GSR314E_10511(1).pdf8 Frydnamm, B., Hennebel, L., & Lewkowicz, G. (2007). PublicStrategies for Internet Co-Regulation in the United States, Europe,and China. Brussels: Université Libre de Bruxelles. www.philodroit.be/IMG/pdf/BF-LH-GL-WP2007-6.pdf9 Mutual Legal Assistance Treaties are formal agreements reachedbetween governments to facilitate cooperation in solving andresponding to crimes. A critique of the MLAT process has beenthat it is slow and inefficient, making it a sub-optimal choice forgovernments when faced with crimes that demand immediateresponse. For more information see: Kindle, B. (2012, February 14).MLATS are powerful weapons in financial crime combat, even forprivate sector. Association of Certified Financial Crime Specialists.www.acfcs.org/mlats-are-powerful-weapons-in-counter-financialcrime-combat-even-for-private-sectorSome intermediaries, suchas Facebook, have specified that foreign governments seeking useraccount data must do so through the MLAT process or letters ofrogatory. For more information see: https://en-gb.facebook.com/safety/groups/law/guidelines10 Pahwa, N. (2007, March 14). Updated: Orkut to Share OffenderData With Mumbai Police; Google’s Clarification. Gigaom. gigaom.com/2007/03/14/419-updated-orkut-to-share-offender-data-withmumbai-police-googles-clarifi11 Chowdhury, S. (2014, July 30). Mumbai Police tie up with Orkut tonail offenders. The Indian Express. archive.indianexpress.com/news/mumbai-police-tie-up-with-orkut-to-nail-offenders/25427Types of content and surveillance measuresCertain types of content – namely child pornography/adultcontent, national/cyber security andcopyright – can attract greater obligations on the intermediaryto proactively facilitate surveillance andin some cases take on the role of law enforcement orthe judiciary. The degree to which such obligationsare backed by legal provisions varies and can rangefrom statutory requirements, to policy initiatives,to forms of collaboration between governments, intermediaries,and self-regulatory organisation. Thetypes of obligations and measures also vary.Reporting of illegal content: Some of thesemeasures are focused on the reporting of illegalor prohibited content. For example, in the US, bylaw, service providers must report to law enforcementany and all information with regards to childpornography. This is mandated by the Protection ofChildren from Sexual Predators Act, 1998. 12 Similarly,in India, under the rules defining proceduralsafeguards for intermediary liability, intermediariesmust report cyber security incidents and sharerelated information with the Indian Computer EmergencyResponse Team. 13Voluntary disclosure of illegal content andactivity: Other measures support the voluntary disclosureof identified illegal content and activity andassociated information to law enforcement. For example,under the 2002 Cyber Security EnhancementAct in the US, law enforcement can encourage serviceproviders to reveal information pertaining to an“emergency matter”. The Act further provides theservice provider immunity from legal action if the disclosurewas made in good faith with the belief thatit was a matter of death or serious physical injury. 14Databases of repeat offenders: Requirementsthat governments are seeking to impose on serviceproviders may also directly conflict with theirobligations under national data protection standards.For example, in the context of proposedlegal requirements for identifying and preventingcopyright offenders under the UK Digital EconomyAct, in a public statement, the service provider Talk-Talk noted that the company would be required tomaintain a database of repeat offenders – an actionthat might be illegal under the UK Data ProtectionAct. 15 As of July 2014, service providers, rights hold-12 Frydnamm, B., Hennebel, L., & Lewkowicz, G. (2007). Op. cit.13 Information Technology (Intermediaries Guidelines) Rules 2011, Rule9. deity.gov.in/sites/upload_files/dit/files/GSR314E_10511(1).pdf14 Frydnamm, B., Hennebel, L., & Lewkowicz, G. (2007). Op. cit.15 Jackson, M. (2014, July 19). Update: UK ISPs Agree VoluntaryInternet Piracy Warning Letters Scheme. ISPreview. www.ispreview.co.uk/index.php/2014/07/big-uk-isps-agree-voluntary-internetpiracy-warning-letters-scheme.htmlers and the government have developed a form ofcollaboration where rights holders will “track” theIP addresses of suspected offenders. The addresseswill be shared with the applicable UK service provider,who will then send a series of warning noticesto the user. 16 This system is potentially dangerousas it allows for proactive monitoring of individuals’IP addresses by private parties (the rights holders)and then subsequent action by another privateentity (the service provider). At no point does thissystem define or envision safeguards, accountabilityor oversight mechanisms. 17Measures that facilitate surveillance: Otherrequirements do not directly impose surveillanceobligations on service providers, but can facilitatesurveillance. For example, in the UK, service providersmust now offer broadband filters for “adultcontent” automatically switched on. Users who donot wish to have the filter on are required to “optout” of the filter. 18 These measures can make it easyto track and identify which user is potentially viewing“adult content”.Types of intermediariesand surveillance measuresDepending on services offered and jurisdiction, intermediariescan be subject to differing types andscopes of surveillance requirements. For example:Cyber cafés: In jurisdictions like India, 19 cybercafés are faced with legal requirements that canfacilitate surveillance – such as the collection andretention of government-issued user identification,retention of user’s browser history, and provision ofassistance to law enforcement and other authoritieswhen required. Cyber cafés are also strictly subjectto the laws of the jurisdiction of operation.Service providers: Similarly, service providers,even when multinational, must abide by the lawswhere they are operating. Unlike intermediariessuch as multinational social networks or searchengines, service providers are subject to the requirementsfound in operating licences that pertain tointermediary liability and surveillance. For example,in India, internet and telecommunication serviceproviders are required to take “necessary measuresto prevent objectionable, obscene, unauthorised,16 Ibid.17 Jackson, M. (2013, August 9). UK Government to Finally RepealISP Website Blocking Powers. ISPreview. www.ispreview.co.uk/index.php/2013/08/uk-government-to-finally-repeal-isp-websiteblocking-powers.html18 Miller, J. (2014, July 23). New broadband users shun UK porn filters,Ofcom finds. BBC. www.bbc.com/news/technology-2844006719 Information Technology (Guidelines for Cyber Cafe) Rules 2011,Rule 4, Rule 5, Rule 7. ddpolice.gov.in/downloads/miscelleneous/cyber-cafe-rules.pdf46 / Global Information Society Watch Thematic reports / 47


or any other content, messages, or communicationsinfringing copyright, intellectual property etc. inany form, from being carried on [their] network, consistentwith the established laws of the country.”Furthermore, if specific instances of infringementare reported by enforcement agencies, the serviceprovider must disable the content immediately. 20 Inthe case of India, requirements for the provision oftechnical assistance in surveillance and retention ofcall detail records 21 and subscriber information arealso included in the operating licences for serviceproviders. 22Social networks: Social networks such asLinkedIn, Facebook and Twitter – which are oftenmultinational companies – are not necessarily subjectto the legal intermediary liability requirementsof multiple jurisdictions, but they are frequentlyfaced with requests and orders for user informationand removal of content requests. To address thesepressures, some companies filter content on a countrybasis. In June 2014 LinkedIn was criticised in themedia for complying with orders from the Chinesegovernment and filtering content in the region. 23Similarly, Twitter was criticised by civil society forwithholding content in Russia and Pakistan in May2014, though in June 2014 the company reversedits decision and reinstated the withheld content. 24Social media platforms are also frequently and increasinglyused by law enforcement and the statefor collecting “open source intelligence”. 2520 Licence Agreement for Provision of Unified Access Services AfterMigration from CMTS, Section 40.3. www.auspi.in/policies/UASL.pdf21 Call record details consist of information about a subscriber’suse of mobile and broadband networks and can include: callednumbers, subscriber name and address, date and time of the startand end of a communication, type of service used (SMS, etc.),international mobile subscriber identity, international mobileequipment identity, location details. For more information see:Afentis Forensics, “Telephone Evidence: Mobile telephone forensicexaminations, Billing Records, Cell Site Analysis”. afentis.com/telephone-evidence22 Licence Agreement for Provision of Unified Access Services AfterMigration from CMTS, Section 41.10. www.auspi.in/policies/UASL.pdf23 Mozur, P. (2014, June 4). LinkedIn Said it Would Censor in China.Now That It Is, Some Users are Unhappy. The Wall Street Journal.blogs.wsj.com/chinarealtime/2014/06/04/linkedin-said-it-wouldcensor-in-china-now-it-is-and-some-users-are-unhappy24 Galperin, E., & York, J. (2014, June 23). Twitter Reverses Decisionto Censor Content in Pakistan. Electronic Frontier Foundation.https://www.eff.org/deeplinks/2014/06/twitter-reversesdecision-censor-content-pakistan25 Open source intelligence has been widely recognised as anessential tool for law enforcement and security agencies. Opensource intelligence is derived from information that is publiclyavailable from sources such as the internet, traditional media,journals, photos, and geospatial information. For more informationsee: Central Intelligence Agency. (2010, July 23). INTellingence:Open Source Intelligence. Central Intelligence Agency. https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-archive/open-source-intelligence.htmlTechnology, intermediary liabilityand state surveillanceWhen intermediaries implement legal requirementsfor the blocking or filtering of content, they do so byemploying different techniques and technologiessuch as key word filtering software, firewalls, imagescanning, URL databases, technologies that enabledeep packet inspection, etc. 26 Similarly, complyingwith legal mandates for interception or monitoringof communications also requires intermediaries toinstall and use technology on their networks. Aspointed out by La Rue, technologies used for filteringalso facilitate monitoring and surveillance asthey have the ability to identify and track words,images, websites and types of content, as well asidentify individuals using, producing or associatedwith the same. 27 For example, YouTube offers copyrightholders the option of YouTube’s “Content ID”system to manage and identify their content on theplatform. Actions that copyright owners can choosefrom include muting audio that matches the musicof copyrighted material, blocking a video from beingviewed, running ads against a video, and trackingthe viewer statistics of the video. These options canbe implemented at a country-specific level. 28Removing the service providerfrom surveillanceWhile some governments are placing obligationson intermediaries to assist with surveillance, othergovernments are removing such obligations fromservice providers through surveillance measuresthat seek to bypass service providers and allowgovernments and security agencies to directly interceptand access information on communicationnetworks, or measures that require service providersto allow security agencies a direct line intotheir networks. For example, India is in the processof implementing the Central Monitoring System,which is envisioned to allow security agencies todirectly intercept communications without the assistanceof service providers. Though this systemremoves obligations on service providers to assistand be involved in specific instances of surveillance,it also removes a potential safeguard – where26 Bloxx. (n/d). Whitepaper: Understanding Web FilteringTechnologies. www.bloxx.com/downloads/US/bloxx_whitepaper_webfilter_us.pdf27 Frank La Rue, Report of the Special Rapporteur on the promotionand protection of the right to freedom of opinion and expression,United Nations General Assembly, 17 April 2013. www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf28 YouTube, “How Content ID Works”. https://support.google.com/youtube/answer/2797370?hl=enservice providers can challenge or question extralegalor informal requests for surveillance. In the2014 Vodafone Law Enforcement Disclosure Report,the company notes that in select countries,law enforcement and authorities have direct accessto communications stored on networks. 29The question of jurisdictionJurisdiction and the applicability of local law is atension that arises in the context of intermediaryliability and surveillance. Some facets of this tensioninclude: to what extent do legal restrictionson content apply to multinational platforms operatingin a country? To what extent can states accessthe communications passing or being stored in itsterritory? And to what extent do domestic protectionsof fundamental rights – including freedomof expression and privacy – apply to foreigners aswell as nationals? The OHCHR in The Right to Privacyin the Digital Age shed some light on thesequestions, drawing upon a number of internationalinstruments and firmly asserting that any interferencewith the right to privacy must comply with theprinciples of legality, proportionality and necessity,regardless of the nationality or location of theindividual. 30 Tensions around mass surveillance offoreign citizens and political leaders, and a lack oflegal constructs domestically and internationallyto address these tensions, have led to questionsof direction and the future of internet governance– discussed at forums like NETmundial, whereprinciples relating to surveillance and intermediaryliability were raised. 31 Similarly, in March2014, the US announced plans to relinquish theresponsibility of overseeing the body tasked withregulating internet codes and numbering systems.This move has raised concerns about a backlashthat could result in the division and separationof the internet, facilitating mass surveillance andcontent control. 3229 www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html30 Report of the Office of the United Nations High Commissioner forHuman Rights: The Right to Privacy in the Digital Age, 30 June2014. www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf31 Powles, J. (2014, April 28). Big Business was the winnerat NETmundial. wired.co.uk. www.wired.co.uk/news/archive/2014-04/28/internet-diplomacy-netmundial32 Kelion, L. (2014, April 23). Future of the Internet Debatedat NetMundial in Brazil. BBC. www.bbc.com/news/technology-27108869State surveillance and intermediaryliability: The impact on the user and the roleof the companyGovernment-initiated content restrictions and surveillanceof individuals’ online communications,transactions and interactions have widely been recognisedas having a negative impact on users’ rightto privacy and a chilling effect on freedom of speech.Depending on the target and reasons, such actionsby governments can have deeper human rightsimplications – if, for example, dissenting voices, activistsand journalists are targeted. The gravity andclear human rights implications of actions relatedto intermediary liability and surveillance highlightthe complexity of these issues. Numerous cases existof individuals being identified and persecutedfor speech shared or communicated online, and theidentification of these individuals being facilitatedby internet companies. For example, Yahoo! hasbeen heavily criticised in the international mediafor providing the Chinese government in 2006 withuser account details and the content of communicationsof political dissident and journalist Shi Tao– allowing police to identify and locate Shi and subsequentlyimprison him for ten years. 33 Instancessuch as the Shi Tao case demonstrate the complexityof issues related to intermediary liability andsurveillance and raise questions about reasonableexpectations regarding internet company practicesand responses (particularly multinational companies),adequate national legislation, internationalguidelines, and appropriate public response. As notedin The Right to Privacy in the Digital Age, “theGuiding Principles on Business and Human Rights,endorsed by the Human Rights Council in 2011,provide a global standard for preventing and addressingadverse effects on human rights linked tobusiness activity. The responsibility to respect humanrights applies throughout a company’s globaloperations regardless of where its users are located,and exists independently of whether the Statemeets its own human rights obligations.” This is ahigh standard that intermediaries must adhere to.Some companies such as Google, 34 Facebook, 3533 MacKinnon, R. (2007). Shi Tao, Yahoo!, and the lessons forcorporate social responsibility. rconversation.blogs.com/YahooShiTaoLessons.pdf34 Google Transparency Report. www.google.com/transparencyreport35 Facebook Global Government Requests Report. https://www.facebook.com/about/government_requests48 / Global Information Society Watch Thematic reports / 49


Twitter, 36 Vodafone, 37 Microsoft, 38 Yahoo 39 and Verizon40 have begun to shed light on the amount ofsurveillance and content requests that they are subjectto through transparency reports. Companieslike Vodafone, 41 Facebook 42 and Twitter 43 also havepolicies in place for addressing requests from lawenforcement.ConclusionsAs demonstrated above, there is significant overlapbetween intermediary liability, privacy and surveillance.Yet jurisdictions have addressed these issuesseparately – often having independent legislationfor data protection/privacy, intermediary liabilityand surveillance. The result is that the present legalframeworks for intermediary liability, privacyand surveillance are governed by models thatdo not necessarily “speak to each other”. When36 Twitter Transparency Report. https://transparency.twitter.com37 Vodafone Disclosure to Law Enforcement Report. www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html38 Microsoft’s Law Enforcement Request Report. www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency39 Yahoo Transparency Report. https://transparency.yahoo.com40 Verizon’s Transparency Report for the first half of 2014.transparency.verizon.com41 Vodafone, Human Rights and Law Enforcement: An Overview ofVodafone’s policy on privacy, human rights, and law enforcementassistance. www.vodafone.com/content/index/about/about-us/privacy/human_rights.html42 Facebook, Information for Law Enforcement. https://www.facebook.com/safety/groups/law/guidelines/43 Twitter Guidelines for Law Enforcement. https://support.twitter.com/articles/41949-guidelines-for-law-enforcementrequirements that facilitate surveillance are embeddedin provisions and practices pertaining tointermediary liability, there is a risk that these requirementscan omit key safeguards to surveillancethat have been recognised as critical at the internationallevel, including necessity, proportionality,legality and legitimate aim. As La Rue stressed, andas emphasised in other international reports andforums, there is a need for governments to review,update and strengthen laws and legal standardsaddressing state surveillance. Ideally such a reviewwould also include legal standards for intermediaryliability.Where multi-stakeholder 44 and multilateral 45dialogues are resulting in incremental and slowprogress, some decisions by the Court of Justice ofthe European Union and European Parliament arecalling attention and efforts to the issue. 4644 Powles, J. (2014, April 28). Op. cit.45 RT. (2013, October 26). Germany, Brazil enlist 19 more countriesfor anti-NSA UN resolution. RT. rt.com/news/nsa-un-resolutiontalks-78846 Powles, J. (2014, April 28). Op. cit.Unmasking the Five Eyes’ global surveillance practices 1Carly Nyst and Anna CrowePrivacy Internationalcarly@privacy.org, annac@privacyinternational.orgThe revelations1 of the last year – made possible byNSA-whistleblower Edward Snowden – on the reachand scope of global surveillance practices haveprompted a fundamental re-examination of the roleof intelligence services in conducting coordinatedcross-border surveillance. The Five Eyes alliance –comprised of the United States National SecurityAgency (NSA), the United Kingdom’s GovernmentCommunications Headquarters (GCHQ), Canada’sCommunications Security Establishment Canada(CSEC), the Australian Signals Directorate (ASD),and New Zealand’s Government CommunicationsSecurity Bureau (GCSB) – is the continuation of anintelligence partnership formed in the aftermathof the Second World War. The patchwork of secretspying programmes and intelligence-sharing agreementsimplemented by parties to the Five Eyesarrangement constitutes an integrated global surveillancearrangement that now covers the majorityof the world’s communications. Operating in theshadows and misleading the public, the Five Eyesagencies boast in secret how they “have adapted ininnovative and creative ways that have led some todescribe the current day as ‘the golden age of SI-GINT [signals intelligence]’.” 2This report summarises the state of understandingabout the Five Eyes global domination ofcommunications networks, and explains the mostconcerning surveillance capabilities developed bythe intelligence agencies. It also explores the implicationsof expanded surveillance powers for therights to privacy and free expression, and the freeflow of information and ideas throughout globalcommunications networks. Finally, it canvassessome of the ways that Privacy International is seek-1 This paper is based substantially on “Eyes Wide Open”, a reportpublished by Privacy International in November 2013, available at:https://www.privacyinternational.org/reports/eyes-wide-open2 NSA SIGINT Strategy, 23 February 2012, available at: www.nytimes.com/interactive/2013/11/23/us/politics/23nsa-sigint-strategydocument.html?ref=politics&gwh=5E154810A5FB56B3E9AF98DF667AE3C8ing to unpick the Five Eyes alliance and argues forthe restoration of privacy and security in digitalcommunications.The Five EyesBeginning in 1946, an alliance of five countries(the US, the UK, Australia, Canada and New Zealand)developed a series of bilateral agreementsover more than a decade that became known asthe UKUSA (pronounced yew-kew-zah) agreement.This established the “Five Eyes” alliance for thepurpose of sharing intelligence, but primarily signalsintelligence (hereafter “SIGINT”). The closerelationship between the five states is evidenced bydocuments recently released by Snowden. Almostall of the documents include the classification “TOPSECRET//COMINT//REL TO USA, AUS, CAN, GBR,NZL” or “TOP SECRET//COMINT//REL TO USA,FVEY”. These classification markings indicate thematerial is top-secret communications intelligence(aka SIGINT) material that can be released to theUS, Australia, Canada, UK and New Zealand. Notablywhile other alliances and coalitions exist, suchas the North Atlantic Treaty Organization, none ofthe documents that have thus far been made publicrefer to any of these arrangements, suggesting theFive Eyes alliance is the preeminent SIGINT collectionalliance.The Five Eyes agencies are playing a dirty game.They have found ways to infiltrate all aspects ofmodern communications networks: forcing companiesto hand over their customers’ data under secretorders, and secretly tapping fibre optic cables betweenthe same companies’ data centres anyway;accessing sensitive financial data through SWIFT,the world’s financial messaging system; spendingyears negotiating an international agreement toregulate access to the data through a democraticand accountable process, and then hacking the networksto get direct access; threatening politicianswith trumped-up threats of impending cyber warwhile conducting intrusion operations that weakenthe security of networks globally; and sabotagingencryption standards and standards bodies, therebyundermining the ability of internet users tosecure information.50 / Global Information Society Watch Thematic reports / 51


The Five Eyes is a close-knit group. The levelof cooperation under the UKUSA agreement isso complete that “the national product is oftenindistinguishable.” 3 This has resulted in formerintelligence officials explaining that the close-knitcooperation that exists under the UKUSA agreementmeans “that SIGINT customers in both capitalsseldom know which country generated either theaccess or the product itself.” 4 In addition to fluidlysharing collected SIGINT, it is understood that manyintelligence facilities run by the respective Five Eyescountries are jointly operated, even jointly staffed,by members of the intelligence agencies of FiveEyes countries. Each facility collects SIGINT, whichcan then be shared with the other Five Eyes states.Code-named programmes that have been revealedto the public over the last decade go someway to illustrating how the Five Eyes alliance collaborateson specific programmes of activity andhow information is shared. One important exampleis the TEMPORA programme, revealed by Snowden.By placing taps at key undersea fibre-optic cablelanding stations, the programme is able to intercepta significant portion of the communications that traversethe UK. The Guardian has reported that 300analysts from GCHQ and 250 from the NSA weredirectly assigned to examine material collected. 5TEMPORA stores content for three days and metadatafor 30 days.Once content and data are collected, they canbe filtered. The precise nature of GCHQ’s filtersremains secret. Filters could be applied based ontype of traffic (e.g. Skype, Facebook, email), origin/destination of traffic, or to conduct basic keywordsearches, among many other purposes. Reportedly,approximately 40,000 search terms have been chosenand applied by GCHQ, and another 31,000 by theNSA to information collected via TEMPORA. GCHQhave had staff examining collected material sincethe project’s inception in 2008, with NSA analystsbrought to trial runs of the technology in summer2011. Full access was provided to NSA by autumn2011. An additional 850,000 NSA employees andUS private contractors with top-secret clearance3 Aldrich, R. (2004). Transatlantic intelligence and securitycooperation. International Affairs, 80(4), 731-753. www2.warwick.ac.uk/fac/soc/pais/people/aldrich/publications/inta80_4_08_aldrich.pdf4 Lander, S. (2007). International intelligence cooperation: An insideperspective. Cambridge Review of International Affairs, 17(3), p.487.5 The Guardian quotes an internal GCHQ report that claims“GCHQ and NSA avoid processing the same data twice andproactively seek to converge technical solutions and processingarchitectures.” It was additionally reported that the NSA providedGCHQ with the technology necessary to sift through the materialcollected.reportedly also have access to GCHQ databases.GCHQ received £100 million (USD 160 million) in secretNSA funding over the last three years to assistin the running of this project. 6A core programme that provides filtering capabilityis known as XKEYSCORE. It has beendescribed by internal NSA presentations as an“analytic framework” which enables a single searchto query a “3-day rolling buffer” of “all unfiltereddata” stored at 150 global sites on 700 databaseservers. 7 The NSA XKEYSCORE system has sites thatappear in Five Eyes countries. 8 The system indexesemail addresses, file names, IP addresses and portnumbers, cookies, webmail and chat usernamesand buddylists, phone numbers, and metadata fromweb browsing sessions including searches queried,among many other types of data that flow throughtheir collection points.While UKUSA is often reported as having createda “no spy pact” between Five Eyes states,there is little in the original declassified documentsfrom the 1940s and 1950s to support such a notion.Crucially, first and foremost, no clause exists thatattempts in any form to create such an obligation.As best as can be ascertained, it seems there is noprohibition on intelligence gathering by Five Eyesstates with respect to the citizens or residents ofother Five Eyes states. There is instead, it seems,a general understanding that citizens will not bedirectly targeted, and where communications areincidentally intercepted, there will be an effort tominimise the use and analysis thereof by the interceptingstate. Outside the Five Eyes, everyone elseis fair game, even if they have a separate intelligence-sharingagreement with one or several FiveEyes members. 9The rights implicationsThe world has changed dramatically since the1940s; then, private documents were stored in filingcabinets under lock and key, and months could passwithout one having the need or luxury of making aninternational phone call. Now, private documentsare stored in unknown data centres around the6 MacAskill, E. (2013, November 2). Portrait of the NSA: no detailtoo small in quest for total surveillance. The Guardian. www.theguardian.com/world/2013/nov/02/nsa-portrait-totalsurveillance7 The Guardian (2013, July 31). XKeyscore presentation from 2008.www.theguardian.com/world/interactive/2013/jul/31/nsaxkeyscore-program-full-presentation8 Ibid., p. 5.9 Poitras, L. et al. (2013, July 1). How the NSA targets Germanand Europe. Spiegel Online. www.spiegel.de/international/world/secret-documents-nsa-targeted-germany-and-eubuildings-a-908609.htmlworld, international communications are conducteddaily, and our lives are lived – ideas exchanged, financialtransactions conducted, intimate momentsshared – online.With the advent of the internet and new digitalforms of communication, now most digital communicationstake the fastest and cheapest routeto their destination, rather than the most direct.This infrastructure means that the sender has noability to choose, nor immediate knowledge of, theroute that their communication will take. This shiftin communications infrastructure means that communicationstravel through many more countries,are stored in a variety of countries (particularlythrough the growing popularity of cloud computing)and are thus vulnerable to interception by multipleintelligence agencies. From their bases within theterritory of each country, each Five Eyes intelligenceagency collects and analyses communications thattraverse their territory and beyond.An analysis of the legal provisions in each of theFive Eyes countries reveals that they fall far shortof describing the fluid and integrated intelligencesharingactivities that take place under the ambit ofthe Five Eyes arrangement with sufficient clarity anddetail to ensure that individuals can foresee theirapplication. 10 None of the domestic legal regimesset out the circumstances in which intelligenceauthorities can obtain, store and transfer nationals’or residents’ private communication and otherinformation that are intercepted by another FiveEyes agency, nor the circumstances in which any ofthe Five Eyes states can request the interception ofcommunications by another party to the alliance.The same applies to obtaining private informationsuch as emails, web histories, etc., held by internetand other telecommunication companies. Carefullyconstructed legal frameworks provide differinglevels of protections for internal versus externalcommunications, or those relating to nationals versusnon-nationals.The Five Eyes agencies are seeking not only todefeat the spirit and purpose of international humanrights instruments, they are in direct violation oftheir obligations under such instruments. The rightto privacy is an internationally recognised right. 11The way the global communications infrastructureis built requires that the right to privacy of commu-10 Privacy International. (2013). Eyes Wide Open. https://www.privacyinternational.org/reports/eyes-wide-open11 Article 17 (1) of the International Covenant on Civil and PoliticalRights provides: “No one shall be subjected to arbitraryor unlawful interference with his privacy, family, home orcorrespondence, nor to unlawful attacks on his honour andreputation.”nications be exercised globally, as communicationscan be monitored in a place far from the locationof the individual to whom they belong. When anindividual sends a letter, email or text message, ormakes a phone call, that communication leaves theirphysical proximity, and travels to its destination.In the course of its transmission the communicationmay pass through multiple other states and,therefore, multiple jurisdictions. The right to privacyof the communication remains intact, subjectonly to the permissible limitations set out underhuman rights law. Accordingly, whenever Five Eyescountries interfere with the communication of anindividual, thus infringing upon their privacy, theyinvoke jurisdiction over that individual, and have tocomply with human rights obligations accordingly.The practice of mass surveillance detailed in theSnowden documents is contrary to internationallaw. The Special Rapporteur on the promotion andprotection of the right to freedom of expressionand opinion, for example, has described the invasivenessof mass interception of fibre-optic cables:“By placing taps on the fibre optic cables, throughwhich the majority of digital communication informationflows, and applying word, voice and speechrecognition, States can achieve almost completecontrol of tele- and online communications.” 12The Special Rapporteur reasons that “[m]assinterception technology eradicates any considerationsof proportionality, enabling indiscriminatesurveillance. It enables the State to copy and monitorevery single act of communication in a particularcountry or area, without gaining authorization foreach individual case of interception.” 13Taking actionThe intelligence agencies of the Five Eyes countriesconduct some of the most important, complexand far-reaching activities of any state agency, andthey do so behind the justification of a thicket ofconvoluted and obfuscated legal and regulatoryframeworks. The laws and agreements that make upthe Five Eyes arrangement and apply it to domesticcontexts lack any semblance of the clarity or accessibilitynecessary to ensure that the individualswhose rights and interests are affected by them areable to understand their application. Their actionshave been justified in secret, on the basis of secretinterpretations of international law and classified12 Report of the Special Rapporteur on the promotion and protectionof the right to freedom of expression and opinion, Frank La Rue, 17April 2013, A/HRC/23/40, para. 38. www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf13 Ibid., para. 62.52 / Global Information Society Watch Thematic reports / 53


agreements. By remaining in the shadows, our intelligenceagencies – and the governments who controlthem – have removed our ability to challenge theiractions and their impact upon our human rights. Wecannot hold our governments accountable whentheir actions are obfuscated through secret dealsand covert legal frameworks. Secret, convoluted orobfuscated law can never be considered law withina democratic society governed by the rule of law.We must move towards an understanding ofglobal surveillance practices as fundamentally opposedto the rule of law and to the well-establishedinternational human right to privacy. In doing so, wemust break down legal frameworks that obscure theactivities of the intelligence agencies or that preferencethe citizens or residents of Five Eyes countriesover the global internet population. Trust must berestored, and our intelligence agencies must bebrought under the rule of law. Transparency aroundand accountability for secret agreements is a crucialfirst step.Privacy International has spent the last year tryingto unpick the Five Eyes alliance. We have sentfreedom of information requests to intelligenceagencies in each of the five countries, seeking accessto the secret agreements that govern the FiveEyes. We have brought legal cases against Britain’sGCHQ for mass surveillance and hacking activities,and have sought avenues to take similar complaintsin other jurisdictions. We filed a complaint underthe OECD Guidelines for Multinational Enterprisesagainst the seven telecommunications companiesfacilitating UK interception of fibre-optic cables. Wehave written to the Australian Inspector-General ofIntelligence and Security asking her to commencean investigation into the ASD, and to the US TreasuryDepartment and to every data protectionauthority in Europe seeking an investigation intothe SWIFT hacking.Now we are calling for the UN to appoint a SpecialRapporteur on the right to privacy, to ensurethat privacy and surveillance issues stay high on theagenda in the Human Rights Council. Support ourwork here: www.privacyinternational.org.Country reports54 / Global Information Society Watch Introduction / 55


Slaying the monsterThe country reports gathered here have been writtenat a critical time: new threats of terrorism incountries such as Kenya, the intensification of regionalconflicts and wars, the economic isolationof Russia, and a drift towards authoritarianism inmany states. Alarming parallels in Japan are madebetween the rise of totalitarianism ahead of WorldWar II and what is happening now in that country;and there is a sense many have that regional conflictsmight spin even more out of control.At the centre of this is the need for governmentsto control their futures, and to maintain power oversituations that threaten to become ungovernable.One way they do this is through surveillance. Thismakes these country reports – and the thematic reportsthat you have just read – highly political. Theycome in the wake of WikiLeaks revelations, and EdwardSnowden’s public exposure of United States(US) spying and the so-called “Five Eyes network”,linking some of the most powerful countries in aglobal surveillance programme. They reinforce theidea that human rights are under threat globally.Common to most of the country reports publishedhere is that states – frequently with thecooperation of business – are acting illegally:their actions are neither in line with national constitutionalrequirements, nor with a progressiveinterpretation of global human rights standards.While many profess to be standard bearers of democracy,they are in fact acting illegitimately – theyno longer carry the mantle of public good or operatein the best interests of their citizens that havevoted them into power. For instance, in South Korea,“Communications surveillance, in particular, whichhas insufficient legal control given the rapid developmentof the internet and mobile technologies,has largely extended the power of the police andthe intelligence agency beyond the law.”Despite the media attention that Snowden’s revelationsreceived, the public at large remains numbto the problems of surveillance, through ignorance,or, in some instances, complicity. In Turkey, “If youdo nothing wrong, if you have no illegal business,don’t be afraid of wiretapping,” a government ministersaid there.This attitude of “only bad people should worry”completely misses the point of mass surveillance: itis ubiquitous, widespread, and involves everyone,whether or not you are a “threat to the state”, orengaged in criminal activities. This includes legislationallowing authorities to bug an entire room, andcapture the conversations of innocent bystanders,or to monitor the public en masse if there is a potentialthat a suspect happens to be amongst thatpublic.Moreover, as numerous reports point out, definingwho is or is not a “threat to the state” isobviously a slippery concept, and depends on theregime in power, democratically elected or not. Today’sfriend is tomorrow’s enemy. In Pakistan, in thewords of the chairperson of Aware Girls:I was shocked when I was told that I and mysocial media communications had been undersurveillance for last three years... In my communicationwith the agencies it was clear that mywork for peace and human rights was seen as“anti-state”, and I was seen as an enemy ratherthan an activist.And for those who imagine a benign governmentonly interested in their welfare, Syria shows how,during a national strike, even the children and familiesof striking union members were surveilled:Firstly, the police acquired all the mobile communicationrecords of union members and theirfamilies, including schoolchildren, and trackedthe real-time location of their mobile phones– the mobile service providers had offered toprovide this at ten-minute intervals for severalmonths.In fact surveillance can put the security of the averagecitizen constantly under threat – and can oftenhave even more dire implications for the vulnerable.Without public awareness of this, and transparencyin surveillance programmes, a real erosion of humanrights occurs.Sometimes surveillance legislation is rushedthrough without proper parliamentary discussion,process or media attention. Legislation shifts and56 / Global Information Society Watch country reports / 57


changes, frequently to suit the new needs of thesurveillance regime, and only sometimes are therevictories for privacy rights, and for transparency– perhaps the most notable being the EuropeanUnion (EU) cancelling its data retention directive,with a mixed knock-down effect on national legislationamongst EU members.Argentina shows that even if governmentsare open about their new programmes to captureand centralise data – in this case biometric data– and emphasise the positive aspects of these programmes,the potential for this to be used in thefuture in ways that violate the rights of ordinarycitizens is extraordinary. Without citizen-drivenlegislation, and public oversight, democracies areunder threat (the story of Frankenstein’s monstercomes to mind here).Syria points out that less-democratic stateshave little impetus to not surveil their citizens. Ifso-called democracies like the US and the UnitedKingdom with all their rights and privileges andsturdy legal systems can get away with it, how canwe expect struggling democracies not to do thesame? Those in totalitarian regimes, the countryreport argues, suffer a kind of double surveillance,and are subject to the spying by world powers andtheir own governments: “It is not unrealistic toimagine this to turn into a global overlapping ‘spaghetti’of surveillance programmes where everyoneis spying on everyone else.”The complicity of business in all of this needs tobe directly addressed by civil society. While someservice providers seem to be making attempts attransparency by releasing statistics of governmentrequests for information, many – or most – are not.Ostensibly, they feel no obligation to, with humanrights not a primary concern. For instance, MTN’s involvementin Cameroon requires attention. Beyondservice providers and intermediaries – who appearto prefer “business as usual” rather than to rock theboat – the technology companies that make surveillancetools in the first place are a big part of theproblem. Obscenely, in Nigeria, there is the allegationthat the systems employed there were “tested”on Palestinians.Marketing data – tracked and acquired withoutpermission from the public – is also a form of surveillance,and one that now involves our children.That this is often done with a smile and a wink bycompanies who, if they wish, can on-sell data aboutour daily habits and behaviours as cheaply as mobilephone numbers to whomever – including states,and other business – shows how far business hasslipped from anything resembling an interest inconsumer rights. Stronger advocacy is needed inthis regard, both from consumer rights and humanrights groups.As Senegal points out, it is not only states thatdo the surveillance. There are numerous cases ofcompanies illegally spying on their employees,whether through monitoring correspondence oreven telephonic communications. Surveillance happensin restaurants, nightclubs, outside shops, incameras mounted on the neighbour’s wall – littleattention is given to the right to privacy in these instances,or the need to alert the public to the factthat they are being watched.Secrecy is at the core of surveillance – whetherby states or businesses. It is why it works, andwhy it is a direct threat to our fundamental rights.It is no use to states or to businesses if those beingsurveilled know about it. To achieve this, newtechnology needs to be continually developed andsold to governments (and others). Australia arguesthat Snowden’s revelations have resulted in an increaseddrive towards surveillance, not less: “Sincethe Snowden leaks, public reporting suggests thelevel of encryption on the internet has increasedsubstantially. In direct response to these leaks, thetechnology industry is driving the development ofnew internet standards.”So how do we slay Frankenstein’s monster?The country reports make several suggestionsin this regard. A citizen-driven, balanced approachto legislating surveillance is necessary, with therecognition that some measure of surveillance is inthe interests of public safety (against violence andcrime, including the protection of children againstpornography and child trafficking). Lebanon putsthis clearly: “Many argue that online privacy is a humanright, while others insist that it is a negotiatedcontract between the state and its citizens – a contractin which citizens exchange some of their datain return for national security.” (Secrecy is, in otherwords, different to the need for state secrets). CostaRica argues that citizen oversight in the implementationof national databases and of surveillanceprogrammes is also necessary. Users of the internetcan practice safer communications using encryptiontechnology, and other behaviour changes whengoing online – such as paying more attention to thekind of information they share with businesses orindividuals.The idea of the internet as a free, open spacethat promotes democracy needs to be revisited.“In mainland China the internet and everything init can reasonably be viewed as public space – thatis, ultimately belonging to the state,” the authorcontends. In the UK, the Government CommunicationsHeadquarters (GCHQ) – the counterpart of theNational Security Agency (NSA) in the US – has said:“[W]e are starting to ‘master’ the Internet… And ourcurrent capability is quite impressive… We are in aGolden Age.” In this context, as in Switzerland, privacybecomes a “privilege”, not a right.Elsewhere, activists are going “offline” out ofnecessity and safety. In Indonesia, Papuan activistssay: “Now I only trust face-to-face communication.I rarely use the telephone to talk about sensitiveissues.”Privacy, transparency and accountability are keywords. They are also old struggles. In this sense theterrain has not changed. But these country reportssuggest the terrain might just have got rockier, andthe path much more perilous.58 / Global Information Society Watchcountry reports / 59


ARGENTINA“Your software is my biology”: 1 The mass surveillance system in ArgentinaNodo TAUFlavia Fascendini and María Florencia Roveriwww.tau.org.arIntroduction1In 2011 Argentine President Cristina Fernández deKirchner created, through an executive decree, 2 afederal biometric system for the identification ofcitizens, named SIBIOS (Sistema Federal de IdentificaciónBiométrica para la Seguridad). It wasdeveloped, according to the decree, to provide acentralised system of information regarding individualbiometrics registers. This would be used forappropriate testing when identifying people andfaces, optimising the investigation of crimes andsupporting national security.The adoption of this measure involved very little– almost no – public discussion, except for a few civilsociety organisations that warned the governmentabout the risks involved in these kinds of surveillancemethods, and their implications for people’sright to privacy.Two strong arguments emerged:• There is a risk involved in this information beingin the hands of a government in a democratic regime.In Argentina this argument is made withinthe context of the dictatorial governments thecountry experienced following military coups,the last of them extending from 1976 until 1983.• The low level of public awareness regarding thepossible violation of human rights related to theimplementation of the system revealed the absenceof social debate around the violation ofhuman rights related to information and communicationstechnologies (ICTs).Policy and political backgroundArgentina is recognised worldwide for being oneof the first countries to adopt biometric technologiesas a form of recognition of individuals’ legal1 Cippolini, R. (2010, November 29). Tu software es mi biología.Cippodromo. http://cippodromo.blogspot.com/2010/11/tusoftware-es-mi-biologia.html2 Decreto 1766/2011. www.infoleg.gob.ar/infolegInternet/anexos/185000-189999/189382/norma.htmidentity. In the late 1800s, an Argentine police officernamed Juan Vucetich established the firstsystem of fingerprint identification 3 and started theuse of fingerprint evidence in police investigations. 4In Argentina, the national identification document(DNI is its acronym in Spanish) is the onlypersonal identification document individuals areobliged to have. Its format and use have beenregulated since 1968 by Law No. 17671 5 for the Identification,Registration and Classification of NationalHuman Potential, which also created the NationalRegistry of Persons. It is issued to all people bornin the country, and to foreigners who apply for aresidence permit, once the National Directorateof Immigration considers that the applicant meetsthe necessary requirements to that end. Since November2009, and as part of the digitalisation ofnational documents, a new national identificationdocument was issued as a plastic card.In Argentina, data protection has both constitutionaland legislative protection. The constitutionstates in Article 43 that any person can file an actionof habeas data “to obtain information on thedata about himself, and its purpose, registered inpublic records or databases, or in private recordsor databases intended to supply information; andin case of false data or discrimination, this actionmay be filed to request the suppression, rectification,confidentiality or updating of said data. Thesecret nature of the sources of journalistic informationshall not be impaired.” 6At the same time, Law 25.326 7 on the Protectionof Personal Data (2000) deals with the administrationof public and private databases that includepersonal information. The legislation preventsany entity from handing over personal data unlessit is justified by legitimate public interest. The3 Biography of Juan Vucetich, Visible Proofs. www.nlm.nih.gov/visibleproofs/galleries/biographies/vucetich.html4 Pirlot, A. (2013, December 10). Ignoring repeated warnings,Argentina biometrics database leaks personal data. PrivacyInternational. www.privacyinternational.org/blog/ignoringrepeated-warnings-argentina-biometrics-database-leaks-personaldata5 Act Nº 17.671. infoleg.mecon.gov.ar/infolegInternet/anexos/25000-29999/28130/texact.htm6 en.wikipedia.org/wiki/Habeas_data7 www.infoleg.gov.ar/infolegInternet/anexos/60000-64999/64790/texact.htmlaw created the National Directorate for PersonalData Protection. Legal experts consider this lawan advanced one, because its regulation was prioreven to some technologies being used in practice.The Argentine version of habeas data is consideredone of the most complete to date.However, as mentioned by the Associationfor Civil Rights, Argentina “also suffers from achronic lack of control over its intelligence agencies.Every now and then, the accounts of publicofficials, politicians and journalists are hacked andscandal erupts. These abuses are the result of anIntelligence Law for which parliamentary oversightmechanisms simply don’t work.” 8Also relevant to the analysis is the Anti-TerroristAct No. 26.268, 9 driven through in 2007 withoutparliamentary debate, which aims to punish crimesof terrorism. The Act defined a duplication of penaltiesfor any offence contained in the Criminal Codeif committed by an organisation or individual whoseeks to create terror among the population or“compel a government to take action or refrain fromtaking it.” This definition could be applied to certainlabour or social-related demands. That is whyhuman rights organisations fear that the Act servesto criminalise social protest. In addition to this legalframework that could allow the criminalisationof social protest, the biometric system could offera tool that aggravates the risk. After the pressureand debate generated around the treatment of theAct, the executive agreed to include a point thatestablishes that “the aggravating circumstancesprovided do not apply where the act or acts in questiontake place in the performance of human and/or social rights or any other constitutional right.” 10A biometric system for the identificationof citizensSIBIOS, which was developed with the technologicalcooperation of the government of Cuba, 11is a centralised database that is fed by informationcollected by the National Registry of Persons(RENAPER - Registro Nacional de las Personas). RE-NAPER is responsible for issuing national identitydocuments and passports, a task which used to bethe responsibility of the Federal Police. It collectsthe fingerprints, a photograph and the signature of8 Álvarez Ugarte, R. (2013, October 30). Argentina’s new biometricID system ignores right to privacy. IFEX. www.ifex.org/argentina/2013/10/30/new_surveillance9 infoleg.mecon.gov.ar/infolegInternet/anexos/125000-129999/129803/norma.htm10 Act 26.734. infoleg.mecon.gov.ar/infolegInternet/anexos/190000-194999/192137/norma.htm11 vimeo.com/77142306every citizen who is obtaining an identity documentor passport.After that, RENAPER provides the biometric informationnecessary for the Automated FingerprintIdentification System (AFIS) as well as the facesused by the Federal Police to satisfy the requirementof identification made by users of SIBIOS.The AFIS started with a database of eight millionbiometric records collected when the police used toissue identity cards and passports.The Ministry of Security has the authority overthe application of the system, which can be used bythese organs of the state: the Federal Police, the ArgentineNational Gendarmerie, the National CoastGuard, the Airport Security Police, the National Directorateof Immigration and the National Registryof Persons. The national government also encouragesprovincial entities to use the system, through theFederal Programme of Partnership and Assistancefor Security. 12The National Office of Information Technology(ONTI), under the direction of the Chief of the Cabinetof Ministers, provides advice related to requiredstandards, equipment compatibility and softwareand hardware platforms. Since 2011, the team implementingthe SIBIOS system has been workingclosely with the National Institute of Standards andTechnology (NIST) in the United States, in orderto keep the Argentine software in line with NIST’sstandards.The main governmental argument to justify theuse of this system is that it is supposed to provide“a major qualitative leap in security in the fightagainst crime,” 13 a very sensitive issue for citizensthese days and clearly the main issue on the publicagenda.A promotional video 14 of SIBIOS – launchedby the government – highlights the importance ofidentity databases in a positive way. “If we knowmore about who we are, we can take better care ofourselves,” states the introduction to the video. Itargues that faces, fingerprints and signatures arethree essential elements of identity and they shouldbe managed by a very efficient system. It also mentionsthat in the future the system could integrateother data such as voice, iris scans and DNA.The video describes the AFIS as a technologyused to identify physical characteristics and humanbehaviour. It also mentions the importance of SIBI-OS for the identification of people without identity12 infoleg.mecon.gov.ar/infolegInternet/anexos/215000-219999/218789/norma.htm13 Official presentation of SIBIOS. https://www.youtube.com/watch?v=9goN2MR1TR414 vimeo.com/7714230660 / Global Information Society Watch argentina / 61


documents in accidents, economic crimes includingphishing, or human and – specifically – childtrafficking. It also mentions that the physiognomicrecognition of individual’s faces that this systemuses allows for the projection of how people’s faceswill change over time.The government maintains that the implementationof this system also strengthens migratorycontrols in order to ensure that every person thatenters the country is the same person that leaves it.Besides this, the system increases the chances ofclarification of solving crimes, providing greater scientificsupport in the resolution of criminal cases.Even though the system is considered a stepforward as a government resolution to act on thesesensitive matters, implementing it could entailsome dangers, depending on how it is used in thefuture:• SIBIOS collects information from all Argentinenatural citizens, as well as foreign residentsin the country, by means of the first article ofDecree 1501/09. 15 Some of the data collectionstandards also apply to foreign individuals whodo not have a national ID such as tourists ortravellers in transit who arrive in the country.This actually means that the scope of the datacollection exceeds even the 41.09 million inhabitantsof Argentina.• SIBIOS will be fully “integrated” with existingID card databases, which aside from biometricidentifiers include the digital image, civil status,blood type and key background information collectedsince the person’s birth. Apparently thereis an intention to increase the amount of datacollected. Recently a legislator presented a billthat proposes including palm prints among theregistries for the system. 16• The main criticism of the system is that it contradictsprivacy norms and also has implicationsin terms of the citizens’ security, since there areno clearly established mechanisms of controlfor the system. In this sense, the local organisationFundación Via Libre, with the support ofthe Electronic Frontier Foundation (EFF), raisedthe alarm about the implementation of SIBIOSand the risk it implies for people’s privacy. TheEFF has been warning for a long time about howdamaging it is for a free and democratic societyto aspire to having “perfect surveillance”. Alongthe same lines, the founder of WikiLeaks, Julian15 infoleg.mecon.gov.ar/infolegInternet/anexos/155000-159999/159070/norma.htm16 www.diputados.gov.ar/proyectos/proyecto.jsp?id=159974Assange, said that Argentina – although not onthe scale of China and the United States – has“the most aggressive surveillance regime in allof Latin America.” 17As mentioned before, the concerns in terms of SIBI-OS relate not only to the power created through datacentralisation, but also to different issues regardingits implementation and use. The decree that allowsthe implementation of SIBIOS does not include adequatemechanisms of control and protection ofsensitive personal data. The functions assigned tothe coordination unit created to manage the systemare not clear and it is not an autonomous body.There has also been no public discussion aboutthe conditions under which public officials will haveaccess to the data. Yet this type of mass surveillancecan have serious repercussions for those whoare willing to voice political dissent. The risk is evenworse considering other public policies and privateinitiatives related to monitoring public spaces –such as monitoring streets using video cameras 18 inthe most important cities of the country 19 or implementinga biometric system for the identification ofpeople at football games when there is violence. 20According to Eduardo Bertoni, an Argentine lawyerspecialised in freedom of expression and ICTissues, the deficiencies in the institutional designwhen it comes to implementing SIBIOS could increasethe dangers already predicted by the criticsof the system’s implementation. 21 Another aspecthighlighted by Bertoni 22 is the so-called “right toanonymity”, considered as one of the basic guaranteesof democracy, because it allows the expressionof opinion without fear of reprisal. Consequently,this right also enables freedom of expression.ConclusionsIf we consider SIBIOS a tool implemented for theinvestigation of crimes, the system is a good resource.However, the issue of the sensitivity of the17 Interview with Julian Assange by Infobae. www.youtube.com/watch?v=If7MbOvuEbg18 Ramallo, F. (2013, August 29). Porteños bajo el foco delas cámaras de vigilancia. Infotechnology.com. www.infotechnology.com/comunidad/Porteos-bajo-el-foco-delas-camaras-de-vigilancia-como-funciona-el-sistema-demonitoreo-20130826-0004.html19 CEMAC (Centro de Monitoreo y Atención Ciudadana) www.rosario.gov.ar/sitio/lugaresVisual/verOpcionMenuHoriz.do?id=8726&idLugar=398820 AFA Plus. www.afaplus.com.ar/afaplus21 Bertoni, E. (2013, December 15). Una herramienta peligrosa. LaNación. www.lanacion.com.ar/1647828-una-herramienta-peligrosa22 Interview with Eduardo Bertoni by Infobae, 24 April 2014. www.palermo.edu/derecho/up-en-los-medios/gobernanza-global-deinternet.htmldata, and the ways it is used in the investigation ofcrimes, should be decided in a participatory way ina democratic society. The lack of legislative debatedue to the fact that the creation of SIBIOS was decidedby a presidential decree leaves the issue outof the reach of public opinion.There was little consultation before the implementationof SIBIOS with non-governmental andindependent entities – which is usually a positivefeature of the current government when it comesto shaping policies and legislation that impact onbasic human rights. Because of this, there are extremelylow levels of awareness of the risks entailedin the collection of such an amount of private datathat remains in the hands of the state and within thereach of public security bodies.Even though the rights to privacy and data protectionare enshrined in international law and inthe Argentine constitution, national IDs and similarmethods of data centralisation increase state capacityfor intrusive surveillance. In this sense, therationalisation for the collection of biometric datain a nationwide ID scheme should be examined toavoid the unnecessary collection, processing, retentionand sharing of this very sensitive data.Regarding transparency in the implementationof the system in Argentina, the measure wasofficially announced in the media at the time itwas launched, described as being a technologicalimprovement to help fight crime and as an actionframed within the overall modernisation of thestate. Since both arguments strike the general publicas advancements, this might have negativelyaffected open, intensive and thought-provoking debatearound the real implications of the measure.Action steps• In this context, the following action steps can berecommended in Argentina:• Demand more transparency and accountabilityfrom the government in terms of the use of thebiometric information, including who has accessto it.• Develop campaigns targeting legislators in orderto inform them of the controversial aspectsthe issue raises in relation to human rights.• Create awareness campaigns for citizens sothey are informed of the risks this initiative poseswhen it comes to personal data, privacy andsurveillance.• Conduct comparative research on the successand failures of similar systems in other countrieswhere they have been implemented.62 / Global Information Society Watch argentina / 63


AustraliaInternet the panopticon: Exhibition and surveillanceAndrew Gartonwww.agarton.orgIntroductionThe story of the internet is imbued with our desireto tell each other stories – the campfire of our timesas artist/musician Laurie Anderson 1 harvested fromher iconic imagination. It is from such like minds –exploratory, free-thinking and socially conscious– that the earliest of computer networks rebuiltthemselves upon and throughout the emergent internet,an internet of like minds that would inform,inspire and challenge the power structures thatthreatened the well-being of people, their cultureand the flora and fauna on the precipice of extinction.That is the ideal many of us held onto as wetravelled the world bringing modems to where theywere needed, to where they were wanted. Thingsdid not work out as we had envisaged, but we heldour ground.This report discusses the privacy and online securityconcerns of 13 Australians, two Malaysiansand an ex-pat living in the United States (US), allof whom have journeyed the internet in uniqueways, some since its inception and others in morerecent times. They are all colleagues of mine, mostof whom I have worked with or met through onlinemedia projects over the past 25 years. I wanted toknow how we were doing as an online community,given both our aspirations at the outset and the revelationsthat continue to haunt our presence online,and that of the global internet community.As early as 1986 a panel at the annual conferencefor computer graphics, SIGGRAPH, 2 predictedthat creative and social uses of computing wouldovertake scientific and technological uses withinten years. Not a bad piece of crystal-ball gazing.We thought, or at least I thought, this would be a1 McCorduck, P. (1994). America’s Multi-Mediatrix. Wired, March.archive.wired.com/wired/archive/2.03/anderson.html2 SIGGRAPH, founded in 1974, is an international community ofresearchers, artists, developers, filmmakers, scientists andbusiness professionals who share an interest in computer graphicsand interactive techniques. www.siggraph.org/about/about-acmsiggraphgood thing. In 1989 Ian Peter, co-founder of Australia’sPegasus Networks, sought affordable globalcommunications for everyone. I liked the sound ofthat and hopped on board. Online activist MystaSquiggle was keen to connect “activists and peoplewith odd interests, including whistleblowing.”Seemed to fit with our work at Pegasus Networks.We sought to make this happen.Dr. June Lennie, convenor of a Queensland ruralwomen’s network, “saw the internet and emailas potential means of supporting and empoweringwomen and reducing the isolation of women in ruraland remote Queensland.” Her critique of networks,“that computers were linked to masculine discoursesof technology which tended to exclude womenand created barriers to the effective use of computersby women,” was taken up with vigour throughthe Association for Progressive Communications’Women’s Networking Support Programme (APCWNSP), which in the early 1990s Pegasus Networkshad also contributed to.NGO worker Sandra Davey saw the early internetinforming, empowering and connecting us, whileothers, such as musician Andrew Sargeant, aspiredto “play Doom online with four players via BBS 3 on28.8k dial-up connection.” Andrew’s BBS networkswould often dovetail with ours. Those kids playingDoom, some of whom I would meet, would aspireto be informed and empowered and stimulate connectedcommunities, just as Sandra foresaw.It was sounding pretty good. However, whetherit be game play, whistleblowing or affordable communicationsfor everyone, the promise was nomatch for the threat that lay ahead. I myself humblypredicted that repression – or power structures forthat matter – would be no match for an informed citizenry.4 In fact, the backlash to our efforts has beenso all consuming, so pervasive, that 25 years laterSquiggle considers the only remaining level playingfield is an internet with no privacy whatsoever!3 Bulletin Board Services (BBS) were computers reachable by wayof a direct phone call via a modem. BBS software provided theuser, once a call was successfully made, with access to publiclyaccessible files and real-time text-based chat.4 Garton, A. (1993) The Net: Promise or Threat? 21-C, 12, Autumn1994.Who cares about online privacy?Apart from Squiggle, who proposes an internetbereft of privacy, my colleagues care deeply abouttheir privacy. Closer to home, do Australians careabout theirs?A survey conducted by the Office of the AustralianInformation Commissioner (OAIC), with resultspublished in October 2013, unreservedly clarifiedthat Australians of all ages do care about theirprivacy, specifically around improper informationsharing, collection and processing by businessesand government agencies. 5Bruce Baer Arnold, assistant professor at theSchool of Law at the University of Canberra, summarisedthese findings by describing that someAustralians “aren’t engaging with businesses theyconsider untrustworthy. Some are complainingabout privacy abuses... some young people claimtheir privacy is important but still engage in ‘toomuch sharing’ on social networks such as Facebook.”In general, consumers “have a perceptionthat governments actually don’t care much aboutthe privacy of ordinary people.” 6 So what does thegovernment care about?What does the government care about?Well, surprise surprise. The Australian governmentwants to know what its citizens are doing. All of itslaw enforcement bodies are keen to support a mandatorydata-retention scheme. And they are usingEdward Snowden’s revelatory leaks as an excuseto increase privacy encroachments in Australia. Anextract from the Australian Security Intelligence Organisation’s(ASIO) response to the Senate Inquiryinto the Telecommunications (Interception and Access)Act 1979 reads:These changes are becoming far more significantin the security environment followingthe leaks of former NSA contractor EdwardSnowden. Since the Snowden leaks, public reportingsuggests the level of encryption on theinternet has increased substantially. In directresponse to these leaks, the technology industryis driving the development of new internetstandards with the goal of having all Web activityencrypted, which will make the challenges oftraditional telecommunications interception for5 OAIC. (2013). Community Attitudes to Privacy survey ResearchReport 2013. www.oaic.gov.au/privacy/privacy-resources/privacyreports/oaic-community-attitudes-to-privacy-survey-researchreport-20136 Baer Arnold, B. (2013, October 9). The Australian public caresabout privacy: do politicians? The Conversation. theconversation.com/the-australian-public-cares-about-privacy-dopoliticians-19033necessary national security purposes far morecomplex. 7This is the first time in Australia that the allegeduptake of encryption software as a consequence ofa whistleblower’s leaks is used as an argument topush for legislation that would effectively see ASIOspy on most, if not all Australian citizens. Chris Berg,director of policy at the Institute of Public Affairs,says “the Snowden angle is a new one, demonstratingthe rhetorical leaps that agencies such as ASIOare willing to make to grab new powers.” 8The internet, and offspring technologies, havebecome the one-stop-shop for knowing all thingsabout everyone. It forgets little to nothing. Therewas a time when the Australian government couldnot care less about the internet. In the early 1990sthe government and many NGOs were still comingto grips with fax machines. Faxes presented theirown challenges at a time when many of us wereencouraging Australian progressives and communityorganisations online, as well as critical humanrights observers and indigenous community supportadvocates across Southeast Asia and thePacific Islands. We were seen as odd and idiosyncratic.At that time the early internet was about ascomplex to most people as a VHS 9 remote control.However, in spite of the internet, the Australiangovernment has kept a close watch on its citizensfor some years. In fact, a “multilateral agreementfor cooperation in signals intelligence between theUnited Kingdom, the United States, Canada, Australia,and New Zealand”, otherwise known as theFive Eyes, originated in 1941. Originally referred toas the UKUSA Agreement, it was allegedly a secrettreaty hidden from parliamentarians until 1973,when it became known to the prime minister of theday, Gough Whitlam. Whitlam went on to discoverthat a secret surveillance station known as PineGap, located in the Northern Territory, was allegedlyoperated by the US Central Intelligence Agency(CIA). Strongly opposing the use of Pine Gap by theCIA, Whitlam fired the then head of ASIO beforehe himself was controversially dismissed as primeminister by order of the Governor-General Sir JohnKerr in 1975.7 ASIO submission to the Senate inquiry into a comprehensiverevision of the Telecommunications (Interception and Access) Act1979, February 2014. goo.gl/6wbcqh8 Berg, C. (2014, March 18). ASIO: Fixing one massive privacybreach with a second massive privacy breach. Freedom Watch.freedomwatch.ipa.org.au/asio-massive-privacy-breach-secondmassive-privacy-breach9 The video home system (VHS) is a consumer-level analoguerecording videotape-based cassette standard developed by VictorCompany of Japan. en.wikipedia.org/wiki/VHS64 / Global Information Society Watchaustralia / 65


In subsequent years both funding to and thepowers of ASIO have increased at an unprecedentedpace, 10 including amendments to the ASIO act,giving it the wherewithal to spy on anyone involvedin WikiLeaks. 11 Moves to impose judicial oversighton ASIO, based on the recommendations of tworeports – one by the Council of Australian Governments– were presented to the government inDecember 2013. This has all but been shelved bythe present government, which has substantially increasedresources to both ASIO and the AustralianSecret Intelligence Service (ASIS). 12 Additionally,ASIO’s relationship with US agencies has deepened.Documents from the US National SecurityAgency (NSA), 13 dated February 2011, describe theever-widening scope of the relationship Australiahas with them, in particular assistance with the increasedsurveillance of Australian citizens. 14 It hasalso been revealed that a secret 2008 documentstates Australia’s Defence Signals Directorate offeredto share with its major intelligence partners,namely those that make up the Five Eyes, informationcollected about ordinary Australians. 15Did we get the internet we wanted?Many of us sought a means to inform the largestnumber of people about local and internationalevents that were overlooked by mainstream media.Self-professed “geek” and businesswomanJuliette Edwards put her efforts into a vision of a“more open-minded global community with lessfear and more tolerance of others’ differences.”Sandra Davey experienced an internet that didconnect “like-minded peeps throughout the worldand it was all about action. The internet informed10 Keane, B. (2011, July 5). ASIO gets its new powers – and no one willtell us why. Crikey. www.crikey.com.au/2011/07/05/asio-gets-itsnew-powers-and-no-one-will-tell-us-why11 Intelligence Services Amendment - “Wikileaks Amendment”,speech by Senator Scott Ludlam, 4 July 2011. greensmps.org.au/content/speeches/intelligence-services-amendment-wikileaksamendment12 Garnaut, J. (2014, July 10). ASIS and ASIO to get injection of fundsto fight threat from Middle East. The Sydney Morning Herald www.smh.com.au/federal-politics/political-news/asis-and-asio-to-get-injection-of-funds-to-fight-threat-from-middle-east-20140710-zt3dm.html13 Greenwald, G. (2014). No Place to Hide: Edward Snowden, theNSA, and the U.S. Surveillance State. New York, MetropolitanBooks.14 Farrell, P. (2014, May 13). Australia asked Americans for more helpto spy on Australian citizens. The Guardian. www.theguardian.com/world/2014/may/13/australia-americans-help-spy-terrorsuspects15 MacAskill, E., Ball, J., & Murphy, K. (2013, December 2). Revealed:Australian spy agency offered to share data about ordinarycitizens. The Guardian. www.theguardian.com/world/2013/dec/02/revealed-australian-spy-agency-offered-to-share-dataabout-ordinary-citizensus, empowered us, connected us,” while founder ofthe Australian Centre for the Moving Image and nowpainter John Smithies foresaw the opportunitiesthat “graphics and audio standards” afforded theimminent development of technologies that wouldsee an internet populated by video.Like many who sought to change the way wegovern, feed and sustain ourselves, through equitablemeans that would feed a population moretolerant of each other, more conscious of the worldwe inhabit and eat from, we seem to have createdthe ultimate in panopticons.John’s vision of video everywhere is one of themiracles of the internet, while the altruistic expectationsare being fought over day in day out. In somerespects we seem to have also found a world increasinglyless tolerant of each other.With everyone online serving up individualopinions, the notion of an informed public makinginformed decisions is increasingly questionable.But as tragedies, such as the 2009 Black SaturdayBush Fires in Australia, bring people of all persuasionstogether to find a common bond and commonground, international events are no doubt drivingthe like-minded together in ways we have yet totruly know.We are the exhibitors in a surveillance society, avirtual panopticon that documents our movementsfrom street corner cameras to MAC 16 address readers,from ATMs 17 to border controls, modulatingour personality profiles with billions of “likes” and“tweets” and the content that billions more sharewillingly on cloud servers that may as well be as porousas polymeric foams! The internet is young andnaïve. Perhaps so are we... and many are sufferingfor it. May it not be so for much longer.Do we need to be watched?We all want to reach in and across the net to informourselves, to share in confidence intimate momentsbetween friends and family, whether it be in anemail or photos and videos within social networks.Some of us would like to find new audiences forour personal endeavours, whether it be research,poetry, knitting or stamp collecting... and we findinspiration in others we might meet in those spacesand the ones we find in between. This is the kind ofinternet I had sought to contribute to; not one that16 A media access control address (MAC address) is a uniqueidentifier assigned to network interfaces, such as the networkingcomponents of a smartphone, by the manufacturer of anetwork interface controller (NIC), and is stored in its hardware.en.wikipedia.org/wiki/MAC_address17 An automatic or automated teller machine (ATM) is an electronicinterface common to banking services.finds one self-censoring within known commons,whether it be public or privately owned.Self-censorship can be a great tool whenwanting to find common cause with people of wideranginginterests. However, within the context ofmass surveillance, self-censorship is, as Ian Peterdescribes, “an affront to human dignity.” Ian goeson to suggest that “humans have worked togetherbefore to limit excesses in the common good.Clearly we have excesses here and we need necessaryand proportionate principles to be applied tosurveillance.”Only those who are committing serious internationallyrecognised crimes ought to be fearful ofsurveillance. The rights of the rest of us need to berespected. Confidentiality, as Peter puts it, is “importantto social discourse and as a part of freedomof expression.” Anonymity protects the outspokenin politically volatile countries; however, June Lennieagrees with the idea that “not allowing peopleto post messages anonymously could reduce theamount of abuse that happens online these days.”Whether we continue to abuse each other or findcommon cause to rail against those who would stiflefree expression and inquiry remains to be seen.As I write, the present Liberal/National coalitiongovernment in Australia has cancelled the contractof the Australia Network, the public broadcast unitthat served the Asia-Pacific region, resulting in 80job losses in both the Asia Pacific News Centreand Australian Broadcasting Corporation (ABC)International. 18 Constraints to independent mediain Australia are being gruffly imposed, with theAustralia Network being the first to be axed, andfurther cuts to the national broadcaster, the ABC, 19expected. It is no secret that Rupert Murdoch hashad a hand in these changes, 20 furthering the notionthat Australia is following the US in whatever meansnecessary to undermine the egalitarian principlesof democracy, replacing it with an oligarchy.Turning the panopticon back in on itselfVested interests in the internet and its ever-increasingoutreach through devices that we useevery day are no doubt watching and recording our18 Australian Associated Press. (2014, July 14). ABC to lose 80 staffin Melbourne due to budget cuts, union confirms. The Guardian.www.theguardian.com/media/2014/jul/14/abc-to-lose-80-staff-inmelbourne-due-to-budget-cuts-union-confirms19 Dempster, Q. (2014, June 4). What we will lose if we destroy thepublic broadcaster. Crikey. www.crikey.com.au/2014/06/04/whatwe-will-lose-if-we-destroy-the-public-broadcaster20 Dyer, G., & Keane, B. (2013, December 3). The ABC v theMurdochs: your guide to the battlefields. Crikey. www.crikey.com.au/2013/12/03/the-abc-v-the-murdochs-your-guide-to-thebattlefieldsevery movement. Photographer Werner Hammerstingldescribes the internet as “a place where it’snot always easy to escape the data harvesting andprofiling that’s now omnipresent.” Sandra Davey“can’t stand the idea of bots and humans compilingdata” about her – behind-the-scenes features thatshe has not given any permission for. “It irks me, itupsets me,” she says. “I do the best I can to preventthat, but I fear for how much is already known aboutme out there somewhere.”Turning the panopticon in on itselfCan we turn the panopticon in on itself? Does the internetstill give us the means to create the world wewould like to live in? Can we do so in a world where,as Sandra describes, the next generation that hopsonline after us “has little understanding of whatthey’ve given away, barely without a thought”? Asa woman, Davey is “deeply fearful and concernedabout what has happened to thousands of younggirls who have traded their utmost privacy for instantaneousgratitude, fun, play or recognition.”Broadcaster and writer Nyck Jeans suggeststhat we can turn the panopticon back in on itself.There is always “the potential that those who challengethe system CAN gain access, educate us,subvert and shift world opinions through the verysame methods the ‘powers’ use to peek into livesand seek control via knowledge of private habitsand political affiliations.”Governments are behaving badly, but we needgovernance structures to deal with the inequities,to tackle the oligarchs and hold security servicesaccountable. The internet has proved to be so powerfula means to make such a thing possible that ithas been turned against us. But for those of us whohelped to create it, we know that we have the means,and those in the coming generations who have thetechnical means and political willpower can and willuse the promise of an internet commons.“Governments,” Matt Abud says, “often can,and will, use their tools for anti-democratic stateagendas, and they’ll manipulate the crime rhetoricto advance towards other, unconnected goals.”Even so, Matt continues, we still need governmentsto tackle organised crime. “It needstransparent oversight of accountable regimes, ratherthan only taking power away from regimes. That’sthe conundrum.”Our voices, our intentions, our loves and passionsmay be heard and recorded, but do we remainsilent, do we contest the commons the internetpromised?66 / Global Information Society Watch australia/ 67


Media theorist and writer Paul Brown remindedme of this poem by Martin Niemöller: 21First they came for the Socialists, and I did notspeak out –Because I was not a Socialist.Then they came for the Trade Unionists, and Idid not speak out –Because I was not a Trade Unionist.Then they came for the Jews, and I did not speakout –Because I was not a Jew.Then they came for me – and there was no oneleft to speak for me.21 en.wikipedia.org/wiki/First_they_came_It is not uncommon....It is not uncommon that I hear the sound of childrencrying in my sleep. The world has become, JulietteEdwards says, our prison. We are reading daily ofthe poor behaviour of governments and their securityservices the world over, in particular theOrwellian NSA and their contempt for any publicoversight or scrutiny.Every day we are seeing footage from warzones and outright, brazen atrocities perpetratedby powerful governments and their elites on civilianpopulations increasingly marginalised by ineptinternational response; and the castration of independentmedia and the victimisation of journalists.A year since Snowden’s infamous revelations, onewonders if anything has changed. The screws aretightening and I still hear the sound of children cryingas I sleep.“If there is anything important in all the massesof noise,” suggests Andrew Sargeant, “it would belike finding a haystack, inside a needle, inside ahaystack.”BahrainThe struggle of online activists against surveillance technologyAli AbdulemamIntroductionBahrain is a tiny island in the Persian Gulf, ruled bythe Al-Khalifa family since 1783. The population ofBahrain stands at 1,314,089: 1 46% are Bahraini andthe rest are foreigners, mainly workers.The illiteracy rate stands at 1.13% of the population(2013). 2 At 87%, Bahrain has the highestinternet penetration rate amongst Arab countries 3and also has the highest Twitter usage. 4 Informationand communications technologies (ICTs) are veryimportant both to foreigners and the Bahrain economy,which is dependent on financial services andoffshore banks. The internet became available inthe country in 1994, making Bahrain one of the earliestArab countries in the region to have internet.Since the start, civil society activists have usedthe internet for their activities and communications– leading to the first arrest of an online activist in1998, the censoring of sites and, recently, spying onactivists through advanced surveillance technology.Civil society organisations depend on the internetfor advocacy, as the traditional media is eitherowned by the regime, or is controlled through publishinglaw. 5 Publishing stories or media releaseson the internet is a way for activists to go viral inBahrain.Policy and political backgroundBahrainOnline.org 6 (BOL) was the first site to be createdand funded by online activists. It was startedin 1998 during the implementation of the StateSecurity Law 7 (from 1975 to 2001), which allowedthe government to arrest anyone for three yearswithout proper investigation or trial. This was alsoduring the Dignity Uprising in Bahrain 8 (1994-2000),1 https://www.cia.gov/library/publications/the-world-factbook/geos/ba.html2 www.alwasatnews.com/3654/news/read/699870/1.html3 www.alwasatnews.com/4070/news/read/823318/1.html4 www.alwasatnews.com/3825/news/read/742134/1.html5 iaa.bh/ar/arpolicyRules.aspx6 en.wikipedia.org/wiki/Bahrain_Online7 www.legalaffairs.gov.bh/LegislationSearchDetails.aspx?id=5682#.U9EIU4BdUZE8 en.wikipedia.org/wiki/1990s_uprising_in_Bahrainwhich led to dozens of deaths and thousands of politicalprisoners. For more than 100 years Bahrainhas been known to experience uprisings every 10years. The regime is also widely known for its humanrights violations, torture, discrimination andtotalitarianism.BOL was the main source for opposition opinionsand in 2001 during the National Action Charter 9(NAC), a reform project launched by the new emir,BOL hosted an online debate to discuss it – andsimilar online discussions have continued since itslaunch. This has caused a shift from BOL just reportingon stories, to acting as a public opinion maker,often critical of the government.Campaigns have been launched on the website,and videos and photos of protest activities or humanrights violations posted online. The fact thatthe regime could no longer control the flow of informationand news led to the arrest of activists whoran the site in February 2005. 10 The site was blockedin 2002, although massive public interest in the siteremained.Online resistanceIn March 1999 the previous emir of Bahrain diedsuddenly and his son succeeded him to the throne.At that time the Dignity Uprising was struggling,after most of its activists on the ground had beenarrested. There was also no political will to moveforward with reform, the state security law and itsmen were controlling the island, and the economywas in difficulties.At that time BOL started to become popular andreceived more attention from people trying to findnews from different, credible sources.When the new emir came to power, he promisedreal reform, allowing people to have their full rights,including freedom of expression, and shifting thepower to the people. Basically, he promised to modernisethe country. People believed him, and startedto debate the NAC. Many started to share their opinionson BOL, using anonymous names which gavethem some privacy and security.9 en.wikipedia.org/wiki/National_Action_Charter_of_Bahrain10 Committee to Protect Journalists. (2005, March 14). Attacks on thePress 2014: Bahrain. Committee to Protect Journalists. www.cpj.org/2005/03/attacks-on-the-press-2004-bahrain.php#more68 / Global Information Society WatchBahrain / 69


BOL’s credibility grew, even though it was runby an unknown group. The government started topay attention to it in order to get a sense of howcitizens felt about the reform project. However,when differences arose between the governmentand the opposition regarding the new constitutionthat had been issued by the king without referenceto the opposition, BOL played a huge role inrevealing the difference between a constitutionalmonarchy and what the king was offering with hisnew constitution. Articles were printed from the siteand distributed. This again helped BOL to becomea credible resource, especially when the oppositiondepended on it to post messages.In 2002, during the first election and the opposition’scall for a boycott, BOL was the only mediaoutlet supporting the boycott. This led to the arrestof three activists who used to run the site. They wereimprisoned for a period of two weeks on the chargeof insulting the king, broadcasting hate speech andposting false news.During this time BOL moved from being an onlineplatform to playing a role “on the ground”,arranging protests, visiting hospitals and even issuingmedia releases when important things werehappening. BOL was covering the protests live, andposting pictures of events that may not have appearedin the traditional media. At times it wroteinvestigative stories about corruption. This led tothe site being blocked in 2002.Blocking BOL showed how loyal people in Bahrainwere to the site. They shared proxies betweenthem and members wrote a script to open the site.They used Dynamic DNS to create redirected links.When the links were censored, members shared adocument on how to create your own link with readers.This kept BOL up and running, and, with 80,000hits a day, it became the most read site in Bahrain.This was the first hint of how people couldtrain themselves to use new technology to avoidcensorship in Bahrain. During the arrest of the administratorsof BOL, the members organised severalprotests themselves, asking for the release of theadministrators, and the dropping of charges againstthem. This led to widespread coverage in the media,and the release of the administrators without trial. 11During the arrest of the BOL administrators, thegovernment discovered that they lagged behind intechnical knowledge, and that they had failed tounderstand the nature of the internet. They startedto use new tools to censor the opposition websites.But, again, people learned how to bypass the newcensorship technology.11 https://www.youtube.com/watch?v=-GrIfNi74hwIn February 2009, a member of BOL using thenickname “äÇÒß ÇáãáÇÆßÉ” 12 posted the full listof the names of the employees of the National SecurityApparatus (NSA). Two months later, 13 on 14May, Hasan Salman was arrested and charged with“publishing secret information over the internet”. 14In September 2009 Hasan was sentenced to threeyears by the High Criminal Court. 15 He was recentlyreleased.After this incident, and the same year, theTelecommunications Regulatory Authority (TRA)issued new regulations for internet service providers(ISPs) 16 saying that all ISPs should retain theircommunications logs for three years, as well asproviding technical access for the NSA to monitor orblock online communications in Bahrain. This regulationwas greeted with huge opposition from themedia, NGOs and members of parliament. However,it seems it will be implemented soon. 17In 2010, when the government arrested humanrights activists, public figures and bloggers (includinga BOL administrator for the second time), theNSA confronted them with printouts of SMS textmessages and emails, even though their deviceshad not been confiscated by the authorities. 18The only explanation for this is that the governmenthad bought new surveillance technology, andinstalled it at all the ISPs. This includes the BahrainInternet Exchange (BIE), as stated by Mai Al Khalifa 19in her first resolution in 2009 as minister of cultureand media. This forced all ISPs to provide access tothe government to block websites by installing thenecessary equipment. This resolution was receivednegatively by NGOs and online activists.When the Arab Spring started, the youth triedto organise themselves in a movement to push forwardwith reform. BOL was the platform used to talkabout the idea, 20 plan it, 21 organise it, and cover it,second by second. They called this push the Day ofRage and issued media releases stating their demands.22 Because people started to learn online12 bahrainonline.org/showthread.php?t=22931613 freehasan.wordpress.com/2009/05/15/arrest14 freehasan.wordpress.com/calendar15 freehasan.com/?p=31016 www.tra.org.bh/media/document/PublishedLawfulAccessRegulation-1.pdf17 www.alwasatnews.com/2393/news/read/44106/1.html18 Silver, V., & Elgin, B. (2011, August 22). Torture in Bahrainbecomes routine with help from Nokia Siemens. Bloomberg. www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomesroutine-with-help-from-nokia-siemens-networking.html19 www.alwasatnews.com/2323/news/read/33266/1.html20 bahrainonline.org/showthread.php?t=25898521 bahrainonline.org/showthread.php?t=25946822 bahrainonline.org/showthread.php?t=259370security tactics the government could not recogniseor arrest the people behind the uprising.When the crackdown started in Bahrain, theinternational media turned its back on what wasgoing on in the country. Only the internet and theyouth who believed they could bring about changekept the uprising alive, and now after three and ahalf years the movement in Bahrain is still alive becauseof them.In 2012, Alaa Alshehabi, 23 among other activists,received suspicious emails from someone claimingto be from Al Jazeera. The attachment was infectedwith the FinFisher virus, sold by a UK-based company.An investigation by BahrainWatch.org led tothe discovery of others infected by the same spytool and raised awareness in Bahrain about the newtechnology that the government was using to attackactivists.BahrainWatch.org found that after the releaseof their IP Spy 24 report, no new activists were targeted.The investigation also found that the awarenessof online security by activists is high, and that evennon-activists have started to download encryptiontools and more secure instant messaging.ConclusionsIn February 2014, the king ratified a law that severelypunished those who insulted him, with from threeto seven years imprisonment and a fine of up to USD1,000. The problem is not with insulting the king asmuch as with the way the government is using thelaws to take revenge on the opposition. Recentlymore than 15 people are either in prison or awaitingtrial for using the internet. Some of them areaccused of insulting religious symbols or figures,and some of them for insulting the king or the primeminister.We also came across stories that people hadbeen fired from their work because they had “liked”an article on Facebook, while others had their telephonesstolen because pictures or a chat had beenfound on them.Freedom of expression is defined as a universalhuman right which is needed by all human beings,and it should be protected by governments. Bahrainhas ratified laws which should protect freedom ofexpression, but in reality the opposite happens:those laws are used as “political revenge”, as theUN spokesperson said at the Human Rights Councilin Geneva. Bahrain failed to obey 176 recommendationsby the Human Rights Council in May 2012.23 Doward, J. (2013, May 12). UK company's spyware 'used againstBahrain activist', court papers claim. The Guardian.24 https://bahrainwatch.org/ipspyInternationally respected NGOs are keepingpressure on the Bahraini government to free bloggers,photographers, and human rights and politicalprisoners, as well as to stop human rights violations,but nothing is changing. Bahraini activists aresimultaneously receiving international awards eventhough they are still in jail under fake charges, likeAhmed Humaidan, who has been imprisoned for 10years.If the international community cannot putpressure on the regime to start reform to meetthe demands of the people in Bahrain, at least weshould put pressure on companies to stop sellingsurveillance technology to Bahrain that is used toviolate human rights. When spy tools are sold tothe government, human rights defenders will haveto work harder, they will not be able to move freely,they will not be able to communicate and documentstories, and they will always feel as if their ICT devicesare a weapon being used against them.We should not accept the argument that companiesare not responsible for the way their productsare used; they know that some countries have a badhuman rights record and a long history of attackingactivists. This technology will definitely be used toviolate human rights.Action stepsThe state of Bahrain is using laws to repress remainingfreedoms as a method of “political revenge”.Selling it technology that allows it to do this is notmaking the world a better place. With more than20 online activists and photographers in jail rightnow, and more than 15 journalists and bloggers livingin exile, we should launch a global campaignagainst selling surveillance technology to Bahrain.We should also argue that the companies that sellthis technology to governments should uninstall itremotely. By sharing information with the public onthe kind of technology used, and through offeringtraining, citizens can learn how to protect themselvesonline.Over the past 16 years the people of Bahrainhave managed to teach themselves how to avoidcensorship or use secure routes for their online activities.But we should not rely on them continuingto understand the new surveillance technology enteringthe market, and being able to fight it.70 / Global Information Society WatchBahrain / 71


BANGLADESHOnline spaces, privacy and surveillance in BangladeshBytes for All BangladeshPartha Sarker and Munir Hasanwww.bytesforall.orgIntroduction“In enabling the creation of various opportunitiesfor communication and information-sharing, the Internethas also facilitated the development of largeamounts of transactional data by and about individuals.This information, known as communicationsdata or metadata, includes personal information onindividuals, their location and online activities, andlogs and related information about the e-mails andmessages they send or receive.” This communicationsdata is “storable, accessible and searchable,”and when it is combined and aggregated and usedby the state, it can be “both highly revelatory andinvasive.” 1Ever since electronic media were opened toprivate sector involvement in the early 1990s, successiveBangladeshi governments have encouragedthe development of an open internet access andcommunication regime in the country. Bangladeshcurrently has 33 million internet users, representingalmost 20% of the total population, and ranks 138thout of 190 countries in the Household Download Indexcompiled by Net Index. 2 The World EconomicForum’s 2013 Global Information Technology Report3 ranked Bangladesh 114th out of 144 countriesworldwide, with poor scores for its infrastructureand regulatory environment, even though an affordableand competitive communication serviceis generating exponential growth for users. In addition,localisation and the availability of phoneticBangla software have contributed to the developmentof local blog and content hosting services. 41 Frank La Rue, the United Nations Special Rapporteur on thepromotion and protection of the right to freedom of expression andopinion, in his landmark report on state surveillance and freedom ofexpression during the 23rd session of the UN Human Rights Councilin Geneva in April 2003. www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf2 www.netindex.com/download/allcountries3 www.weforum.org/reports/global-information-technologyreport-20134 Freedom House. (2013). Freedom on the Net 2013: Bangladesh.www.freedomhouse.org/report/freedom-net/2013/bangladesh#.U4aWAfldXsFThe current government in Bangladesh has a planto establish what it calls a “Digital Bangladesh by2021”, with the aim of integrating internet accesswith development efforts in various sectors.But with widespread digital communicationcomes a greater threat to security and privacy, anduncertainty on how state and other institutions willaddress those issues while protecting the rights ofindividuals.Globally there are two models available to protectcitizens. One is the authoritarian model, wherethe problem is addressed through the developmentof a surveillance regime with filtering at thecontrol points or on the backbone of the internet,and monitoring of the use of computers. A more liberalapproach, on the other hand, is to make peopleaware of the risks, to develop their capacities andto set down punitive measures that require properevidence and respect individual rights. 5 Bangladeshis often swinging between these two models, andthere is a sense in which it is addressing the situationon an ad hoc basis.Policy and political backgroundCommunication content can reveal a range of sensitiveinformation about an individual, including aperson’s identity, behaviour, associations, physicaland medical data, race, colour, sexual orientation,national origins and viewpoints. Or it can showtrends in a person’s location, movements, interactionor behaviour patterns over a period of timethrough metadata or other forms of data associatedwith the original content. Therefore, this requiressignificant protection in law.Internationally, regulations concerning governmentsurveillance of communications vary inapproach and effectiveness, often with very weakor non-existent legal safeguards. 6 The Constitutionof Bangladesh touches on the issues of privacyand individual security in several places. Article 115 Hassan, M. (2012, June 30). Cybercrime: Implementation mustto achieve Vision 2021. The Daily Star. archive.thedailystar.net/law/2012/06/05/analysis.htm6 Rodriguez, K. (2013, February 13). Surveillance Camp IV:Disproportionate State Surveillance - A Violation of Privacy.Electronic Frontier Foundation. https://www.eff.org/deeplinks/2013/02/disproportionate-state-surveillance-violationprivacysays that the republic shall be a democracy in whichfundamental human rights and freedoms and respectfor the dignity and worth of humans shall beguaranteed. Article 43 states that every citizen hasthe right to be secured in his or her home againstentry, search and seizure, and the right to the privacyof his or her correspondence and other meansof communication, unless there are any reasonablerestrictions imposed by law in the interests of thesecurity of the state.In Bangladesh cyber crime is addressed withreference to several laws, including the Informationand Communication Technology Act, 2006; the PenalCode, 1860; the Pornography Act, 2012; and theBangladesh Telecommunication Act, 2001.The Bangladesh Telecommunication (Amendment)Act, 2006, allows agencies to monitor theprivate communications of people with the permissionof the chief executive of the Ministry of HomeAffairs, under a special provision for the security ofstate and public order. This act was again amendedin 2010, enabling officials to intercept the electroniccommunications of any individual or institution inorder to ensure the security of the state or publicorder. 7The act was further amended in 2013 by grantinglaw enforcers the right to arrest any personwithout warrant, and by making the crimes nonbailable.Section 57 of the ordinance states that ifany electronically published material causes anydeterioration of law and order, tarnishes the imageof a person or the state, or hurts the religious sentimentof people, then the offender will be punishedfor a maximum of 14 years imprisonment. 8The Bangladesh Telecom Regulatory Commission(BTRC) also has the authority to tap and monitorphone calls if deemed necessary. The commission’sInternational Long Distance TelecommunicationsSystem Policy 9 has enabled the country to set upthree private international gateways, six interconnectionexchanges and one international internetgateway. This policy says the operators of these willarrange the connection, equipment and softwareneeded for online and offline monitoring, and willprovide access for “lawful interception” by law enforcementagencies. All operators are also requiredto provide the records of call details (voice and7 Privacy International. (2012). Bangladesh: Legal framework.https://www.privacyinternational.org/reports/bangladesh/iilegal-framework8 Daily Star. (2013, October 9). ICT (Amendment) Act, 2013: Right toInformation and Freedom of Expression under Threat. ASK. www.askbd.org/ask/2013/10/09/ict-amendment-act-2013-informationfreedom-expression-threat9 www.btrc.gov.bd/sites/default/files/ildts_policy_2010_english_0.pdfdata) whenever necessary. The BTRC may also setup a monitoring centre at the country’s submarinecable landing station which connects Bangladesh’sinternet backbone to the rest of the world.In January 2012, the BTRC created an 11-memberBangladesh Computer Security Incident ResponseTeam (BD-CSIRT) to look into the issues of cybercrime. This team was mandated to use wiretappingand internet surveillance if necessary. The governmenthas also set up a “cyber tribunal” as perSection 68 of the ICT Act of 2006 to deal with cybercrime-related issues. The Right to Information Ordinanceof 2008 was modified and gazetted in 2009.This ordinance has a provision for the proactive disclosureof information ensuring better transparencyin the administration, but the amended ICT Act of2013 may discourage the administration to discloseany information fearing the application of Section57 of ICT Act. 10An insight into the chronological events:A saga of lone or dissenting voicesAs discussed, the legal framework (such as the ICTAct and its 2006 and 2010 amendments) allowslaw enforcement agencies to monitor and interceptprivate communication. Therefore, communicationsurveillance probably happens at a level weare not aware of. There was a report 11 recently thatBangladesh is buying advanced communication surveillanceequipment, which certainly validates thissupposition. This came out more publicly in 2007when, in a circular, the BTRC requested all internetservice providers (ISPs) to submit the names, addresses,logins, location and other usage statisticsof their users. 12 What they did with that informationis still unknown. It has been reported that the BTRCoften serves informal orders to different domesticservice providers to provide information or blockcertain content – the ISPs are legally bound to dothis through their licence and operations agreementswith the BTRC.However, there is the problem of cyber crimetoo. For example, a number of district web portalsthat were inaugurated by the prime minister inJanuary 2010 were hacked immediately afterwards.10 Siddiqui, M. S. (2013, September 29). ICT Act and freedom ofexpression. Financial Express. www.thefinancialexpress-bd.com/old/index.php?ref=MjBfMDlfMjlfMTNfMV85Ml8xODUxMDM=11 Privacy International. (2014, May 5). Who is selling surveillanceequipment to a notorious Bangladeshi security agency? IFEX.www.ifex.org/bangladesh/2014/05/05/security_agency_surveillance12 Rezwan. (2007, October 5). Internet user profiling and surveillanceprocess initiated in Bangladesh. Global Voices Advocacy. advocacy.globalvoicesonline.org/2007/10/05/internet-user-profiling-andsurveillance-process-initiated-in-bangladesh72 / Global Information Society Watch bangladesh / 73


Different government and media websites, includingthose of leading newspapers, are attacked quitefrequently. 13The use of social media is growing exponentially.Facebook, for example, is one of the mostvisited websites in the country, attracting more than10% of the nation’s total internet users. The platform– or different pages within the platform – hasbeen blocked several times in Bangladesh. In 2013a Facebook report showed that the Bangladeshigovernment requested the profile information of12 users. 14 A newspaper report suggests that thegovernment asked Facebook on three occasions toremove content from its site. 15 Popular video platformYouTube has been blocked repeatedly in recenttimes. First it was blocked in March 2009 after a recordingof a meeting between the prime ministerand army officers was published on the site. Theblock was lifted several days later. YouTube wasblocked again in September 2012 following a controversialvideo clip on Islam – the block was laterlifted in June 2013.Although the reason given for the latter blockwas that the post hurt religious sentiment, manybelieve that the actual purpose was to exert morecontrol over online content and behaviour. Whatwas more worrying was the perspective of a Bangladeshicourt which expressed the desire to findways of facilitating future blocks of websites andpages. 16 The court ordered the shutdown of fiveFacebook pages and a website for content deemedblasphemous towards Islam, while demanding thatcontent hosts and creators be brought to justice for“uploading indecent material.”Hurting religious sentiment is increasinglybecoming a major issue when it comes to surveillance.Authorities seem to be ill prepared, both atthe policy and implementation level, to define theissue properly. In October 2012, in the southeasterndistrict of Ramu, temples in Buddhist neighbourhoodswere attacked and vandalised following anallegation that the Facebook profile of a Buddhistshowed an anti-Islamic image, inciting local Mus-lims to retaliate. 17 Similarly, in another incident inNovember 2013, vandals attacked Hindu housesand properties claiming that a local Hindu boy haduploaded something derogatory towards Islam onhis Facebook profile, although this was later deniedby the person in question. 18Social media played an important role in mobilisingtens of thousands of people who gatheredat Shahbagh Square in Dhaka in February 2013.This was in protest against a light court sentencegiven to Abdul Qader Mollah, an alleged war criminalof the 1971 liberation war. Social, cultural andpro-independence political forces later joinedand strengthened the non-violent demonstration,causing some observers to compare it to the 2011protests in Egypt’s Tahrir Square. But, in response,Mollah’s supporters rallied against what they calleda conspiracy by “atheist bloggers”. On 15 February2013 armed assailants followed, attacked and killeda blogger, one of the organisers of the Shahbaghdemonstration, outside of his home. 19 This showshow people see security threats as linked to onlineactivism, and how surveillance and monitoring arealso happening between citizens.Many argue that the government uses securityas an excuse to tame dissenting voices, and Section57 of the ICT Amendment Act of 2013 gives enoughpower to the government to arrest and confine anyonewithout a warrant. Online activists are alreadyfinding themselves in an uncomfortable zone regardingthe ICT Act amendment, and the ways inwhich it allows surveillance of communications. Inone instance, a professor at a public university wassentenced to a six-month jail term by a court for failingto appear in court (due to the fact that he wasin Australia at the time) to stand trial regarding hisFacebook statement against the prime minister. 20In another incident, a college student was arrestedafter posting some “derogatory comments” aboutthe prime minister and her late father, Bangladesh’sfounding leader, Sheikh Mujibur Rahman. Theseincidents and the government response createdheated debate, both online and offline. 21The government, on the other hand, sensesa real threat. It cites the example of a failed coupconspiracy in 2012, where a group of ex-militaryofficials used Facebook as the platform to prepareand plan to oust the government. 22 No wonder thegovernment’s response was to create the BD-CSIPTto identify the websites and persons or institutionsthat engage in activities that can be seen as harmfulto the state, society, political and religious beliefs –whether using mobile phones, a simple website, orsocial media. 23Action steps: What’s next?Bangladesh still does not have any proper legalframework to protect privacy and to counteractsurveillance. Communication surveillance happensboth officially and unofficially without muchchallenge. Civil society has a bigger role to playin this context. Civil society organisations canraise awareness among citizens and can push thegovernment to educate and empower people onissues of privacy, cyber crimes, etc. This is preferableto the authoritarian approach of blockingor filtering content, or conducting surveillance. Acomparative study on what other countries havedone and what they have achieved could be a usefulbackground resource to create this awarenessand understanding. Activists can prepare guidelineson user rights and obligations and what canbe done if someone feels violated by communicationsurveillance. Civil society also needs to speakup on the unconstitutional provisions in the ICTAct amendment and other legal provisions that allowsurveillance.13 Freedom House. (2013). Op. cit.14 Reuters. (2013, August 28). Bangladesh sought data on12 users: Facebook. bdnews24.com. bdnews24.com/bangladesh/2013/08/28/bangladesh-sought-data-on-12-usersfacebook15 Daily Star. (2014, April 13). Govt asks Facebook to remove 3contents, www.thedailystar.net/govt-asks-facebook-to-remove-3-contents-1997916 Rezwan. (2012, March 24). Bangladesh: Court Orders ShuttingDown of Facebook Pages for Blasphemous Contents. Global Voices.globalvoicesonline.org/2012/03/24/bangladesh-court-ordersshutting-down-of-facebook-pages-for-blasphemous-contents17 Freedom House. (2013). Op. cit.18 Topu, A. H. K. (2013, November 3). Hindus attacked in Pabna. TheDaily Star. archive.thedailystar.net/beta2/news/hindus-attackedin-pabna19 Freedom House. (2013). Op. cit.20 Samad, S. (2012, January 4). Bangladesh teacher awardedimprisonment for Facebook status. Bangladesh Watchdog.bangladeshwatchdog.blogspot.in/2012/01/bangladesh-teacherawarded-imprisonment.html21 Ray, A. (2012, February 17). Bangladesh: Government observationof Facebook ignites debate. Global Voices. globalvoicesonline.org/2012/02/17/bangladesh-facebook-under-governmentscanner-ignites-online-debate22 BBC News. (2012, January 19). Bangladesh army ‘foils coup’against Sheikh Hasina. BBC News. www.bbc.co.uk/news/worldasia-1662785223 Times of India. (2012, January 26). Bangladesh unveils cyberwatchdog. The Times of India. timesofindia.indiatimes.com/tech/it-services/Bangladesh-unveils-cyber-watchdog/articleshow/11640219.cms74 / Global Information Society Watch bangladesh / 75


BoliviaDigital violence: Communications surveillance and the protectionof privacy on the internet in BoliviaFundación REDESJ. Eduardo Rojaswww.fundacionredes.orgA national approach to digital violenceDigital violence 1 is defined here as the exercise ofpower that violates the human rights of a person ora group of people using new communications technologies.This new concept is harnessed to protecttwo types of “legal rights”: on the one hand patrimonialproperty rights, namely protection againstcyber crime involving technological equipment,databases and the internet’s critical infrastructure;and on the other hand personal property rights,which are focused on protecting people’s rightswhen it comes to technology and databases.Until now, Bolivia has no record of formal discussionsdealing with the mass surveillance ofcommunications and privacy protection. As in manycountries, there was media coverage of the Wiki-Leaks case and Snowden’s whistleblowing againstthe National Security Agency’s (NSA) espionage.In June 2012, 2 a number of female members of parliamentaccused the executive of phone-tappingmembers of the opposition. However, there is no recordthat shows that any legal complaint has beenfiled, or is in process.The most important initiative on communicationssurveillance and privacy protection in Bolivia,based on the multi-stakeholder approach, formallygot under way during the first half of 2014. Threeclearly identified groups of governmental actorspromoted the enactment of laws in the LegislativeAssembly. These laws touch upon privacy protectionand communications surveillance on the internet inan indirect fashion.a) Initiatives led by the Ombudsman of Bolivia,in collaboration with social organisations, promotedthe following laws: a comprehensive law1 Since 2010, the REDES Foundation has published researchon “Towards a transdisciplinary approach to informationsociety violence” in order to categorise online violence usingnew technologies in Bolivia, including mass communicationssurveillance and the violation of privacy on the internet.2 www.la-razon.com/index.php?_url=/suplementos/la_gaceta_juridica/Derecho-intimidad-privacidad-Constitucion_0_1627037350.htmlguaranteeing women a life free of violence (ActNo. 348; Article 7, paragraphs 4 and 5 refer tomedia violence); Act 243 against harassmentand political violence towards women (Article 8,paragraph N, speaks about the disclosure of thepersonal information of women politicians).b) Initiatives led by the Ministry of Government incollaboration with stakeholders, including theOmbudsman. Two laws were passed: a law onpublic security and a national system for a saferlife. Act No. 264, Chapter IV, Articles 47 to 52,amongst other things, regulate the installationof surveillance cameras and set out agreementswith internet service providers (ISPs) on the useof information technologies when it comes topublic safety issues. Furthermore, Act 263, thelaw against human trafficking, in Article 323deals with the production, consumption and possessionof child pornography. Article 41 explicitlyrefers to telephone tapping, under a court order.c) Initiatives led by the TelecommunicationsRegulatory Authority, which, since June 2014,organised a National Campaign to PreventDigital Violence in Bolivia. 3 The main expectedoutcome of the campaign is the enactment ofa bill on prevention of digital violence in Bolivia,developed through a multi-stakeholderapproach.All three groups of stakeholders expressly requestedadvice from the REDES Foundation to understandand address digital violence. Firstly, between 2012and 2014, the Ombudsman’s Office requestedtraining for civil society actors, national police, governmentministries, the Ministry of Justice and thePublic Prosecutor. This involved capacity buildingto fight human trafficking and protect victims, usingnew technologies. They also requested the trainingof more than 16 actors who are part of the NationalRoundtable Against School Violence.Secondly, between late 2013 and mid-2014, theMinistry of Interior, through the National DirectorateAgainst Human Trafficking and the National Departmentof Public Safety (in charge of the installation3 The Telecommunications and Transport Authority (ATT) explicitlyadopted the categorisation developed by the REDES Foundation inDecember 2013.of surveillance cameras throughout the country) requestedtechnical support. This was to ensure thefulfillment of people’s rights in the formulation oflaws and regulations related to monitoring and theprotection of privacy in police investigations, and theeradication of human trafficking networks.Finally, the third group asked the REDES Foundationin May 2014 for technical assistance in orderto develop a national campaign to prevent digitalviolence called No caigas en la red (“Don’t fall intothe web”). This has been implemented at a nationallevel since 12 August 2014. The main result of thiscampaign, apart from building awareness, will bethe formulation of a bill on the prevention of digitalviolence in Bolivia, which will also address theneeds of the two previous groups.Raising awareness amongst nationalauthoritiesIt is important to highlight that that the actors involvedin the current processes (regarding the rules that willallow monitoring of internet communications) are uninformedabout the internet governance model.The publication of specialised material oninternet governanceSince 2010, the REDES Foundation has promotedawareness of the internet governance paradigmthrough the publication of the following material:• A Map of Internet Governance, created by theDIPLO Foundation with the financial support ofthe vice-presidency and the REDES Foundation.• The Internet Ecosystem, authored by the InternetSociety with the financial support of thevice-presidency and the REDES Foundation.• Transition from IPV4 to IPV6, authored by LAC-NIC with the financial support of the REDESFoundation.• Human Rights on the Internet, authored by theAssociation for Progressive Communications(APC), with financial support from the NationalICT Network and the REDES Foundation.This material is currently being used to createawareness in the government, the private sector, internationalcooperation agencies and general users(including parents) interested in the eradication ofinternet violence.High-level meetings on the principles of internetgovernanceWe held workshops and conferences with the followinghigh-level authorities:• Representatives of the Ombudsman SpecialAffairs Department, following an agreementsigned between this institution and the REDESFoundation in 2012.• Members of the National Committee for Awarenessof School Violence, in 2012.• Members of the National Committee against HumanTrafficking, in 2013 and 2014. This includedholding conferences and workshops concerningthe recruitment of victims and prosecutionof internet crimes against children, using newtechnologies.• The municipal governments of La Paz, Santa Cruzand Cochabamba, in 2014. This involved holdingconferences and workshops on the prevention ofdigital violence against children and teenagers.• The National Director of the Anti-Trafficking inPersons Unit, in May and July 2014. This involvedholding meetings about the design of a bill tocontrol internet content. These are consideredhistoric meetings, due to the fact that authoritiesgained knowledge about net neutrality, internetgovernance, self-regulation, human rights on theinternet, respect for privacy, and the sanctity ofcommunications. Furthermore, they gained knowledgeabout the nature of international efforts oninternet self-regulation and global progress regardingfreedom of expression over the internet.• The Telecommunications and TransportationAuthority (ATT), to deal with cases of digitalviolence, between late 2013 and 2014. The meetingsaddressed cases of digital violence, witha focus on the importance of aligning the newtelecommunications regulations with the selfregulationand internet governance approach.Two approaches to build regulations relatedto communications surveillance in BoliviaSince 2010, there has been a diversity of legal instrumentsregarding public violence and publicsecurity, which tackle communications monitoring.Two approaches can be clearly identified:Legislation on national security, public safetyand child protection: Initiatives on this matterare discussed above in this report. They deal withactions to penalise and punish different crimes involvingpublic security and the criminalisation ofviolence against women and children. This involvestaking into account the dissemination of content intraditional media and on the internet, but the approachis not directly related to the internet, andclearly lacks the inclusion of internet governanceand human rights principles affecting the web.76 / Global Information Society Watch bolivia / 77


Legislation on the prevention of digital violence:This process, led by the Telecommunications Authority,formally began in 2014 with technical assistance fromthe REDES Foundation. Its approach is to bring theactors and initiatives mentioned above in this report together.It also raises the issue of digital violence in theinternet governance context. The authority has instructedthe REDES Foundation to develop the bill consideringthe new paradigm of internet self-regulation.Action steps: A bill to prevent digital violenceand address mass surveillance of internetcommunicationsBetween August and November 2014 we will designthe Law for the Prevention of Digital Violencein Bolivia. It is important to highlight the preventiveapproach we are using, to open a new era of internet-relatedlegislation we call “regulation ex-ante”(i.e. before unlawful acts occur). It also increasesthe responsibility of actors in the internet ecosystemregarding the prevention and eradication ofdifferent forms of internet violence, including masssurveillance and the violation of privacy.Preventing digital violence involves three majorcategories of actors:• Cases of digital violence by the state: These includecases of digital surveillance, spying andharassment within the state apparatus, by thestate on companies, and by the state on citizens.• Cases of digital violence by companies: Theseinclude cases of digital surveillance, spyingand harassment within companies, actions bycompanies that affect the state, and actions bycompanies that affect citizens/users of digitalcommunications services.• Cases of digital violence by people: These includecases of digital surveillance, spying andharassment by organised criminal groups onordinary people, and cases of violence betweenindividuals (bullying, coercion, mail and wirefraud, child pornography, password theft, impersonationand identity theft, plagiarism, etc.).Preventing digital violence requires multi-sectoralcoordination between government actors, namelythe Ministry of Interior, the Vice-Ministry of Telecommunications,the Telecommunications andTransportation Authority, the Vice-Presidency of theState, the Agency for the Development of the InformationSociety in Bolivia, the Ministry of Education,the Ministry of Communication, and municipal governments.They protect human rights on the internetand prevent all forms of violence online, includingthrough respect for privacy and the requirement ofa court order for surveillance of communications,and through always respecting what is stated in theconstitution.When it comes to civil society, key actors arethe Ombudsman of Bolivia, the National ICT Networkof Bolivia, the REDES Foundation, parents’associations, and the internet and mobile phoneusers’ associations. They all protect privacy, freedomof expression and the responsible use of theinternet among users of value-added services. Theypromote the creation of a responsible digital cultureand freedom of speech on the web.Internet service providers (ISPs) and mobileservices in Bolivia, including companies like ENTEL,Viva and Tigo, need to work in coordination with theregulator and receive technical support from theREDES Foundation. This area of work involves ensuringnetwork neutrality, communications privacy,and the impartiality of ISPs and mobile communicationscompanies. It also involves consumerprotection and the preservation of the multi-stakeholderbusiness model.Addressing the monitoring of communicationsand the protection of privacy is currently movingforward in Bolivia under the larger umbrella ofdigital violence. This approach allows us to unitescattered initiatives, and to promote communicationsmonitoring on the grounds of public security,state security and child protection.The categorisation of digital violence committedby states, companies and individuals allowsus to organise and coordinate the national regulatoryframework in line with the constitution, whichprotects privacy and freedom of expression. It alsoallows us to contextualise this debate within theparadigm of internet governance and the need todevelop a new preventive law drawing on the multistakeholdermodel.Developing a digital violence prevention bill allowsdelegating new functions and responsibilitiesto all actors that are part of the internet ecosystem,including government actors, private users, civilsociety, international cooperation agencies and thetechnical community.Bolivia is facing a new opportunity to developbills under the paradigm of “ex-ante regulation”and to develop co-responsibility between all actorsunder the model of self-regulation. The challengeis out there, and it is a civil society actor that isproviding technical assistance to guarantee an approachthat ensures that no arbitrary action is takenagainst internet or mobile phone users in Bolivia.Bosnia and HerzegovinaThe continuum of surveillance in Bosnia and HerzegovinaOneWorld Platform for Southeast Europe(OWPSEE) FoundationValentina Pellizzer and Aida Mahmutovicwww.oneworldsee.orgIntroductionDissent has its grounding in the understanding ofindividuals, groups or communities about theirentitlement to rights. When it comes to privacy, security,and the internet in general, citizens in Bosniaand Herzegovina are still far from considering themselvesentitled to rights. Yet like anyone else in theworld they actively use technology and social mediato get informed and communicate with friends.Activists use the internet and in particular socialnetworks such as Facebook to engage the generalpublic and to organise protests against the politicalestablishment. For many who do not know muchabout Bosnia and Herzegovina, the immediateassociation is with the Balkans War of the 1990sand the fall of Yugoslavia. For human rights activists,Bosnia and Herzegovina holds the title of themost corrupt country in the western Balkans. It isalso the only country in the region which still has tosign the pre-accession agreement to the EuropeanUnion due to a stalemate on constitutional reformand the unwillingness of its politicians to negotiatenecessary cross-party agreements and to gobeyond rigid ethnic quotas. A good example of thissituation is the country’s failure to comply with theanti-discrimination decision of the European Courtof Human Rights in the case of Sejdic-Finci 1 regardinghis eligibility for official posts. This meant fiveyears of deadlock on constitutional reforms, andleft citizens of Bosnia and Herzegovina trapped inthe narrow and discriminatory framework of theDayton Peace Agreement. 2Policy and political backgroundThe primary purpose of the Bosnia and Herzegovinalegislative and administrative system is to enforce1 Wakelin, E. (2012, October 31). The Sejdic and Finci Case: MoreThan Just a Human Rights Issue? E‐International Relations. www.eir.info/2012/10/31/the-sejdic-and-finci-case-more-than-just-ahuman-rights-issue-for-bosnia-and-herzegovina2 The General Framework Agreement for Peace in Bosnia andHerzegovina, 1995. www.ohr.int/dpa/default.asp?content_id=380the rigid ethnic divisions in the country set up bythe Dayton Peace Agreement, rather than developingpolicies and laws which respond to the needsof the country and its people. This ethnic structureconstantly traps any new policy, law or decision thatneeds to be taken or developed in futile disputesabout jurisdiction among the existing 14 governmentalor legislative levels: the state, two entities,one district and ten cantons.The agency for the information society wassupposed to be the state’s concrete mechanismfor developing, coordinating and overseeing theinformation and communications technology (ICT)sector, as described in policy and strategy documentssigned by the Council of Ministries in 2004.But this never happened, with the effect that thesector lacks a serious and consistent developmentstrategy.Dependent on a plethora of bodies and authoritieswhose mandates are often not understood,citizens struggle to believe in or even follow thework they do, and very often remain passive spectatorsof violations.The bodies with competences on security, privacyand surveillance at state level are the PersonalData Protection Agency (AZLP, Agencija za zaštituličnih podataka u Bosni i Hercegovini); 3 the Agencyfor Identification Documents, Registers and DataExchange (IDDEEA, Agencia za identifikacione dokumente,evidenciju i razmjenu podataka); theMinistry of Security; the sector for combating terrorism,organised crime, corruption, war crimes andmisuse of narcotics; the sector for IT and telecommunicationsystems; the entity ministries of interiorand the Brcko district; police apparatuses at entityand cantonal level; and the judiciary. In 2008 theRepublic of Srpska created its own agency for theinformation society to act as a central body for policyand regulation on ICTs and the internet.From wiretapping to the internet:Someone is listening to us…When we started to research the right to privacy andsurveillance in Bosnia and Herzegovina, we suddenlyrealised how short our memory sometimes3 www.azlp.gov.ba/o_agenciji/nadleznosti/default.aspx78 / Global Information Society WatchBosnia and Herzegovina / 79


is. We immediately came across dozens of articleson wiretapping and illegal interception by variousintelligence agencies, among others.We suddenly realised that privacy in Bosnia andHerzegovina is more threatened than we thought,and that the internet simply serves as a new wayin which information can be obtained, in violationof privacy rights. When talking to civil societyrepresentatives and participants in workshops ononline safety for youth and women, their answersconfirmed the assumption that there is almost anon-existent level of awareness on the right to privacyand information amongst the average citizen.In 2011 Nezavise Novine, 4 a daily newspaperfrom Republic of Srpska published a list with morethan 5,000 phone numbers under surveillance bythe security intelligence agency OSA and the StateAgency for Investigation and Protection (SIPA).Among people wiretapped from 2008 to 2010 weresecurity experts, lawyers and representativesfrom the civil society sector. The newspaper at thetime defined this as a cancer that started in Sarajevo,and spread to the rest of the country. It alsoaccused the international community of being involved.Journalists were also reporting that Bosniaand Herzegovina intelligence was targeting internationaldiplomats, and that in 2009 during his visit tothe country, the director of the US Federal Bureau ofInvestigation (FBI) had asked that top officials fromthe Ministry of Security be dismissed.In 2013 Zoran Čegar, chief of the police intelligencedepartment in Bosnia and Herzegovina,admitted that the online communications of thousandsof citizens, among them politicians, theirwives and lovers, were intercepted with the purposeof blackmailing them. In both cases the public wasnot informed of any action taken, whether arrestsor sanctions.In March 2014 new leaks on the illegal interceptionof communications and wiretapping ofjournalists at the newspaper Oslobodjenje and theweekly paper Bosni Herzegovina Dani emerged. Excerptsfrom conversations between Zivko Budimir,president of the Federation of Bosnia and Herzegovinaand Avdo Avdic, editor-in-chief of FederalTelevision, appeared on the internet. Vesna Budimir,the deputy state prosecutor and a candidate forappointment to the Supreme Court, also informedprosecutors that his communications had been illegallymonitored and intercepted.4 A. Ducic,Telekomi kriju podatke o prislu\u353\’61kivanju, DnevniAvaz, 2014. www.avaz.ba/vijesti/teme/telekomi-kriju-podatke-oprisluskivanjuThere is a pattern to all these scandals: the existenceof parallel systems for intelligence structuresthat control legitimate security institutions – the resultof former war intelligence agencies that neverquite went away, and were not brought under thecontrol of the new system.Regardless how many reforms and new bodiesare created, the constant practice of spying onpeople survives, and the authorities – as well asother interest groups – access the data held by publicassets such as telecoms providers without courtorders. Eavesdropping appears to be routine, whichgives political leaders and their parties material forblackmailing and intimidating rival politicians, theirpartners and journalists. As Petar Kovacevic, directorof the Agency for Personal Data Protection, saidin an interview: “In 2007 the Council of Ministersformed a Joint Committee for the lawful interceptionof telecommunications, which has the authority toadopt procedures that govern the operation of telecomsoperators.” In this way it annulls the power ofthe Agency. It is important to know that the currentchairperson of this committee is the deputy ministerof security. When, in 2013, the agency checkedon the three telecoms operators (BH Telekom d.d.Sarajevo, Telekom Srpske a.d. Banja Luka, and JPHrvatske Telekomunikacije d.d. Mostar), to verifythe lawfulness of personal data processing, andto understand if interception was taking placeusing court orders, the operators simply did not allowaccess to documents, claiming that they were“confidential”. As a result the agency could not determineanything.Personal data protection can easily be consideredby many as irrelevant to public interest andreserved for police investigation. This was the casethis year during riots and protests in Sarajevo (February2014) where media footage and video footagefrom CCTV cameras was acquired by police authoritiesin order to identify people suspected of havingcaused damage to public property, and who wereaccused of “terrorism”. Yet personal data protectionall of a sudden became an inviolable humanright when citizens asked to access and use thesame CCTV footage to identify a court police driverwho hit a protestor. Privacy rights are also beingused as a way to avoid answering requests basedon the access to information act, and to not provideinformation to investigative journalists or citizensregarding the salaries of public officers, amongother things. As confirmed by the Agency for PersonalData Protection’s report: “It is not rare thatpublic administrative bodies use personal data protectionor decisions by the Agency to hinder accessto information to which citizens have a right, or tocover up certain irregularities in their work.” 5Since existing legislation is not in line withEuropean standards, authorities can easily find excusesto maintain the status quo. 6 In particular, theLaw on Communications does not follow Europeanstandards because parliament failed to approve theamendments proposed in 2010. Other relevant lawsare the Law on Personal Data Protection, alreadymentioned; the Law on the Protection of SecretState Information; a set of related provisions in thefour existing criminal codes; and laws on criminalprocedure, which all define the crime of unlawfullyprocessing personal data.Since public statements on transparency remainon paper rather than in practice, the role and workof the Agency for Personal Data Protection becomesessential, not only to establish the rule of law, butalso to provide citizens with an independent bodythat they can turn to.Citizens who have asked the agency to intervenehave won all five cases of video surveillanceagainst the Federation Ministry of Veterans andPeople Disabled in the Defence and Liberation War,the Federation Ministry of Finance, an elementarymusic school in Ilidza, the Golden Grain Bakery inBratunac, G-Petrol Ltd. in Sarajevo, and a residentialbuilding at 17 Armije Street in Tuzla. The rationale inall cases was almost the same: video surveillancewas being used against its declared function ofsecuring property, and used instead as a means ofintimidation, blackmailing and controlling employees.In the case of the music school, the headmasterallowed footage of the teachers’ staff room to beuploaded to YouTube, and then used the ensuingscandal to dismiss a disobedient teacher who hadbeen videotaped. The agency’s decision was thatpeople clearly need to know when areas are undersurveillance, and who to contact for informationregarding video surveillance. Video surveillance installedwithout knowing to whom it belongs, whocan see the recordings, or who can hand these recordingsto third parties, is unacceptable.5 Report by the Agency for Personal Data Protection, 2013.6 The Report states: “The rules of the Council of Ministers aboutthe participation of the Agency for Personal Data Protection inrelevant legislative processes are not satisfactory. The principle ofpurposeful use and by-laws regulating the protection of personaldata by the police have still not been fully implemented. TheLaw on Personal Data Protection does not apply to the Bosniaand Herzegovina Intelligence and Security Agency. Overall,preparations for personal data protection are still at an earlystage. It is necessary to ensure the independence of the Agency forPersonal Data Protection.” European Commission Progress Reportin Bosnia and Herzegovina, 2012.ConclusionsOver the years politicians have continued to usewhatever a system allows to suit their own particularpurposes. Ministries have changed, headsof security agencies and the police have been replaced,but the same scenario plays out with newpeople under surveillance, the same scandals butdifferent names – and no solutions. The Agencyfor Personal Data Protection has introduced a newconcept to authorities and even if it is fragile, it istrying to establish its reputation on new ground. Ina closed system such as the one in Bosnia and Herzegovina,it is really important to refer substantiallyto legality, adequacy and proportionality, and introducethe concept of user notification.Bosnia and Herzegovina, similar to all new democracies,has wonderful copy-and-paste laws inplace, but they are mostly never implemented. Thereal power remains outside institutions, while rhetoricis used during official visits and good-soundingstatements are produced easily. The participationof Bosnia and Herzegovina as a state in the globalconversation around internet rights is non-existent,and security is understood in a very conservativeway. The first action plan for children’s online safetyis a perfect example, with a blacklist, measures forparental control, internet service provider (ISP) responsibilityand other conservative measures.Traditional actors seem not to grasp the urgencyand the necessity of moving beyond the usualscheme of endangered human rights. Technologyand the regulation of telecoms remain a distantworld approached only in terms of the potential forcorruption, and privatisation.There is a world of non-traditional activism thatis represented by internet users which can recognisethe connection between technology, onlineplatforms and tools, and the policy and legislationsurrounding them. This is unique.Action stepsParticipatory awareness campaigns that use visualtools are key to helping citizens value their personalinformation and data and to pressurise institutionsto fulfil their role when it comes to privacy rights.Since its inception, the Agency for Personal DataProtection has slowly been receiving more expertinput and extended its controls over institutionaldecisions. There is still a need to build a bridgebetween the work of the agency and the averagecitizen and to translate the complexity of personaldata processing into personal stories.Public opinion in Bosnia and Herzegovina hadbecome so disillusioned about its ability to bring80 / Global Information Society Watch Bosnia and Herzegovina / 81


about change. The silent majority is afraid to takerisks, because it would be defending something itdoes not really understand, or is genuinely scaredabout the repercussions. In this as in other issues,it is important to leave behind the feeling of anoverwhelming and invincible Big Brother that cansee and control everything. To do this it is importantto talk outside of the usual circles of activists, andalso to produce and distribute information in a formatthat citizens can understand and use.The internet has proved to be a space wherepeople convene and take action in creative andpersonal ways, and more than ever has become theplace where actions start: content is easily distributedand memes are generated. With a mobile phonepenetration rate of 90.8%, an internet penetrationof 56.96%, and a total of 2,188,429 internet usersin 2013, this is the place where ongoing awarenesscampaigns can generate ad hoc coalitions ready totake up the challenge of creating a positive senseof privacy. This can help build campaigns againstthe continuum of surveillance and its pervasive expansionunder the paternalistic vest of protectingvulnerable communities.brazilMarco Civil: A Brazilian reaction to surveillance on the internetBrazilian Institute for Consumer Defense (Idec)Veridiana Alimontiwww.idec.org.brBill No. 2126/2011 in Brazil, known as the BrazilianCivil Rights Framework for the Internet (inPortuguese: Marco Civil da Internet), was finallypassed by the Brazilian Senate on 22 April 2014,and sanctioned the following day by PresidentDilma Rousseff at the opening ceremony of NETmundial.1 With this, the bill became Federal Law No.12965/2014, which is the result of widespread mobilisationby civil society searching for a guaranteeon internet rights – a mobilisation which resulted inan innovative participatory movement in the Brazilianlaw-making process.The three key pillars of the Marco Civil– net neutrality,intermediary liability aligned with freedom ofexpression, and data protection and privacy – encouragedpeople to link themselves to the mobilisationcampaign and overcome great resistance in the NationalCongress of Brazil. The purpose of this report isto highlight the relevant points in the process of preparationand approval of the law, as well as to discussthe rules related to the three pillars, while emphasisingdata protection and privacy. A description of themain challenges to be faced after the approval of thelaw is also provided at the end of the report.A bill of rights for the internet with civilsociety playing a leading roleThe idea of a civil rights framework (“Marco Civil”)for the internet in Brazil gained momentum in thecontext of society’s reaction against regulation ofthe net focused on the persecution and punishmentof its users. Bill No. 84/99, debated for almost 10years in the National Congress, channelled much ofthis opposition when it was returned from the Senateto the Chamber of Deputies because it proposedvery restrictive regulations. 2 Activists and civil so-1 The Global Multistakeholder Meeting on the Future of InternetGovernance, held on 23-24 April in Brazil. www.netmundial.br2 See more about Bill No. 84/99 and the beginning of the MarcoCivil at Pereira, C., Maciel, M., & Francisco. P. (2011). Marco Civil daInternet: uma questão de princípio. Revista poliTICS. https://www.politics.org.br/sites/default/files/poliTICS_n07_souza_maciel_francisco.pdfciety organisations joined in a broad online andoffline campaign 3 that attacked the bill and its conceptionof net regulation, placing pressure on thepresident then in office, Luiz Inácio “Lula” da Silva,and changing the approach of the federal governmenton the subject.In the absence of any other relevant legal framework,the Brazilian legal system considers criminallaw the last resort in the regulation of conduct. Civilsociety further consolidated the idea that beforecyber crimes can be legislated, it is necessary toguarantee rights and define liabilities on the net.A civil rights framework was necessary for the internetin Brazil. The federal government took overthe project and, in partnership with the Center forTechnology and Society of the Law School at theFundação Getúlio Vargas (CTS/FGV), conducted anonline public consultation in two phases.The public consultations occurred between2009 and 2010 and resulted in approximately 2,000comments from many different sectors. In bothphases a participatory online platform was used,allowing views and comments on the contributionsalready received. One of the important referencesin the draft of the text was the Internet Governanceand Use Principles, established by a resolution ofthe Brazilian Internet Steering Committee (CGI.br).After the public consultation, the wording of the billwas concluded by the executive branch and it wassent to the Chamber of Deputies, the lower houseof Congress, in 2011. Brazil at the time was alreadyunder President Dilma Rousseff.A special committee was created to discuss thebill, and Congressman Alessandro Molon was appointedas rapporteur. He held a series of publichearings and seminars, as well as a fresh round ofonline public consultations.From July 2012 the report was ready to be votedon by the Chamber of Deputies, but there weremany pressures that led to repeated delays. Thestrongest came from telecommunications companies,but negotiations were also necessary whenit came to the issue of copyright with Rede Globo,a powerful media group in Brazil, and with sectorsengaged in the fight against cyber crime regarding3 The campaign was known on the net as Mega No (“Mega Não”).82 / Global Information Society Watch brazil / 83


the matter of the retention of log files. EdwardSnowden’s espionage claims directly involving theBrazilian government, in the second half of 2013,brought Rousseff into the discussion, and pulledthe Marco Civil back onto the legislative agenda.The executive branch determined discussionof the bill in Congress to be of “constitutional urgency”,and it came to lock the agenda of votes inthe lower house on 28 October 2013 (in line with theBrazilian constitution, if a bill granted “urgency”has not been voted on within 45 days, deliberationon all other legislative matters is suspended inthat house of Congress until voting is concluded).Nevertheless, resistance, a congressional recessand political manoeuvring delayed its approvalfor almost five more months – until it was finallyapproved on 25 March 2014. In the Senate, the pressurefor approval, the proximity of the NETmundialevent, and a composition of senators more favourableto the government helped the voting to takeless than one month. Through all this, mobilisationof civil society through online campaigns, messagesbeing sent to members of Congress, increasedpublic awareness through social media networks,public events and lectures, and the physical presenceof activists in the halls and plenary sessions ofthe National Congress, were fundamental. 4Data protection and privacy:One of the pillars of the Marco CivilPrivacy protection and personal data protection are,separately, two of the principles provided for by lawto regulate the use of the internet in Brazil (in Article3). The clauses in the Marco Civil dealing withthese protections were strengthened after EdwardSnowden’s public allegations of mass surveillance,and an important set of such provisions are set forthin Article 7 of the law. Such provisions ensure theinviolability and secrecy of the flow of communicationson the internet and of stored private data,except if disclosure is required by court order. Theinviolability and secrecy of data and communicationsare rights guaranteed under the BrazilianFederal Constitution, but the judiciary understandsthat such provisions are only applicable to the flowof communications, not to communications that arestored. The Marco Civil represents a breakthroughin the protection of stored data.4 Idec made an online tool available that sent thousands of emailsto members of the House of Representatives; Avaaz collected350,000 signatures supporting the Bill through online petitions.Numerous organisations and activists mobilised using theseand other tools forming a cohesive and coordinated front. See:marcocivil.org.brAnother advance concerns the more detailedprovision of the law that requires express (notimplied) consent from the subject for the future collection,use, storage and handling of personal data,which should be given separately from any othercontractual clauses. In addition, the user must haveaccess to clear and complete information aboutthe processes of storage, including the system ofprotection of connectivity logs and data recordingaccess to applications. The disclosure of personaldata to third parties may only occur if there is expressconsent, informed and free. Subject to theprinciple of purpose, the same article provides thatpersonal data may only be used for purposes thatjustify their collection, when not prohibited by law,and are specified in the services agreement or theterms of use of internet applications.As a corollary to Article 7, Article 8 of the MarcoCivil states that the guarantee of the right to privacyand freedom of expression in communicationsis a prerequisite for the full exercise of the right toaccess the internet. Accordingly, any contractualclause in breach of these provisions, such as thoseinvolving harm to the inviolability and privacy ofcommunications on the internet, will be considerednull and void.In order to fight the surveillance reported bySnowden, Article 11 determines that Brazilian lawrelated to privacy must be respected by internetconnectivity and applications providers when collectingpersonal data, logs and communicationscontent when this occurs in the country or involvesa terminal located in Brazil. This obligation also appliesto legal entities domiciled abroad, providedthat they offer services to the Brazilian public orthat any member of their business group has a businessunit in the country.Part of the law is also aimed at establishing parametersfor the retention and availability of logs forconnectivity and access to applications. Generally,the obligation to make these logs available dependson a court order. As regards retention, the Marco Civilprovides for two cases in which it can occur. The first,in Article 13, refers to connectivity logs (date and timeof beginning and end of a connection, its durationand the IP address). The system administrator mustkeep them private, and in a controlled and safe environment,for a period of one year, according to theregulations. The second, in Article 15, refers to logsof access to applications (date and time of use of anapplication from a particular IP address). In the caseof applications whose providers are legal for-profitentities, the retention of these logs shall be compulsoryfor six months, also pursuant to the regulations.Initially provided for as optional, the compulsorycharacter of the retention was a late change to thebill, the result of pressure from the federal police andrelated sectors, causing great controversy amongcivil society organisations. Finally, it is important tomention that connectivity providers are prohibitedfrom storing access to applications logs, and may notstore these together with connectivity logs.The provisions commented on here do not compriseall the Marco Civil rules applicable to privacyand personal data, but represent many of them. 5There are also two other pillars of the law that areworth noting.One is net neutrality, which is guaranteed asone of the principles governing the use of the internetin Brazil. In order to give effect to it, Article 9establishes that the entity responsible for transmission,switching or routing must treat any data packsequally, irrespective of content, origin and destination,service, terminal or application. The article alsoforbids these entities from blocking, monitoring, filteringor analysing the contents of the data packs.Two exceptions are provided, and these may resultin discrimination or the degradation of data traffic:i) due to technical requirements necessary for theadequate supply of services and applications, andii) for prioritising emergency services. Even in thesecases, there are conditions that providers mustmeet, such as refraining from doing harm to usersand not engaging in anti-competitive conduct. Exceptionswill be regulated by presidential decree,after input from the National TelecommunicationsAgency and CGI.br. While telecommunications companieshave managed to include the principle thatgrants “freedom of business models” among theprinciples of law, it is the only clause which includesthe phrase “provided they do not conflict with otherprinciples under this law” – including net neutrality,detailed in Article 9.Another important pillar is the issue of intermediaryliability with respect to third-party content.According to the general rule laid down in Article 19of the law, civil liability for third-party content mayonly occur if the provider of applications fails to complywith a court order requiring the removal of thecontent. This provision is to ensure due process, aswell as the competent judicial scrutiny on the variousrights involved in removal requests. There are,however, two exceptions worth noting. In the caseof content protected by copyright, until a specific5 For further analysis, see Doneda, D. (2014). Privacy and dataprotection in the Marco Civil da Internet. www.privacylatam.com/?p=239; an unofficial translation of the law is available at:thecdd.wordpress.com/2014/03/28/marco-civil-da-internetunofficial-english-translationprovision of law is adopted for the application of thisrule, the current Brazilian Copyright Act remainsapplicable, which allows a much more restrictive approachto access to knowledge. The second exceptionis the notice and takedown for breaches of privacy bydisclosure of nudity or private sexual acts without theconsent of the participants. However, the notificationmust be made by the participant or his/her legalrepresentative, aiming to avoid moralistic and judgmentalcensorship which is not rare at all on the net.Action stepsThe reaction that initially consolidated the idea of acivil rights framework for the internet in Brazil wasstrengthened with the release of the documentsleaked by Snowden. The idea that the regulationof the internet should move away from a persecutory,surveillance approach in order to guaranteethe right to privacy and other rights has been reinforced.However, such a conception of internetregulation cannot settle without considerable difficulties– and the Marco Civil is an expression of this.Despite the mobilisation, civil society was not ableto contain the pressure for mandatory retention oflogs. However, it did succeed in restricting the timeperiod that logs could be retained – a period shorterthan the authorities wanted.The regulation on the retention of logs, especiallylogs that record a user’s access to applications, mayfurther limit the types of service providers requiredto retain logs and improve transparency and controlmechanisms related to data retention. Moreover, aspecific bill on protection of personal data is expectedto be sent to the Brazilian Congress soon. Thiscan minimise the problematic aspects of the MarcoCivil which, in general terms, introduces importantregulations for the protection of user’s privacy onthe internet into Brazilian legislation. Beyond thispoint, the law has other important advances, notablythe provisions on net neutrality and intermediaryliability. In both cases, the guarantee of rights wasset against commercial interests and the threat ofcensorship. In the future, we can expect pressureto continue to build with regard to exceptions to netneutrality, and changes to the Copyright Act, which isalso expected to be sent to Congress.If disputes follow the approval of the MarcoCivil, including the challenges surrounding its effectivenessand continuity, it is certain that thesedisputes will at least begin from an informed perspective.This includes considering the internet asa rights-based issue, essential to the exercise ofcitizenship, and which requires the guarantee ofprivacy and freedom of expression.84 / Global Information Society Watch brazil / 85


BulgariaZigzagging awayBlueLink.netPavel Antonovwww.bluelink.netIntroductionOver 40 representatives of internet service providers(ISPs) gathered on 10 June 2014 in theimposing grey building of Bulgaria’s Ministry ofInterior (Mинистерство на вътрешните работи– MVR). The meeting was called by the State Agencyof Technical Operations (Държавна агенция„Технически операции“ – DATO) and did not goeasy, according to a report by Bulgaria’s authoritativebusiness weekly Capital. ISPs were askedto provide DATO and the State Agency for NationalSecurity (Държавна агенция „Националнасигурност“ – DANS) with unlimited real-time accessto all internet traffic, with data storing options.Apart from concerns that the cost of equipment andtechnology necessary for fulfilling such a requestmight be too high, especially for smaller providers,it raised alarm for at least two more reasons:it confronted recent civil society accomplishmentsagainst excessive surveillance in Bulgaria; and thepiece of European Union (EU) law that it was legallygrounded in had just been abolished by the Union’shighest court in Luxemburg.This report seeks to explain the political andpolicy context that perpetuates internet surveillanceby Bulgaria’s security services and averts civilsociety’s efforts to limit them. The following analysisis based on unstructured online interviews andquery responses from internet rights activists, ISPproprietors and members of the “Free and NeutralInternet” Bulgarian language group on Facebook 1during April-May 2014.Policy and political backgroundIn fact, DATO’s surveillance requirements wereanything but new. They were added to Bulgaria’s ElectronicCommunications Act (Закон за електроннитекомуникации – ZES) back in 2010 to comply with theEU’s Data Retention Directive 2006/24/EC. The formerEU Data Retention Directive was originally transposedinto MVR’s Ordinance 40 as early as 2008, but its texts1 https://www.facebook.com/groups/bginternetfreedomregarding access to stored information were cancelledby Bulgaria’s Constitutional Court in 2009 and consecutivelyadded to ZES. Remarkably, Ordinance 40 wasnever cancelled and is still technically in force, includinga requirement for ISPs to send yearly reports to theMinister of Interior.The ZES surveillance provisions oblige telecommunicationsoperators to ensure real-timepossibility for security services to “capture” electronicmessages, “monitor” communication continuously,and access “data related to a certain call”. If real-timeis not possible, ISPs should provide requested dataas soon as possible. They need to also maintain specialinterfaces that allow the transferring of capturedelectronic communication to DATO and DANS, followingspecifications approved by DATO’s chair. ISPsare expected to both provide details about every calland its content, and establish the identity of theirusers. But no one ever put pressure on ISPs to actuallyimplement these requirements, so they never did– apart from the country’s three GSM (mobile) operators,Capital reported. 2A separate Special Surveillance Devices Act adoptedin 1999 stipulates that surveillance requestscan be filed by MVR, DANS or a prosecutor’s office.Then a district judge’s approval is required beforeDATO implements them.On 8 April 2014 the European Court of Justiceinvalidated the EU’s Data Retention Directive becauseit contradicts the Union’s human rights andpersonal protection principles. 3 But how to complywith the ruling was left up to each member state todecide. And while none of the political parties representedin Bulgaria’s parliament have made a moveto ease ZES’s draconic e‐surveillance requirementssince April, all of a sudden in June DATO called upISPs asking them to tighten their implementation.The “state” of state securityIt was not a coincidence that the awkward meetingbetween ISPs and law enforcement agencies tookplace in the once notorious building which used to2 Mihaylova, P. (2014, June 20). Op. cit.3 Court of Justice of the European Union. (2014, April 8). Pressrelease №54/14: The Court of Justice declares the Data RetentionDirective to be invalid. curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdfhost the most redoubtable units of the Committeefor State Security – Bulgaria’s equivalent of the KGBduring the authoritarian rule of 1944-1989. Hauntedby memories of mass surveillance and terror fromthese times, Bulgaria’s civil society has been alertfor over two decades against the activities of theformer and present – supposedly reformed – securityand enforcement agencies of its democraticgovernment. And for a good reason: the former regime’sstate security staff, agents and informantshave held a tight grasp of Bulgaria’s post-socialistpolitics, governments, business and mass media. 4As a result, over the years, the public saw variousinitiatives fail or get significantly watered down, 5while individuals and groups linked to the formerstate security apparatus almost inevitably held politicaland economic power.Instead of getting its security services reformedand accountable, Bulgaria’s democratic institutionsseemed to be getting subdued and further infiltratedby them, their non-transparent and manipulativemethods, and their abusive and controlling culture.The country’s late accession to the EU in 2007 didnot bring the expected improvements, and progressmonitoring reports by the EU indicate systematicproblems with the independence of the judiciaryand corruption of authorities and law enforcement, 6while Freedom House reports reflect a declinein freedom of speech and human rights, amongothers. 7Civil society to the rescueFor a while the third sector compensated to someextent for the decline of democratic institutions.Empowered by the increasing availability of highspeedinternet in Bulgaria, social networks likeFacebook and Twitter, or local networking sitessuch as Association for Progressive Communications(APC) member BlueLink.net, 8 mass protestsin 2012 forced Bulgaria to retract from signing4 Hristov, H. (2013). Държавна сигурност и влиянието върхуполитическия елит по време на прехода [State security andits influence over the political elite during the time of transition].Report presented at the East Europe’s Transition in the Documentsof Communist Secret Services conference held by the Committeefor disclosing and announcing affiliation of Bulgarian citizens to theState Security and Intelligence services of the Bulgarian People’sArmy, Sofia, Bulgaria, 26 November. www.comdos.bg/media/Novini/Doklad-Hr.Hristov-26-11-2013.doc5 Ibid.6 European Commission. (2014, January 22). Report from theCommission to the European Parliament and the Council: OnProgress in Bulgaria under the Co-operation and VerificationMechanism. ec.europa.eu/cvm/docs/com_2014_36_en.pdf7 Freedom House. (2014). Freedom of the Press Report: Bulgaria.www.freedomhouse.org/country/bulgaria8 www.bluelink.netthe Anti-Counterfeiting Trade Agreement (ACTA). 9Suggestively, its centre-right government at thetime was led by Prime Minister Boyko Borissov, whohad started his political career as Chief Secretaryof MVR and held a police general’s rank. In spite ofbacking off from ACTA, Borissov’s government wasaccused of excessive and often illegitimate use ofelectronic surveillance. 10 Allegedly, the main illicitsurveillance culprit was Borissov’s interior ministerat the time and trusted in-party ally Tsvetan Tsvetanov.A former Police Academy gymnasticsinstructor, Tsvetanov was criticised for – and eventuallycharged with – sanctioning allegedly illiciteavesdropping by security services. 11An escalating row of public protests over a pilingnumber of environmental and social problemseventually forced Borissov’s government prematurelyout of power in February 2013. Soon after,senior prosecutors investigated MVR to discovera lack of clear rules on the use of surveillance anddereliction of duty by senior officials, and facedobstruction by an official who allegedly destroyedevidence. 12 Already in opposition, Tsvetanov wastaken to court on various counts related to the useof surveillance equipment and eavesdropping; finalrulings are pending. Raychin Raychev, chair of Future21 Century Foundation and an internet rightsactivist based in Plovdiv, found it only natural thatthe internet and other surveillance peaked duringthe rule of Borissov. He blamed the phenomenon onthe mentality and origin of key government figuresand Borissov himself; then their snobbishness andeagerness to show off.Mounting criticism created an expectation thatthe government of Bulgaria’s Socialist Party andMuslim minority-based Movement for Rights andFreedoms that took power after preliminary electionswould significantly tighten up surveillanceprocedures and decrease surveillance practices.But an analysis by the Sofia City Court released inFebruary revealed a disappointing discovery: phoneand internet tapping requests were actually on therise during the next government’s tenure in office.9 Chipeva, N. (2012, February 11). Thousands march in Bulgariancities against ACTA: Photo gallery. The Sofia Echo. sofiaecho.com/2012/02/11/1764539_thousands-march-in-bulgarian-citiesagainst-acta-photo-gallery10 Nikolov, K. (2013, April 20). Гарантирано от ГЕРБ: Пъленпроизвол с подслушването [Guaranteed by GERB:Completely Arbitrary Surveillance]. Mediapool. www.mediapool.bg/garantirano-ot-gerb-palen-proizvol-s-podslushvanetonews205487.html11 Leviev-Sawyer, C. (2013, April 16). Borissov and GERB backTsvetanov in eavesdropping controversy. The Sofia Globe.sofiaglobe.com/2013/04/16/borissov-and-gerb-back-tsvetanov-ineavesdropping-controversy12 Ibid.86 / Global Information Society Watchbulgaria / 87


The Court reported some 8,345 requests for phoneand internet traffic surveillance filed during 2013by the police and DANS, with each request containingtens of phone numbers and IP addresses. 13The number appeared to have grown significantlycompared to 2011, when the requests were 6,918,although court refusals had also increased from12% in 2012 to 14.3% in 2013.The number of cases where law requirementswere neglected is on the rise, confirmed Atanas Chobanov,a Paris-based investigative journalist andco-publisher of BalkanLeaks.eu and whistleblowingonline journal Bivol.bg. He sees the genesis of theproblem in the fact that the secret services have accessto the technical possibilities for surveillanceand it is easier for them to use it, in spite of usingother methods for investigation which are supposedto be used first. As a WikiLeaks’ Bulgarian partner,Bivol.bg revealed in 2013 that Bulgaria’s governmentis among the clients of FinSpy – a softwareproduct by Dreamlab and Gamma International,specialised for internet and phone surveillance. 14Internet surveillance is as serious as it was inthe beginning of the previous government’s term,commented Delian Delchev, a senior networkingengineer and IT consultant based in Sofia. Delchev,who is the administrator of the Free and NeutralInternet Bulgarian language group on Facebook,assessed all recent attempts to reform surveillancemechanisms as incomplete, including the separationof DATO from MVR’s structure and allowingDANS, the military and customs to request surveillancerequests directly. Another reason for concernfor Delchev is the political appointment of DATO’schair, whose position is not subject to any public orcivic scrutiny and accountability.The increase in the number of requests was notthe only sign of policy zigzagging over e‐surveillance.In May 2014 state prosecutors suddenly burst into theoffices of DATO and DANS to investigate the legalityof their surveillance methods and practices. 15 Just amonth later DATO suddenly became eager to get ISPsto fulfil their surveillance obligations under ZES.13 Sofia News Agency. (2014, February 17). Number of SurveillanceRequests in Bulgaria on the Rise. Novinite.com. www.novinite.com/articles/158260/Number+of+Surveillance+Requests+in+Bulgaria+On+the+Rise14 Bivol. (2013, September 4). WIKILEAKS: БЪЛГАРИЯ РЕАЛНОИЗПОЛЗВА ШПИОНСКИЯ СОФТУЕР FINSPY [WikiLeaks:Bulgaria effectively uses FinSpy spying software]. Bivol.bg.https://bivol.bg/finspy-bulgaria.html15 Angarev, P., & Dachkova, D. (2014, May 16). Прокуратуратаизненадващо влезе в спецслужбите заради подслушването[Prosecutors surprisingly entered into special services because ofsurveillance]. Sega. www.segabg.com/article.php?id=698787Respecting laws and changing lawsIn spite of all this most ISPs fulfil their obligations underZES article 250a consciously and respect the law,said Assen Totin, a former ISP manager, now workingfor a small telecommunications operator. It is smaller“one-block LAN [network]”-type providers who turna blind eye to the law, not making any effort to complywith it. “Not because they embrace the EuropeanCharter for Human Rights, but because most Bulgariansthink that the laws apply for everyone else butthem – and it is a pity that no one can bring themback to shape,” Totin commented. The EU’s DataRetention Directive may be invalidated, but Bulgarianlaw provisions that comply with it are still validand no serious operator could unilaterally decide tostop complying with them, Totin explained. Failure todo so might lead to substantial fines of up to USD68,400 – a serious amount even for large players.Benefits from non-compliance are questionable, withsubstantial possibilities for negative consequencesin terms of bad public relations, said Totin.But as an industry insider he sees clearly howhard it is for providers to comply with e‐surveillanceobligations. Larger operators receive some tens ofrequests for data access every day. Handling themrequires a great resource of people, labour and soon, especially given that in order to “cover” a specificsubject of “operational interest”, much moreinformation is often required than actually needed.For example, instead of simply asking whether Xwas in area Y at a given point in time, a request arrivesthat information of all users who appeared inthe area should be handed over. And little of therequested information is acceptable as legitimateproof by Bulgarian courts, Totin explained. The Committeefor Protection of Personal Data (Комисиятаза защита на лични данни – KZLD) is the bodyauthorised under ZES to keep track of ISPs’ compliancewith this part of the law – namely, whether dataunder article 250a is accessible only for the appropriatepersons, whether it is destroyed afterwards andso on. ISPs account in front of KZLD on a yearly basis.Totin thinks that the committee did a lot to makethe life of ISPs easier, and listened to most recommendationsby larger operators and by the Societyof Electronic Communications – one of the professionalassociations in the sector – particularly withregard to legitimising refusals of access to informationwhereby a request did not meet the requisites ofthe law, and also in defending the ISPs’ position thatthey should not interpret the data provided.A representative of another trade association,the Society of Independent Internet Suppliers, wasquoted by Capital as saying that DATO’s requestsare unconstitutional and in breach of EU law andindividual privacy rights, and that ISPs might suethe state in the International Human Rights Court inStrasbourg over them. As former associate to the Sofia-based Centre forthe Study of Democracy, Totin believes that abidingby applicable law is a must in a democratic society,and that there are legitimate ways to change abad law. A couple of days after the EU court’s decisionwas announced, Totin sent a complaint to theOmbudsman’s Office as a private individual, askinghim to alert the Constitutional Court. OmbudsmanKonstantin Penchev was quick to act and a case isnow pending at the Constitutional Court for the cancellationof the ZES requirements affected by thecancelled directive. 16 There is a proposal to get anopinion from the Communications Regulation Committee(Комисия за регулиране на съобщенията– KRS) and all interested parties might send theiropinions to them. Eventual success in the ConstitutionalCourt might be of substantial importance fordemonstrating the superiority of public interest overapplicable law.ConclusionsFor 25 years since 1989, Bulgaria’s political and economiclandscape remains marked by power structureslinked to the security services of the former authoritarianregime. The style and methods of the former statesecurity persist in today’s unreformed security andenforcement agencies that tend to practise excessiveand often unnecessary internet surveillance. Internetsurveillance is over-regulated, with different regulationsappearing in various legal texts, and regulatedby different bodies. Policy zigzagging and conflictingsignals sent by different institutions and politicians– depending if they are in opposition or in power – createsthe sense that no significant motivation to limitinternet surveillance exists in Bulgaria’s governing circles.With business, politics, mass media and justicemarked by corruption, non-transparency and lack ofpublic accountability, civil society remains often themost viable guardian of privacy and human rightsonline. EU institutions, a few independent journalismpublications, and the few functioning democratic institutions,such as the Ombudsman, also play their part.The cancellation of the EU’s Data Retention Directiveby the European Court of Justice offers Bulgariaand all member states a great opportunity to redesigntheir national legislations so that internet surveillance16 Mihaylova, P. (2014, June 20). Op. cit.should not hamper fundamental rights of privacy andfreedom of expression. But the resistance of conservativestructures linked to the state security apparatusslows down and often reverses such changes. A paralysinglegal and administrative framework imposesnew technological and financial burdens on ISPs whoare willing to comply with data retention and surveillancerequirements. The idea of refusing to complywith the applicable law’s draconian requirement isnew to most ISPs, but there is already the thoughtof legally challenging the obsolete national law provisions.Conscious citizens and internet connectivityproprietors abide by the law, but are willing to take legalaction to remove the obsolete legal texts that forcethem to spy on internet and phone users.Action stepsSome steps that could lead Bulgaria to resolvingthe problems with excessive and sometimes illicitinternet surveillance include:• An in-depth assessment of the existing administrativeand legal framework to establishall norms and agencies that regulate internetsurveillance.• Conceptualising a complex set of changes thatwould lead to minimising the number of surveillancerequests and strengthening the abilityof both special services and ISPs to cooperateeffectively.• Having Ordinance 40 of MVR ultimately cancelled.• Raising public awareness of the negative implicationsof excessive internet surveillance andcreating political demand for limiting it; limitationsthat politicians need to comply with whenthey get elected.• Building broad coalitions of actors who are interestedin limiting internet surveillance, includingISPs, human rights advocates, pro-democracythink tanks and other groups that could participatein decision making when it comes to surveillance.• Removing the internet surveillance provisionsrelated to the former EU Data Retention Directivefrom ZES.• Concentrating efforts on policy advocacy at theEU level to obtain a favourable replacementfor the cancelled Data Retention Directive thatwould have a lasting impact over internet surveillancepolicies at national and EU level.88 / Global Information Society Watchbulgaria / 89


Burundi and East AfricaGovernment surveillance in East AfricaCollaboration on International ICT Policy in Eastand Southern Africa (CIPESA)Lillian Nalwogawww.cipesa.orgIntroductionInternet access and use of its related technologiescontinue to grow in East Africa. This can be partlyattributed to the undersea cables that establishedlanding sites along the Kenyan and Tanzaniancoasts between 2009 and 2010, 1 consequentlyopening up the region to increased bandwidth andspeeds. Other factors include a reduction in accesscosts and the proliferation of mobile phones.Currently Kenya leads in internet access with21.2 million users, or 52.3% of its total population, 2compared to 8.67% in 2008, 3 while in Tanzania internetusers were reported at 9.3 million at theend of 2013 4 compared to 4.9 million in 2010. 5Meanwhile, internet usage also increased in landlockedUganda, Rwanda and Burundi. By the end of2013, Uganda’s internet penetration stood at 20%compared to 12.5% in 2010, while that of Rwandacurrently stands at 19.5%, having doubled from2010. Meanwhile, Burundi and Ethiopia have thelowest proportion of internet users, at 1.32% and1.5% 6 of the population, respectively.Policy and political backgroundWhile East Africa has enjoyed relative stability, therehave been cases of unrest in Burundi, Rwanda, Ethiopia,Uganda and Kenya in recent years. Tanzaniacontinues to be the most peaceful country, whileKenya has recently been hit by terror attacks and1 Song, S. (2014, March). African Undersea Cables. ManyPossibilities. https://manypossibilities.net/african-underseacables2 Communications Commission of Kenya. (2013). Quarterly SectorStatistics Report: Second Quarter of the Financial Year 2013/14.www.ca.go.ke/images/downloads/STATISTICS/Sector%20Statistics%20Report%20Q2%202013-14.pdf3 www.itu.int/en/ITU-D/Statistics/Documents/statistics/2014/Individuals_Internet_2000-2013.xls4 Tanzania Communications Regulatory Authority ( 2013).Telecom Statistics, www.tcra.go.tz/images/documents/telecommunication/telecomStatsDec13.pdf5 www.itu.int/en/ITU-D/Statistics/Documents/statistics/2014/Individuals_Internet_2000-2013.xls6 Ibid.earlier in 2007-2008, by election-based violence.The instability which the countries have experiencedmakes promoting national unity and nationalsecurity, including fighting terrorism, pertinentconcerns in the region. Despite this, the region hasrecognised that information and communicationstechnologies (ICTs) can be used to advance governanceand development. Governments in all thesecountries have enacted national ICT policies andother legal and regulatory frameworks to furtherfacilitate and foster development in the digital age.Many of them have formed ICT Ministries – althoughthey still make only negligible funding to these ministriesand ICT development in general.Between 2010 and 2014, various laws were introducedand have been criticised for curtailingonline freedoms in these countries. 7 Often guisedunder the pretext of promoting national securityand fighting cyber crime, these laws allow for interceptionof communications, censorship or themonitoring of online user activity. In many instances,the laws contradict the rights provided for innational constitutions.All countries in East Africa have legal provisions,reinforced by state agencies, that enable the lawfulsurveillance and monitoring of communications.These include the Regulation of Interception of CommunicationsAct, 2010 in Uganda; the Rwanda 2013Interception of Communication Law and 2001 LawGoverning Telecommunications; the Kenya Informationand Communications (Amendment) Act 2013 8and National Intelligence Service Act (Act No. 28 of2012); 9 and the Prevention of Terrorism Act, 2002 10in Tanzania. In Ethiopia, the Telecom Fraud OffenceProclamation No. 761/2012 11 allows for state moni-7 CIPESA. (2014). State of Internet Freedoms in East Africa 2014:An Investigation into the Policies and Practices Defining InternetFreedom in East Africa. www.cipesa.org/?wpfb_dl=768 The Kenya Information and Communications AmendmentAct 2013. www.cck.go.ke/regulations/downloads/KenyaInformationandCommunications_Amendment_Act2013_.pdf9 Communication for Implementation of the Constitution. (2012). TheNational Intelligence Service Act, 2012. www.cickenya.org/index.php/legislation/acts/item/241-the-national-intelligence-serviceact-201210 The Prevention of Terrorism Act, 2002. www.immigration.go.tz/downloads/Tanzania_Prevention%20of%20Terrorism%20Act%202002%20.pdf11 Abyssinia Law. (2012). Telecom Fraud Offence Proclamation, No.761/2012. www.abyssinialaw.com/uploads/761.pdftoring of telecom subscriber information, and twoagencies reconstituted in 2013 – the National Intelligenceand Security Service (NISS) and InformationNetwork Security Agency (INSA) 12 are actively involvedin monitoring citizens’ communications.In Burundi, Article 29 of its 2013 Media Lawmakes it mandatory for news agencies, includingonline publications, to disclose certain informationto the regulatory body, the National CommunicationCouncil (CNC). In Uganda, the Anti-Pornography Act,2014 and Anti-Homosexuality Act, 2014 have beencriticised for placing tough provisions on intermediariesregarding content hosted on their networks.Violators face hefty fines or even risk losing theirlicences. 13Ambiguous laws fuelling digital surveillancein East AfricaInternet rights violations in East Africa can be tracedback as early as 2006 when the Ugandan governmentordered the blocking of two websites. One ofthem, www.radiokatwe.com, a political news andcommentary website, was accused of publishinganti-government gossip, 14 while the other, www.monitor.co.ug, the online version of the independentnewspaper Daily Monitor, was temporarilyblocked on the eve of the 2006 elections in a bidto stop it from publishing independent polling results.15 Other governments have since then followedsuit by frequently blocking or filtering website contentdeemed to be critical of their actions.In Tanzania, at least five cases of website blockingand interference have been reported. In 2009,the www.zeutamu.com blog was shut down andits author was arrested for publishing allegedlydoctored photos of the Tanzanian president, whilein 2011 the Tanzanian government was reported tohave tried to clone the website of jammiforums.com, a discussions group, in an attempt to controlits content. 16 Earlier in 2008, the founders of Jammiforums,then called Jamboforums.com, werearrested and detained for one day, the website’s12 chilot.files.wordpress.com/2013/10/national-intelligence-andsecurity-service-re-establishment-proclamation-english.pdf13 APCNews (2014, May 19). New laws in Uganda make internetproviders more vulnerable to liability and state intervention.APCNews. https://www.apc.org/en/news/new-laws-ugandamake-internet-providers-more-vulne;Nafuka, J. (2014, April 22).New laws in Uganda restrict citizens’ rights. CIPESA. www.cipesa.org/2014/04/new-laws-in-uganda-restrict-citizens-rights14 Privacy International. (2006). Uganda: Privacy issues. https://www.privacyinternational.org/reports/uganda/iii-privacy-issues15 The Monitor (2006, February 26). Government jams Monitor radio,site. UPC. www.upcparty.net/memboard/election7_260206.htm16 Allen, K. (2011, June 16). African jitters over blogs and social media.BBC News. www.bbc.co.uk/news/world-africa-13786143#story_continues_1computers were confiscated by the authorities, andtheir website was shut down for five days. 17 In October2013, the Tanzanian newspaper Mwananchi wasordered to stop publishing online following a threemonthban over “seditious” content. 18Ethiopia has the most tightly controlled telecomssector, and ranks lowest with regard tointernet access. It, however, tops the list for havingthe most blocked websites in the region. Theseinclude the websites of human rights defenders,opposition parties, bloggers, news agencies – AlJazeera, Al Arabiya and the Washington Post – andseveral social media platforms. 19In Rwanda, the government ordered the blockingof the website for the Umuvugizi newspaperin 2010. 20 It is also reported that several websitesbelonging to opposition members and other citizensdeemed critical of the Rwandan governmentcontinued to be blocked between 2010 and 2013. 21Burundi joined the league with one reported caseinvolving the blocking of the comments section onwww.iwacu-burundi.org, when the media regulatordeemed some readers’ comments to be a “threat tonational security”. 22State actors in some of these countries havemade public announcements expressing their intentionto monitor online users’ communications. InUganda, for instance, on 30 May 2013, the securityminister announced plans to monitor “social mediausers who are bent to cause a threat to nationalsecurity.” 23 In the same year, Facebook reportedthat two requests were received from the Ugandangovernment regarding details of one its users. 24 Al-17 Balancing Act. (2008). Tanzanian Government detains two websiteeditors. Balancing Act. www.balancingact-africa.com/news/en/issue-no-395/internet/tanzanian-government/en#sthash.AHUhqz7O.dpuf18 The Citizen. (2013, October 1). Government now bans ‘Mwananchi’website. The Citizen. www.thecitizen.co.tz/News/Governmentnow-bans--Mwananchi--website/-/1840392/2014814/-/item/0/-/ph66mgz/-/index.html19 CIPESA. (2014). State of Internet Freedoms in Ethiopia 2014.opennetafrica.org/wp-content/uploads/researchandpubs/State%20of%20Internet%20Freedoms%20in%20Ethiopia%202014.pdf20 Reporters Without Borders. (2010, June 11). Persecutionof independent newspapers extended to online versions.Reporters Without Borders. en.rsf.org/rwanda-persecution-ofindependent-11-06-2010,37718.html21 Freedom House. (2013). Freedom on the Net 2013. http://freedomhouse.org/report/freedom-net/2013/rwanda#.U9KP9rH8uoM22 Reporters Without Borders. (2013, May 31). Burundi - Mediaregulator suspends comments on press group’s website. ThomsonReuters Foundation. www.trust.org/item/20130531164503-qium7/?source%20=%20hppartner23 CIPESA. (2013, June 10). Uganda’s assurances on social mediamonitoring ring hollow. CIPESA. www.cipesa.org/2013/06/ugandas-assurances-on-social-media-monitoring-ring-hollow24 https://govtrequests.facebook.com/country/Uganda/2013-H290 / Global Information Society Watch Burundi and East Africa / 91


though both requests were rejected by Facebook, thestate-owned newspaper Sunday Vision reported thata former head of political intelligence in the president’soffice was arrested on suspicion of being theowner of the Facebook account “Tom Voltaire Okwalinga”,which is strongly critical of the government. 25In Burundi, Ethiopia and Rwanda, online usersare constantly intimidated and arrested overcontent posted online, often cited as threateningnational security or inciting violence among the public.Ethiopia has been faulted by many digital rightsdefenders and to date tops the list of African countriesthat are constantly intimidating, monitoring,intercepting communications and issuing criminalsanctions against users who post content online. 26In April 2014, six members of the blogging group“Zone9” and three freelance journalists associatedwith the group were arrested following accusationsof working with foreign organisations and rightsactivists through “using social media to destabilisethe country.” 27 Rwanda is also reported to activelyintercept communications, as was seen in 2012 whenrecords of emails, phone calls and text messages ofopposition activists were produced in court as evidence.28 Another incident was recorded in April 2014,when private messages exchanged via WhatsAppand Skype between a local journalist and musicianwere produced as evidence in court during a treasontrial. 29According to research conducted by the Collaborationon International ICT Policy for East andSouthern Africa (CIPESA), in Kenya, Tanzania,Burundi and Rwanda, governments’ interest in citizens’social media activity has also been motivatedby the need to combat online hate speech. Althoughhate speech is a genuine concern, measures takento combat it are often said to violate online user privacyand freedom of expression. 30 Kenya is reportedto have blocked access to one website, www.ma-shada.com, for its failure to moderate hate speechahead of the 2013 elections. 31 In 2013, the Kenyangovernment was also looking for 14 bloggers forallegedly posting hate speech messages, with onearrested and charged under Section 29(b) of the KenyaInformation and Communications Act, 2013, forposting an “offensive tweet”. 32Kenya, Tanzania and Uganda have each beenreported to have made requests to internet intermediariesto release information on particular users’details. In 2012, Google listed Kenya among theeight African countries which had requested particularsabout its users. The Kenyan request, whichwas rejected, involved the removal of content froma blogger site following a court order in a defamationcase. 33 Similarly, in the last quarter of 2013,Kenya topped the list of African countries that maderequests to the search company. A total of eightrequests were made, with Google fully or partiallycomplying with 63% of these. 34Telecom giant Vodafone, in its first Law EnforcementDisclosure Report released in June2014, revealed that the governments of Kenya andTanzania actively monitored its subscribers’ communicationsby issuing data requests to the telecomcompanies. 35 Tanzania was reported to have madethe highest number of requests in all of the Africancountries for which Vodafone provided statistics –98,785 requests. Statistics about requests made inKenya could not be revealed due to legal restrictionsin the country. 36 Lawful interception of communicationsis provided for in Tanzania under Section 9 ofthe Electronic and Postal Communications Act 2010and Section 31 of the Prevention of Terrorism Act,2002; and in Kenya under the National IntelligenceService Act, 2012, and Section 27 of the Kenya Informationand Communications (Amendment) Act2013. However, Vodafone also noted that it hadnot received any demands for technical assistanceto enable interception of communications in thesecountries. 37ConclusionsThe increase in internet access speed, reductionin internet costs and proliferation of easy-to-usedigital tools have led to a shift in the way citizensand governments engage with each other and shareinformation in East Africa. However, this is beingthreatened by clauses in legal and regulatoryframeworks in these countries.Although there is indeed cause for governmentsto protect national security and fight cyber crime,creating a balance between promoting national securityand protecting internet rights, including therights to information, freedom of expression, privacyand data protection, is becoming controversialin many respects. As seen in the cited violations, legalframeworks are being used to arrest, intimidate,monitor and intercept communications of sometimesinnocent online users expressing legitimateopinions. Moreover, the legal frameworks oftencurtail constitutionally guaranteed rights. It is alsofeared that these laws and their associated violationsare triggering self-censorship, a practice thatmay limit internet growth and have a chilling effecton freedom of association, even in the offline world,in these countries. 38In all the six focus countries, data protection andprivacy laws do not exist, despite mandatory userregistration exercises for voice and data communicationsand lawful interception of communications.This is coupled with a general lack of knowledge onwhat constitutes internet freedoms and limited capacityand skills by both state and non-state actorsto safeguard internet freedoms. 39Action stepsAn urgent call to advocate for the amendment oflaws and regulations that curtail freedom of expressiononline, user privacy and the right to informationneeds to be made in all these countries. Countriesshould commit to the implementation of progressivelaws that allow for the enjoyment of internetrights. There needs to be a push for meaningfulmulti-stakeholder participation in policy-makingprocesses to deter the passage of regressive laws.Capacity building for both state and non-stateactors needs to be undertaken to empower themwith the necessary knowledge and skills on internetrights. This will allow state actors to understandwhat constitutes internet rights so that they are betterplaced to handle cases arising from perceivedviolations. Non-state actors including human rightsactivists, digital rights defenders, bloggers andjournalists need capacity development in the areaof digital safety. Among other things, they needskills to better understand legal provisions so thatthey do not fall on the wrong side of the law.There is a need for more openness from all actors– including state agencies, telecom companiesand content hosts – in disclosing information aboutonline freedom violations. State agencies shouldbecome more transparent by sharing findings frominvestigations and prosecutions of digital offenceswith the public. All telecom companies shouldtake Vodafone’s lead by revealing all governmentrequests for intercepting, monitoring or censoringcommunications. This will serve as a best practiceand also create more awareness about statesurveillance.25 CIPESA. (2014). State of Internet Freedoms in Uganda 2014.opennetafrica.org/wp-content/uploads/researchandpubs/State%20of%20Internet%20Freedoms%20in%20Uganda%202014.pdf26 CIPESA. (2014). State of Internet Freedoms in Ethiopia 2014.opennetafrica.org/wp-content/uploads/researchandpubs/State%20of%20Internet%20Freedoms%20in%20Ethiopia%202014.pdf27 Addis Standard. (2014, April 28). Ethiopia files charges againsta group of bloggers, journalists detained over the weekend.AllAfrica. allafrica.com/stories/201404281454.html28 Freedom House. (2013). Op. cit.29 The East African. (2014, April 26). Phone evidence used in terror,treason case. The East African. www.theeastafrican.co.ke/news/Phone-evidence-used-in-terror/-/2558/2294196/-/klwpvi/-/index.html30 CIPESA. (2014). State of Internet Freedoms in East Africa 2014:An Investigation into the Policies and Practices Defining InternetFreedom in East Africa. www.cipesa.org/?wpfb_dl=7631 Diaspora Messenger. (2013, January 30). Kenya’s popular forumMashada.com shut down in hate speech Crackdown. DiasporaMessenger. diasporamessenger.com/kenyas-popular-forummashada-com-shut-down-in-hate-speech-crackdown32 Jambo. (2013, May 15). Robert Alai arrested for alleged “libelous”twitter post. Jambonewspot.com. www.jambonewspot.com/robertalai-arrested-for-alleged-libelous-twitter-post/33 CIPESA. (2013, September 9). Online freedoms under siege asAfrican countries seek social media users’ information. CIPESA.www.cipesa.org/2013/09/online-freedoms-under-siege-as-africancountries-seek-social-media-users-information/#more-162334 Google. (2013). Google Transparent Report – Kenya. http://www.google.com/transparencyreport/userdatarequests/KE/35 Vodafone. (2014). Law Enforcement Report. http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html36 Kalemera, A., & Nanfuka, J. (2014, July 2). Vodafone revealsgovernment requests for subscriber information. OpenNet Africa.opennetafrica.org/vodafone-reveals-government-requests-forsubscriber-information37 Vodafone. (2014). Country-by-country disclosure of lawenforcement assistance demands. www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement/country_by_country.html38 CIPESA. (2014). State of Internet Freedoms in East Africa 2014:An Investigation into the Policies and Practices Defining InternetFreedom in East Africa. www.cipesa.org/?wpfb_dl=7639 Ibid.92 / Global Information Society Watch Burundi and East Africa / 93


cameroonThe stammerings of Cameroon's communications surveillancePROTEGE QVSylvie Siyam and Serge Dahowww.protegeqv.orgIntroductionThe Republic of Cameroon is a country in the westcentral Africa region. It is bordered by Nigeria, Chad,the Central African Republic, Equatorial Guinea, Gabonand the Republic of Congo.In this country of nearly 21,700,000 people, 1of which 1,006,494 are internet users 2 (representingroughly 5% of the population), according to theInternational Telecommunication Union (ITU), it isa real challenge to identify the presence of communicationsmonitoring by the state. Nonetheless,we know that under the guise of national securityand intelligence gathering, citizens’ computersand internet communications are spied on by thegovernment.This was demonstrated when MTN’s Twitter servicein Cameroon was shut down on 8 March 2011.Wary about the role played by Twitter and other socialnetworks in sparking an Egypt or Tunisia-styleuprising, the government blocked MTN’s Twitterservice 3 for security reasons during what were latercalled “hunger riots” in our country.Policy and political backgroundSince independence, Cameroon’s successive constitutionshave proclaimed its people’s commitment tohuman rights as set out in the United Nations UniversalDeclaration of Human Rights and the AfricanCharter on Human and Peoples’ Rights. Our countryis also party to major international and regional humanrights conventions, including the InternationalCovenant on Civil and Political Rights (ICCPR).At the national level, the preamble to theconstitution declares the Cameroonian people’s1 countryeconomy.com/demography/population/cameroon2 www.internetworldstasts.com. According to the World Bank,internet users are people with access to the worldwide network.This may include users who access the internet at least severaltimes a week and those who access it only once within a period ofseveral months.3 MTN is a mobile telephone company that in March 2011 was thesole Twitter service provider in Cameroon.commitment to the freedom of communication andexpression.Many laws and decrees dealing with freedomof communication and expression and with telecommunicationsand communications exist inCameroon, some of which impact on surveillance:• Law N° 98/014 of 14 July 1998, which regulatestelecommunications.• Law N° 2004/016 of 22 July 2004 creating theNational Commission on Human Rights andFreedoms. The commission is an independentinstitution set up to promote and protect humanrights in the country. Though important, none ofits statutory provisions hint at the surveillanceof communication.• Law N° 2010/021 of 21 December 2010 governingelectronic commerce.• Law N° 2010/013 of 21 December 2010 governingelectronic communications in Cameroon.• Law N° 2010/012 of 21 December 2010 on cybersecurity and cyber crime. The latter “governs thesecurity framework of electronic communicationnetworks and information systems, definesand punishes offences related to the use of informationand communication technologies inCameroon.” While this law was hailed by someas a much-needed step in the right directionto curb Cameroon’s nascent or burgeoning cybercrimes industry, others have criticised it forbeing light on internet security and heavy onsanctions, particularly with regard to sanctioningonline expression.• Decree N° 2002/092/PR of 8 April 2002 creatingthe National Agency for Information andCommunications Technologies (ANTIC). TheANTIC was created to facilitate and acceleratethe uptake of ICTs in Cameroon so that they cancontribute to the development of the country.• Decree N° 2012/180/PR of 10 April 2012 assigningnew missions to the ANTIC, including theregulation of electronic security activities andthe regulation of the internet in Cameroon. Withthis decree, the ANTIC became the key actor interms of restrictions imposed by the governmenton the free flow of online information.• Decree N° 2013/0399/PM of 27 February 2013establishing the modalities of protection forelectronic communications consumers. Thisdecree clearly states that when it comes to electronicservices, the consumer is entitled to havehis or her protection kept private.“Weeding them out”:Evidence of surveillance in CameroonThere are few credible reports that the governmentmonitors email or other internet- related activitiesin Cameroon. However, as certainly as everywherethroughout the world, Cameroon’s administrationdoes spy on citizens’ emails to checkmate the activitiesof unscrupulous people capable of threatening itsinternal security. In 2009, the government launched acampaign aimed at capturing the personal informationof mobile phone holders, allegedly “to ban theunfair use of the mobile phone [in a way that can prejudice]law and public order and … citizens’ safety.”The government’s monopoly over all mobileand internet infrastructures through its sole, stateownedtelecom operator, CAMTEL (CameroonTelecommunications), facilitates communicationssurveillance. During an interview given to the onlinemedia outfit Cameroon-Info.Net, 4 Woungly Massaga,a Cameroonian dissident, stated his phoneshave always been tapped.On 19 March 2014, the general manager of theANTIC gave an interview to the government’s dailynewspaper Cameroon Tribune during which he furtherprovided details on how social networks andwebsites are watched in Cameroon. To deal with illintentionedpersons and the terrorist groups whouse social networks to recruit followers and spreadpropaganda, he said, “The ANTIC uses state-ofthe-arttools or cutting-edge tools to permanentlywatch social networks. This consists of browsingthe various profiles on the social networks to detectillicit content representing a potential threat for thenational security and the image of Cameroon, andto weed them out.” 5When it comes to websites, the ANTIC uses atechnical platform that scans web content usingkeywords to detect those inciting hatred, being4 Ngangué, Y. (2014, May 19). Interview de Woungly Massaga,Homme politique et nationaliste Camerounais: “Le Cameroun estune véritable bombe à retardement”. Cameroon-Info.Net. www.cameroon-info.net/stories/0,61441,@,cameroun-20-mai-2014-interview-de-woungly-massaga-homme-politique-et-nationalist.html5 Cameroon Tribune. (2014, March 29). [Interview] Cameroun: DrEbot Ebot Enow Directeur Général de l’Agence Nationale des TIC.Afro Concept News. www.afroconceptnews.com/2014/03/29/interview-cameroun-dr-ebot-ebot-enow-directeur-general-delagence-nationale-des-ticslanderous, or representing a danger for the state.Though it is still unclear which technologies areused to monitor telecoms activity in Cameroon, 6 theinterview shed light on the process that led to theshutting down of MTN’s Twitter service in Cameroonfrom the 8 to the 18 March 2011 during peacefulprotests. Prior to that, on 22 February 2011, Camerooniangovernment spokesperson Issa TchiromaBakary summoned journalists to his office for a mediabriefing in which he issued a warning directedat Cameroonians in the diaspora using social mediatools such as Facebook and Twitter to call fora march to end the 29-year rule of President PaulBiya. The protest was to coincide with an opposition-ledmarch in Douala to honour demonstratorskilled by security forces during February 2008 antigovernmentprotests.A coalition of organisations led by Privacy International,Access and the Electronic FrontierFoundation has outlined a set of 13 InternationalPrinciples on the Application of Human Rightsto Communications Surveillance. 7 These includeproportionality, competent judicial authority, dueprocess and user notification. Did the blocking ofMTN’s Twitter 8 service meet these requirements?At the time Twitter was blocked, only around 50people 9 were affected by the suspension of MTN’sservice – so was it worth blocking it? This raises theproportionality principle: was there a high degreeof probability that a serious crime was about to becommitted by MTN’s Twitter users?The principles state: “Determinations relatedto communications surveillance must be made bya competent judicial authority that is impartial andindependent.” Cameroon of course lacks a judicialmechanism to protect people from unlawful governmentsurveillance. As a consequence, no judicialwarrant was obtained to shut down MTN’s service.Another of the 13 Principles that was ignored bythe government is the “due process” principle thatrequires states to respect and guarantee individuals’human rights by ensuring that lawful proceduressurrounding communications surveillance are properlyrecorded and available to the general public.Cameroonian Minister of Communications and6 It is worth pointing out that the Chinese telecom giants ZTE andHuawei, major players in the African and global telecom industry,are CAMTEL’s telecom equipment suppliers in Cameroon.7 https://en.necessaryandproportionate.org/text8 The Twitter via SMS service offered by MTN Cameroon, one of threetelecommunications operators in the country, allowed anyone witha regular phone to punch in a code and start receiving tweets forfree.9 The deal between MTN Cameroon and Twitter was concludedon December 2010 when the smartphone adoption and internetpenetration rates were relatively low in Cameroon.94 / Global Information Society Watch cameroon / 95


government spokesman Issa Tchiroma told AgenceFrance Presse that “it was the government’s jobto protect the nation,” and that the Twitter servicewas blocked “for the highest interest of the state.”While this may be true, Cameroon is party to theInternational Covenant on Civil and Political Rights(ICCPR), and Article 19 of the ICCPR guarantees the“freedom to seek, receive and impart informationand ideas of all kinds, regardless of frontiers.” Article9 of the African Charter on Human and Peoples’Rights, to which our country is also party, guaranteesthat every individual shall have the “right toreceive information” and “to express and disseminatehis opinions within the law.” The government’sjob is not only “to protect” the nation, but also toprotect and guarantee its citizens’ rights, and one ofthe most fundamental of these is the right to communicate– the internet has become a key means bywhich individuals can exercise their right to freedomof opinion and expression. 10Concerning the “user notification” principle,individuals should be notified of a decision authorisingcommunications surveillance with enoughtime and information to enable them to appeal thedecision. An 8 March 2011 tweet by Bouba Kaele,marketing manager of the Cameroon division ofMTN, announced that “[f ]or security reasons, thegovernment of Cameroon requests the suspensionof the Twitter SMS integration on the network.” MTNlater confirmed the suspension without explanation:“Twitter SMS Connectivity Service suspendedfrom March 07, 2011 till further notice.” As a result,Twitter users were not informed prior to the serviceshutdown and the suspension caught them bysurprise. The shutdown prompted an outcry fromReporters Without Borders, which condemned thelack of transparency surrounding the block andfeared its implications for online freedom of expressionin Cameroon. They said: “We hope the blockingof Twitter via SMS is not a prelude to other kinds ofcensorship of mobile phone services or tighter controlson the internet. Everything suggests that theauthorities are trying to stop microblogging. We deplorethe apparent readiness to impose censorshipfor the least reason, especially when the target isthe peaceful expression of opinions.” 11ConclusionNearly every country in the world recognises theright to privacy explicitly in its constitution. At aminimum, these provisions include rights of inviolabilityof the home and secrecy of communications.Though it exists, communications surveillance,as far as we know, is not pervasive in Cameroon.Nevertheless, from our story, we learned that thegovernment decision did not take into account people’slegitimate and fundamental right to freely seekand receive information or to communicate. Mostagree that national security 12 and the fight againstterrorism might justify restrictions on the free flowof online information. However, these restrictionsmust be founded upon evidence that there is a highdegree of probability that a serious crime will becommitted.Cameroon’s MTN Twitter shutdown can also beseen as a reminder that we lack both judicial andlegislative mechanisms to protect people from unlawfulgovernment surveillance. Then, what are thereactions of different stakeholders since “the samerights that people have offline must also be protectedonline”? 13Officials have always been wary about the internetand other social networks, for they allowindividuals to express their ideas and opinionsdirectly to a world audience, and easily to eachother. Since the Arab Spring – and mostly in Africa– the possibility of the internet and social medianetworks empowering citizens and the media inmobilisation is considered a real threat by somegovernments. However, civil society has so far paidlittle attention to the issue of surveillance, giventhat very few cases have been reported. Communicationssurveillance is also disconnected from thedaily concerns of the Cameroonians, given that only5% of the population are internet users.Finally, MTN is a South African-based mobile operator,and although this report does not addressthis issue directly, the complicity of foreign companiescolluding in state monitoring activities needsto be addressed.Action stepsWith the increasing sophistication of informationtechnology, concerns over privacy violations arenow greater than at any time in recent history. So itis legitimate to express fears about a possible encroachmenton privacy. Therefore, we suggest thefollowing action steps in Cameroon:• Laws that already exist that protect the rightsto freedom of expression and privacy should beimplemented in order to prevent abuse of emergencypowers that can shut down networks orintercept communications.• Cameroon’s parliament must appoint an intelligenceand security committee to overseeintelligence and security activities that reportsdirectly to parliament.• Parliament could also appoint an independentintelligence service commissioner and a communicationsinterception commissioner amongformer senior judges whose reports, once again,should be addressed directly to the parliament.• Legal safeguards to limit the scope and determinethe grounds of possible surveillance andinstitutions and officials competent to authoriseand carry out communications surveillanceshould be developed.• The National Commission on Human Rights andFreedoms should be empowered to make surethat surveillance occurs only as provided in law,that it occurs only when necessary and that it isproportionate to the aim being achieved.• The government must communicate with thepublic on how it uses its surveillance powers.This reporting should include the number ofdata requests made to telecommunications operatorsand to other mobile and internet serviceproviders, and the number of individuals or accountsthat were implicated. 14• The developers of surveillance tools should takeimmediate steps to address their misuse. Thismay require them to be more transparent, andto develop internal company policies againstmisuse by governments or other stakeholders.10 UN Human Rights Council, “The promotion, protection andenjoyment of human rights on the Internet”, Resolution 20 (2012),UN Doc A/HRC/20/L.13.11 Reporters Without Borders. (2011, March 22). Governmentblocks Twitter via SMS service. IFEX. www.ifex.org/cameroon/2011/03/25/twitter_blocked12 Communications surveillance might also endanger the socialpeace, as was the case in Cameroon some two years ago whenWikiLeaks, the famous leaks website, reported the tribaliststatements of former justice minister Amadou Ali regardingPresident Paul Biya’s succession.13 According to the resolution adopted on 5 July 2012 by the UNHuman Rights Council.14 Human Rights Watch. (2014). “They Know Everything We Do”:Telecom and Internet Surveillance in Ethiopia. www.hrw.org/reports/2014/03/25/they-know-everything-we-do « they knoweverything we do »96 / Global Information Society Watch cameroon / 97


canadaSurveillance and metadata collection in CanadaAlternativesCatherine Pappas and Stephane Couturewww.alternatives.caIntroductionFollowing revelations from US spy contractor EdwardSnowden, it has become increasingly clear thatCanada’s intelligence agencies are routinely collectingpersonal data from a variety of sources for bothpolitical and economic reasons. In October 2013,a journalist associated with the British newspaperThe Guardian, Glenn Greenwald, exposed how theCommunications Security Establishment of Canada(CSEC) was monitoring Brazil’s mining and energyindustries, possibly on behalf of Canadian mining corporations.A few weeks later, new documents leakedto the Canadian Broadcasting Corporation (CBC)revealed that the Canadian government allowedthe US National Security Agency (NSA) to conductwidespread surveillance while world leaders met atthe 2010 G8 summit in Huntsville and G20 summit inToronto. But allegations earlier this year about CSECspying on airline passengers have hit closer to home,creating a great deal of concern over the nature of thegovernment’s surveillance activities.Using the case of CSEC’s collection of metadatathrough public airport Wi-Fi networks as a concreteexample, this report will provide an analysis of thepolitical and legal framework for understandingprivacy and data protection laws and regulations inCanada in the age of ubiquitous surveillance. Lookingat changes in technology, laws and regulationsas well as political practices, it will try to show howsome of today’s trends have potentially serious implicationsfor Canadian democracy.Policy and political backgroundPrivacy in Canada is a fundamental but not an absolutehuman right. The right to privacy has alwaysbeen measured with respect to other rights or societalgoals, such as prevention of crime and the needto protect national security. But in the post 9/11 era,anti-terrorism legislation reduced judicial controlsand eliminated or weakened oversight. Combinedwith fast technological transformations, this has undoubtedlyundermined the application of Canadianprivacy and data protection laws and regulations.Today, many fear that the country is at a turning pointwith regard to the protection of privacy.In December 2001, the “omnibus” Anti-terrorismAct (Bill C-36) reasserted the CSEC’s authority,redefined its mandate and concealed it in law as anautonomous entity directly accountable to the NationalDefence Minister. Its budget grew from 96.3million Canadian dollars in 1999 to an estimated829 million dollars in 2014. 1 Most importantly perhaps,Bill C-36 introduced a new provision thatallowed CSEC to request ministerial authorisationfor intercepting private communications for foreignintelligence purposes, 2 giving the agency greaterlegal cover to undertake its actions.Over the last decade, there have also been manyattempts to implement new laws that would grantadditional powers and tools to collect data and conductinvestigations using new digital technologies.Introduced as a way to modernise investigativetechniques (Bill C-74, in 2005), to combat criminalelectronic communications (B-52 in 2010), childpornography (Bill C-30 in 2012), or cyber bullying(Bill-C13, in 2014), these so-called lawful accessprovisions would force telecommunications operatorsand internet providers to disclose informationabout subscribers without the need for a warrantor a judicial order and, in some cases, without thepermission to notify them about the data collection.Faced with overwhelming opposition from Canadians,so far, none of these bills have been adopted.CSEC and the expanding scope ofsurveillance through metadata collectionA key policy issue given prominence these daysis the legality of the Canadian government’s vastmetadata collection programmes. On 30 January2014, a document initially leaked by Snowden andobtained by CBC News 3 revealed that CSEC has1 Office of the Parliamentary Budget Officer. (2014). Main estimates2014-15. www.pbo-dpb.gc.ca/files/files/2014-15_Main_Estimates_Report_EN.pdf2 Parliament of Canada. (2001). Statutes of Canada 2001: Bill C-36.www.parl.gc.ca/content/hoc/Bills/371/Government/C-36/c-36_4/c-36_4.pdf3 Weston, G. (2014, January 31). CSEC used airport Wi-Fi to trackCanadian travellers: Edward Snowden documents. CBC News.www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-trackcanadian-travellers-edward-snowden-documents-1.2517881been collecting metadata to monitor the activitiesof public airport wireless internet users. The leakeddocument describes the data collection project thatoccurred for over a two-week period in a major Canadianairport. With this data, CSEC was able totrack travellers several days after they left the airportand connected their wireless devices to otherWi-Fi systems in Canadian cities or US airports. Itcould also track back the travellers’ whereaboutsthe days before their arrival at the airport. IP profilingwas then used to map travel patterns andgeographic locations over a period of time.The leaked document described the CSEC operationas a trial run of a powerful new softwareprogramme, developed jointly by CSEC with thehelp of the NSA, that could track “any target thatmakes occasional forays into other cities/regions.”Although the authorities in charge of the Wi-Fisystems have denied providing any data to thegovernment, one analyst suggests that it was “presumablyobtained with the cooperation of Canada’smajor telecom companies.” 4 The leaked documentalso mentions a “proof of concept” – possibly aprevious pilot project – in which a modest-sizedcity was “swept” and a telecommunications systemproviding services to some 300,000 users was accessed.The CBC report on the leak also mentionsintentions of sharing technologies and data collectedwith official spying partners.This Snowden leak on CSEC’s metadata collectionprogramme came several months after theCanadian daily, the Globe and Mail, revealed thatCSEC has been collecting Canadian metadata on“telephone and internet traffic records”. 5 Accordingto documents obtained by the newspaper, metadatacollection programmes were authorised undertwo ministerial directives (in 2005 and 2011) on thecollection and use of metadata. In light of these revelations,many suspect that the Wi-Fi data collectionprogramme is not an isolated case and that informationcontinues to be collected from other publicWi-Fi hubs across the country indiscriminately, overlonger periods of time, and without our knowledge,to create metadata trails of individual users. 64 Geist, M. (2014, February 4). Against Oversight: Why Fixing theOversight of Canadian Surveillance Won’t Solve the Problem.Michael Geist. www.michaelgeist.ca/2014/02/csec-surveillanceproblem5 Freeze, C., & Stueck, W. (2013, October 22). Civil liberties groupslaunch lawsuit again. The Globe and Mail. www.theglobeandmail.com/news/national/canadian-eavesdropping-agency-facinglawsuit-from-civil-liberties-group/article149840746 McGuire, P. (2014, February 4). The Harper government insists it’slegal to collect metadata. VICE Canada. www.vice.com/en_ca/print/the-harper-government-insists-its-legal-to-collect-metadataCSEC has been legally mandated to “acquireand use information from the global informationinfrastructure for the purpose of providing foreignintelligence,” to “provide advice, guidance andservices to help ensure the protection of electronicinformation and of information infrastructures ofimportance to the Government of Canada,” and to“provide technical and operational assistance tofederal law enforcement and security agencies inthe performance of their lawful duties.” 7 The agencyalso shares information it collects or acquires withthe other members of the Five Eyes Intelligencecommunity, that is, the US, the United Kingdom(UK), Australia and New Zealand. 8CSEC’s operations remain one of Canada’s bestkept secrets. Contrary to other law enforcement andintelligence agencies, such as the Canadian SecurityIntelligence Service (CSIS – similar to the CIAin the US) and the Royal Canadian Mounted Police(RCMP), CSEC is not designated as an agency underthe Access to Information Act and the PrivacyAct and, because of this, does not allow independentoversight by the Information Commissionerand the Privacy Commissioner. 9 Its only oversightis from the CSEC Commissioner, a watchdog rolecurrently held by retired Québec judge Jean PierrePlouffe, who reports to and is accountable to theMinister of Defence. According to Wesley Wark, anexpert on national security, intelligence and terrorism,“the performance of the CSEC Commissioner’sfunction has been hamstrung by an inability tocommunicate to the Canadian public and by thelong-drawn-out battle to bring sufficient agreedclarity to CSEC’s legal mandate with regard to theinterception of private communications under Ministerialauthorization.” 10Often described as the digital envelope that carriesthe actual content over networks, metadata isnot data per se, but refers to all the information usedto identify, manage, describe or route data over agiven network. Metadata can contain the date, time,duration and location of a communication, phonenumber or internet protocol address, as well as theID of the sender and the recipient. Even if metadata7 Communications Security Establishment Canada (CSEC). (2013).What we do and why we do it. www.cse-cst.gc.ca/home-accueil/inside-interieur/what-nos-eng.html8 en.wikipedia.org/wiki/Five_Eyes9 Cavoukian, A. (2003). National Security in a Post-9/11 World: Therise of surveillance… the demise of privacy? Toronto: Informationand Privacy Commissioner/Ontario. www.ipc.on.ca/images/Resources/up-nat_sec.pdf10 Wark, W. (2012). Electronic Communications Interception andPrivacy: Can the imperatives of privacy and national securitybe reconciled? Ottawa: Office of the Privacy Commissioner ofCanada. cips.uottawa.ca/wp-content/uploads/2012/04/WARK_WorkingPaper_April2012.pdf98 / Global Information Society Watch canada / 99


does not reveal the content of a conversation, themassive collection of metadata and its cross-linkingcan reveal much of the values, relationships andactivities of an individual. Experts argue that metadatacan provide the agency with a fairly accuratesnapshot of an individual user, but the governmentcontinues to deny that metadata collection violatesprivacy rights, playing on the dichotomy betweencontent and metadata to justify its programme andsideline privacy concerns. “Metadata is informationassociated with a telecommunication… and not acommunication,” stated a briefing note to the thenDefence Minister Peter McKay in 2011, right beforehe approved the ministerial directive on 21 November2011. 11According to CSEC governing legislation moreover,the programme is allegedly conducted underits foreign intelligence mandate and CSEC cannottarget Canadians or persons in Canada. On 29January 2014, following the airport Wi-Fi metadatacollection, the chief of CSEC, John Forster, arguedthat the agency’s activities are only directed “atforeign entities, and not at Canadians or anyonein Canada,” 12 although he later stressed thatCSEC “is legally authorized to collect and analyzemetadata.” 13Civil society actors and advocates for the privacyrights of Canadians, on the other hand, worrythat this and other operations led by CSEC lack publicaccountability or oversight and do not respectits mandate. Interviewed by the CBC, the provinceof Ontario’s Privacy Commissioner Ann Cavoukianstated that “this resembles the activities of a totalitarianstate, not a free and open society.” 14But civil society criticism of CSEC operationsis not new. In October 2013, the British ColumbiaCivil Liberties Association (BCCLA), a Canadian nonprofitadvocacy group, filed a lawsuit aimed at CSECfor “illegal search and seizure”, requesting that theagency stop certain surveillance activities. 15 The BC-CLA argued that the agency’s metadata collection11 Freeze, C. (2013, June 15). How Canada’s shadowy metadatagatheringprogram went awry. The Globe and Mail. www.theglobeandmail.com/news/national/how-canadasshadowy-metadata-gathering-program-went-awry/article12580225/?page=all12 Forster, J. (2014, January 29). Letter to the Editor re: Globe andMail editorial, January 29, 2014. Communications SecurityEstablishment Canada (CSEC). www.cse-cst.gc.ca/home-accueil/media/media-2014-01-29-eng.html13 CSE. (2014, January 30). CSE statement re: January 30 CBC story.Communications Security Establishment Canada (CSEC). www.cse-cst.gc.ca/home-accueil/media/media-2014-01-30-eng.html14 Weston, G. (2014). Op. cit.15 British Columbia Civil Liberties Association. (2013). Civil claimto the Attorney General of Canada, 22 October. bccla.org/wpcontent/uploads/2013/10/2013-10-22-Notice-of-Civil-Claim.pdfprogramme authorised by the minister revealedprivate information about Canadians or persons inCanada, which infringes Article 8 of the CanadianCharter of Rights and Freedoms, guarding againstunreasonable search and seizure. 16 OpenMedia, aCanadian advocacy group very active on internetand information and communications technology(ICT) policies, has also supported the BCCLA’s claimand launched a campaign against spying onCanadians. 17ConclusionThe metadata collection case raises many questionspertaining to privacy rights in Canada. First,it shows that CSEC activities are far more expansivethan previously believed. CSEC seems to becollecting metadata widely with the help of majortelecommunications companies. In Canada, publicagencies and private businesses have traditionallybeen subject to different privacy laws. The tighterprivacy laws governing the state were meant toprotect Canadians from pervasive surveillance. Butnow that information openly flows from one side tothe other without this being regulated by our privacylaws (as the government allegedly acquiredsome of the bulk data from telecommunicationscompanies without a legal warrant), it raises deepconcerns for accountability. In addition to this, theintroduction of new lawful access legislation givinglaw enforcement officials warrantless accessto private online information poses an even greaterthreat to democracy and civil liberties in Canada. Apositive note in this story is a recent judgment bythe Supreme Court that ruled the disclosure of privateonline information to government and policewithout a warrant was unconstitutional, making astep in the right direction for the protection of privacyrights in Canada. 18Secondly, the case described above highlightsthe inability of Canadian laws and regulations todeal with metadata. As Canadian technology policyanalyst Michael Geist has suggested, the fact thatthe government insists on the legality of the programmemight indicate that the problem lies inthe law itself rather than its application, as muchof the legal framework fails to acknowledge thebroader privacy implications of metadata. Thereare also considerable discrepancies in the definitionof “personal information” found in privacylaws governing the private and public sector, as16 Ibid.17 https://openmedia.ca/csec18 R. v. Spencer, 2014. scc-csc.lexum.com/scc-csc/scc-csc/en/item/14233/index.dowell as within federal and provincial privacy legislation.19 Furthermore, over the years, technologicaltransformations have weakened many of the barriersthat were used to protect the privacy rights ofCanadians and have rendered obsolete some privacylaws and regulations. Discussions surroundingthe legality of the metadata collection programmehave therefore been based on interpretation anddiffering views without having a clear legal frameworkto work from.A third area of concern is with the very mandatefor Canada’s spy agency. It has become increasinglydifficult to delineate the borders of a telecommunicationsnetwork based on national boundaries. Fromthis perspective, how can one guarantee that thiswidespread collection of metadata remains withinthe geographic boundaries of CSEC’s mandate?Action stepsThere have been several positive steps taken by differentlegislative bodies in Canada to reassert theprivacy rights of Canadians. The Senate StandingCommittee on National Security and Defence, forinstance, is examining CSEC’s programme and potentialareas of reform. Civil society groups, on theother hand, are leading campaigns that press forgreater protection of privacy rights and open debateon the limits of metadata collection and geography.In May 2014, a coalition of civil society groups andacademics released the Ottawa Statement, whichsets out recommendations aimed at putting a stop19 Lyon, D. (2014). Transparent Lives: Surveillance in Canada.Edmonton: Athabasca University.to government spying on innocent Canadians. 20 Butstill much remains to be done for protecting the privacyrights of Canadians, including:• Engaging in a full, transparent and participatorypublic process in order to ensure that lawsand regulations pertaining to privacy and theprotection of data are in compliance with theCanadian Charter of Rights and Freedoms andacknowledge the United Nations’ reaffirmationof privacy as a fundamental human right.• Cultivating a better understanding and considerationof the privacy implications of metadata,in particular the way massive collection andcross-linking of this information can revealmuch of the values, relationships and activitiesof an individual.• Ensuring greater oversight of the operationsof CSEC and other surveillance agencies inCanada.• Putting an immediate halt to plans for introducingfurther lawful access provisions thatwould allow for authorities to access metadatathrough telecommunications agencies withoutany warrant.• Strengthening the involvement of civil societyin favour of privacy rights through public campaigning,advocacy and education.20 OpenMedia.ca. (2014, May 22). Canada’s leading privacy expertsunite behind Ottawa Statement, offer high-level proposals to reinin mass surveillance. OpenMedia.ca. https://openmedia.ca/news/canada%E2%80%99s-leading-privacy-experts-unite-behindottawa-statement-offer-high-level-proposals-rein-mass100 / Global Information Society Watch canada / 101


chileMonitoring backONG Derechos DigitalesJuan Carlos Larawww.derechosdigitales.orgIntroductionDespite being a small country, Chile has shownstrong signs of being a friendly country for commerceand entrepreneurship, especially when itcomes to foreign investment. This was a major trendthat started under the military dictatorship, increasingover the last 25 years. A national commitment topeace, internally and externally, has allowed Chileto stand as a beacon of free trade, social peace, andsteady economic growth.In this environment, it is understandable thatfrom a policy-making perspective, emphasis isgiven to the best possible conditions for entrepreneursto carry out their business. This has includedprivatisation and low taxes, as well as loweringother barriers to commerce. Many say an ambienceof social peace allows for better economic security.The low barriers to commerce and sense of security,along with the free market environment, extendto what has been considered one of the most importantcommodities of the economy of the 21stcentury: personal information.While the world debates the nature of and needfor the collection of personal data by governments,Chile still does not consider data privacy a matterof great concern. Unfortunately, this has led to anenvironment where commerce is king, even whenit comes to handling the personal data of Chileancitizens. Are they safe from the processing of databy national and even foreign companies? Are Chileanssafe from private surveillance, and how dointernational principles apply when it is businesses,not governments, that are behind the processing ofdata?BackgroundChile has been singled out as one of the countrieswith the most progressive laws regarding the internet.This includes a net neutrality law, and acopyright law that allows for notice and takedownof infringing content only when there is a court order.Several administrations have also attemptedto create a “digital agenda” to promote the use oftechnology, and in doing so foster economic growth.From a social standpoint, Chile stands out forbeing a peaceful nation in comparative terms, bothin its relationship to its neighbours, as well aswithin the country. No important terrorist network,whether national, foreign or international, has beenreported to carry out activities within the Chileanborders. Intelligence activity is focused on the possibilityof social unrest and, especially, on drugcartels operating within the country.On the other hand, the Chilean government hasnot been especially concerned with data privacy.Chile stands out from all other Latin American countries(except for El Salvador) because of its lack ofconstitutional protection of personal data, and alack of proper legal channels for addressing differentviolations of data protection laws. And whilepractices in relation to the protection of personal informationare seemingly changing in state agencies(as around the world), there have been instancesof the violation of privacy rights, but without thesehaving much impact on policy or law.Privacy and data: When businesses havemore power than statesAs with any other regulatory framework that attemptsto represent different interests, Chileandata protection laws occur in an environment wherethe interests of information privacy are not onlyunclear, but also unbalanced. This is not becauseof anything the state has done (at least, not in analarming way). Chile has enacted some of the mostprogressive legislation addressing difficult issuesrelated to technology, as the copyright reform 1 andnet neutrality 2 laws have shown. Pioneering attitudesfrom Chilean legislators were already seenregarding data privacy: in 1999, Chile became thefirst Latin American country with a comprehensivedata protection law. 3 However, the existence of sucha law is not necessarily synonymous with a completesystem of safeguards for either personal dataor even privacy in general, for different reasons.1 Law No. 20.435, 4 May 2010.2 Law No. 20.453, 26 August 2010.3 Law No. 19.628, 28 August 1999.First, the national data protection law is notstrictly in line with constitutional guarantees asprovided by the 1980 constitution, drafted duringthe military dictatorship that put in place Chile’svery liberal economic system. The constitutionrecognises several fundamental rights, includingthe protection of private life and the protection ofprivate communications, but not the protection ofpersonal data (unlike almost every other country inthe region). These rights are enforceable not onlyagainst breaches by the state, but also against attacksor threats by private entities. And becausepersonal data is not part of the constitutionalframework, constitutional action can be carriedout against breaches of private life or private communications,yet not against the gathering andprocessing of personal data. Because of this, reliancefor protection must be placed upon the lawdirectly.Second, Chile’s data protection law providesthe framework for all processing and treatment ofpersonal data, whether by public or private entities,while also respecting the rights recognised in theconstitution. From a state intelligence perspective,most efforts have been linked to the collection andprocessing of all kinds of information with clearfocuses: the so-called war on drugs, the preventionof attacks by (very minor) anarchist groups;the assessment of public perceptions regardingdiplomatic or political events; and the control ofindigenous communities in the southern region ofthe country. 4 However, the last issue is quite sensitiveto changes in executive power: the currentlocal authority empathises with much of the localindigenous community, 5 while the former authoritycondemned their most violent actions as terrorist(with the disagreement of the judiciary). 6Third, Chile’s privacy rules, covering personallife, private communications and personal data,have all seemingly placed both the interests of freetrade and the interests of security above other interests.This is most evident in three aspects, which we4 An elderly couple died in a fire in their countryside house,allegedly started by members of a Mapuche indigenouscommunity. This led to criticism of the National Intelligence Agencydue to a lack of information provided prior to the attack. Pinochet,J. (2013, November 9). La inteligencia en Chile en los tiemposde Snowden. La Tercera. diario.latercera.com/2013/11/09/01/contenido/reportajes/25-150344-9-la-inteligencia-en-chile-en-lostiempos-de-snowden.shtml5 Chile’s latest change in government brought a new authority tothe region, Francisco Huenchumilla, who is of Mapuche origin andwho, unlike his predecessors, has called for a peaceful solution tothe unrest, and an end to the classification of Mapuche activists as“terrorists”.6 Although prosecution of violent acts in Araucanía has beenpursued under the Anti-Terrorism Law, the courts havesystematically rejected this classification.will look at in greater depth below later, that serveas examples of a national attitude towards privacy:one, by broadly allowing practices of private surveillance,for alleged security purposes, in placessuch as the workplace; two, by legally allowingcopyright holders to send alleged online copyrightinfringers private notices using IP addresses; andthree – and most problematically – by legally allowingany person or company to collect and processpersonal information, as long as they abide by thelegal framework established by the data protectionlaw. To this, we might add the legal permission tosend unsolicited commercial offers (including spamemail).No control over personal data(except for companies)Chile’s data protection law allows the handling ofpersonal data by any person or company, publicor private, including the creation and transfer ofdatabases containing personal data. This is whyit is considered a set of rules for enabling the freeflow of information between database traffickers.And although the law recognises a series of rightsfor an individual’s data, these rights must be exercisedthrough the civil courts of law, in lengthy andexpensive proceedings, which constitute an insurmountablebarrier for the average citizen. The lackof a data protection authority adds a lack of institutionalstrength to an already ineffective piece oflegisation. In fact, to date, after the law has beenin force for more than 14 years, following this routehas resulted in no sentences for the unlawful handlingof personal data. Paradoxically, it has alsomeant that Chilean companies are not eligible tooffer certain kinds of services that require intensivehandling of personal data, since the country cannotguarantee an adequate level of protection of personaldata as required by the European Union.This state of affairs has allowed personal informationto circulate freely in Chile, and legally,through multiple companies dedicated to thehandling of personal data. This data is frequentlyexchanged among companies that offer commercial,financial, health and telecommunications services,among others, seriously affecting the right toa private life guaranteed by the constitution. Theexistence of a unique ID number for each citizenhas only made it easier to identify a set of databelonging to an individual, in practice replacing aperson’s name as an identifier in several informationsystems.In short: Chile’s privacy and personal data protectionrules place those interests under the control102 / Global Information Society Watch chile / 103


of private companies. Examples of this are many.Large amounts of personal data leaked from publicservices 7 or mishandled by banks and other privatecompanies 8 could be subject to commercial trafficamong private companies, and these practices havenot been subject to legal penalties.In 2009, a lawyer publicly accused her medicalinsurance company of handing over her medicalinformation, including her medical history and diagnosis,to a chain of pharmacies. She discoveredthe following when purchasing medication in one oftheir stores: the pharmacy not only had her nameand profile, but also knew her medical condition,supposedly protected not only by data protectionlaws, but by laws guaranteeing medical privacy. Thesystem allowed the pharmacist to suggest medicalproducts for this person. However, while the administrativeauthority fined two insurance companies,these companies claimed that exchanging this informationwas not only legal but also widespread,customary, and even necessary. 9 In April 2013, yearsafter this scandal, a different insurance companyproudly announced a new agreement with similargoals with a different pharmaceutical chain. 10 The13 International Principles on the Application of HumanRights to Communications Surveillance 11 havebeen drafted and signed by hundreds of institutionsand individuals from all corners of the world, demandingstate action under strict rules of necessity,proportionality, transparency, accountability, legalityand more. But it is hard to assess the damagethat can be caused when, in fact, there are privatecompanies with more information at their disposalthan even the state has or could have, for the merefact that commerce is an interest whose strength farsurpasses the interests of national security.7 Cooperativa.cl. (2014, March 27). Investigan copia irregularde la base de datos del Registro Civil. Cooperativa.cl. www.cooperativa.cl/noticias/pais/servicios-publicos/registro-civil/investigan-copia-irregular-de-la-base-de-datos-del-registrocivil/2014-03-27/093754.html8 Álvarez, C. (2012, July 3). Banco de Chile reconoce error: enviódatos personales a otros clientes por correo electrónico.Biobiochile.cl. www.biobiochile.cl/2012/07/03/banco-de-chilereconoce-error-en-envio-de-datos-personales-a-traves-de-correoelectronico.shtml9 Jara Roman, S. (2009, May 26).Isapres hacen susdescargos en polémica por intercambio de informacióncon farmacias. Terra. economia.terra.cl/noticias/noticia.aspx?idNoticia=200905261057_INV_7809885410 Diario Financiero. (2013, March 27). Isapre Cruz Blanca sellaalianza con Farmacias Ahumada. Diario Financiero.11 https://en.necessaryandproportionate.org/textConclusionsOver the last several months, a great deal of publicattention has been focused on the capacities ofstates to gather and process personal informationand to conduct communications surveillance, whichsome have justified in the aftermath of terrorist attacksthat have replaced Cold War fears in the publicconscience. Such overreach of intelligence services,however, does not seem as easily justified by stateswhich do not face the threat of war, or have morepeaceful international relations. But in either case,personal information is still an important resourcefor different objectives.Chile has a personal data law which from the beginningseemed to be tailor-made for big companies,and which calls into question the ability of Chile’s legislatorsto address the problems that the informationage raises for the protection of fundamental rightsand freedoms. In practice, this means that personaldata in Chile is not as much under the control of thestate as it is in “no man’s land”, due to a weak set ofrights and paltry enforcement mechanisms. This situationforces those who are affected to go to court togain any effective penalties for abuses. These abuses,because they happen under the opaque practicesof private companies, are beyond public scrutiny.Several reforms to the law are currently beingdiscussed, while some others have resulted in minoradjustments. So far, no reform bill includes thecreation of an agency for the protection of personaldata, which would give citizens effective tools toprotect themselves from the constant abuses thatexist today; nor does any bill address the free-for-allin personal information databases that is currentlypart of the system. Numerous groups with corporateinterests seek to maintain the status quo, on thegrounds that they are defending the free flow of information,and are against all obstacles that a moreeffective system would create for entrepreneurship.How do principles of state surveillance applywhen it is not the action of the state that endangersor threatens the interests of privacy? Unfortunately,they do not impact directly as well as they do indirectly,by reaffirming the need for privacy safeguardsin any environment where the right to privacy is endangered(or any other fundamental right, for thatmatter). Because companies are, in this area, evenmore powerful than the state in their ability to affector impact on the population, actions aimed at thestate, while always convenient to ensure fundamentalrights and freedoms, seem less urgent than todemand a constitutional and legal framework thatensures such freedoms are also not subject to thewhims of private companies.Action stepsThe protection of fundamental rights and freedomsin this day and age demands action not only toconfront powerful states, but also to confront increasinglycomplex and powerful private entities.This requires strong action from civil society to, inthe first place, educate and empower people in therights that they hold, in order to enforce them andmake others respect them.Secondly, and addressing both private andstate power, campaigns should push for the implementationof changes to the law that recognise andenforce stronger privacy rights in different areas– not only to enact the principles that should framestate action for security purposes, but also to createrules that prevent abuse by private agents.Thirdly, constant effort is needed to ensure thatany legal provisions are fully compliant with internationalhuman rights standards and the constitutionalframework of Chile. This means, monitor back: demandinformation from public entities through transparencymechanisms, and demand active public oversight ofthe action of private agents regarding personal informationand private communications. Such strongaction will allow citizens to keep in check the threats toprivacy that are wrongly touted as legal or necessary.104 / Global Information Society Watch chile / 105


CHINADiscourse deferred: PRC netizens swap public microblogs for the not-soprivatedigital dinner tableDanweiHudson LockettDanwei.comIntroductionBefore the internet, complaints about sensitive issuesin mainland China were confined largely tosmall private gatherings – often around the dinnertable, away from prying cadres’ ears. Today, to betterunderstand the role that online surveillance maynow play in the People’s Republic of China (PRC),it must be analysed in the context of a broader informationcontrol apparatus and the mainland’sunique social media environment.With foreign social media platforms like Twitterblocked on the mainland, homegrown microblogs,or weibo ( 微 博 ), finally came into their own in theearly 2010s as a de facto public sphere. The rapidspread of information on Sina Corp’s Weibo ( 新 浪微 博 ) microblog platform concerning the 2011 Wenzhouhigh-speed rail crash (see GISWatch 2011), 1together with its subsequent role in the scandalleading to the ouster of top leadership candidate BoXilai (see GISWatch 2012), 2 drove that point furtherhome for the ruling Chinese Communist Party (CCP).Even Sina’s in-company censorship efforts seemedunable to quiet the beast it had birthed.Two new actors have since swung a pair ofsledgehammers to the knees of mainland microblogs,forever changing the country’s onlineecosystem. The first is the popular app WeChat(branded locally in Mandarin as Weixin 微 信 , or“micro-message”) developed by Tencent HoldingsLimited. WeChat began as a smartphone instantmessagingservice, but soon evolved into a versatileprivate social networking platform and communicationstool whose functions even included limitedpublic microblogging. By the end of 2013 it hadunseated Sina’s Weibo as the social networkingplatform of choice.The second actor is current CCP General Secretaryand PRC President Xi Jinping, who was1 www.giswatch.org/en/country-report/civil-society-participation/china2 www.giswatch.org/en/country-report/internet-and-corruption/chinaelevated to the former office in November 2012, andassumed the latter as a matter of course in March2013. Xi wasted little time in launching a renewedcrackdown on dissent – a key front of which was theunruly and critical online chatter that his predecessorshad left unquashed. He would confront it withgusto.BackgroundSurveillance of the internet’s Chinese-languagepublic face has become increasingly sophisticatedas the CCP has sought to use it both as a means tokeep tabs on public opinion and a tool to monitorand control speech. Officials are typically mum onthe more Orwellian aspects of this effort, but local,privately owned companies such as XD Tech ( 线 点科 技 ) openly offer mass surveillance, analysis andkeyword alert services to both central and localgovernments. XD Tech, which opened for businessin Beijing in 2005, lists two of the most importantparty organs among its clients: the General Officeof the CCP’s Central Committee, and the powerfuland secretive Central Organisation Departmentresponsible for choosing where Party officials areposted for every step in their careers. Other majorclients include the Public Security Department ofGuangdong Province, state-owned Bank of Chinaand all three mainland telecom operators (alsostate-owned).However, survey results published in March2014 commissioned by the BBC World Serviceshowed that 76% of Chinese respondents saidthey felt free from government monitoring – thehighest proportion of any country polled. 3 Unlikecensorship, the surveillance of private information,especially when stored server-side rather than onuser devices, can be difficult to verify. 4 Evidence ofgovernment surveillance of WeChat and other suchprivate communication platforms was previously3 Globescan. (2014, March 31). One-in-Two Say Internet Unsafe Placefor Expressing Views: Global Poll. Globescan. www.globescan.com/news-and-analysis/press-releases/press-releases-2014/307-one-in-two-say-internet-unsafe-place-for-expressing-views-globalpoll.html4 The Citizen Lab. (2013). Asia Chats: Analyzing Information Controlsand Privacy in Asian Messaging Applications. https://citizenlab.org/2013/11/asia-chats-analyzing-information-controls-privacyasian-messaging-applicationsharder to come by. But a few days before Xi Jinping’sascent to CCP leadership in late 2012, dissident HuJia posted on Twitter (translated):Tencent-developed “WeChat” is extraordinarilypopular on the mainland. Domestic SecurityPolice use it to investigate communications betweenmainland dissidents. The voice messages,text and pictures we use WeChat to send all godirectly into Domestic Security’s technical investigationsystem, and are just as easily monitoredas phone calls and text messages.That week Hu Jia told the South China Morning Postthat he had long expected his phone calls and textmessages to be tapped by state-owned telecomproviders, but previously assumed that WeChatwas not compromised. Now he claimed DomesticSecurity officers had recited, word for word, privatevoice-message exchanges between him and hisfriends shortly after they had occurred on WeChat.He said friends had also been interrogated aboutWeChat conversations that took place only an hourearlier, and gave an example of Domestic Securityofficers using information from voice messages totrack him in real time when he and a friend tried tochange a meeting’s venue at the last minute.Part 1: Twilight of the microblogs (2013)Once Xi became general secretary his administrationwasted little time in launching vigorouscrackdowns on both official corruption and dissent.The two drives conflicted when a group called theNew Citizens’ Movement pushed for officials to declaretheir assets and follow rule of law as outlinedin the PRC’s constitution. These calls, online and off,were silenced, and the group’s leaders detained orarrested and brought to trial under various pretexts.That August, one year since WeChat’s userbase had surpassed Sina Weibo’s, Tencent addedmicroblog-like “public” accounts to its now flagshipservice/software. Standard private accountswere still limited in how many people could join agiven “friend circle” (100, as of this writing), but allusers could now follow unlimited public accounts,each of which could send one message a day to allsubscribers.Then, on 10 September, the Supreme People’sCourt and the Supreme People’s Procuratorate issueda landmark joint interpretation of PRC criminallaw that gave further firepower to censorship efforts:authors of any Weibo or WeChat posts thathad been “re-tweeted” 500 times or viewed 5,000times would be legally liable for any misinformationor illicit content authorities found therein.While such rulings are not binding precedents thatdetermine subsequent court decisions in the PRC,the message was clear: posts containing unsanctionedinformation or opinions could result in realpunishment.In fact, a name-and-shame campaign targetingSina Weibo’s most influential verified users (“BigVs”) was already underway. In late August, Chinese-American angel investor and Weibo heavyweightCharles Xue was arrested in Beijing on charges ofsoliciting a prostitute. But in an on-air confessionbroadcast nationwide, a handcuffed Xue spokeonly of his regret over abusing his power to spreadmisinformation and rumours among his 12 millionfollowers. This intensified crackdown added momentumto already powerful market forces: Weiboactivity further waned as WeChat’s moon waxedgibbous.Critical online discourse went to ground at theapparently more private WeChat, but the Octoberarrest of venture capitalist Wang Gongquan, a backerof the New Citizens Movement, soon called theplatform’s privacy into question. When Sina shutteredhis Weibo account with 1.5 million followersin 2012, Wang shifted to a standard WeChat accountto continue his activism. However, the more privatenature of this venue did not stop authorities fromdetaining and then formally arresting Wang the followingyear on charges of disturbing public order.A report by the Public Opinion Monitoring Centreof the state-run People’s Daily announced on30 October that the campaign against Big V’s hadsucceeded – the government had retaken onlinespace for the Party. The state-run Beijing YouthDaily capped the year off on 13 November by claimingSina had taken action against 103,673 accountsfor flouting online behaviour guidelines announcedthat summer, through measures ranging fromtemporarily restricting users’ ability to post to permanentaccount deletion.Part 2: Dawn of the digital dinner table (2014)After a few months’ lull, Xinhua reported on 27February that Xi Jinping was now heading “a centralinternet security and informatisation leadinggroup” and had that day presided over its firstmeeting. (Xi has become the leader of other such internalleadership committees since his ascent, andhas established other new ones for policy changeand domestic security.) A same-day report on CCTVsaid Xi had emphasised the need for a firm hold onthe guidance of public opinion online.Then on 13 March, WeChat saw its first realpurge: Tencent deleted at least 40 critical public106 / Global Information Society Watch china / 107


accounts, some with hundreds of thousands of subscribers.On 15 March, the South China MorningPost reported that according to an unnamed industrysource, a team of government censors werestationed at Tencent’s Guangzhou office for a weekbefore the crackdown; censors instructed thecompany to practice self-censorship on accountsposting “sensitive content on national politics”, andnamed certain accounts that had to be shuttered.But as March dragged on a major labour disputein Southern China would provide contrastingexamples of WeChat’s potential in both grassrootsorganising and surveillance. Tens of thousands ofworkers for shoe manufacturer Yue Yuen used We-Chat to coordinate a crippling strike in Guangdongwithout help from their sanctioned, government-runprovincial union; meanwhile police detained labouradvocate Lin Dong from the Shenzhen ChunfengLabour Dispute Service Centre on the grounds thathe had posted inaccurate information online. Thecentre’s director Zhang Zhiru told the South ChinaMorning Post that Lin had only sent a private We-Chat group message to 11 people about the issue,and had noted the information was unverified.While the strike was ultimately successful and Linwas released after 30 days in custody, the biggestguns were still waiting in the wings.On the morning of 27 May authorities announceda social media crackdown one week beforethe 25th anniversary of the 4 June massacre thatended the Tiananmen Square protests.The specialmonth-long operation specifically targetingWeChat and similar apps would be carried out bymajor government organs including the State InternetInformation Office, the Ministry of Industry andInformation Technology, and the Ministry of PublicSecurity. Their stated focus was on public accountswith social mobilisation power. Less attention wasgiven to a new development in how Tencent wouldapproach the social feature that had long been oneof WeChat’s central conceits: private friend circles.After WeChat was explicitly named at thecrackdown’s outset, Tencent and six competitorsquickly published a list of 10 proposed industry“initiatives” to help create a “clean internet”; theseincluded a new commitment to further scrutiniseprivate groups. The companies called on industrypeers to “intensify management of friend circlesand regulate related functions, intensify the inspectionand management of friend circles’ content, andresolutely shut down accounts that transmit illegaland harmful information via friend circles.”Tencent then announced on 10 June that duringthe year’s first six months it had already shuttered20 million private WeChat accounts with the help ofauthorities, in addition to 30,000 public accounts ithad deemed fraudulent. In announcing the move,dubbed “Operation Thunder”, Tencent claimed theaccounts had been guilty of engaging in phishingschemes or prostitution. That day it also announcedthat the search engine Sogou ( 搜 狗 ) of the eponymouscompany it had acquired last year was nowcapable of searching public WeChat accounts, allowingusers to look them up and browse theirposts’ contents.Almost as an afterthought the campaign turnedits eyes to Apple: the Ministry of Industry and InformationTechnology announced it would take newmeasures to regulate the company’s iMessage service.A group chat function similar to WeChat’s friendcircles was added to the Apple instant-messagingapp in October 2011; Chinese tech industry newssite Techweb reported the new measures wouldinclude tools to monitor and prevent spam messages,which it claimed had cost users millions ofRMB. Finally, following a pro-democracy march inHong Kong on 1 July that drew a historic turnoutof hundreds of thousands according to organisers,messaging apps Line and KaoKao Talk beganexperiencing issues, with the former rendered completelyinaccessible.ConclusionsSurvey results indicate a widespread belief that surveillanceon the mainland does not affect or botherwith most people’s affairs. Until recently even experienceddissidents believed themselves free fromsnooping eyes and ears on WeChat. Hu and Wang’scases show us that assumptions about what isprivate online in the PRC do not always hold true,particularly when one uses a supposedly privatespace to organise. In mainland China the internetand everything in it can reasonably be viewed aspublic space – that is, ultimately belonging to thestate.Operation of online communications platformsby private companies is a privilege, not a right. Thethreat of its rescindment will compel corporationsto comply with state demands lest they lose permissionto stay online. Sina’s failure to effectivelyclamp down on recusant expression eventuallyprompted more severe government action, thoughuser migration to WeChat was already well underwaybefore this. By more promptly complying withgovernment directives and effectively dealing preemptivelywith areas of potential concern, Tencentmay be able to keep WeChat from coming to thesame grisly end.Much still depends on how netizens take advantageof WeChat’s many functions. The massiveMarch strike in Guangdong shows that even friendcircles limited to 100 members can spread informationrapidly enough between overlapping groups tomobilise tens of thousands, while labour advocateLin Dong’s detainment shows that even very smallscalegroup communication can serve as a pretextfor detention if one helps effectively focus and directthe momentum of such large-scale movements.But even Tencent’s in-company surveillance andcontrol efforts may not be as all-powerful as thepast year seems to imply. In light of how private PRCcompanies already provide surveillance services individuallyto different sectors of the government andParty, the publicly projected monolithic censorshipand surveillance effort of Xi’s administration maybelie an unseen and far more piecemeal approach.For now, though, critical conversations onlinehave taken refuge in a space that those around beforethe internet may find familiar: a sort of a digitaldinner table, albeit one where conversations aremuch more easily listened in on. Complaints willcontinue in semi-private, but this suits the CCP justfine: where before all eyes were struggling to followa flurry of public microblogs, now only the party haspotential access to a comprehensive view of onlinediscourse that could ultimately strengthen its holdon power. While it may not be able to fully stampout dissent, neither does the party seem likely toface a Snowden of its own any time soon.Of course, few saw the fall of Bo Xilai coming,either – aside perhaps from Bo’s former right-handman Wang Lijun, who fled to the closest US consulatewhen he feared his old boss might have himkilled, a stack of classified documents in hand foruse as a bargaining chip (see again GISWatch 2012).Action stepsThe following action steps can be suggested forChina:• The same basic precautions recommendedagainst National Security Agency (NSA) surveillanceall hold true in the PRC: cryptographicanonymity tools are necessary for true privacyin communication. However, unlike in the US,public debate and opposition to the state’s surveillanceof its own citizens appears impossiblewithout broader public consciousness of theseendeavours and systemic political changes.• Applications and online services made by PRCcompanies whose servers are on the mainlandcan be considered to be at least potentiallycompromised.• Mobile communication seems particularly vulnerableto surveillance, and likely cannot berelied on for anonymity; this is doubly true if auser is a dissident or known member of advocacyor activist groups that serve organisationalpurposes.• While not touched on above, foreign news organisationsand businesses are often subjectto state-directed hacking efforts in the PRC.WeChat and other such local networking apps,while convenient, essentially create a detailedrecord of user activity and contacts that canhelp undermine other efforts to maintain privacyand confidentiality.108 / Global Information Society Watch china / 109


colombiaHacking information on the peace talks in ColombiaColnodoAriel Barbosa (with the collaboration of Olga Paz)www.colnodo.apc.orgIntroductionColombia is a country with one of the highest internetpenetration rates in Latin America. This is dueto governmental policies and high investment fromthe private sector, aimed at opening and consolidatingnew markets.One of the most recognised ministries in thecurrent government, based on its initiatives andsuccess, is the Ministry of ICTs. One of its leadinginitiatives is the Vive Digital Programme, whichaims to expand not only ICT infrastructure but alsothe demand for internet services in the country. Oneof the outcomes of this strategy is that Colombiahas more mobile phones than inhabitants and morethan 60% of the population are internet users.Although there has been great progress in providinginternet access, services, applications andcontent, the country is still behind in defining adequatepolicies in order to strike the right balancebetween state surveillance and the right to privacyof citizens. Many recent cases have demonstratedthe lack of effective policies and regulationscontrolling information and data storage, and appropriatepenalties in cases where information hasbeen illegally disclosed and obtained from citizensand public servants. Some of these cases are: the“chuzadas” 1 (particularly phone hacking) carriedout by the former Security Administrative Department(DAS); Operation Andromeda; the hacking ofphones and computers of participants in the agrarianstrike of 2013; and, most recently, the hackingof phones and computers to sabotage the recentpresidential election campaign.Faced with these events, which caused greatconcern among the public, the government decidedto draft a cyber security and cyber defence policy.The first step taken was to seek the technical assistanceof the Organization of American States (OAS),which recommended the inclusion of civil society indefining the policy. However, the complete text of1 “Chuzada” is a term used in Colombia when someone secretly tapsa phone line without consent.the policy has not been disclosed to the public andthere is growing fear that it will only be disclosedwhen finalised, without the participation of civilsociety, which would help prevent imbalances betweencitizen rights and state surveillance.Policies and regulation on cyber securityand cyber defenceIn comparison to other countries in the region, Colombiahas made great progress in its technologicaland technical capacity, closing the gap with developedcountries. However, regarding institutionalcoordination and operations there is still much tobe done in terms of design and implementation.One of the first policies outlining the guidelinesfor cyber security and cyber defence dates from 14July 2011 (National Council for Economic and SocialPolicy – CONPES 3701). 2 This policy includesthe national and international background, andspells out the regulations in the country regardingthese issues. Based on this policy, the Cyber JointCommand, the Cyber Police Centre, the ColombianInformation Security Coordination Centre (CSIRT)and the Response Group for Cyber Incidents in Colombiawere created. These entities work togetherwith the Army Technical Intelligence Central (Citec)and the Police Intelligence Directorate (Dipol).Following the first state phone hacking scandal,known as “chuzadas” and carried out by the DAS,the national government closed DAS and passedthe Intelligence Bill, which became law on 17 April2013.This law was put to the test following a secondscandal known as “Andromeda”, which revealed thefailures in enforcing the law, mainly by members ofthe army who over several months spied illegallyon civil servants and important public figures. In2014, the government began to draft the cyber defenceand cyber security policies, a process in whichseveral civil society organisations (among themColnodo) asked to be involved – as recommendedby the OAS.2 www.mintic.gov.co/portal/604/articles-3510_documento.pdf“Buggly”, the “Ethical Hacking Community” centre where the Andromeda operation was carried out. photo: eltiempo.comPeace talks in ColombiaSince the 1950s at least three generations of Colombianshave endured an internal conflict in thecountry caused by the huge inequality in the distributionof wealth – a conflict whose main actors havebeen different guerrilla groups and the country’sarmed forces.In October 2012, President Juan Manuel Santosconfirmed that the government was holding peacetalks with FARC, the largest guerrilla group in thecountry, and the oldest in the world. The news wasreceived both with optimism and scepticism giventhe failed attempts at peace talks in the past withthe same guerrilla group during former presidentAndrés Pastrana’s administration (one of the mostinfamous incidents during those talks, which tookplace in January 1999, is known as “the emptychair”, referring to the absence of the FARC commander,Manuel Marulanda). 3This cycle of internal conflict and failed peacetalks allowed intelligence agencies free rein,and some of their activities have not been fullyidentified.Andromeda, a front for illegal surveillanceof the peace talksThe distrust surrounding the peace talks wasconfirmed when on 3 February 2014, the weeklymagazine Semana, which has one of the highestcirculations in the country, published an article3 es.wikipedia.org/wiki/Di%C3%A1logos_de_paz_entre_el_gobierno_Pastrana_y_las_FARCexposing “a military intelligence front where not allactivities were legal” 4 that started operating onemonth before President Santos initiated the newpeace talks. The investigation revealed how the militaryintelligence set up a front for their operations,and used this as a base to illegally surveil membersof the government and public figures involved in thepeace talks.The surveillance base was located in a buildingin a residential neighbourhood in Bogota. Onthe second floor, above a restaurant on the groundfloor, there was a so-called “Ethical Hacking Community”centre, offering courses on website designand information security and publications on how tospy on a chat site and how to create and detect webattacks, among others.This centre had been legally opened and wasregistered in the Bogota Chamber of Commerceon 12 September 2012. Semana’s investigationrevealed a series of illegal phone and computerhackings carried out by members of the nationalarmy, and a military hacking information centre locatedin a room known as the “Grey Room”. 5The name of this secret operation was “Andromeda”,and an official from the Number OneArmy Technical Intelligence Battalion (Bitec-1) wasin charge of the operation. This battalion is part ofCitec, recognised for its success in fighting the FARCby infiltrating their communications – in the past4 www.semana.com/nacion/articulo/alguien-espio-losnegociadores-de-la-habana/376076-35 www.semana.com//nacion/articulo/la-sala-desde-donde-sehacian-las-chuzadas-del-ejercito/376079-3110 / Global Information Society Watch colombia / 111


this had led to the freeing of kidnapped citizens.However, Semana had evidence of how it was alsocarrying out espionage activities that compromisednational security, and was engaged in the illegalphone hacking of recognised public figures. Theseactions were carried out by members of the army,but also by students, hackers, and participants inso-called Campus Parties (an annual event devotedto technological innovation, digital culture and research).They were not only paid, but handsomelyrewarded depending on the political weight of thepublic figure and the difficulty of gaining access totheir information.After the Semana revelations, President Santosconsulted internally, and, given the lack of clarity onthe issue, asked for a public enquiry to determine“which dark forces are spying on our negotiators inHavana,” where the talks are being held. “They aretrying to sabotage the peace process. We need toknow if (…) there are loose cannons in the intelligenceagencies,” he declared.The Andrés Sepúlveda case: Intelligenceinformation gathered in the middle of thepresidential election campaignCampaigning for presidential elections began in2013, but gained momentum in 2014. The firstround of the presidential elections took place onSunday 25 May. Six candidates from different politicalparties took part in the presidential race. One ofthem was President Santos, who was looking for reelection.His most important contender was OscarIván Zuluaga, who was the candidate for the DemocraticCentre – the political party of former presidentAlvaro Uribe – and who publicly expressed his disagreementwith the peace talks in Havana.The presidential elections were dogged by yetanother espionage scandal. The national newspaperEl Tiempo revealed that at the beginning ofMay 2014, 6 a man called Andrés Sepulveda had confessedbefore a prosecutor and a deputy attorneygeneral to his involvement in hacking informationon the peace talks, and how it was about to be soldto the National Intelligence Directorate (DNI).One of the most disturbing events in thoseweeks was the broadcasting of a video 7 in whichSepúlveda introduces himself as a contractor for cybersecurity and social networks and discloses partof the information illegally obtained to Zuluaga. 8The strategy, from what can be seen in the video,was to publish the information obtained from militarysources through the website dialogosavoces.com and a Twitter account (https://twitter.com/dialogosavoces)in order to attack the peace talks andthe government.However, it is difficult to determine if theserevelations affected the election process, and thevoting. After the scandal was revealed by El Tiempo,the first round of presidential elections led toa run-off between Santos and Zuluaga. Santos wasre-elected with a 5% advantage over his rival.Drafting the Cyber Security and CyberDefence Policy in ColombiaSimultaneously, and partly because of these issues,Colombia has been drafting a Cyber Securityand Cyber Defence Policy, which began just whenthe Andromeda scandal was revealed. 9 For thispurpose, a commission was formed, but withoutthe active participation of civil society groups inColombia. This commission has been limited to governmentalofficials, national experts in informationsecurity and representatives from the private sectorwith crucial infrastructure, such as the financial andenergy sectors.In March 2014 the non-profit organisations Dejusticia,the Karisma Foundation, the Foundationfor Press Freedom (FLIP) and Colnodo sent an openletter to President Santos 10 asking that they be includedin the surveillance commission. The aimof the organisations was for human and internetrights, specifically the right to privacy, to be representedin the policy-making process.The Colombian government requested technicalassistance from the OAS, whose report was presentedon 4 April 2014. Its main recommendationwas to create an entity that would oversee the operationsof agencies in the armed forces in chargeof cyber security, and which would report directlyto the president. The OAS also recommended thatthis agency should be directed by a civilian and nota military person, 11 and that the government shouldaim to “harmonise the Colombian legislation withinternational legislation (Budapest Convention),particularly on issues of criminal procedural law.”This would enable the implementation of clearpolicies to prevent human rights violations and toprotect the country’s sovereignty.The OAS has contributed an interesting perspectiveto the conception of the Cyber Securityand Cyber Defence Policy, since it openly declaresthe importance of incorporating the Budapest Conventionin the policy in order to balance nationalsecurity issues with the defence of human rights.The Andromeda and Andrés Sepúlveda informationhacking cases have yet to come before thecourt. These cases exposed the flaws in the IntelligenceLaw (1621 of 17 April 2013) and ultimately thelaw failed the test. The reason is partly the lack ofa centralised body directly responsible to the president,as proposed by the OAS.Action stepsCivil society organisations should stay actively involvedin the design of policies on cyber security andcyber defence in Colombia in order to keep a balancebetween the defence of the state and privacyrights. It goes without saying that the governmentshould create spaces for civil society participation.The mission of civil society is to ensure thatwhen laws are created, limits must be defined, aswell as to remind the government that its utmost priorityis to protect its citizens. The government needsto ensure that laws are “necessary and proportionate”according to the 13 International Principles onthe Application of Human Rights to CommunicationsSurveillance 12 – particularly when the crucialpeace negotiation process, which has been goingon for two years, could be gravely affected.It is important for these new laws to considerthe following points:• Communications metadata could be more relevantthan content.• To collect information without permission is acrime, even if no one gets to use the information.• When information about a citizen is requestedto solve a court case, it should be because it isnecessary, adequate and proportionate.• It is important to strike a balance between privacyand cyber defence. That is, the right toprivacy is equal to the right to build safe communicationssystems.6 www.eltiempo.com/politica/justicia/los-archivos-del-hackersepulveda-acusado-de-espiar-proceso-de-paz/139722557 www.semana.com/nacion/articulo/el-video-del-hacker-con-oscarivan-zuluaga/388438-38 www.eltiempo.com/politica/justicia/los-archivos-del-hackersepulveda-acusado-de-espiar-proceso-de-paz/139722559 www.enter.co/chips-bits/seguridad/ciberdefensa-colombiapolitica10 colnodo.apc.org/destacamos.shtml?apc=l-xx-1-&x=377711 www.elespectador.com/noticias/judicial/colombia-no-se-rajo-eltema-de-ciberseguridad-y-ciberde-articulo-48583112 https://en.necessaryandproportionate.org/text112 / Global Information Society Watch colombia / 113


CONGO, republic ofCivil society and cyber surveillance in the Republic of CongoAZUR DéveloppementRomeo Mbengouwww.azurdev.orgIntroductionInformation and communications technologies(ICTs) now hold an important place in our daily lives.They are the source of many benefits, includingeasy and rapid exchanges and communication, datastorage, and the digitisation of administrative procedures.However, technologies must be respectfulof the privacy of users. This obligation applies to all,with few exceptions, and both to institutions and toindividuals.Yet, according to the revelations of EdwardSnowden on the work of the US National SecurityAgency (NSA), it has now been established thatwe are not protected from spying eyes. Everythingwe do is monitored and followed by others for onereason or another. This is cyber surveillance: thatis to say, the technical control of electronic communications.Some use it as a means to spy onwhat others are doing to prepare for any eventuality;others in order to do harm. Whether for onereason or another, cyber surveillance, except incases where it is permitted by law, is harmful forusers because it is a violation of fundamental humanrights, including the right to have your privacyrespected.As a world phenomenon, cyber surveillanceis ignored by some, its threat is minimised byothers, and it is even non-existent in some countries.So, what is the situation in the Republicof Congo? How does civil society consider cybersurveillance? Several Congolese civil society organisationsuse ICTs in their everyday work. Dothey feel monitored on the web? What about theCongolese legislation?These are the questions that this report willtry to answer. To do this, it is important to providean overview of the legal framework for ICTsin Congo, before analysing civil society awarenessof cyber surveillance in the country. This hasbeen done through interviews with civil societyorganisations.Overview of the legal framework for ICTsThe legal framework for ICTs in the Congo currentlyincludes:• The Congolese Constitution of 20 January 2002,which states in Article 19 that “everyone hasthe right to freely express and disseminate hisopinions in speech, writing, image, or any othermeans of communication...” Article 20 says that“the secrecy of correspondence, telecommunicationsor any other form of communicationcannot be violated except in the cases providedby law.”• Law No. 8-2001 of 12 November 2001 on thefreedom of information and communication.This law guarantees the freedom to access informationand communicate, including on theinternet.• Law No. 9-2009 of 25 November 2009 regulatingthe electronic communications sector. Thislaw describes the conditions for the installationand operation of networks and electroniccommunications services. In Article 6 it statesthat “electronic communications activities arepracticed freely in accordance with the terms ofthe legislation and regulations.” This law, whichalso deals with the protection of users’ privacy,prohibits cyber surveillance. Article 125 states:“It is unlawful for any person other than the usersto listen to, record, or store communicationsand traffic data related to them, or submit it toany other means of interception or surveillancewithout the consent of the users concerned, exceptwhen legally authorised to do so…” 1• Law No. 11-2009 of 25 November 2009 establishingthe regulatory agency of postal andelectronic communications. In Article 5 it statesthat the agency promotes and protects theinterests of users in the field of postal and electroniccommunications.Other laws are being drafted, including a law on theprotection of personal data, a law on cyber security,a law on the fight against cyber crime, a frameworklaw on the Congolese information society and1 Law No. 9-2009 of 25 November 2009 regulating the electroniccommunications sector.digital economy, and a plan for national broadbanddevelopment in the Congo.Use of ICTs by civil societyCongolese civil society organisations are workingin several areas, including the defence and promotionof human rights in general, the preservation ofthe environment, the fight against poverty, the fightagainst corruption, the fight against HIV/AIDS, andthe promotion of ICTs.These organisations, such as the CongoleseObservatory of Human Rights (OCDH), have workedand are working on sensitive issues concerning humanrights, and, in the course of their work, theyuse ICTs. Some organisations have computers onwhich they can store sensitive data resulting fromthe analysis or investigation of violations of humanrights. This data could include email addresses andphone numbers. The phone is the most frequentlyused way to contact a civil society organisation inthe Congo. Very few organisations maintain a website,a blog or a Facebook account.Analysis of cyber surveillance in the CongoInterviews with civil society organisations involvedin human rights and ICTs conducted for this reportsuggest that many are unaware of cyber surveillance.They also pointed to the lack of a governmentpolicy on cyber surveillance, and the lack of an independentbody securing personal data.Civil society’s understandingof cyber surveillanceAs suggested, it appears that a number of civilsociety organisations in the Congo have no clearunderstanding of cyber surveillance. This is largelydue to them not having, for the most part, extensiveknowledge of and experience in using computersand the internet. Given that they are seldom presentedwith circumstances that could draw theirattention to cyber surveillance, several organisationsdo not suspect any surveillance, interceptionor control over the internet.Loamba Moke, president of the Association forHuman and Prisoners’ Rights (ADHUC), commented,“The concept of cyber surveillance is unfamiliar tous. It is unclear whether our email communicationsare intercepted or stored, and we don’t know howto secure our data on the internet.” In other words,they do not have the expertise necessary to securetheir communications, but are also unable to detectthe interception or monitoring of their electroniccommunications. A similar point of view is held byWilfrid Ngoyi Nzamba, executive secretary of theCongolese Association of ICT Consumer Productsand Services, who argues that there is a clear lack ofevidence on the existence of cyber surveillance. Hestates that “there is no cyber surveillance in Congo”– but for him the reasons include the fact that thereare few people qualified to carry out surveillance ina country where there are still a lot of “computer illiterate”citizens among the population.However, other organisations are more aware ofdigital security. This is the case with the Organisationfor the Development of Human Rights in Congo(ODDHC), which conducted training on digital securityfor human rights defenders with the support ofthe Multi-Actor Joint Programme (PCPA) in March2013. According to Sylvie Mfoutou Banga, presidentof the ODDHC, “The risk of the piracy of informationfrom human rights advocates has led us to developthis training on human rights and digital security.”Several topics were discussed during the workshop:how to create safe passwords, how to download andinstall free antivirus protection off the internet, andhow to work on the internet without leaving digitaltraces. Regarding phones, Mfoutou does not knowif her phone is tapped.Another organisation, the Group of Journalistsfor Peace (GJP), has received training on the securecommunications software FrontlineSMS and FrontlineCloud.Tools like these “allow members of anNGO to communicate safely,” said Natalie ChristineFoundou, the president of GJP. In 2013, AZUR Développement,in collaboration with the Associationfor Progressive Communications (APC), organisedtraining on the protection of privacy in the managementof online data on women and girl victims ofviolence. 2Lack of a common national policyon data protectionIn the current institutional set-up, there is no commonpolicy on data management, protection andprivacy. Each institution or agency, both private andpublic, is obliged to manage its data in such a waythat no data theft can happen. However, the reasonwhy there is no common policy on data protection issimple: email services and websites are not hostedin Congo, but abroad, particularly in France and theUnited States. Only over the past three years havethere been efforts to set up the Congolese Agency forInternet Naming (ACNIC). This new organisation willnow manage the internet country code domain ‘’.cg’’.“If Congolese civil society or any other person issubject to control or cyber surveillance, this wouldnot be on the part of national authorities, but rather2 www.violencedomestique-congo.net114 / Global Information Society Watch CONGO, republic of / 115


foreign institutions; and they will be monitored notas Congolese civil society necessarily, but as Yahooor Google users,” said Davy Silou, a computerengineer and independent consultant. He also mentionedthat some computers used by civil societyare often not secure, and do not use the originallicences.In addition, training in ICTs must remain a priorityfor the Ministry of Posts and Telecommunications,responsible for new technologies, and the Ministryof Higher Education, as a national data protectionprogramme will require a high level of skills. Thereis still no computer course in the one and onlypublic institution for higher education, the MarienNgouabi University of Brazzaville. Investment in researchand development are insufficient to be ableto develop skilled human resources in the ICT sectorin Congo. Cisco courses are offered at an approximatecost of 40,000 FCFA (USD 80) per module.ICT incubator projects are insufficient. The companyVMK created the Bantu Hub, a technology hublocated in Brazzaville, which serves as a sharedworking space and an incubator for business startups.Bantu Hub hosts various activities that help toshare knowledge and learning about ICTs.Lack of an independent body ensuringdata protection and civil libertiesThe Republic of Congo also lacks an independentbody for the protection of personal data and individualfreedoms on the internet in Congo.Article 130 of Law No. 9-2009 of 25 November2009 regulating the electronic communicationssector, appears to offer an opportunity for abuse.According to a provision, “for the purposes of defenceand security, the fight against paedophilia andterrorism, network operators open to the public orelectronic communications operators are required…to store the data for electronic communications. Individuallydesignated and authorised governmentalagents who have a special responsibility for thistask may require operators and persons to sharethe data that has been stored and processed.” 3The difference is that in other countries, citizenidentification files are protected by independentbodies such as the National Commission for Computingand Civil Liberties (CNIL) in France, to ensurethat electronic communications and data are at the3 Law No. 9-2009 of 25 November 2009 regulating the electroniccommunications sector.service of the citizen, and that his or her privacyand personal freedoms are not violated. This is notyet the case for the Republic of Congo. Under theseconditions, one may wonder if Congolese citizensand civil society in particular are actually safe fromintrusion or control on the part of public and privateauthorities.ConclusionIn light of the previous analysis, while the legalframework does not encourage the practice ofdata protection, it is clear that it is also difficult toidentify or document if cyber surveillance is takingplace. The skills at the disposal of civil society arevery limited to do this. It is therefore important toequip Congolese civil society organisations withknowledge of security tools to prevent intrusioninto or control of their communications. Beyondcivil society, the government should invest enoughin training, research and development in order todevelop capacity in the field of ICTs, including ensuringdata protection.Action stepsIn order to do the above, the implementation of thefollowing recommendations may be necessary.The government should:• Adopt laws on the protection of personal data.• Establish an independent body for overseeingthe management of personal data.• Create a computer training and internet coursein higher education.• Invest in ICT research and development.Civil society should:• Create awareness and train civil society on cybersurveillance.• Build the capacity of civil society organisationsso they can secure their personal data.• Advocate for the adoption of a more protectivelegal framework for civil liberties on theinternet.International partners and organisations should:• Provide financial and technical resources to civilsociety for awareness-raising programmes andtraining on internet safety.Costa RicaUniversal health data in Costa Rica: The potential for surveillancefrom a human rights perspectiveCooperativa Sulá BatsúKemly Camacho and Adriana Sánchezsulabatsu.comIntroductionIn May and June 2014, the guild for primary andsecondary teachers in Costa Rica embarked on alengthy strike over errors in the payment of theirwages – the result of problems in the managementof their personal data. The strike led to a lot of restlessnessover the management of public computersystems in general, and showed the social, economicand political consequences of technologicalapplications. National interest in the administrationof personal data in public information systems suchas health records grew.Since the mid-20th century, Costa Rica has hada universal health care system based on a citizenpartnership (or solidarity) model. In terms of data,every citizen of the country has a record containingtheir personal and health information. To date,most of these files are still paper-based, so thatevery time a patient is seen in consultation by theCosta Rican Social Security System (CCSS), the doctorshould have a physical folder that includes all ofthe patient’s medical history.It is easy to imagine the consequences that themanual handling of this information can generatein terms of errors, delays, loss of data and incompletetest results. Because of this, there has beenan increase in legal actions brought before the ConstitutionalCourt by Costa Ricans claiming that theirright to health has been compromised. Addressingthis issue is particularly important in a national contextwhere there is strong pressure for privatisation.Looking for a comprehensive and long-termsolution, the Constitutional Court issued a ruling directingthe CCSS to solve this problem by issuing asingle electronic health record (EDUS) in 2012. Thisdecision is supported by a bill passed by the LegislativeAssembly in 2013, where the project has beendeclared a national project, and a period of fiveyears given for its development. EDUS is describedin the bill as follows:The Single Electronic Health Record is the repositoryof patient data in digital form, storedand exchanged securely, and that can be accessedby multiple authorised users. It containsretrospective, current and prospective informationand its main purpose is to support theefficiency, quality and integrity of health care. 1Due to the universal nature of the Costa Rican healthcare system, we can say that when EDUS is implementedit will be a national treasure of informationand useful data for decision making in public health.It will help to improve the efficiency of the service,and support transparency, accountability and citizenoversight. However, EDUS may also be of highvalue to multiple interests outside the public healthcare system, such as private medical enterprises,insurers, employers, pension operators, banks,security agencies, advertising companies, the policeand the judiciary, among others. Therefore, theimplementation of EDUS by the CCSS is undoubtedlyan important step towards strengthening theright to health among the Costa Rican population,but also represents a major national challenge interms of the potential of this information for citizensurveillance, where the security and privacy of personaldata are compromised.Although pilots of some parts of the project 2have started already, EDUS is still in the design anddevelopment phase. This is the right time to generatea national discussion – which has not happened– about what the electronic records may representwhen it comes to public surveillance. With thispurpose in mind, discussions have been held withnational stakeholders: civil society, academia, lawyers,doctors, system designers and the CCSS. Theyhave different perspectives on the issue, which arereflected in this report.A human rights approachThis report focuses on citizen surveillance from ahuman rights perspective. It is considered a citizen’sright to know how our data is managed, whatinformation is generated from it, and for whom.Given this approach, it is crucial that Costa Ricansparticipate in defining how the health record is1 Opinion prepared by the Commission on Science, Technology andEducation of the Legislative Assembly (2010-2014), July 2011.2 Mainly at the primary care level (according to the proposed plan).See: portal.ccss.sa.cr/EDUS_WEB/edus/EDUS.html116 / Global Information Society Watchcosta rica / 117


uilt, which data will be available in the digital files,who will have access to what data, what policiesand procedures are governing the privacy and securityof the information, and how to ensure that thisinformation will not be used for surveillance andother private purposes. It is also necessary to definethe mechanisms of public oversight to ensureprocesses and agreements on the management ofthe information are implemented properly.With the understanding that this is a highlytechnical process, both from the information technologyperspective and from a medical point ofview, citizen participation in building EDUS hasbeen absent so far. The process has been definedas a specialised health and computing process, notas a process that has to do with citizen information.The analysis of EDUS must be performed fromdifferent perspectives, which are interrelated andindivisible:From the perspective of the right to healthAs indicated in the bill, the implementation of EDUSis an essential condition to improve the exercise ofthe right to health in Costa Rica:The application of this technology in the CCSSaims to reduce waiting lists in health care services,improve the quality of care and eliminateduplication of administrative procedures relatedto the data of the insured…The current fragmentation of health data canbe solved through the standardisation andintegration of information resulting from theintegration of programming languages, technologyplatforms and operating costs in a singlesystem. 3From discussions with stakeholders, several importantchallenges have been identified:• There is a great risk in seeing EDUS as the magicsolution to the fundamental problems of theCCSS. But as noted by the Comptroller Generalof the Republic, following the implementation ofthe information system, a complete reorganisationof the institution must be undertaken, sothat this public investment does not become anunnecessary expense.• There is resistance to change by a large groupof health care workers in general and doctors inparticular, who consider EDUS a system that canbe used to control their performance.3 Affirmative opinion prepared by the Commission on Science,Technology and Education of the Legislative Assembly (2010-2014),July 2011.• Cost and time represent a major risk to projectsuccess. Some of those consulted feel that thereis a lack of good analysis of what this means now,and what it will mean in the future for CCSS, andraise concerns that EDUS may unbalance CCSS’sbudget if a good projection is not made.• The success of EDUS will be determined byother national issues that are not under the controlof the CCSS, such as access to the internetthroughout the country.• The need to think about other models where theelectronic health record is administered by eachcitizen (as with personal bank accounts) hasbeen proposed.From the perspective of citizen oversightof the health care systemHaving a system such as EDUS would have a highvalue for the control and supervision of health services,as well as accountability and transparency inthe provision of universal service. A condition forthis to be possible is to have accessible, updatedand available information to enable citizens tolearn, evaluate and propose actions to strengthenthe universal health care system.At present there is no information on the functioningof the health care system available forpublic examination. Those interested in exercisingthis role as citizens must look at various files (oftenwith little information), request authorisationto access public information, and learn to analysecomplex and disconnected data.Until now, the development process of EDUShas not referred to the integration of informationmodules that allow citizen oversight. Civil societyhas not developed or proposed actions in thisregard and seems to be unaware of the positive impactthis can have on universal service and citizensurveillance.From the perspective of citizen surveillanceIn terms of citizen surveillance, it is important tomention that when the EDUS bill was discussed, theCommission on Technical Affairs of the LegislativeAssembly addressed the confidentiality of data forthe first time as a human rights issue that must beregulated. It indicated that the technological solutionchosen for the creation of the records shouldhave certain characteristics, including security:“The electronic record and the software solutionsthat interact with it must meet the criteria establishedfor this purpose in the scientific, ethical andadministrative technology field, in order to ensureintegrity, confidentiality and availability in the use,Table 1.Summary of discussions on EDUS with key stakeholdersRight to healthCitizen surveillanceProgressGreater control and monitoring of the provisionof health care servicesGreater efficiency in health care servicesWould strengthen universal serviceThere is a good data protection lawFavours an analysis of the health care system fordecision makingFacilitates accountability and transparencyRisksFacilitates the prioritisation of care according tohealth conditionsInformation should belong to the people, notthe health care system.To ensure universality it is essential thatall citizens have equal access to their electronicrecords, no matter where they aregeographically.Doctors are seeing electronic records as a wayto control their performance. There is resistanceto change.The financial cost of the project is very high andthe state does not have the resources to developit. It also has associated long-term coststhat are not contemplated.Implementation time is very short for the completesystem.Need for thorough reorganisation of CCSS.Technological solution is seen as the magicsolution.Source: Prepared by the authors.management, storage, maintenance and ownershipof the data included in the clinical record.” 4However, in conversations for the preparation ofthis report, the issue of data security from the pointof view of system functionality (user profiles relatedto access rights, for example) was emphasised, insteadof the issue of citizen surveillance, which isnot seen as an important issue in the developmentof EDUS. Nevertheless, you can think of citizen surveillancefrom two angles:4 Replacement text for Article 5 of the bill, proposed by theCommittee on Technical Issues of the Legislative Assembly, 2012.Allows greater control and oversight by citizensIt is an opportunity to have an open databaseavailable to the publicRegulation:Despite the good data protection law, the regulationsand accompanying implementation at national levelare weak.Technology policies, agreements and conditions forthe safeguarding of health data are unclear.There is no specific legal framework for healthrecords.Internal process:There are different views within the CCSS on what todo in terms of technological development in general,and specifically when it comes to EDUS.There is a need to update staff at CCSS on thegovernance of health technologies, security and dataprivacy, open government and citizen surveillance.Development process:The CCSS, which oversees the implementation ofEDUS, has emphasised the functional aspect of thesystem rather than the security and privacy of dataand the potential of citizens monitoring the data.Civil society, health actors and decision makers arenot informed about the development process of EDUS,nor have they discussed aspects of security, privacyand surveillance in these instances.• The provision of health data for surveillancefrom the private sector, whose interests are verydiverse, ranging from strengthening the privatehealth schemes that compete with universalpublic service, to designing advertising campaignsfor specific target audiences.• The availability of health data for surveillanceby the state, whose current and future interestsmay also be very different, starting with publicsafety to the repression of social and popularmovements.118 / Global Information Society Watch costa rica / 119


The information in the health record belongs by lawto the CCSS. Currently the EDUS process involvesdevelopers, database administrators (responsiblefor the “data centre”), support staff and healthpersonnel who have access to different groups ofdata, which are handled in line with confidentialityclauses. The policies or regulations that will constitutethe legal framework for the management andprotection of the health records are not yet defined.The existing regulatory framework dates from 1999and corresponds to physical files. While there is avery good law for data protection in Costa Rica, itsregulations and implementation remain weak.According to the stakeholders interviewed forthis report, in the CCSS there are multiple visions ofwhat should be done in terms of the developmentof information and communications technologies(ICTs), as well as computer systems, includingEDUS. A discussed and shared policy, updated inthe light of major issues such as the governance ofhealth technologies, citizen surveillance, open government,security and data privacy, and the use ofcloud technology, among many other urgent technologicalconsiderations, is not available.Discussions with stakeholders show that addressingcitizen surveillance has not been a priorityin the development of EDUS up until now. This iscompounded by the lack of understanding of thetopic and the risks entailed at the technical andpolitical levels. It is possible that the issue of surveillancemight not be a priority, because it is notvisible.One can tell that the development of EDUS iscaught between two forces: On the one hand thepolitical pressure and the mandates of the ConstitutionalCourt, the Legislative Assembly and theComptroller General’s Office in terms of the right tohealth; and on the other hand, the need for clearlydefined policies, the strengthening of knowledgeand skills, and citizen participation to address thesystem from perspectives that go beyond the technicalaspects of computing.Action stepsTo address the issue of citizen surveillance in CostaRica, the following steps are proposed:• Continue the discussion with academia, theCCSS, civil society and other stakeholders tostrengthen understanding of the topic of citizensurveillance in Costa Rica, specifically in thecase of EDUS.• Civil society should participate in forums wherethe issue is being addressed (CCSS, the legislature,the Medical Association and the BarAssociation, among others).• Raise awareness in community health committeesand associations on the subject of healthinformation systems.• Create opportunities for citizen participation inthe design, development and implementation ofEDUS so that it is not perceived as a technicalissue but as a matter dealing with the right toinformation.• Strengthen the training of staff in the judiciary,the CCSS and the legislature on issues such ascitizen surveillance, security and data privacy.• Strengthen the technical capacity of health staffon the development of public information systemsand the importance of managing privacyand data security, as well as the risk of citizensurveillance.EgyptEgypt’s internet surveillance: A case of increasing emergencyLeila Hassaninlhassanin@gmail.comIntroductionAfter the overthrow of Hosni Mubarak, Egypt’s presidentfor 30 years, on 11 February 2011, the countryhas been in political, social and economic turmoildue to an unstable transition that is still unfolding.Under Mubarak’s regime the information and communicationstechnology (ICT) sector had been aflagship for the Egyptian economy since the early2000s. To promote its growth and competitiveness,the sector has been modernised and liberalised tothe extent of becoming one of the most deregulatedand promising economic sectors in Egypt. 1The government’s plan was to make Egypt a regionaland global ICT outsourcing hub, on par withleading Asian countries. Egypt positioned itself asan international call centre and competed with Gulfcountries in its contribution to Arab content localisationand development. In addition, the countryhosts the SEA-ME-WE2, a central communicationnode linking the Middle East, Southeast Asia andEurope. The IT sector was a potential labour marketfor many income-seeking youth in Egypt who wereencouraged to acquire IT skills from networking andprogramming to hardware assembly and ICT customerservicing.In June 2013, 36 million Egyptians, or 43% ofthe population, were online – an increase of 4.79million from 2012. Mobile diffusion has literallygone through the roof, at 116%, i.e. 98.8 million in2013. 2 Egypt’s population was officially estimatedat 85 million in 2013. 3 This means that many adultEgyptians own more than one mobile phone. Smart-1 For a more detailed account on Egypt’s ICT infrastructure, seeHassanin, L. (2008). Egypt. In APC, Global Information SocietyWatch 2008: Access to infrastructure. www.giswatch.org/countryreport/2008/egypt2 Ahram Online. (2013, October 28). Egypt Internet users reach 36million in June 2013: MCIT. Ahram Online. english.ahram.org.eg/NewsContent/3/12/84996/Business/Economy/Egypt-Internetusers-reached--million-in-June--MCI.aspx3 World Population Review: worldpopulationreview.com/countries/egypt-populationphone diffusion, however, was estimated at only 5%in 2013, on the lower end in the region. 4With all this computer, mobile and internet diffusion,online spaces were also being used in waysthat the government did not like. Bloggers andpolitical activists began using mobile phones to organisestrikes and demonstrations. Social networksrallied youth to common political causes and blogswere used to vent discontent and alert the publicand international media to infringements – political,socioeconomic, gender-related or any other.The Egypt country report in GISWatch 2009: Accessto online information and knowledge givesexamples of online activism and the government’ssurveillance and control of bloggers and activists. 5The same tactics are still being employed, althoughsince February 2011 more repressive measures suchas widespread arrests and military trials of activistsand bloggers have been taking place.Internet surveillanceIn this report, internet surveillance is defined as“the monitoring of the online behavior, activities, orother changing information, usually of people, andoften in a surreptitious manner. It most refers to theobservation of individuals or groups by governmentalorganizations.” 6Surveillance includes scanning internet use,but is often conducted in a more intrusive mannerinvolving interception of electronically transmittedinformation online through special equipmentand software. Surveillance is done by direct humanobservation and automated means. Softwarecaptures internet traffic and analyses it. Remote accessto individual computers and mobile phones isalso widely used. Online open-source intelligence(OSINT), using information available through socialmedia, blogs, forums and so forth, is another importantmeans of information sourcing. In Egypt this isdone primarily by the government.4 Ipsos. (2013). Presentation at ArabNet, Beirut, Lebanon, 25 March.www.slideshare.net/IpsosMENA/ipsos-arab-net-presentationbeirut-20135 Hassanin, L. (2009). Egypt. In APC, Global Information SocietyWatch 2009: Access to online information and knowledge. www.giswatch.org/country-report/20/egypt6 IT Law Wiki: itlaw.wikia.com/wiki/Internet_surveillance120 / Global Information Society Watch egypt / 121


Egypt has not been identified as an “enemy ofthe internet” by Reporters Without Borders in their2014 report, despite the known internet surveillanceof perceived critics and enemies of incumbentpower holders.Under Mubarak there was an unspoken rule of“let the people vent” as long as there was no outspokencriticism or “foul language” used againstthe president, his family, or any leading politicalfigure. Citizens, and more specifically journalistsand opposition figures, were allowed to voice criticismon socioeconomic and political issues. It wasperceived as a political tool to disperse pent-upfeelings against an authoritarian regime, and therebyprevent a more damaging building up of politicaldissatisfaction. Surveillance and control were targetedat specific individuals. As the events of the25 January Revolution showed, this tactic did nothelp to dispel deep-set opposition to the Mubarakregime.Yet overall access to websites was kept open,aside from repeated legal attempts to clamp downon pornographic sites. Islamists have been tryingsince 2009 to ban porn sites through legal rulings,the latest of which was on 30 March 2012. 7 Theseefforts, however, were opposed, mostly by theMinistry of Communications and Information Technology(MCIT), as unenforceable for technical andfinancial reasons. 8It should be pointed out that the average Egyptiansurfing the internet has more freedom thanher or his user counterpart in the United States,for example. There is scant commercial and businesssurveillance, and online information is notwidely used commercially. There have also been nonoted stories of employers using online informationagainst their employees or prospective job seekers.The emergency law and internet surveillanceEgypt is in a period of political and socioeconomictransition after the popular revolution in early 2011.The initial aspiration for a more democratic systemhad failed due to a vacuum of order and security.The lawlessness that Egypt was subjected to afterMubarak’s stepping down from power led to7 OpenNet Initiative. (2012, March 29). Egypt’s government plansto block all online pornography. OpenNet Initiative. https://opennet.net/blog/2012/03/egypts-government-plans-banpornography-online;Associated Press (2012, November 7). Egyptprosecutor orders ban on online pornography. USA Today. www.usatoday.com/story/news/world/2012/11/07/egypt-ban-onlinepornography/16898478 El-Dabh, B. (2012, November 11). Ministry of Communicationsdetails difficulties in porn ban. Daily News Egypt. www.dailynewsegypt.com/2012/11/11/ministry-of-communicationsdetails-difficulties-in-porn-banwidespread public acceptance of a military holdover the country. President Abdel Fattah El-Sisihas been elected with the hope that he leads witha strong hand. Yet his political power is still in theprocess of consolidation, with the prospect of aclampdown on some of his most vocal and dangerousopponents continuing.Internet surveillance in Egypt is closely tiedto the “emergency law”, Law No. 162 of 1958. 9 Accordingto Sadiq Reza, Egypt’s rulers have usedemergency rule “to assert and maintain control overthe Egyptian populace at large.” This allowed themto establish a government based on emergency ruleusing exceptional measures of surveillance andcontrol. The legal institution of emergency powersand their enforcement have been “a vehicle for thecreation of the modern Egyptian state and a tool forthe consolidation and maintenance of political powerby the government,” allowing the suppression ofopposition. 10The emergency law’s main stipulations are statedin its third article. The law gives the governmenta wide margin of control that is loosely defined asfollows:• To restrict people’s freedom of assembly, movement,residence, or passage in specific timesand places; arrest suspects or [persons who are]dangerous to public security and order [and] detainthem; allow searches of persons and placeswithout being restricted by the provisions of theCriminal Procedure Code; and assign anyone toperform any of these tasks.• To order the surveillance of letters of any type;supervise censorship; seize journals, newsletters,publications, editorials, cartoons, and anyform of expression and advertisement beforethey are published, and close their publishingplaces.• To determine the times of opening and closingof public shops, and order the closure of someor all of these shops.• To confiscate any property or building, order thesequestration of companies and corporations,and postpone the due dates of loans for whathas been confiscated or sequestrated.• To withdraw licences of arms, ammunition, explosivedevices, and explosives of all kinds,order their confiscation by the government, andclose arms stores, and9 www.scribd.com/doc/3122113310 Reza, S. (2007). Endless Emergency: The case of Egypt. , 10(4),532-553. www.bu.edu/law/faculty/scholarship/workingpapers/documents/RezaS031208rev.pdf• To evict people from areas or isolate these areas;regulate the means of transport throughthese areas; and limit the means of transportbetween different regions. 11How does the Egyptian emergency law compare withthe 13 International Principles on the Application ofHuman Rights to Communications Surveillance? 12The emergency law seems to be diametrically opposedto the latter.The emergency law has been used almostuninterruptedly since 1981 in Egypt. With the ascendanceof the Supreme Council of the Armed Forces(SCAF) from February 2011 to June 2012, the law continuedto be in operation. After President Mubarakwas deposed, the SCAF became the governing bodyon 13 February 2011 to oversee the transfer of powerto a civilian government elected by the people.The SCAF was created in 1968 by President AbdelNasser to coordinate military strategies and operationsduring wars; it was not foreseen that it wouldbecome a national governing body. However, duringits six-month rule it managed to solidify its new politicalrole through constitutional amendments.During the SCAF’s rule there were several declarationsthat the emergency law would come to anend, 13 but this never happened. 14 The SCAF found itmore convenient to have the emergency law at handto engineer its political hold over the country.With the election of President Mohamed Morsias the Muslim Brotherhood government representativefrom 30 June 2012 to 3 July 2013, the emergencylaw was also found useful to control unrest andopposition. Notably, in two cases: once to subdueviolence in public places in the port cities of Ismailia,Suez and Port Said; 15 and the second time as anexcuse to fight “thuggery” – but it was also used tosilence the media. 16The emergency law came into full power anduse with Morsi’s removal by the army under GeneralAbdel Fattah al-Sisi on 3 July 2013. The interim governmentthat ruled for 11 months used widespread11 Emergency Law, Law No. 162 of 1958.12 https://necessaryandproportionate.org/text13 Ahram Online. (2012, May 31). Egypt state of emergency endsfor the first time in 30 years. Ahram Online. english.ahram.org.eg/NewsContent/1/64/43368/Egypt/Politics-/Egypt-state-ofemergency-ends-for-first-time-in--y.aspx14 Shenker, J. (2011, September 16). Egyptians rally in TahrirSquare against return of emergency laws. The Guardian. www.theguardian.com/world/2011/sep/16/egyptians-rally-tahrirsquare-laws15 BBC. (2013, January 28). Egypt unrest: Morsi declares emergencyin three cities. BBC. www.bbc.com/news/world-2122464316 Ahram Online. (2012, August 28). President Morsi consideringnew emergency laws: Justice Minister. Ahram Online. english.ahram.org.eg/NewsContentP/1/51440/Egypt/President-Morsiconsidering-new-emergency-laws-Jus.aspxsurveillance, control and detention againstmembers of the Muslim Brotherhood and youthprotestors in the 25 January Revolution. Accordingto WikiThawra, security forces arrested more than41,000 Egyptians for political transgressions 17 afterMorsi’s removal. 18 The arrests were mainly of MuslimBrotherhood supporters, liberal youth and othersecular political opponents.El-Sisi had just been declared president when itwas leaked that the Ministry of Interior had advertisedan international tender for the surveillance ofsocial networking sites frequented by Egyptians. 19Nearly simultaneously, Bassem Youssef, the leadingEgyptian comic, who rose to fame with his politicalsatire on YouTube after the 2011 revolution, endedhis TV show citing unbearable pressure on himselfand his family. 20ConclusionEgypt is going through unprecedented times: the recentpast is not pointing to a more open, transparentpolitical system. There is popular backing, after threeyears of debilitating unrest and chaos, for a strongarmedgovernment – even at the expense of personalfreedoms. In addition, the government is also waggingthe fundamentalist threat card and justifyingthe emergency laws and online surveillance andcontrol as a means to protect its people. In the foreseeablefuture, online surveillance and control willbe stepped up by the El-Sisi government. The trackingof and crackdown on dissidents will intensify.From a non-governmental perspective, at leastfor now, Egyptians are not seriously in danger of beingmined online for commercial and business dataand information. As to the availability of websites ingeneral, it remains to be seen if they will continueto enjoy the relatively open internet access they historicallyhad in terms of access.However, politically speaking, Egypt seems tobe looking at a lengthy period of instability withcontinuous repression of “divergent elements”. Thismeans ongoing online surveillance, among othermore traditional surveillance methods. Legally,surveillance has been justified by the government17 From 3 July 2013 to 15 May 2014.18 WikiThawra: Statistical Data Base of the Egyptian Revolution.wikithawra.wordpress.com/author/wikithawra19 Gamal el-Deen, K. (2014, June 3). Egypt to impose surveillanceon social networking sites. PressTV. www.presstv.ir/detail/2014/06/03/365344/egypt-to-impose-surveillance-onsocial-networking-sites20 Hendawi, H. (2014, June 2). Egyptian satirist Bassem Youssef endshis TV show. The Boston Globe. www.bostonglobe.com/news/world/2014/06/02/egyptian-satirist-bassem-youssef-ends-hisshow/7tKEX0yMhjKFVsYcSy0jgL/story.html122 / Global Information Society Watch egypt / 123


since 1958 as an attempt to secure the country internallyfrom Islamists and externally from its mainenemies, Israel and Iran, and their cronies.This “state of emergency” was lifted after 11February 2011, when Mubarak was deposed, but reinstatedin September 2011 by the SCAF. The stateof emergency gives the government a free hand tosuppress meetings, demonstrations and strikes andallows imprisonment, confiscation and detentionwithout a warrant or additional legal justification. Italso gives a green light to any form of online surveillanceand control.With El-Sisi as president, there does not seemto be any reason why the emergency law shouldcease. On the contrary, with the Islamist threat, thenew government has more of an alibi to extend it.Egypt’s new government is also using the argumentthat in Europe and the United States, widespreadinternet surveillance of citizens is happening. 21Action stepsFree online speech is not looking at a promising nearfuture in Egypt. With enormous political, economicand social challenges at play, it is not foreseeablethat the emergency law, and consequently internetsurveillance, will be reined in any time soon. In fact,recent indications point to the opposite.Are there any concrete new actions steps? Notreally. What can be said is that:• Journalists, bloggers and civilians have beentrained by various international organisations,including Reporters Without Borders, on communicationand data protection for years. 22• Individual surveillance circumvention is notoriouslyhard and leaky. Egypt is among manycountries that face online surveillance and,even with more stable political systems, governmentstend to raise the spectre of “terrorism” tojustify widespread surveillance, as has been thecase with the National Security Agency (NSA) inthe US. As the surveillance technology is easilyacquired by government agencies and ishard to detect by civilians, it remains doubtfulthat online surveillance will decrease. In addition,internet service providers (ISPs), searchengines, social networks and the like are underlegal pressure to comply with governmental requestsfor data disclosure.What does that mean for the activist? The usual catand mouse game of trying to come up with codesand dodging being tracked by encrypting connections.Any code or tracking evasion will be found outsooner or later, so the name of the game is to stayahead, change often – or maybe it is time to look fora less surveilled communication channel?EthiopiaThe potential impact of digital surveillance on the uptakeand use of the internet in EthiopiaEthiopian Free and Open Source Software Network(EFOSSNET)Abebe Chekolabechekol@yahoo.comIntroductionEthiopia is the oldest independent country in Africaand one of the oldest in the world. 1 Politically, Ethiopiais a federal republic under its 1994 constitution.The current ruling party, the Ethiopian People’sRevolutionary Democratic Front (EPRDF), has governedEthiopia since 1991. Since taking power, theEPRDF has led ambitious reform efforts to initiatea transition to a more democratic system of governanceand decentralise authority. Although stillconsidered one of the world’s poorest countries, thesecond most populous nation in Africa has recordedfast growth over the last five years. In 2012/2013, itseconomy grew by 9.7%, which made it one Africa’stop-performing economies. 2The latest survey from the World Economic Forumputs Ethiopia at 130th out of 148 countries in itsNetworked Readiness Index. 3 The index measuresthe ability of economies to leverage informationand communications technologies (ICTs) to boostcompetitiveness and well-being. Internet usage inEthiopia is still in its infancy, with less than 1.5% ofEthiopians connected to the internet and fewer than27,000 broadband subscribers countrywide.In the context of the International Principles onthe Application of Human Rights to CommunicationsSurveillance, 4 this report assesses the ICT developmentpolicy and legal environment in Ethiopia, andhow digital surveillance could impact on this.Policy and legal frameworksArticle 26 of the 1994 Ethiopian Constitution stateswith regard to the “Right to Privacy”: “All personshave the right to the inviolability of their letters,post and communications by means of telephone,telecommunications and electronic devices.” Itfurther states: “Public officials shall respect andprotect these rights. They shall not interfere withthe exercise of these rights except in compellingcircumstances and in accordance with specificlaws which aim to safeguard national security, publicsafety, the prevention of crime, the protectionof health, morals and the rights and freedoms ofothers.”There are, therefore, specific laws that allowpublic officials to interfere with the exercise of therights of individuals granted in the constitution.These laws are as follows:Anti-Terrorism Proclamation No. 652/2009. 5Article 14 of the Anti-Terrorism Proclamation, on“Gathering Information”, proclaims: “To preventand control a terrorist act, the National Intelligenceand Security Service may, upon getting a court warrant:a) intercept or conduct surveillance on thetelephone, fax, radio, internet, electronic, postaland similar communications of a person suspectedof terrorism; b) enter into any premise in secretto enforce the interception; or c) install or removeinstruments.”Prevention and Suppression of Money Launderingand Financing of Terrorism Proclamation No.780/2013. 6 Under “Investigative Techniques”, part4 of Article 25 of this Proclamation declares: “Forthe purpose of obtaining evidence of money launderingor financing of terrorism or tracing proceedsof crime, the judicial organs may authorize crime investigationauthorities, for a specific period, amongothers, to access computer systems, networks andservers; and to place [an individual] under surveillanceor to intercept communication; and tointercept and seize correspondence.”Telecom Fraud Offence Proclamation No.761/2012. 7 Under this law, evidence gatheredthrough interception or surveillance in accordancewith the Criminal Procedure Code and other rel-21 Amnesty International. (2014, June 4). Egypt’s plan for masssurveillance of social media an attack on internet privacy andfreedom of expression. Amnesty International. www.amnesty.org/en/news/egypt-s-attack-internet-privacy-tightens-noose-freedomexpression-2014-06-0422 Reporters Without Borders. (2014). Enemies of the Internet 2014.12mars.rsf.org/wp-content/uploads/EN_RAPPORT_INTERNET_BD.pdf1 www.ethioembassy.org.uk/fact%20file/a-z/history.htm2 World Bank. (2012). World Atlas. www.worldatlas.com/aatlas/world.htm3 Bilbao-Osorio, B., Dutta, S., & Lanvin, B. (Eds.) (2014). The GlobalInformation Technology Report 2014: Rewards and Risks of BigData. Geneva: World Economic Forum, INSEAD, and JohnsonGraduate School of Management, Cornell University.4 https://en.necessaryandproportionate.org/text5 Federal Democratic Republic of Ethiopia. (2009). Anti-TerrorismProclamation No. 652/2009.6 Federal Democratic Republic of Ethiopia. (2013). Proclamation onPrevention and Suppression of Money Laundering and Financing ofTerrorism, Proclamation No. 780/2013.7 Federal Democratic Republic of Ethiopia. (2012). Telecom FraudOffence Proclamation No. 761/2012.124 / Global Information Society Watchethiopia / 125


evant laws will be admissible in court in relation totelecom fraud offences.Key issuesThere has been a proliferation of counter-terrorismlegislation globally following 9/11, which isconsidered a turning point in the history of counterterrorism.8 As indicated above, Ethiopia also passedan anti-terrorism law in July 2009. Since its promulgation,this law and its application have beencontroversial. A recent BBC article 9 published on25 March 2014, referring to a Human Rights Watch(HRW) report on Ethiopia, reported the Ethiopiangovernment’s use of imported technology (mainlyfrom European and Chinese firms) to undertakesurveillance on the phones and computers of itsperceived opponents. The report points out thatgiven that all phone and internet connections inEthiopia are provided by a state-owned company,the government has the power to monitor communicationsand have access to all call records of alltelephone users in the country. This includes accessto recorded conversations that can be usedin the interrogation of suspects. According to theHRW report, the government has extended its surveillanceto Ethiopians living overseas. Ethiopiansliving abroad (mainly in the United Kingdom and theUnited States) have accused the government of usingspy software on their computers.In terms of the legality and legitimate aim ofsuch action, the government has issued the anti-terrorismlaw on the grounds of the clear and presentdanger of terrorism in Ethiopia, coupled with the inadequacyof ordinary laws to deal with this reality.Furthermore, it also argues that the United NationsSecurity Council resolution 1373 (2001) requirescountries (including Ethiopia) to pass the law. 10However, given the fact that digital surveillance is ahighly intrusive act that interferes with the rights toprivacy and freedom of opinion and expression, theproportionality of its application is feared to underminethe democratic process.The Ethiopian Television and Radio Agencyhosted a debate 11 in August 2013 among politicalparties on a range of issues relating to the Ethiopiananti-terrorism law and its application. While8 Kassa, W. D. (2013). Examining Some of the Raisons D’Être for theEthiopian Anti-Terrorism Law. Mizan Law Review, 7(1).9 BBC. (2014, March 25). Ethiopia uses foreign kit to spyon opponents – HRW. BBC. www.bbc.com/news/worldafrica-2673043710 United Nations Security Council Resolution 1373 (2001), adoptedby the Security Council at its 4385th meeting, on 28 September2001.11 www.youtube.com/watch?v=-g5JhwpAt4Uthe incumbent ruling party argues the legitimacyof this law on the grounds of the clear and presentdanger of terrorism in Ethiopia, the oppositionparties argued the impact of this law on democraticrights and processes in the country. Furthermore,this can be considered a means of popularising thelaw to create awareness among the wider public,given there is little evidence of the level of awarenessamong the public in general on the use andscope of digital surveillance techniques and powersstated in the law. There is also little awareness bothamong civil society and the legislature of internationalprinciples such as user notification, whereindividuals should be notified of a decision authorisingcommunications surveillance with enoughtime and information to enable them to appeal thedecision, or the need for independent public oversightmechanisms.With regard to the international principle on theintegrity of communications and systems, wherestates should not compel service providers or hardwareor software vendors to build surveillance ormonitoring capability, the anti-terrorism law declaresin Article 14 that “any communication serviceprovider shall cooperate when requested by the NationalIntelligence and Security Service to conductthe interception.”A recent article in Addis Fortune 12 reflects concernfor privacy and data protection amidst thegrowing use of the internet in Ethiopia and globaldigital intrusion. In this context, the internationalprinciple on safeguards for international cooperationsuggests applying the higher level of protectionfor individuals where there are agreements betweenstates. Furthermore, the international principle onsafeguards against illegitimate access suggeststhat states should enact legislation criminalisingillegal communications surveillance by public andprivate actors. In both instances, there is concernthat Ethiopia does not have a legal framework thatcould make authorities liable for a breach of userdata and cross-border cyber-security issues. Thisoccurs in the context of a lack of concern fromEthiopian internet users on the subject, and is oneimportant gap that needs to be addressed by thegovernment. Such a gap is also noted in the Informationand Communication Technology Policy of2009, which clearly recognises the need, amongother cyber-oriented laws, to issue a data protectionlaw.12 Yilma, K. (2012, June 5). Unprepared Ethiopia faces privacyintrusion. Addis Fortune. addisfortune.net/columns/unpreparedethiopia-faces-privacy-intrusionAs the number of internet users increases overtime – the government plans to increase it to 3.69million by the end of the Growth and TransformationPlan (GTP) period in 2015 13 – the data privacy ofinternet users in Ethiopia will undoubtedly becomecrucial if this sector is to contribute its share to theeconomy. A recent report from the McKinsey GlobalInstitute 14 indicates that, as in many countries in Africa,the internet’s contribution to Ethiopia’s grossdomestic product (GDP) is 0.6%, which is low comparedto the leading countries of Senegal (3.3%)and Kenya (2.9%). Ethiopia falls under the categoryof countries that perform below their weight, alongwith Angola, Algeria and Nigeria.It would therefore be important to assess theimplications of digital surveillance on the growthof ICT-based services such as e‐commerce 15 ande‐government, 16 which are both key sectors givenprominent attention in the implementation of thenational ICT policy in Ethiopia. The Ministry ofCommunications and Information Technology iscurrently implementing the e‐government strategy,which aims to develop more than 200 e‐services(currently in different phases of implementation)and get 20% of government departments online. 17There is also evidence of the growing use of ICTs inbusiness, with internet use in companies in Ethiopiarated at 3.6 on a 0 to 7 index range. 18 It is thereforeimportant to review the impact of laws on the growthand use of the internet in various sectors.For example, although the proclamationon the “Prevention and Suppression of MoneyLaundering and Financing Terrorism” does not explicitlyaddress e‐commerce, there is a need toassess whether the provisions of the law have animpact on e‐commerce broadly and electronic fundtransfers specifically. Similarly, e‐government couldbe affected by the legislation mentioned above inboth positive and negative ways, which requiresfurther investigation. While the intense focus onimproving data collection and information practicesand systems may contribute to the establishmentof government-wide technical standards and bestpractices that could facilitate the implementation13 Ibid.14 McKinsey & Company. (2013). Lions go digital: The Internet’stransformative potential in Africa. Johannesburg: McKinsey GlobalInstitute.15 Commercial transactions on the internet, whether retail businessto-customeror business-to-business or business-to-government,are commonly called electronic commerce, or “e-commerce”.16 E-government involves using information technology, andespecially the internet, to improve the delivery of governmentservices to citizens, business, and other government agencies.17 McKinsey & Company. (2013). Op. cit.18 Ibid.of new and existing e‐government initiatives, itcould also promote the use of secure web portalsto help ensure the data integrity of transactions betweenthe government and citizens and business.However, concerns about the potential abuses ofdata collection provisions could jeopardise citizenenthusiasm for carrying out electronic transactionswith the government.With the evolution of the internet and digitalcommunications, new trends are emerging andregulatory interventions are becoming even morecomplex in the context of these emerging issues– such as the revelations of widespread internetsurveillance, human rights imperatives, the line betweenprivacy versus security, and managing criticalresources that make the internet possible. In thisregard, governments should demonstrate greatertransparency as regards their practices in the collectionof personal data, taking into account theconsiderations of national security, citizen rightsand public accountability.ConclusionsThe World Summit on the Information Society(WSIS) Action Plan recommends “cooperationamong the governments at the United Nations andwith all stakeholders as appropriate to enhanceuser confidence, build trust, and protect both dataand network integrity; consider existing and potentialthreats to ICTs; and address other informationsecurity and network security issues.” Though belatedin realising the legal framework in changingcircumstances, such as the growing ubiquity of theinternet, the Ethiopian government has recentlystarted working on these issues. Laws that regulateonline behaviour and transactions are in thepipeline. A cyber-crime law, drafted by the InformationNetwork Security Agency, and an e‐commercelaw, drafted by the Ministry of Communicationand Information Technology in collaboration withthe United Nations Economic Commission for Africa(UNECA), are examples. In this regard, theConference of African Union Ministers of Justiceadopted the African Union Convention on Cybersecurityand Personal Data Protection in May 2014.The Convention, which was drafted by UNECA incollaboration with the African Union Commission,and which has been reviewed through a series ofsub-regional consultations with regional economiccommunities, is expected to be tabled before theAfrican Union Heads of State and Government forratification later this year. The Convention coversfour areas, namely cyber security, combating cybercrime, electronic transactions (e‐transactions), and126 / Global Information Society Watch ethiopia / 127


data protection and privacy. Countries will thereforebe expected to amend their cyber security anddata protection laws to bring them in line with theConvention.This will help harmonise the existing legislationdiscussed above with respect to digitalsurveillance. While many of the provisions relatedto the surveillance and investigatory powers of lawenforcement have raised concerns within the privacyand civil liberties communities, there is alsothe potential impact that this harmonisation canhave on the growing use and application of ICTsin business through e‐commerce, and governmentservices through e‐government. The challenge isto strike the balance on the use and application ofthese laws between the need for counter-terrorismmeasures and the imperative the respect to rightsgranted in the constitution.Action stepsWhile close to 90 countries have so far issued dataprotection laws, Ethiopia has not. It is noted abovethat the Information and Communication TechnologyPolicy of 2009, however, clearly recognises theneed, among other cyber-oriented laws, to issue adata protection law. 19 Therefore there is a need forEthiopia to develop a data protection and privacylaw that can harmonise existing laws that affectthese rights.However, as much as establishing the requisitelegal framework, raising public awareness abouthuman rights and fundamental freedoms is verycrucial. The Ethiopian Human Rights Commissionis one stakeholder in this area in Ethiopia. It wasestablished by law with the objective of “educatingthe public with the view to enhance its tradition ofrespect for and demand for the enforcement of humanrights [through the public] acquiring sufficientawareness regarding human rights.” The Commissionneeds to scale up its efforts in an era wherethe human right to privacy is being strongly challengedwith the evolution of new and emergingtechnologies – and new state imperatives, such ascountering terrorism.The laws related to cyber crime and e‐commerceneed to be reviewed, not only to attune them toemerging challenges, but to address the challengesof data protection and privacy in order to build confidenceand trust in the use of ICTs in general andthe internet in particular.19 Yilma, K. (2012, June 5). Op. cit.GambiaCommunications surveillance in the Gambia: Trends and tricksFront Page InternationalDemba Kandehwww.frontpageinternational.wordpress.comIntroductionSurrounded by Senegal on three sides and theAtlantic Ocean to the west, The Gambia is the tiniestcountry in mainland Africa. 1 It is home to 1.8million people with a land mass of about 11,300square kilometres. The majority of the populationare farmers with a literacy rate of about 38%. Sinceindependence from Britain in 1965, The Gambia sofar has had two presidents: Dawda Kairaba Jawara,who led the country to independence and remainedin power until he was overthrown in a “bloodlesscoup” in July 1994, followed by then-Lieutenant YahyaAJJ Jammeh. 2Jammeh’s government criticised Jawara for hisslow economic progress in general, and, in a questto avert what it called “retrogression”, investmentin information and communications technologies(ICTs) was considered key. 3 Given the opportunitypresented by an already relatively good telecommunicationnetwork, the government and the UNDevelopment Programme (UNDP) launched TheGambia’s Internet Initiative project in 1998. 4 Theproject was aimed at opening a gateway to connectThe Gambia to the internet, and to build a nationalbackbone and points of presence (POPs) aroundthe country to provide high-speed internet accessto major centres. It also sought to encourage andnurture competition and private sector participationin internet provision. This programme wasmonitored by a USD 100,000 three-year supportproject. Project assessment reports for the period1998-2002 showed that major developments hadnot just been made in internet connectivity, butthat it “increased ICT investment and start-up operations,creating a context of advanced access and1 History World, History of The Gambia. www.historyworld.net/wrldhis/plaintexthistories.asp?historyid=ad472 BBC News, The Gambia country profile. www.bbc.com/news/world-africa-133765173 Status of ICT Access, Usage and Exploitation in The Gambia, FinalReport, September 2007, available at the Gambia National Library.4 NIC Gambia. www.nic.gm/htmlpages/gm-internet.htmtechnological capacity.” 5 However, more than a decadelater, all indications are that those gains werenever consolidated.Policy and political backgroundThe internet and other public utilities are regulatedunder The Gambia Public Utilities RegulatoryAuthority Act 2001. 6 The Act, among other things,called for the creation of a public utilities regulatorybody. Consequently the Public Utilities RegulatoryAuthority (PURA) was established to regulate theactivities of service providers of some public utilitiesin various sectors of the economy. The Act toestablish the authority only came into force towardsthe end of 2003, while PURA was formallyset up a year later, in 2004. The establishment ofPURA was supported by a study on the appropriateregulatory framework for the sector, which includedprivate sector participation, and was funded bythe Public Private Infrastructure Advisory Facility(PPIAF) through the World Bank. Nevertheless, expertopinion on PURA in the telecoms sector seemsdivided, with many being pessimistic of the body’scapabilities vis à vis its responsibilities. “PURA isnot equipped enough to live up to its challengeof ensuring the proactive and effective implementationof sound policies governing the regulatedsectors, such as telecommunications, among others,in a predictable, equitable and transparentmanner,” said an expert on the sector who preferredanonymity.The government of The Gambia, through theMinistry of Communication Infrastructure and InformationTechnology, pays a lot of attention to ICTsand works toward growth in the sector, most notablywhen it comes to information technologies (IT).The government believes IT can be of great valuein various economic sectors of the country if usedwisely, especially for decision making. However, it isevident that the state is fearful of the consequencesof the free and uninterrupted flow of information,especially through the use of new technologies – a5 Pro-PAG/CUTS Partnership. (2008). Strengthening Constituenciesfor Effective Competition Regimes in Select West African Countries:Preliminary Country Paper (PCP) – The Gambia.6 www.pura.gm128 / Global Information Society Watchgambia / 129


fundamental reason for the tight regulation of thesector.Communication surveillance in The GambiaDuring May 2006, the government obtained thenames, addresses, phone numbers and emailaddresses of all subscribers of a very popularcontroversial online news site. 7 The governmentdescribed the Freedom Newspaper subscribers as“informers”, and went on the rampage to arrestand detain them. Several people, most of themjournalists, human rights activists and politicians,were arrested and detained for weeks, but releasedwithout any court charges. Reports emerged laterthat the person who hacked into the Freedom Newspapersite was a British Telecom client using the IPaddress of an internet user based in the UK city ofSouthampton. The hacker erased all of the paper’scontent and replaced the welcome page with a messagepurportedly signed by Pa Nderry M’bai, thepublisher and editor. The message said: “I have decidedto stop producing the Freedom Newspaper asI have pledged an allegiance with my brother EbouJallow to join the APRC election campaign.” A formerarmy captain, Jallow used to be the spokesmanfor President Jammeh’s military junta. The APRC isthe president’s party, the Alliance for Patriotic Reorientationand Construction.M’bai is a self-exiled Gambian journalist. 8 Helaunched the Freedom Newspaper in early 2006. Itis very critical of Jammeh and his government. M’baiused to work for the then tri-weekly newspaper, ThePoint (now a daily paper), co-founded by slain Gambianjournalist Deyda Hydara.The fake message added: “This is a list of thepeople that were supplying me with information.” Itwas followed by the names and details of all thosewho had set up user accounts for the site. With helpfrom the US company that hosts the site, and fromReporters Without Borders, M’bai managed to regaincontrol of the site.Following the hacking, on 24 May 2006, underthe headline “Freedom Newspaper informersexposed”, the pro-government Daily Observer newspaperpublished M’bai’s photo on its front page,describing his paper as “subversive”.This was met with an outcry from activists. “Thiscase of hacking is serious and revolting,” a statementreleased by Reporters Without Borders said,7 The Daily Observer. (2006, May 24). Gambia: Freedom NewspaperInformers Exposed. AllAfrica. allafrica.com/stories/200605250666.html8 Reporters Without Borders. (2006, May 30). Online newspaperhacked, editor smeared and subscribers threatened. ReportersWithout Borders. archives.rsf.org/article.php3?id_article=17842adding that the climate in which Gambian journalistswork is totally poisonous.“Not only was the reputation of a journalist besmirchedbut a large number of internet users havebeen put in danger. And it is absolutely astoundingthat the Daily Observer became an accomplice bypublishing the list of these so-called informers anddescribing them as ‘subversive’,” it further noted.Since this incident in 2006, the government hasworked tirelessly to help tighten its control over thetelecommunications sector as it grows. The servicesof experts, analysts and consultants from farand wide were contracted with a view to produce a“legal and regulatory framework” that keeps a firmgrip on this emerging sector. The government’s effortshave since yielded dividends, and a numberof policies and programmes were introduced witha view to enhance growth in the sector. The mostimportant in our context among the “innovations ofthe government” was the enactment of the Informationand Communications Act 2009. 9The Information and Communications Act (ICA)2009 was adopted with a view to addressing theconvergence of the telecommunications, broadcastingand information technology sectors, includingthe internet. It is important to note key contents ofthe law. The ICA has 252 provisions and is dividedinto five chapters: preliminary matters; the regulationof information and communication systemsand services; information society issues; regulatoryprovisions for broadcasting content; and miscellaneousmatters. In addition to telecommunicationsand broadcasting regulation, the Act also effectivelydeals with cyber crime and the processing of personaldata.The ICA places the regulation of the telecommunicationsand broadcasting sectors under PURA.A detailed analysis of the ICA and other medialaws in The Gambia by Article 19, an independentinternational NGO focusing on freedom of expressionand media issues, illustrates deep flaws in thelegal framework. Article 19 noted at the outset thatentrusting the same entity with the regulation ofsectors as widely different as water and electricityservices and the telecommunications sector is confusingand undesirable. It therefore recommendedthe creation of a separate public authority withpowers to regulate the telecommunications andbroadcasting sectors.Article 19 highlighted as its main concern thatthe ultimate authority in respect of telecommunicationsand broadcasting licensing is the minister (i.e.the executive). It pointed to problematic clauses9 www.wipo.int/wipolex/en/details.jsp?id=10478in sections 7(2), 22, 23, 27, 215, 226, 230 and 232to 236 in this regard. Section 230(1), for example,provides that “the Minister, on the advice of theAuthority, shall issue broadcasting licences in sufficientnumbers to meet the public demand forbroadcasting services.”Similarly, sections 232 to 236 provide that uponrecommendation by the Authority, the Minister“may” renew, revoke or suspend a broadcasting licence.PURA therefore merely has an advisory role,while the ultimate decision-making power restswith the minister. This, however, contradicts internationalstandards on freedom of expression, whichrequire that all public bodies exercising powers inthe areas of broadcast and/or telecommunicationsregulation be institutionally independent so as toprotect them from undue political or commercialinterference.But what is more serious in our case is Section138 of the ICA, which gives sweeping powersto the national security agencies and investigatingauthorities to monitor, intercept and store communicationsin unspecified circumstances. The sectionfurther provides that the minister may require informationand communication service providers to“implement the capability to allow authorised interceptionof communications.”While Section 138 essentially raises issues ofprivacy of communications, and the protection ofprivate life more generally, it has serious implicationsfor communications. It seems to legitimisegeneral public concerns over the privacy of their“private” communication. This raises more seriousissues of surveillance in a country that is alreadynotorious for violations of basic human rights. Andindeed, even in places such as The Gambia whereinternet penetration is more limited than in moredeveloped countries, particularly in the West, theability of individuals to freely communicate on theinternet, using email, social media networks orother web platforms, has become an essential aspectof our daily lives. There are four times morepeople on the internet 10 in The Gambia today thanthe population of the capital city of Banjul. 11 In thiscontext, unchecked internet surveillance or “monitoring”but also the monitoring of communicationin general is perhaps one of the greatest dangers toprivacy both online and offline.Privacy activists and other rights defenders willtherefore argue that any restriction on freedoms10 Trading Economics, Internet users in Gambia (2011). www.tradingeconomics.com/gambia/internet-users-wb-data.html11 Access Gambia, Population Figures for Gambia. www.accessgambia.com/information/population.htmlmust be strictly measured against the three-parttest laid down under international law. Those limitationsmust be clearly defined by law, pursue alegitimate aim and be proportionate to the aim pursued.The interception of private communications inparticular should be limited only to the investigationof serious criminal activity.One can safely argue that despite the need toinvestigate serious crimes, there is an obvious dangerthat such unchecked and open powers given toa powerful arm of government (the executive) canbe easily abused unless clearly constrained by law.We can conclude that the provisions of the ICA ingeneral and this section in particular substantiallyfail to meet the requirements of international law asindicated above.For Article 19, given the breach of the requirementof legal certainty, it is impossible to predictunder Section 138 in which circumstances theauthorities may intercept or monitor communications.12 The only exception to this is perhapsSub-section 2, which bizarrely provides that a useror subscriber fearing for his life or physical integritymay authorise such interception, rather than a judicialauthority. This is also a very extreme situation,and unwarranted.It is clear that Section 138 does not providefor monitoring or interception to be authorisedonly by a judge nor that it should at all times be incompliance with the requirements of necessity orproportionality. Against this background, the factthat information and communication service providersmay be required by the minister to “implementthe capability to allow authorised interception” isnot just less than ideal, but detrimental to the freeflow of communications and privacy.On 3 July 2013, the National Assembly amendedthe ICA, stipulating a 15-year jail term or a fine ofthree million Gambian Dalasi (GMD) (approximatelyUSD 75,000), or both a fine and imprisonment, forthe offence of spreading “false news” against thegovernment or its public officials on the internet. 13While the amendment imposes penalties for “instigatingviolence against the government or publicofficials,” it also targets individuals who “caricatureor make derogatory statements against officials” or12 Article 19. (2012). The Gambia: Analysis of Selected Laws on Media– Overview. www.article19.org/resources.php/resource/3043/en/the-gambia:-analysis-of-selected-laws-on-media13 Article 19. (2013, July 10). The Gambia: New internet law furthersgovernment crackdown on free expression. Article 19. www.article19.org/resources.php/resource/37152/en/the-gambia:--new-internet-law-furthers-government-crackdown-on-freeexpression#sthash.qisIlU1J.dpuf130 / Global Information Society Watch gambia / 131


“impersonate public officials.” Activists and rightsgroups have criticised the amendments severely. 14The National Assembly had previously come underheavy criticism from activists and rights groupsfor an amendment of Section 114 of the CriminalCode which raised the jail term of six months or afine of GMD 500 (about USD 17), or both, up to fiveyears or a fine of GMD 50,000 (about USD 1,700) forpersons convicted of giving false information to apublic official. 15According to Article 19, the legal framework forICTs, including private communications, should notallow state authorities to assume sweeping powersover ICT operators and providers – in particulartheir equipment or content going through their networks– in undefined circumstances, including in anemergency. 16Conclusion and action stepsIt is evident that the government of The Gambiafears the opportunities for transformative democracypresented by ICTs and the internet in particular.The government is therefore struggling daily tomaintain a firm grip on ICTs and the internet. This isalso corroborated by the fact that the governmenthas blocked over 20 online news websites and14 Joof, M. S. (2013, July 8). The Gambia’s Internet Law: RSFvery disturbed, Amnesty International shocked. Front PageInternational. frontpageinternational.wordpress.com/2013/07/08/the-gambias-internet-law-rsf-very-disturbed-amnestyinternational-shocked15 JollofNews. (2013, May 8). Amnesty Int’l Denounces Gambia’sHarsh Criminal Law. JollofNews. www.jollofnews.com/.../3827-amnesty-intl-denounces-gambias-harsh-cri16 Ibid.pages. The popular instant messaging and callingservice Viber is also blocked. There are also indicationsthat proxies such as Anonymouse.org andthe Tor browser are being blocked in the country.The situation is therefore similar to what occurs incountries such as China, Ethiopia and Iran, as wellas some other parts of the Arab world.The government has denied any involvementin filtering and points to services providers whoare suspected of hiding behind vague governmentregulations. Citizens and human rights groups generallyblame the government for the status quo. It isobvious that unless there are concerted efforts, thesituation is not likely to change, at least not in thenear future.Advocacy efforts should be directed toward thede-legislation of the ICA Act, as well as the 2013amendments. This should be followed by strategicplanning to create a well-regulated sector. Specialefforts should be directed at reviewing and amendingSection 138 to bring it more closely in line withinternational standards for the protection of humanrights. In particular, it should be made clear that interceptioncan only be authorised by a judge for thepurposes of investigating serious crimes and subjectto the requirement of proportionality.HungaryData retention and the use of spy software in HungaryÉva Tormássytormassyeva@gmail.comIntroductionAfter a series of coordinated suicide attacks inMadrid in 2004 and in central London in 2005,the European Union reacted by passing the socalledData Retention Directive in 2006. Hungaryas a member state of the European Union wasobliged to introduce mandatory telecommunicationdata retention – that is, the retention of datagenerated or processed through the provision ofpublicly available electronic communications servicesor by public communications networks. Asa result of the Data Retention Directive, all telecommunicationservice providers in Hungary haveto collect and store so-called metadata, or datawhich shows who, when, where and with whomanyone tried to communicate or successfully communicatedvia email or phone. The Directive gavethe freedom for the member states to choose theperiod of time their telecommunication serviceproviders have to keep the data which, also accordingto the Directive, should be made availableto the competent national authorities in specificcases when a suspicion of serious crime arises(e.g. an act of terrorism). According to the Directive,data made available for the purpose of theinvestigation, detection and prosecution of crimesshould only be about the fact (who, where, whenand with whom email was exchanged or communicationtook place by mobile phone), not thecontent. However, when the directive was implemented,Hungary failed to make the distinctionbetween the fact and the content of the data.There is therefore a danger that the providerskept the content of the communication and theauthorities received more information about certaincitizens than they should have. The only goodnews for Hungarian citizens at the time of the implementationwas that the decision makers chosethe shortest possible period which was allowed,meaning the service providers have to keep themetadata for six months only in Hungary.New times, old habitsHungary was a member of the Soviet bloc before1989, a so-called communist country where the surveillanceof citizens by different authorities had along history, even if this history was not as bloodyas in certain other member states of the communistbloc. Most citizens had little personal experience ofsurveillance, and when the Berlin Wall collapsed in1989 and the doors to the secret archives opened,many people must have been surprised how muchthe state knew about them and their private lives.As a consequence of this, the newly adoptedlaws after the collapse of communism were verycareful when it came to citizens’ privacy and respectingthe right to a private life. Before Hungaryadopted the Data Retention Directive, the law ondata retention was tied to judicial authorisationwhich was given in cases of suspicion of seriouscrimes. The police or any other authority had to submita formal request for receiving the data from theservice providers; however, with judicial authorisationthey had the right to collect the data for threeyears.The judicial authorisation was a strong safeguardwhich disappeared with the implementationof the Data Retention Directive. The implementationtook place in 2008, under a socialist-liberalgovernment, and the competent ministry which wasresponsible for the implementation chose theshortest possible period for data retention becausethe minister was delegated by the liberal party. Butthat was the last good news for Hungarian citizens.The implementation forgot about the basicsafeguards in the law. The text was not clear when itcame to not storing the content of the data and didnot mention the necessity of judicial authorisation,court oversight or any external supervisory mechanism.The law also forgot to prescribe the obligationto inform the person concerned about the use ofhis/her data, and to inform the person who was undersurveillance, as well as the obligation to destroythe data after the end of legal proceedings. Lastly,there was nothing about who guards the guardians:who inspects or monitors the process of destroyingthe data when the retention time is over. Possiblythe worst thing of all was that the authorities weregranted direct access to the telecommunication132 / Global Information Society Watchhungary / 133


service providers’ data rooms (a special technicalconnection has been set up between the companiesand the national security authorities). And thesecurity men sitting on the two sides of the tableall knew each other from the past and understoodeach other. Hungary, which has never been able toget rid of its past of secret agents and spies, startedits own time travel back into that past.When Big Brother watches youIn his famous book 1984, George Orwell wrote that“Who controls the past controls the future.” Thisquote – even if it was related to the communist era –expresses the basic societal concern about any statesurveillance well. This recognition led many humanrights activists to fight against the Data RetentionDirective and its national implementation all overEurope. In Hungary, the Hungarian Civil LibertiesUnion (HCLU) protested against the implementationof the Directive in many ways – without significantresult, effect or echo. They submitted amendmentsto the national law through members of parliament,published articles, and organised civic actions inwhich citizens asked the service providers to informthem whether they were under surveillance or not,but all attempts remained unsuccessful.On the other hand, the conservative Hungariangovernment, which was first elected in 2010and for a second time in April 2014, became moreand more successful in controlling citizens. Theyknew well that those who control the past controlthe future. Hungary’s parliament moved to increasesurveillance of high-level public officials, with themodification of the National Security Law on 24May 2013. It was designed to allow the state toidentify any risks that could lead to someone influencingor blackmailing a person under surveillance,which would in turn cause state security issues, thelaw says. The range of positions in the secret service’sfocus is detailed: the people subject to suchsurveillance are ambassadors, state secretaries,heads of administrative bodies and councils, themanagement of parliament, the head of the militaryforces and army generals, police commanders andsuperintendents, and heads and board membersof state-owned companies. The person in questionneeds to sign an approval for the surveillance tobe allowed. Refusal to sign means they lose theirjobs. The modification has raised concerns on thepart of the ombudsman and civil rights groups, andsparked comments that the secret service’s reachinto people’s private lives would now be “total”. Thebill also lifts the earlier requirement of a court nodfor the secret gathering of information on peopleby opening their letters, making audio and videorecordings or searching and bugging their homes.Apart from allowing surveillance of a selectedgroup of people without letting them seek legalremedy, the law provides no regulations that limitwho can see the information, what can be done withit, or how long it can be stored. The law also allowsfor employees to be fired for conduct outside theworkplace, for as yet unspecified reasons. It meansthat Hungary now allows investigation of particularindividuals without any need to demonstrate a specificreason why every aspect of a person’s life mustbe reviewed. That is unusual in democratic states.The new national security law has really created anOrwellian landscape in Hungary.Hungary’s ombudsman for basic rights, MateSzabo, declared that the bill should give thoseunder surveillance the right to appeal the matterand seek legal remedy against any encroachmentof their rights in the process. But this remark wasignored in the final version of the law. The HCLUsaid that the new bill is unconstitutional even if theperson in question signs a document to give theirconsent to the surveillance. The ombudsman is theonly one who has the right to appeal to the ConstitutionalCourt – civil rights groups do not. LastJune, Szabo initiated a constitutional review. Heraised concerns over a lack of external control overthe monitoring process and the fact that agencieswould not be required to provide a concrete reasonor aim for the monitoring activity, which wouldgive the state an unfair power advantage over theindividual targeted in the surveillance. Despite theprotests, the amendment was enforced on 1 August2013. However, while the Constitutional Court decisionmade in March 2014 repealed the amendment,a new parliament set up in late May did not followthe court’s decision, meaning that the amendmentstood. The Constitutional Court declared in itsdecision that legislation allowing for secret observationon officials in positions requiring nationalsecurity screening for 30-day periods twice a yearis unconstitutional. According to the top court’sruling, permanent surveillance and secret informationgathering would disproportionately restrictthe target’s privacy rights. The body also threwout stipulations that prevented targeted personsfrom seeking legal remedy, such as an appeal to arelevant parliamentary committee against the monitoringprocedure.The other story which shows the government’stotalitarian attitude to the right to privacy is thatin 2013 Hungary appeared on the list of thosecountries where the infamous governmental spysoftware package called FinFisher is used, accordingto Citizen Lab. Citizen Lab is an interdisciplinarylaboratory based at the University of Toronto (Canada),focusing on the intersection of informationand communication technologies, human rightsand global security. FinFisher’s customers can onlybe governments and in using the software, Hungaryjoined a group of countries where oppressiveregimes are in power. FinFisher is a very sophisticatedsoftware package which is able to createaccess to all data on the infected computer, includingemails, document files, voice over internetprotocol (VoIP) calls, etc. There were few reactionsin Hungary when this news was published, but Átlátszó(Transparent), 1 a Hungarian NGO fighting forfreedom of information, submitted a public informationrequest to the Constitution Protection Office on17 October 2013. It asked the Office to disclose thelength of time and the number of times the governmentused spy software packages, and it asked itto list those that are in use. Within a week the ConstitutionProtection Office had sent a letter, andrefused to respond to their questions, referring tonational security interests. According to the websiteof the Office, “the aim of the Constitution ProtectionOffice is to protect citizens and the constitutionalorder of Hungary, and to guarantee their security.(…) Its special duty is to provide Hungary with suchinformation for decision making which is not obtainablefrom other sources.” 2While all these unfortunate events happenedin Hungary, the First European Constitutional Courtsuspended the Data Retention Directive after thedecision of the Court of Justice of the EU (CJEU). TheCJEU declared this April, among other objections,that the interference is not proportionate and thatthe Directive failed to apply those safeguards whichwere also missed in the Hungarian implementationand in other national legislation. However,the Hungarian authorities did not immediately reactto the news (e.g. in neighbouring Slovakia theConstitutional Court preliminarily suspended theeffectiveness of the Slovak implementation of theData Retention Directive right after the decision ofthe CJEU).ConclusionsThe following conclusions can be drawn from thisreport:• Data retention in general and by definition violatesour right to privacy.1 www.atlatszo.hu2 ah.gov.hu/english• It is necessary to apply certain safeguards: theneed for judicial authorisation, court oversight,or any other external supervisory mechanism;authorities should not have direct access todata stored by service providers; there is an obligationto inform the person concerned aboutthe use of his/her data; there is an obligationto inform the person who was under surveillance;there is an obligation to destroy the dataafter the end of investigative proceedings; andthere is an obligation to delegate independentexperts to inspect and monitor the process ofdestroying the data.• Surveillance mechanisms which target innocentpeople by collecting information about themsimply because they are in certain positionsserving the state cannot be justified and shouldbe taken as unconstitutional. One example ofthis is the amendment of the Hungarian NationalSecurity Law, which aims to surveil peoplewho are completely innocent, simply to controlthem and their private lives. Such acts cannotbe justified in a democracy.Action stepsThe following advocacy steps are taking place andrecommended for Hungary:• Citizens and human rights NGOs are planningto initiate a lawsuit against service providers inorder to know what personal data is being retainedby the providers.• Following the recent decision by the CJEU, Hungaryshould revise its law on data retention.• Hungary should get back onto the democraticroad when it comes to surveillance and modifythe National Security Law according to the ConstitutionalCourt ruling.• The use of spy software packages should bemore transparent and regulated by law as well.The Constitution Protection Office should havean obligation to make such data publicly availablefor everybody.• The need for transparency is obvious. The intersectionbetween national security, surveillance,law enforcement, the role of private companies,citizens’ private data and their right to privacyneeds to be clear. Transparency reports preparedby companies involved in data retentioncan be one useful tool to know what is happeningin this area. For example, Vodafone made anattempt to publish certain information on this inits worldwide report.134 / Global Information Society Watch hungary / 135


IndiaCommunications surveillance, human rights and freedomof expression in IndiaDigital Empowerment Foundation (DEF)Ritu Srivastavawww.defindia.orgIntroductionThe internet is a key tool to exercise the right tofreedom of expression. It not only allows us to exercisethe right to receive information, knowledge,ideas and opinions, but also allows us to exercisethe right to express these – be it in the form ofvideo, audio or writing. Used as a publishing andcommunication tool, it enables millions around theworld to communicate instantly, gives the commoncitizen a voice among an audience of millions, andserves as a huge multimedia library of information.One definition says “the internet is as diverse as humanthought.” 1As access to the internet becomes more diverse,including information on prominent social issues isbecoming important. United Nations (UN) SpecialRapporteur on the Promotion and Protection of theRight to Freedom of Expression and Opinion FrankLa Rue underlined in his report submitted to theHuman Rights Council (HRC) regarding the uniqueand transformative nature of the internet that itnot only enables individuals to exercise their rightto freedom of expression and opinion, but also allowsthem to exercise other human rights and topromote the progress of society as a whole. 2 It hasbeen proven that technological advances have beenpowerful tools for democracy by giving access to all.However, data mining by intelligence agencies blurslines between legitimate surveillance and arbitrarymass surveillance by governments nationally andinternationally.La Rue also emphasised how government andcorporate surveillance are undermining freedom ofexpression. His report states: “Freedom of expressioncannot be ensured without respect to privacyin communications. Privacy and freedom of expressionare interlinked and mutually dependent; an1 ACLU v. Reno, 929 F. Supp. 824, 830-849 (ED Pa. 1996) at 842(District Court Opinion)2 Report of the Special Rapporteur on the promotion and protectionof the right to freedom of opinion and expression, Frank La Rue,17 April 2013. www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdfinfringement upon one can be both the cause andconsequence of an infringement upon the other.” 3His report established the connection betweenfreedom of expression and privacy in communicationsand called for global attention to thewidespread use of surveillance mechanisms byvarious governments that are violating humanrights, such as the right to privacy and freedom ofexpression. It also makes the point that privacy isa fundamental human right, and is important fordemocratic society to maintain its human dignity.Furthermore, the right to privacy reinforces otherrights, such as freedom of expression and information,and freedom of association, also recognisedunder human rights law. 4 However, it is difficult todefine exactly what the right to privacy entails. Privacycan be seen from two perspectives – it dependson the type of information we share or the sides ofour lives that we want to keep private, and whetheror not the information is in the public interest.Governments worldwide have continued tojustify their engagement in wide-ranging surveillanceprogrammes – often at the very limits of thelaw – arguing national security concerns. While Indiais the world’s largest democracy and is said tobe protecting freedom of speech through its lawsand constitution, freedom of expression online isincreasingly being restricted in the country. Justificationsgiven for these restrictions are the problemof defamation and the need to maintain national securityand peace in society.This became evident when the Indian governmentannounced the start of the CentralisedMonitoring System (CMS) in 2009, a programmeto monitor telecommunications in the country. In2013, Minister of State for Communications andInformation Technology Milind Deora initiated therollout of CMS across India. This report analyseshow government surveillance works in India, andhow government and private organisations are accessingindividuals’ online data, which is a threat tofreedom of expression.3 Ibid.4 Universal Declaration of Human Rights, Article 12; United NationsInternational Convention on the Protection of the Rights of AllMigrant Workers and Members of Their Families, Article 14.Communications surveillance laws in IndiaThe term “communications surveillance” encompassesthe monitoring, interception, collection,analysis, use, preservation and retention of, interferencewith, or access to information which arisesfrom, reflects or is about a person’s communicationsin the past, present or future. With more and morepeople accessing the web, the internet user basein India reached 243 million 5 in 2014. This mediumnot only enables users to exchange information anddeliver services, but also allows political discourse.Platforms like Facebook and Twitter and blogs makeit easy for people to communicate and reach a vastaudience.Unlike PRISM, the United States surveillanceprogramme that captured the world’s attentionever since whistleblower Edward Snowden leakeddetails of global spying to The Guardian and WashingtonPost, India silently launched the CMS tomonitor internal communications in 2013. Thesystem cost USD 75 million, and will allow the governmentto access all digital communications andtelecommunications in the country.Since independence, laws in India have prohibitedthe unlawful interception of communications.For example, Section 26 of the India Post Office Act,1898 allows the interception of post for the “publicgood” only. According to this section, this powermay be invoked “on the occurrence of any publicemergency, or in the interest of the public safetyor tranquillity.” 6 The section also says that “a certificatefrom the State or Central Government” isrequired that would serve as conclusive proof as tothe existence of a public emergency, or to show thatthe interception is in the interest of public safety orpeace. Similarly, Section 5(2) of the Telegraph Act,1885 also authorises the interception of messages,but only a) in the event of a public emergency, orin the interest of public safety; and b) if it is necessaryor expedient to do so in the interests ofthe sovereignty and integrity of India, the securityof the state, friendly relations with foreign states,or public order, or for preventing incitement to thecommission of an offence. 7In the case of Hukam Chand Shyam Lal vs. Unionof India and Others, 8 the Supreme Court of India in-5 Times of India. (2014, January 29). India to have 243 millioninternet users by June 2014: IAMAI. Times of India. timesofindia.indiatimes.com/tech/tech-news/India-to-have-243-millioninternet-users-by-June-2014-IAMAI/articleshow/29563698.cms6 The Indian Post Office Act, 1898. www.indiapost.gov.in/Pdf/Manuals/TheIndianPostOfficeAct1898.pdf7 The Indian Telegraph Act, 1885. http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf8 AIR 1976 SC 789, 1976 SCR (2)1060, (1976) 2 SCC 128.terpreted the meaning of “public emergency”. Thecourt considered “public emergency” merely as an“economic emergency”, and justified surveillanceunder this section unless it raised problems relatingto the matters indicated in the section. The courtalso considered another qualifying term, “publicsafety”, as “security of the public or their freedomfrom danger”.Two separate sections of the InformationTechnology Act 2000 deal with interception andmonitoring of information. Section 69 deals with the“[p]ower to issue directions for interception or monitoringor decryption of any information through anycomputer resource”. 9 Section 69B deals with the“monitor[ing] and collect[ion] of traffic data or informationgenerated, transmitted, received or storedin any computer resource”. This monitoring powercan be used for cyber security purposes. 10 The term“traffic data” has been defined under Section 69Bas “any data identifying or purporting to identifyany person, computer system or computer networkor any location to or from which communication isor may be transmitted.”Surveillance is not only limited to individualmonitoring. Section 67C of the Information TechnologyAct deals with “intermediaries”, and requiresthem to maintain and preserve certain informationunder their control for a minimum of three months.Failure to do this is punishable with imprisonmentfor up to three years and a fine under Section 67C(2). Section 79 of the Information Technology Act 11provides immunity from liability for intermediariesfor third party content that is hosted by them.However, in 2011, the Ministry of Information andTechnology issued two more sets of rules under thisAct – firstly to govern intermediaries such as internetservice providers (ISPs) and web platforms, andsecondly to govern cybercafés. Both of these sets of9 Section 69 of the Information Technology Act. www.chmag.in/article/jan2012/powers-government-under-informationtechnology-act-200010 The Monitoring Rules list 10 “cyber security” concerns for whichmonitoring may be ordered: (a) forecasting of imminent cyberincidents; (b) monitoring network application with traffic dataor information on computer resources; (c) identification anddetermination of viruses/computer contaminants; (d) trackingcyber security breaches or cyber security incidents; (e) trackingcomputer resources breaching cyber security or spreading viruses/computer contaminants; (f) identifying or tracking of any personwho has contravened, or is suspected of having contravened orbeing likely to contravene cyber security; (g) undertaking forensicinvestigation of the concerned computer resource as a part of aninvestigation or internal audit of information security practicesin the computer resource; (h) accessing stored information forenforcement of any provisions of the laws relating to cyber securityin force at the time; (i) any other matter relating to cyber security.11 sflc.in/information-technology-act-and-rules-time-to-change136 / Global Information Society Watch india / 137


ules severely diminish the freedom of expressionof citizens and their right to privacy.India, which is poised to be one of the biggestmarkets for video surveillance, registered growth of20% in this regard in the last quarter of 2013. TheDelhi International Airport has installed 3,700 IPsurveillance cameras, 12 the “largest single installationof an IP video system anywhere in India.”Both the government and private businesses haveenthusiastically embraced CCTV technology, includingin municipalities, police departments, airports,banks, schools and supermarkets. Despite the factthat CCTV cameras were installed to tackle terrorismand crime, there are no laws that govern theirdeployment or use in India. The closest law appliesto electronic voyeurism and is contained in Section66E of the Information Technology Act, which punishesthe “capturing, publishing and transmission”of images of any person in a “private area” withouttheir consent, “under circumstances violating theprivacy” of that person. This offence is punishablewith imprisonment of up to three years or a fine ofup to two lakhs rupees (approx. USD 3,000).Moreover, in 2011, the government expandedits internet surveillance in cybercafés, the primaryaccess points for rural villagers. Users now need toprovide their identity card for accessing cybercafés.Requesting this kind of user data is questionablewhen it is used for prosecuting free speech onlineand stifling political criticism. India is also one ofthe worst offenders for takedowns, as well as forrequests for user information. The Google TransparencyReport shows that on requests for userinformation it is ranked after the US only. 13At the end of 2012, most of the major telecomcompanies in India agreed to grant the governmentreal-time interception capabilities for the country’sone million BlackBerry users. 14 The government isalso constantly requesting major web companies toset up their servers in India in order to monitor localcommunications.Freedom of expression and communicationssurveillanceThe Constitution of India guarantees freedom ofexpression under its Article 19(1). However, Article19(2) restricts the exercise of freedom of expression.Article 19(2) can be enforced by the state in12 www.indigovision.com/documents/public/project-briefs/Project-Brief-Delhi%20Airport-UK.pdf13 www.google.com/transparencyreport/userdatarequests/IN14 Gallagher, R. (2013, February 22). India’s spies want data enevery BlackBerry customer worldwide. Slate. www.slate.com/blogs/future_tense/2013/02/22/india_wants_data_on_every_blackberry_customer_worldwide.htmlthe interest of the sovereignty and integrity of thestate, the security of the state, friendly relationswith foreign states, public order, decency or morality,or in relation to contempt of court, defamation orincitement to an offence. 15 The constitution does notinclude a freestanding right to privacy. However, theSupreme Court of India has read the right to privacyin Article 21 of the constitution – the right to life andliberty. It states, “No person shall be deprived ofhis life or personal liberty except according to procedureestablished by law.” 16 Considering the rightto freedom of expression and the right to privacy,the fundamental question is the balance betweenthe two.For the last few years, a comprehensive PrivacyBill has been under discussion in India, althoughit has still not been adopted by the government. Adraft dated 19 April 2011, entitled “Third WorkingDraft (For Discussion and Correction) LegislativeDepartment”, was originally leaked, but is nowfreely available online. 17 The draft supports privacyrights broadly, and includes a strong mechanism toaddress breaches of the right to privacy, called theData Protection Authority of India (DPAI). Withoutprivacy laws and safeguards to protect data, the collectionand retention of such data can be misusedeasily, and this could have a chilling effect on freespeech among the Indian population. Most Indianmembers of parliament are aware of the need fora legal framework to protect the privacy of Indiancitizens. In 2011, the parliament passed new dataprotection rules; however, there is still no privacylaw in India. Like freedom of expression and freedomof association, privacy is a fundamental humanright and underpins human dignity.A road aheadThe following actions and steps are recommendedfor India:• To take better account of the right to privacyand protection from arbitrary interference withprivacy. There is also a need to address masssurveillance and unwarranted digital intrusionsin India. Both are necessary steps to fight selfcensorshipand promote freedom of expression.• Communications surveillance should be regardedas a highly intrusive act that interferes withthe rights to privacy and freedom of opinion andexpression, threatening the foundations of ademocratic society.15 The Constitution of India, Article 19 (2).16 www.legalserviceindia.com/articles/art222.htm17 Available at: bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf• Reform the Information Technology Act provisions66A and 79 regarding takedownprocedures so that authors of content can benotified and offered the opportunity to appealtakedown requests before censorship occurs.• Revise takedown procedures so that demandsfor the removal of online content do not apply tothe legitimate expression of opinions or contentin the public interest. This is important so thatfreedom of expression is not undermined.• The internet should not be used by governmentsas an excuse for introducing new technologiesof control or for curtailing existing liberties. Althoughthe right to freedom of expression canbe restricted, the circumstances under whichthis may be done have to be narrowly circumscribed.This is the case when it comes tofreedom of expression on the internet, and inany other forum.• In a country like India where 243 million peopleaccess the web through mobile phones, thereis a need to reform policy so that regulation ofthe internet is compatible with the internationallegal guarantee of the right to freedom of expression.Moreover, there is a need to promoteaccess to the internet as well as the developmentof local content.• Service providers or hardware or softwarevendors should not be compelled to build surveillanceor backdoors into their systems, or tocollect or retain particular information purelyfor state surveillance purposes.• Finally, there are many aspects involving theright to privacy and freedom of expression thatrelate to each other and that have not been addressedstrongly in Indian legislation, policyor case law. For example, the taking of photographsby individuals (not the media) has notbeen addressed, nor has the ability of individualsto issue comments anonymously online, orthe “right to be forgotten” online and offline.Freedom of expression and privacy supporteach other in many ways, as the right to expressan opinion or thought freely is often protectedby providing the individual the privacy (or anonymity)to do so. There is therefore a need tounderstand various aspects, such as the rightto be anonymous, the right to privacy, and theright to be forgotten, with respect to freedom ofexpression and freedom of association. Theseissues are being addressed by many countriesand at an international level.It is high time the Indian government took accountof the right to privacy and protection instead of interferingwith privacy. Addressing the issue of masssurveillance and unwarranted digital intrusionsis a vital and important step to fight against selfcensorshipin India and will automatically promotefreedom of expression.138 / Global Information Society Watchindia / 139


IndonesiaTaming the untameable: Indonesia’s effort to control the growing tideof digital communicationsAnonymousAnonymousIntroductionFollowing three decades of a restrictive Suharto-ledgovernment characterised by “politicalrepression and ideological surveillance,” 1 Indonesiahas morphed into a relatively open society withmore democratic space. Along with this openness, ithas witnessed a massive transformation in the areaof information and communications technologies(ICTs). Indonesia has the fourth largest mobile phonemarket in the world with 278 million subscribers. 2 By2015, it is expected that nearly 115 million will haveaccess to the internet. 3 The country has been hailedby civil society activists as “regional champion forfreedom of expression.” 4 Indonesia’s capital, Jakarta,is called the “social media capital of the world” withmore tweets coming from the city than any othercapital in the world. 5 It is the only country in the regionto provide protection of free speech through alegal framework called the Transparency of PublicInformation Law, which guarantees access to stateinformation, and the Press Law, which protects journalisticwork as “an important component of […] freespeech and access to information.” 6At the same time, legal frameworks continue totightly limit basic freedoms, justified by argumentsconcerning traditional values or the maintenance ofnational security. This is demonstrated through notablelegal setbacks, such as the Mass OrganisationLaw that restricts the right to freedom of association.The Intelligence Law of 2011 enforces furtherrestrictions by allowing the security apparatus “sig-1 Bünte, M., & Ufen, A. (eds.) (2009). Democratisation in Post-Suharto Indonesia. Oxford: Routledge.2 Indonesia’s population is 247 million. Due to multiple phonesubscriptions, this number of mobile subscribers is higher thanthe population. www.redwing-asia.com/market-data/market-datatelecoms3 www.slideshare.net/OnDevice/indonesia-the-social-media-capitalof-the-world4 Southeast Asian Press Alliance. (2013, July 8). Indonesia’s OrmasLaw: A ready weapon against civil society and free speech. IFEX.https://ifex.org/indonesia/2013/07/08/ormas_law5 www.slideshare.net/OnDevice/indonesia-the-social-media-capitalof-the-world6 Southeast Asian Press Alliance. (2013, July 8). Op. cit.nificant latitude in intelligence gathering aimed at‘opponents’ of ‘national stability’.” 7The country’s first and only cyber law, the ElectronicInformation and Transaction Law, prohibitsthe publishing of content to do with gambling, anddefamation and threats. The Indonesian parliamenthas also passed an Anti-pornography Law, which isroutinely used to block LGBT (lesbian, gay, bisexualand transgender) content on the internet. 8 In addition,the country has also adopted a number oflaws that prohibit defamation of religion, which isused broadly to block content that provides alternativeviews on Islam, the religion of the majority ofIndonesians.While the boundaries of expression havewidened notably, and are more open generallyin Indonesia than in its regional counterparts,the country is a mixed picture of freedom of expression.As suggested, norms of expression arereinforced through a variety of anti-pornographic,anti-blasphemy and anti-defamation laws. In legalterms and in practice, Indonesia has also regularlydemonstrated that “national security” or “nationalstability” interests trump freedom of expression.While censorship is overt, surveillance is less visiblebut also pervasive, with each carried out bydifferent government agencies.This report looks at communications surveillancein Indonesia by examining the recentpurchases of sophisticated surveillance equipmentby the military. It opens up questions about thepotential use of this new equipment and what thismeans for freedom of expression in the country.Surveillance +In the book Democratisation of Post-Suharto Indonesia,Jun Honna argues that “political repressionand ideological surveillance were the major toolsused” by Suharto to remain in power. 9 These “politico-ideological”surveillance tactics were carriedout principally by the military, targeting journalists,7 Ibid.8 Citizen Lab and Canada Centre for Global Security Studies. (2014).Islands of Control, Islands of Resistance: Monitoring the 2013Indonesian IGF. www.citizenlab.org/briefs/29-igf-indonesia/29-igfindonesia.pdf9 Bünte, M., & Ufen, A. (eds.) (2009). Op. cit., p 230.students, intellectuals and activists, essentiallymuzzling dissenting voices in the country. Whilea relatively free media and civil society activismhave flourished in the wake of Suharto’s removal,the practice of military surveillance continues. TheIndonesian military continues to project a role asthe protector of national unity, and to demarcatethe limits of political and ideological expression inthe country through a range of practices, includingsurveillance.Complementing its traditional intelligence collectingapproaches, and in parallel with the massivegrowth of internet use, the military is expanding itsonline surveillance capability. In January 2013, theJakarta Globe reported that Indonesia’s Ministry ofDefence purchased GBP 4.2 million (USD 6.7million)worth of surveillance products from Gamma Group,a UK-based company that provides sophisticatedsurveillance equipment to governments. 10 While theexact type of product procured was not disclosed,Gamma Group sells products ranging from mobilesurveillance vans to software like FinFisher, whichis capable of monitoring all internet communicationin the country.In fact, FinFisher command and control serverswere already found to be at work in Indonesiain 2012. According to a report released by CitizenLab in 2012, FinFisher products were found on severalIndonesian internet service providers (ISPs). 11The Indonesian government has not publicly statedif it is the one deploying this intrusive software orclarified its intended use. Gamma Group, on theother hand, has stated that it only provides servicesto governments and not private individuals andcompanies. Based on these statements, one cansurmise that complex communication surveillancemachinery is in place in Indonesia, and its use onlyseems to be expanding over time.Rights activists are concerned about the implicationsof these findings. “I’m afraid there’re notenough mechanisms and self-control to ensure thatthis technology is not abused,” Andreas Harsono,Indonesia researcher with Human Rights Watch,told the Jakarta Globe. “Indonesia has no thirdpartyintelligence gathering mechanism – be [it] acourt or a legislative mechanism – to approve wiretapping.The Gamma equipment is a nightmare.” 12The Intelligence Law is applied to intelligencegathering activities in Indonesia. When an updated10 Vit, J. (2013, September 25). TNI surveillance purchase triggersconcern in Indonesia. Jakarta Globe. www.thejakartaglobe.com/news/tni-surveillance-purchase-triggers-concern-in-indonesia11 Citizen Lab and Canada Centre for Global Security Studies. (2014).Op. cit.12 Vit, J. (2013, September 25). Op. cit.version of the law was passed in 2011, rights groupscriticised it for its expansive scope and its vaguewording, which allows for “significant intelligencegathering over opponents of national stability.” 13The government has referred to terrorism, includingtwo bombings in Bali in 2002 and 2005, aswell as multiple attacks in Jakarta, as justificationfor surveillance. While the government has saidsurveillance products will be used “only for strategicintelligence,” 14 rights groups and activists havewarned that it could be used to monitor, and potentiallysilence, civil society and media.The current situation in West Papua illustratesthe broad application of the government’s definitionof “opponents of national stability”. West Papua 15is the easternmost province of Indonesia with alarge presence of the military’s Special Forces tocombat the Papuan separatist movement, the FreePapua Movement (Organisasi Papua Merdeka orOPM), who have been engaged in armed resistance.International media are blocked from entering theprovince and international organisations have beenprevented from operating in the region.In 2011, a report by Human Rights Watch, citinginternal military documents, asserted that militarysurveillance in the province monitored not onlythe OPM, but a “broad swathe of Papuan political,traditional, and religious leaders and civil societygroups.” 16 This surveillance was carried out entirelywithout “judicial warrant and without clearevidence of wrongdoing.” 17 The internal documentsalso showed that the intention of the governmentwas to prevent the free flow of information to andfrom Papua. According to one document: “Currentpolitical activity [e.g. by civil society and students]in Papua is very dangerous compared to the activitiesof Papuan armed groups, because [civil society]influence already reaches abroad.” 18Physical surveillance and rudimentary surveillancetactics are well known by Papuan activists andjournalists. An Indonesian journalist who wishedto remain anonymous stated in an interview thatphone tapping is common. “When you are in Papuaand if you are calling someone, you can hear otherpeople talking. It is called crossed lines, when it isaccidental. In Papua, every call you make is like13 Southeast Asian Press Alliance. (2013, July 8). Op. cit.14 Vit, J. (2013, September 25). Op. cit.15 Now divided into Papua and West Papua.16 Human Rights Watch. (2011, August 14). Indonesia: Militarydocuments reveal unlawful spying in Papua. Human Rights Watch.www.hrw.org/news/2011/08/14/indonesia-military-documentsreveal-unlawful-spying-papua17 Vit, J. (2013, September 25). Op. cit.18 Human Rights Watch. (2011, August 14). Op. cit.140 / Global Information Society Watchindonesia / 141


that.” 19 Intelligence agencies have even set up phonecharging booths to collect phone numbers. “Whenyou charge your phone, you have to give them yournumber. There is evidence of intelligence agenciesusing phone credit stores to supply numbers to themilitary. Usually these are targeted at NGOs.”Papuan journalists and activists say surveillanceextends to other forms of communication. “Manytimes, I have received notification from Gmail thatsomeone tried to access my account,” said LatifahAnum Siregar, head of the Alliance for Democracyfor Papua (Aliansi Demokrasi untuk Papua). 20 “Ourwebsite adlp-papua.com has been hacked severaltimes. When that happens data is usually missing,files cannot be downloaded.”“In the past three years, our website tabloidjobi.comhas been hacked six times. We are alsoaware of surveillance on the internet,” said VictorMambor, head of the Alliance of Independent Journalistsin Papua. 21 “Our Twitter and Facebook arebeing monitored.” Journalists often receive callsand orders from the military asking them to handover tapes and other recordings, especially if theyare covering events relating to political dissent, likedemonstrations, Mambor said.Papuan activists interviewed for this reporthave also spoken of the practice of self-censorshipon social media sites over fears of being physicallyharmed by security forces. “Now I only trust faceto-facecommunication. I rarely use the telephoneto talk about sensitive issues.”Even without surveillance, Indonesia has demonstrateda position of not fully supporting freedomof expression on the internet. With a variety of anti-pornographic,anti-defamation and anti-rumourmongering laws, it already blocks content on theinternet. As suggested, this has been manifested inblocking content that discusses LGBT rights and contentthat provides alternative views on religion.The silencing of local voices from Papua is notlimited to strictly political expression. In March2014, a live video-cast of two Papuan tribesmenspeaking at a major environmental conference inthe United States was disrupted by an online attackon the site, which rights activists say came fromparties linked to the Indonesian government. 2219 Interview with an anonymous journalist on 23 May 2014.20 Interview with Latifah Anum Siregar, head of the Alliance forDemocracy for Papua, on 3 June 2014.21 Interview with Victor Mambor, head of the Alliance of IndependentJournalists in Papua, on 3 June 2014.22 Sloan, A. (2014, March 20). Indonesia suspected of hackingto silence abuse allegations. Index on Censorship. www.indexoncensorship.org/2014/03/indonesia-suspected-hackingsilence-abuse-allegationsOpportunities for reform?There are indications that a multi-pronged surveillancesystem, employing sophisticated softwareand taking advantage of weak legal protections forexpression, will mean that it will be even easier tosuppress freedom of expression on the internet inthe future.There are some potential opportunities thatcould be leveraged for reform. The Indonesiangovernment hosted the annual global Internet GovernanceForum (IGF) in Bali in 2013, which opens upa space for debate surrounding freedom of expressionon the internet. The timing of the IGF, directlyfollowing the Snowden revelations, raised the profileof surveillance at the forum.In the immediate future, whether this trendtowards openness continues will be influenced bywhich candidate wins the presidential elections inJuly 2014. The candidates for president, PrabowoSubianto and Joko Widodo, appear to maintainstarkly different positions on these issues. Prabowois taking a hard-line nationalistic stance that couldmean setbacks in terms of rights of expression,as he would appear to be less tolerant of dissent,while Jokowi, as he is known, is campaigning on aplatform of transparency.In the meantime, journalists and activists continueto tolerate limits to their freedom. “I acceptthis surveillance as the risk of my job. There is nothingwe can do except to accept this as part of oureveryday reality,” said Mambor. “People in Jakartamay have choices, but we, in Papua, don’t. Thereis only one internet provider and the service is notgood.”Siregar further echoes this sentiment, stating,“I tell my colleagues that our job is full of risks.Don’t expect that our name is not already recordedby the intelligence [agencies] and our picture anddata isn’t in their system already.”Action stepsBased on the current scenario, the following actionsteps are recommended for activists and journalists:• Be aware of the prevalence of surveillance, andtake protective measures when communicatingonline by using secure tools.• Make your colleagues and associates aware ofsurveillance; teach them to use secure methodsof communications.• Engage with freedom of expression activists locallyand internationally to leverage change inthis area.• Lobby governments for stronger legal protectionsaround freedom of expression.jamaicaResisting citizen data handover in Jamaica: The case of Digicel vs INDECOMThe University of the West IndiesHopeton Dunn and Allison Brownwww.mona.uwi.eduIntroductionA recent Supreme Court ruling in Jamaica prohibitinga state agency from gaining access to the telephonedata of Jamaican citizens touches on several of theinternational principles of human rights in relationto surveillance. In the case, Supreme Court judgeJustice Ingrid Mangatal ruled in June 2013 thattelecommunications provider Digicel was not compellableunder the law to provide customer data orsubscriber information to the investigative stateagency called the Independent Commission for Investigations(INDECOM). In this report we analysethe circumstances of this ruling and the implicationsregarding constitutional protections in Jamaica andthe Caribbean against unauthorised surveillance bygovernment of the personal data of citizens.BackgroundJamaica is a small independent, English-speakingcountry in the Caribbean. The most recent census in2011 tallied a population of just below 2.7 million. 1The country operates a bi-cameral parliament witha bill of rights and a constitution that emphasisesdemocracy and the rule of law.Jamaica’s GDP per capita was reported by thePlanning Institute of Jamaica in 2010 to be USD4,979. 2 Services such as tourism and informationand communications technologies (ICTs) remainkey contributors to GDP, with traditional productssuch as bauxite, sugar and bananas playing importantroles in employment and GDP output. Thecurrent National Development Plan, named Vision2030, targets developed country status by 2030.ICTs are a central aspect of the national developmentplan as they are seen as a growth industry intheir own right as well as a driver of economic andsocial development. A 2011 survey indicated that94% of the population were mobile phone users,16% of households had internet access, while 45%1 STATIN. (2012). Population Census Data. Kingston: STATIN.2 Planning Institute of Jamaica. (2012). Jamaica Country Assessment(Preliminary Draft). Kingston: PIOJ.of individuals used the internet from anywhere. 3These indicators would have moved upwards significantlysince that survey, particularly in the areaof mobile broadband usage. The cost of equipmentand services is the key hindrance to the growth ofthe online population in Jamaica.Policy contextThe telecommunications and ICT industry is mainlygoverned by the Telecommunications Act of 2000,which was amended in 2011. This is supplementedby other pieces of legislation such as the ElectronicTransactions Act of 2007 and the Cybercrimes Act of2010. Key legislation in relation to state surveillanceis applied in the Interception of Communications Actof 2002 (amended in 2011) while section 47 of theTelecommunications Act speaks to the protectionof customer data by telecommunications servicelicence holders. Jamaica’s Charter of Human Rights(2011) addresses the right of everyone to privacyof property and of communication. Despite longstandingcalls from civil society and the academiccommunity, a Data Protection Act is still in the consultationstage, now promised for introduction toparliament sometime in 2014. 4 This act would protectthe privacy of citizens’ personal data and wouldregulate the “collection, processing, keeping, useand disclosure” of such data. 5Basics of the caseAs we thematically consider the issue of communicationsurveillance in the digital age, the Jamaicancase of Digicel (Jamaica) Limited v The IndependentCommission of Investigations 6 is of special interest.The case touches on many of the international principlesof human rights in relation to surveillance.The matter arose from a request for informa-3 Dunn, H., Williams, R., Thomas, M., & Brown, A. (2011).The Caribbean ICT and Broadband Survey Jamaica. Mona:Telecommunication Policy and Management Programme,University of the West Indies.4 The Data Protection Act will possibly reflect model legislationdeveloped by the ITU-led Harmonization of ICT Policies, Legislationand Regulatory Procedures in the Caribbean (HIPCAR). www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPCAR/Pages/default.aspx5 Angus, G.L. (2014, June 11). Laws far advanced to modernize ICTsector. Jamaica Information Service. jis.gov.jm/laws-far-advancedmodernize-ict-sector6 [2013] JMSC Civ. 87.142 / Global Information Society Watch jamaica / 143


tion from police monitoring agency INDECOM todominant telecom provider Digicel in 2011 for callorigination data. This data was to have been usedin the investigation of the shooting death of Robert“Kentucky Kid” Hill in 2009 at the hands of membersof the local security forces. Digicel brought thecase to the Jamaican Supreme Court against INDE-COM in order to clarify their responsibilities in thesharing of customer data. In summary, the outcomewas a Supreme Court ruling which prohibited thestate agency INDECOM from gaining access to thetelephone data requested.Digicel (Jamaica) Limited v The IndependentCommission of InvestigationsDigicel (Jamaica)Digicel Jamaica is the first telecommunications providerwhich entered the Jamaican market after itsliberalisation in 2000. Prior to that, the market wascontrolled by the monopoly of Cable and Wireless,which now trades as LIME. Since Digicel’s entry afew other firms have entered and left the market,the most recent being Claro (América Móvil), whichwas acquired by Digicel in 2011. According to a surveycompleted in 2011, Digicel controlled, at thattime, 88% of the mobile market. 7 Its gains in marketshare following its acquisition of Claro have not yetbeen quantified, but Digicel is considered, in legalterms, to be the dominant player in the Jamaicanmobile market, with LIME being the only other majorplayer. In 2014 Digicel operates in 32 markets inthe Caribbean, Central America and Asia-Pacific.INDECOMINDECOM conducts “investigations concerning actionsby members of the Security Forces and otheragents of the State that result in death or injuryto persons or the abuse of the rights of persons;and for connected matters.” 8 It was put in placeby the INDECOM Act of 2010 which replaced thePolice Public Complaints Act. INDECOM was to bean independent body set up to investigate injusticescarried out by members of the security forcesin Jamaica. This is within the context of long-heldperceptions of police corruption among the widersociety, including what has been seen as “manyshooting incidents which have led to the death orserious injury of citizens.” 97 Dunn, H., Williams, R., Thomas, M., & Brown, A. (2011). Op. cit.8 indecom.gov.jm/about_us.htm9 Digicel (Jamaica) Limited v The Independent Commission ofInvestigations [2013] JMSC Civ. 87.A commentary in the Western Mirror by RobertDalley earlier this year noted:In some cases, there are clear facts to substantiatethe claim that the person who was shot andkilled by the police was brutally murdered, however,because of the fact that the country hascorrupt police officers in the force and an underperformingcourt and judicial system, the policeare not prosecuted or charged in any way. 10The Digicel v. INDECOM judgement refers to informationfrom the Bureau of Special Investigations(BSI) stating that from 1999 to 2010, 2,257 personswere killed by the police (an average of 188per year). Similar statistics have been reported bythe local human rights lobby group Jamaicans forJustice. It is useful to point out that the figures indicateddo not include the number of these killingswhich have been investigated and seen as justifiedby the legal system.The Digicel v. INDECOM case also speaks toseveral attempts on the part of the local governmentto address the quandary of police killings andother abuses. Previous attempts include the PolicePublic Complaints Authority (PPCA) and the BSImentioned above. However, while the PPCA was under-resourced,underfunded and lacked the neededauthority to investigate, there was an ostensibleissue of independence as it related to the secondteam – the BSI – which was located within the JamaicaConstabulary Force (JCF), one of the bodiesthe unit was required to investigate.INDECOM was established as a resolution tothese issues. The INDECOM Act of 2010 sought tobestow sufficient powers for the Commission toinvestigate corruption within the security forces.What can be surmised from the preceding section isthat at the centre of the establishment of INDECOMis a pursuit of improved human rights practices,particularly in relation to greater accountabilityamong security forces, the investigation of policekillings and other alleged abuses by members ofthe security forces.The context for INDECOMThe matter of police accountability is a subjectwhich cannot be broached in a vacuum. We are requiredto highlight the high levels of major crime inJamaica as a possible contributor to the high levelsof police killings. With 1,200 murders committed10 Dalley, R. (2014, February 2). ‘We need to reduce police killingsin Jamaica’. Western Mirror. www.westernmirror.com/index.php/permalink/6659.htmlin 2013, 11 the country has the sixth highest murderrate worldwide. 12 The punishment of execution forcapital crimes, although on the books, has not beenimplemented since 1988. Some police and citizensalike have supported the idea that extrajudicial killingscan be justified within the context of controllingmajor crimes and containing the murder rate. This isthe context within which the high number of policekillings must be understood.Details of the caseThis case emerged specifically from a request madeon 28 September 2011 by INDECOM to Digicel requiringthe telecom provider to furnish data ontelecommunication services for particular subscriberswho had been named in an investigation beingundertaken. In the investigation of the death of Hill,the allegation emerged that his shooting was theresult of a conspiracy between some named membersof the security forces, a cousin of the deceasedand another named female. The data was neededfor further investigation of this alleged conspiracy.A parallel request was also made to LIME, the contentsof which have not been discussed in detailin the judgement. Digicel noted that while it wasnot unwilling to provide the information, guidancewould be needed from the local courts as to whatis required of the telecom provider in response tothe request from INDECOM. This is particularly inlight of other legislation which governs such interactions.LIME, on the other hand, has complied withthe request.INDECOM cited section 21 of the INDECOM Actin its request for the data. A part of section 21 reads:The Commission may at any time require anymember of the security forces, a specified officialor any other person who in its opinion isable to give assistance in relation to an investigationunder this act, to furnish a statement ofsuch information and produce any document orthing in connection with the investigation thatmay be in the possession of that member, officialor other person.Section 16 of the Interception of TelecommunicationsAct was also seen by INDECOM to besupportive of its case, where subsection 2 states:11 Walker, K. (2014, January 1). 2013 bloodier than 2012. JamaicaObserver. www.jamaicaobserver.com/news/2013-bloodierthan-2012_1571666612 Jamaica Observer. (2014, April 11). Jamaica has 6th highestmurder rate worldwide – UN report. Jamaica Observer. www.jamaicaobserver.com/latestnews/Jamaica-has-6th-highesthomicide-rate-worldwide---UN-reportWhere it appears to the designated person thata person providing a telecommunications serviceis or may be in possession of, or capable ofobtaining, any communications data, the designatedperson may, by notice in writing, requirethe provider- (a) to disclose to an authorizedofficer all of the data in his possession or subsequentlyobtained by him; or (b) if the provider isnot already in possession of the data, to obtainthe data and so disclose it.Digicel considered the requirement to provide informationto be at odds with section 47 of the TelecomAct, which reads: “Every carrier and service providershall, subject to subsection (2), regard anddeal with as secret and confidential, all informationregarding the type, location, use, destination, quantityand technical configuration of services used bytheir customers.” While exceptions are cited, noneof them include that such information can be legallyprovided to INDECOM. The section does, however,allow for the delivery of such information “for thepurpose of the investigation or prosecution of acriminal offence.” Further, the Interception of CommunicationsAct was not seen by Digicel to compelthem to furnish the data since INDECOM is not anamed “authorized officer”.In the write-up of the judgement, Justice IngridMangatal noted that Digicel could not be compelledby INDECOM to provide this information as it wouldbe in contravention of section 47 of the Telecom Actand the law cannot force a party to commit a criminaloffence. There was also the issue as to whetherdiscretion of the provider could be triggered in thiscase on the basis of section 47 of the Telecom Act.However, given that the documentation provided byINDECOM did not specify that the information wasrequired for the investigation of a criminal offence,it was noted that the discretion of the providercould not be applied.INDECOM has since challenged this outcomeand the case is likely to return to court sometimein 2014.Case analysisOur understanding of this case is that the judgementdoes not prohibit state surveillance, but suchsurveillance could not be applied in the currentcase. If INDECOM had been named as an “authorizedofficer” in the Interception of CommunicationsAct (or some amendment thereof), Digicel wouldhave been compelled to provide whatever informationINDECOM had requested. If the request hadbeen worded differently (specifying it was neededto investigate a criminal offence), then Digicel144 / Global Information Society Watch jamaica / 145


would have been able to provide the informationat their discretion. This certainly raises concernsregarding implications for private citizens whose informationcould be at risk based on these possibleamendments. However, these matters can only beconsidered in relation to the ostensible purposeof INDECOM, which at its foundation is seen as apreserver and defender of human rights and not anagency in opposition to such rights.This case touches on many of the InternationalPrinciples on the Application of Human Ri13hts toCommunications Surveillance. Jamaica continuesto uphold the main understanding that valueshould be placed on the privacy of individuals, andsimply because the state can access communicationsdata does not always mean that the stateshould access such data. There are clearly boundariesand exceptions which are applied, and inthe case of Digicel v. INDECOM, there is no majoropposition to data being provided where there isa “legitimate aim” and adequate “need”. The challengewhich faced the Independent Commissionwas that the laws had not been updated to ensurethat the body was able to legally compel telecommunicationsproviders to furnish subscriber data.Discretionary action was also eliminated as a possibilityin this case because of the wording of therequest to Digicel, and the omission of informationwhich would have made compliance with the requestlegal.The key outcome which must be consideredis the way in which legislation lags behind developmentsin the telecoms sector and the gaps inunderstanding the ever-transforming digital agewithin which we operate. This is true for telecompractitioners, legal persons, law enforcement andordinary citizens.There is also the matter that both major telecomproviders who are in control of telecommunicationsdata are non-Jamaican entities which may also besubject to the laws of the countries in which theywere initially established and countries where theyoperate. The role of such entities in preservingthe human rights of citizens should be explored,13 https://en.necessaryandproportionate.org/textparticularly where communication between countriescan be easily monitored in one country or theother. This is of even greater concern given ourunderstanding, through the Snowden case, thatit is not necessarily the content of communicationwhich may be monitored but also the metadata andbroader patterns of communication.The relevant matters of user notification, transparencyand public oversight are emergent issueswhich should be tackled in the pending Data ProtectionAct.Conclusions and action stepsThere remains a general concern that legislationlags behind developments in the telecoms and ICTsector. This case shows one such example. Seriousconsideration needs to now be given to the powerswhich the state wishes to grant INDECOM, and toall relevant legislation that needs to be updated.These considerations are to be made in relation tohuman rights implications as well as to acceptableexceptions to privacy in line with the internationalcontext.The second recommendation has to do withtraining and capacity building at all levels, so thatpractitioners and ordinary citizens alike will be ableto understand the many issues at work in communicationssurveillance.While the state remains a key area for considerationwhen it comes to communicationssurveillance, it is critical to contemplate how citizens,companies and foreign countries can alsouse communications surveillance to violate humanrights. Countries like Jamaica need to ensure thatlegislation is robust and adequate for these threatsin meeting national objectives and protecting citizens’rights.Finally, the Data Protection Act, which will beunder parliamentary consideration in the near future,needs to take into account the InternationalPrinciples on the Application of Human Rights toCommunications Surveillance. In addition, it is alsonecessary to rationalise the new act with all relevantexisting legislative and policy frameworks.JapanLearning from the pastJapan Computer Access for EmpowermentHamada Tadahisawww.jca.or.jpIntroductionIn 2012 the Japanese government passed legislationthat presents a number of challenges forprogressive civil society activists. Both the socalledCommon Number Law and the State SecretsProtection Law reinforce surveillance regulations.Legislation is also pending that will expand the abilityof authorities to “wiretap” the country’s citizens.These legislative changes can be seen as part of aprocess of the increased militarisation of the country,with startling parallels with changes in Japanahead of World War II.This new security legislation is far from fair,not only in terms of its content, but how it was developed.The bills were approved by the politicalmajority without sufficient deliberations in parliament.The mass media also did not report on thecontroversial points before they were passed.In this report we compare the legal frameworksgoverning communications surveillance today andthose that existed before World War II in Japan. Thisis an attempt to learn the lessons of history so wedo not repeat the mistakes we have made in thepast.Policy and political backgroundThe Japanese government has been trying to developlaws that promote the control of information andsurveillance for decades. It planned to introduce anational identification number in 1968, but everytime it submitted the bill, the mass media stronglyopposed it, and the attempts failed. Eventually, itmanaged to get the resident registry network billpassed, together with a wiretapping bill and billsrelated to defence cooperation, in 1999. At thattime, the Japanese mass media did not report thedeliberations in parliament sufficiently. Instead,they spent all their broadcasting time on a tabloidshow: a verbal battle between Mitchy and Satchy,two on-screen women talents.The government submitted the state secrecybill in 1985, but failed to have it passed. It revisedand submitted a bill on state secrets in 2013, andmanaged to get the bill passed. The law is supposedto come into force in December this year – so thisyear might be one of the turning points in Japanesehistory. Moreover, a conspiracy bill and a revision ofthe Wiretapping Law are anticipated in 2014. This,together with the Common Number Law enacted inMay 2013, suggests Japan is rapidly slipping into aparanoid surveillance state.Here is a list of problematic legislation concerningcommunications surveillance:• The Wiretapping Law (1999)• The Computer Surveillance Law (Cyber CriminalLaw) (2011)• The Common Number Law (2013)• The State Secrets Protection Law (2013).Japan is one of 36 countries which internationalwatchdog The Citizen Lab 1 shows used FinFisher, anotorious surveillance technology used to surveilinternet users.A tale of two Olympic games in TokyoWe need to understand that the legislation promotingthe regulation and control of informationdescribed above is part of a combined approach tolegislative changes prepared over the past years,such as legislation defining the nation’s responseto foreign military attack (2003) and an act dealingwith the protection of citizens in the event of anarmed attack (2004).Many intellectuals have argued that the currentsituation in Japan closely resembles the situationbefore World War II. Because of this, we would brieflylike to compare the run-up to two Tokyo OlympicGames, one scheduled for 2020, and the other in1940, which was cancelled due to the war.That Tokyo will host the 2020 Olympic Gamesis welcome news for many in the country. However,some people are concerned about the strengtheningof the surveillance system for the games, andhow this can be used to control citizens in the future.During the Olympic Games held in London in2012, the security and surveillance system usedthere became the centre of attention. The systemincluded a network of CCTV cameras mounted1 https://citizenlab.org146 / Global Information Society Watch japan / 147


throughout London, and unmanned aerial vehicles(UAVs), more commonly known as drones.In 2014, the Tokyo Metropolitan Governmentstarted to install five security cameras for each elementaryschool zone – a target of 6,500 camerasto be installed by 2018. The total expenditure isexpected to reach 2.47 billion yen (USD 25 million)over five years.The 1940 Summer Olympics were originallyscheduled to be held in Tokyo, 80 years before theTokyo Olympic Games scheduled for 2020. However,they were cancelled due to the continuation of theSecond Sino-Japanese War. The states of affairs beforethe two Olympic Games are remarkably alike:1923 The Great Kanto Earthquake . . . . . . . . (A)1929 The Great Depression . . . . . . . . . . . (B)1937 The Imperial General Headquarters 2 . . . (C)1937 Complete revision of the Military Secrets Act (D)1940 The cancelled Tokyo Olympics . . . . . . . (E)1941 The Pacific War1995 The Great Hanshin-Awaji Earthquake . . (A)2008 The Great Recession . . . . . . . . . . . . (B)2011 The Great East Japan Earthquake . . . . . (A)2013 The National Security Council . . . . . . . (C)2013 The State Secrets Protection Law . . . . . (D)2020 (scheduled) Tokyo Olympics . . . . . . . . (E)If we put the series of events leading up to the twogames in order as above, we can see how militarisationin Japan progressed (or, is progressing),affected both by government decisions and naturaldisasters.The 26 February attempted coupand wiretappingThe greatest attempted coup d’état in modernJapanese history occurred on 26 February 1936. Itrecently became clear that widespread wiretappingoccurred during this time, even though it was illegalunder the Constitution of the Empire of Japan inthose days.In the attempted coup, a group of young ImperialJapanese Army (IJA) officers rose in revolt andkilled a number of leaders in Japan. While theysucceeded initially and were supported by officersassociated with the Imperial Way Faction, 3 EmperorHirohito was furious with the rebels. The rebels surrenderedon 29 February. This provided the basis fora purge of Imperial Way members from the military.It led to a “unity” cabinet and the end of political2 en.wikipedia.org/wiki/Imperial_General_Headquarters3 en.wikipedia.org/wiki/Imperial_Way_Factionparties by the Imperial Rule Assistance Association 4in 1940.This may have accelerated the movementtowards war. The Control Faction 5 in the Army believedin a military solution to secure resourcesin Southeast Asia and Oceania. The Imperial Way,however, had focused first on national developmentrather than expansion. This approach mighthave led to economic cooperation with China, ratherthan war.At least seven weeks before the coup began,the telephones of the masterminds behind the coupwere intercepted by Ministry of Communications officialsand the military police. Although this fact waskept secret, 20 wiretapping records were discoveredin the broadcast centre at NHK, Japan’s broadcastingcorporation, in 1977. These were shared with thepublic in the documentary Martial Instructions toMonitor Phones, broadcasted on 26 February 1979.According to a 2007 book by Seiichi Nakata, 6 thedirector of the documentary, an extraordinary cabinetmeeting held immediately after the outbreak ofthe coup decided on the wiretapping, even whilerecognising it as illegal under the Constitution ofthe Empire of Japan. 7 However, it became clear thatthe wiretapping began seven weeks before theincident. 8 In other words, the Ministry of Communicationshad been wiretapping without telling othercabinet members.Moreover, the Imperial Way Faction is thought tohave anticipated the possibility of a coup by youngImperial Way officers several years before the incident.In fact, Major Katakura and others wrote adocument that served as an outline for counteringa coup and using the subsequent repression to establishmore political power. 9 The “outline” includesdetailed ideas and measures to be taken to reconstructpolitics, diplomacy, defence, the economy,social policy and education, as well as how to manipulatepublic opinion. Many of these plans wererealised by the Control Faction after the coup. 10The wiretapping records did not only infringe onprivacy, but included identity theft and impersonationto falsely implicate someone. 11 For example,Kita Ikki, a national socialist intellectual who influencedthe Imperial Way Faction, but was not directly4 en.wikipedia.org/wiki/Imperial_Rule_Assistance_Association5 en.wikipedia.org/wiki/T%C5%8Dseiha6 Nakata, S. (2007). Wiretapping in February 26th Incident [Tocho2.26 Jiken]. Tokyo: Bungei Shunju.7 Ibid., p. 45-46.8 Ibid., p. 91.9 Ibid., p. 77.10 Ibid., p. 78.11 Ibid., p. 93.involved in the coup, was sentenced to death as oneof the coup participants, and shot five days later. Inthis case, there is a wiretapping recording made on28 February of someone pretending to be Kita Ikki,who at that time was already in prison. The personwas involved in a smear campaign to paint Kita asthe mastermind behind the rebellion, foreseeingthe possibility of the recording becoming evidencein court. 12What is the lesson that we can learn from thesefacts? Speaking directly, unchecked, authoritieshave the potential to corrupt endlessly and maydrive society into a dangerous situation. Moreover,surveillance can be too powerful and paranoid, andcan result in the fabrication of crimes, instead of assistinglegitimate criminal investigation.By comparing these two periods, we can learnlessons from history and how we should engage thenew political administration on issues of communicationssurveillance and transparency.The meaning of the surveillancein the present ageNow, if we turn back to today, we can easily see howthe need for surveillance has spread into new terrain– including the mass surveillance of citizensonline. In part this has prompted the need to revisethe Wiretapping Law.At the House of Councillors plenary session on12 August 1999, the Wiretapping Law was passedby a majority vote, including the Liberal DemocraticParty, the Liberal Party and the Komei Party, and wasenforced in August 2000. Since then, the number ofwiretapping investigations conducted is reported inparliament every year – it currently stands at aboutten a year.Although it is a legislator’s view that emails arealso included under the definition of “communication”in the Wiretapping Law, no interception ofemails has been reported in parliamentary reports.However, it is possible to presume that an emaildelivered to a mail server has ended its “communication”legally, even if the user has not read theemail. If so, emails may be confiscated withoutrestriction through simple search and seizure orinspection.Furthermore, it became possible to “seize”emails on a mail server from a remote personalcomputer or mobile phone after a Criminal ProcedureCode revision.The Legal System Investigation Commissionis considering a revision of the WiretappingLaw. A reform bill is likely to be submitted to an12 Ibid., p. 158-161.extraordinary session this autumn, or to an ordinarysession of parliament next year. The following is beingconsidered:• Expanding the ability of authorities to carry outwiretapping.• Abolishing the need for an employee of a communicationscompany to be present, enablingauthorities to intercept communications with acourt order using encryption technology and akey.• Allowing authorities to intercept conversationsthrough “bugging”. The ability to bug a room orother location is a serious concern because allthe conversations held in that location will bemonitored, and it will become legal to break intoa location such as a building and install the buggingdevices.ConclusionsWe need to recognise that democracy in Japan isunder critical pressure. The government and otherscreate public anxiety, either to do with potentialconflict with another country, or within the country,and surveillance is enhanced.Moreover, many in the mass media have notsufficiently served as a watchdog over authoritiesor responded to the people’s right to know withoutyielding to pressure from authorities.The internet, which we use every day, offers thepossibility of sharing vital information and promotinga free way of thinking. However, regrettably, theinternet itself also now serves as a tool for masssurveillance.In particular, there is a huge risk in “big data”.It will be possible to identify an individual if datawhich looks harmless is collected in large quantities.Furthermore, when targeted at a specificindividual, the possibility of this leading to a seriousinvasion of privacy is high.It is not necessarily the case that Japan will slipinto fascism again, but this could be the case, evenif democracy has been established. Germany gaveHitler the post of chancellor under the Weimar Constitution.Once we have decided that we will neverrepeat the past, it is very important for us to learnhow fascism rose before World War II.The Japanese constitution declares: “We, theJapanese people, desire peace for all time and aredeeply conscious of the high ideals controllinghuman relationships, and we have determined topreserve our security and existence, trusting in thejustice and faith of the peace-loving peoples of theworld.” Japan did not become involved in a war for69 years after World War II, thanks to this pacifism.148 / Global Information Society Watch japan / 149


Surveillance is engendered by distrust of others.If a fellow creature’s mutual distrust and feardevelop, war will break out. Human beings willnot be able to survive if they cannot build a societybased not on distrust and fear but on trust andcooperation.Action stepsThe following actions steps are suggested for Japan:• Push for transparency in government.• Establish a privacy commissioner system whichis fully independent from the government.• Advance democracy through the reform of themass media, promoting alternative media andeducating the public in media literacy.• Abolish laws that aim to surveil and controlpeople.• Promote and campaign for privacy incommunications.• Conceive of a society based on trust and cooperation,not distrust and fear.jordanConfiscating the carrier pigeon: Jordan’s response to online surveillanceAlarab AlyawmYahia Shukeiralarabalyawm.netIntroductionJordan is a small kingdom with around seven millionpeople located in the turbulent Middle East.This small country has two famous features: Petra,one of the new Seven Wonders of the World, andthe Dead Sea, which is the lowest sea on the planet(396 metres below sea level). Many historians believethat the Arabic calligraphy was shaped largelyin Petra.Jordan has a reputation for collecting informationon every Jordanian from the day of his or herbirth. The General Intelligence Department (GID)– known as the mukhabarat – is considered amegastore of information. Even before the so-called“defensive democratisation in Jordan” 1 started inthe early 1990s, there was a strong belief that the“walls had ears” and that the GID collected dailydata on Jordanian citizens, monitoring phone calls,emails, text messages and social media accounts. Itthen stores the information for years. Such surveillanceis aimed at preserving “national security” inthe broader sense of the phrase, or to trace particularcriminal suspects – but it is also often politicalin nature.While some governmental interference in communicationsmay be necessary for preventingterrorism, carte blanche power may lead to the violationof users’ privacy. It is believed that securityservices closely monitor online content in Jordan.In a 2010 case that strengthened these suspicions,Jordanian college student Imad al-Ash was sentencedto two years in prison after security forcesaccused him of insulting the king in an instant messageto a friend. 2Policy and political backgroundSeventy-three years ago, Jordan passed a bylaw oncarrier pigeons (No. 810 of 1941). Article 2 of the1 Robinson, G. E. (1998). Defensive democratization in Jordan.International Journal of Middle East Studies, 30(3), 387-410.journals.cambridge.org/action/displayAbstract?fromPage=online&aid=51957242 ar.ammannet.net/news/111695bylaw – which was no doubt related to the eruptionof World War II – established that, except for officialbodies, it was prohibited for anyone to own carrierpigeons. Those that did were asked to hand themover at the nearest army base within ten days of thebylaw being passed.The spirit of this bylaw is still behind many ofthe monitoring practices of the Jordanian government,whether the communication channel is oldmedia like print and audiovisual or new media.Like many countries in the region, Jordan washesitant about exactly how to meet the challenge ofnew technology and whether to respond in a reactiveor proactive way when it came to regulating theinternet. With the increasing demand for social media,Jordan has expanded control over the internet.Despite suspicions of active monitoring, access tointernet content in the kingdom remains largely unfettered,with filtering selectively applied to only asmall number of sites. However, this access is toleratedby the government, rather than guaranteed byrule of law. Jordan ranked 38th out of 99 countrieson the World Justice Project’s Rule of Law Index. 3Harassment, intimidation and attacksJordanian journalist Alaa’ Fazzaa’ was arrested on9 June 2011 by orders of the State Security Court(SSC), a special military court, over news he publishedon his electronic news site (www.allofjo.net) 4 sharing content from a Facebook page callingfor the reinstatement of Prince Hamzah as CrownPrince. Fazzaa’ was harassed and intimidated untilhe was obliged to flee to Sweden in February 2012,seeking political asylum. 5 News websites have alsobeen subjected to hacking attacks after postingcontroversial material. For instance, in February2011, Ammon News had its website hacked afterpublishing a call for reform by tribal leaders. Thehackers posted the following text on the website’sfront page: “This site was hacked because youwork against the security of Jordan.” 6 The Islamic3 World Justice Project. (2014). Rule of Law Index 2014.worldjusticeproject.org/sites/default/files/files/wjp_rule_of_law_index_2014_report.pdf4 khabarjo.net/jordan-news/10397.html5 US Department of State. (2012). 2011 Human Rights Reports:Jordan. www.state.gov/j/drl/rls/hrrpt/2011/nea/186431.htm6 www.ammonnews.net/article.aspx?articleNO=79822150 / Global Information Society Watch jordan / 151


Table 1.Freedom of expression indicators during the last five years2010 2011 2012 2013 2014RSF press freedom ranking 1(179 countries)120 128 128 134 141Freedom House media freedomranking 2 (197 countries)Freedom House internet freedomranking 3 (91 countries)140Not free1. en.rsf.org/press-freedom-index-2011-2012,1043.html2. www.freedomhouse.org/report-types/freedom-press#.UzWLSaK9aqg3. freedomhouse.org/report/freedom-net/2011/jordan#.UzW_BaK9aqgBrotherhood website (www.ikhwan-jor.com) hasalso been hacked several times. 7On 20 February 2012, in an incident reflecting anassault on free expression, an unknown assailantstabbed female blogger and university student InasMusallam in the stomach with a knife. The assaultoccurred shortly after she published a blog postcriticising Prince Hassan, a former crown prince anduncle to the King of Jordan, for derisive commentshe made about pro-reform protesters. Local andinternational human rights watchdogs condemnedthe attack. The Public Security Directorate (PSD)confirmed the attack, but alleged Musallam hadpsychological problems and conflicts with otherstudents, and insinuated that a small amount ofdrugs had been found in her possession. HumanRights Watch said in a statement that Jordanian authoritiesshould focus on “finding Inas Musallam’sattacker” 8 – but at the time of writing, Jordanian policehave not managed to bring the perpetrators tojustice.While websites usually receive “friendly calls”from officials or security persons requesting thatsome content be deleted, undesirable articles areforcibly deleted. It is also believed that some governmentalagencies hire internet commentators topost comments favourable towards the governmentin an attempt to influence public opinion, glorifyingthe Jordanian leadership, criticising the oppositionor attacking authors who criticise the government.Moreover, citizens have reportedly been questionedand arrested for web content they haveauthored. Physical harassment and cyber attacksagainst bloggers and staff of online news websites7 www.ammonnews.net/article.aspx?articleno=1313138 Human Rights Watch. (2012, February 26). Jordan: Advocateof a republic jailed. Human Rights Watch. www.hrw.org/news/2012/02/26/jordan-advocate-republic-jailed141Not free144Not free145Not free155Not freeN/A 42 45 46 N/Ahappen frequently. Such attacks have a chilling effecton internet users.Striking a balance with online freedomsAll the above-mentioned stories have negativelyaffected Jordan’s ranking in different freedom of expressionindices. Jordan’s scores in the last five yearsin reports published by Reporters Without Borders(RSF) and Freedom House are illustrated in Table 1.In October 2011, Jordan adopted amendmentsto its constitution to improve general freedoms inresponse to the Arab Spring demonstrations. Thenew amendments included the creation of a constitutionalcourt, and more guarantees of civil rightsand liberties. The amendments touched directly orindirectly on internet freedom. Specifically, termssuch as “mass media” and “other means of communication”,which likely encompass online media,were added to provisions that protect freedom ofexpression and concomitantly allow for its limitationduring states of emergency (Article 15).How to strike the balance between competingrights: the right to privacy and protecting others’rights and national security?The Jordanian Constitution provides such balancein the following articles:Article 7:1. Personal freedom shall be guaranteed.2. Every infringement on rights and public freedomsor the inviolability of the private life ofJordanians is a crime punishable by law.Article 18: All postal and telegraphic correspondence,telephonic communications, and theother communications means shall be regardedas secret and shall not be subject to censorship,viewing, suspension or confiscation except by ajudicial order in accordance with the provisionsof the law.Article 128: The laws issued in accordance withthis Constitution for the regulation of rights andfreedoms may not influence the essence of suchrights or affect their fundamentals.The above-mentioned articles meet the first threeprinciples of the International Principles on theApplication of Human Rights to CommunicationsSurveillance (IPAHRCS): legality, legitimacy andnecessity.Political news websites are flourishing in Jordanbecause the “old media” are considered less freein reporting corruption and wrongdoing by the government.However, the Press and Publications LawNo. 8 of 1998 was amended in September 2012, requiringnews websites to obtain licences in order tocontinue to operate in the country, which severelyrestricts free speech and expression online.Whenever there is government there are laws torestrict dissent; but the law does not give the governmenta trump card to curb freedom of expressionuntil it has proof of an overriding legitimate aim.The law requires all news websites to be legally registeredand the editors-in-chief of the sites must bemembers of the Jordan Press Association. The resultis a form of cloning old laws to control new media ora “recycling [of ] old laws”. 9Online editors and site owners are liable forcomments posted by other users on their platforms.Websites must keep a record of all comments forsix months after initial publication and refrainfrom publishing any “untruthful” or “irrelevant”comments.The amendments enable the director of thePress and Publications Department (PPD) toblock any website for failing to obtain a licence.Historically, the PPD constituted the principaltool used by successive Jordanian governmentsto control the old media and control the contentof new media as well. The PPD instructedinternet service providers to block over 200websites last year. The blocked websites weremostly critical of the government. Conversely,websites that are friendly to the government aretolerated.Many national and international organisations condemnedthe decision. 10 Under international best9 www.jordanzad.com/print.php?id=9331810 Jordan Open Source Association. (2013). The Jordan OpenSource Association deplores censorship of news websites.jordanopensource.org/article/jordan-open-source-organisationdeplores-censorship-news-websites;Greenslade, R. (2013,June 4). Jordan blocks 200 news websites. The Guardian. www.theguardian.com/media/greenslade/2013/jun/04/freedom-ofspeech-jordanpractices, states should refrain from adopting separaterules limiting internet content. 11In May 2011 the United Nations Special Rapporteuron the promotion and protection of theright to freedom of opinion and expression, FrankLa Rue, submitted a report to the UN Human RightsCouncil. 12 The Special Rapporteur considers cuttingoff users from internet access, regardless ofthe justification provided, including on the groundsof violating intellectual property rights law, to bedisproportionate and thus a violation of Article 19,paragraph 3, of the International Covenant on Civiland Political Rights (ICCPR). The ICCPR is an internationalbinding treaty for almost 167 state parties,including Jordan.Jafranews publisher Nidhal al-Faraneh and editorAmjad Muala were arrested for more than threemonths in 2013, accused of harming relations with aforeign country for publishing the link to a YouTubevideo which showed a man – purportedly a memberof the Qatari royal family – lounging, dancing andshowering with several women. 13Many Jordanians do not have home internet.They depend on internet cafés to communicate witheach other. The Jordanian government has passedregulations to monitor internet cafés. The RegulationsGoverning Internet Cafés 14 stipulate thatinternet café owners must be “Jordanians of goodrepute”, who have never been charged with immoralcrimes or fraud. Internet café owners are obligedto monitor users by CCTV, register the names andidentity numbers of users, allocate an IP address toeach computer, and keep a monthly record of thewebsites browsed by visitors.Article 29 g of Telecommunications Law No.13 of 1995 and its amendments states that the licenseeshave a “commitment to offer the necessaryfacilities to the competent parties to implement thejudicial and administrative orders related to tracingthe telecommunications specified in those orders.”Such regulations and practices clearly violateIPAHRCS, especially principle 13.11 Joint London Declaration, 2001, UN Special Rapporteur, OAS,OSCE. www.osce.org/fom/99558?download=true12 Report of the Special Rapporteur on the promotion and protectionof the right to freedom of opinion and expression, Frank La Rue,Human Rights Council, Seventeenth session Agenda item 3, UnitedNations General Assembly, 16 May 2011. www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf13 www.jfranews.net14 Published in Official Gazette No. 5034 on 1 June 2010. www.pm.gov.jo/arabic/index.php?page_type=gov_paper&part=3&id=5034152 / Global Information Society Watch jordan / 153


ConclusionsThe media are often described as the public “watchdog”or even as the “fourth estate”. The power ofthe media to influence public opinion makes theman attractive target for illegitimate control. Governmentsoften seek to transform the media fromwatchdog to lapdog. New media are part of the informationsociety and offer a huge opportunity toconsolidate democracy and to promote development.The government should not consider newmedia a challenge but rather an opportunity.Despite de jure and Jordanian constitutionalguarantees of freedom of expression and protectingcitizens’ privacy, several de facto laws remainon the books. It seems that what the constitutiongives with one hand, the government takes with theother, contrary to the positive obligations placed onthe state to guarantee freedom of opinion and ofthe media.Jordan reacted to the potential of new technology,especially seen during the Arab Spring, by usingtechnology to trace the online activities of citizensand control the flow of information. Collecting datais not limited to those suspected of criminal wrongdoing,but extends to all citizens.The government also uses laws to punishactivists when they criticise it or top officials.Physical harassment and cyber attacks againstbloggers and staff of online news websites hamperactivists from expressing their views freely.Excessive sanctions exert a chilling effect on freedomof expression, which violates the principle ofproportionality.Action stepsIn emerging democracies, introducing good lawsis the first step to promote independent, pluralisticand professional media as a fundamentalinfrastructure of good governance. It is time to takeinto consideration the following steps in Jordan:• Jordan should respect its international obligations,especially Article 19 of the ICCPR and itsinterpretation.• Government interference may be legitimate inexceptional cases if a “pressing social need”overrides others’ privacy to protect national securityor prevent a crime. The government has toprove the legality of interference before a designatedcourt to get permission to collect privateinformation.• Jordanian media laws need major surgery andcomprehensive review; criminal law rules affectingfreedom of expression, including lawsprotecting national security, should be clearlydefined.• The Regulations Governing Internet Cafés needto be abolished, as they broadly limit access toinformation without pressing social need.• The Cyber Crimes Law must be amended to meetinternational standards in striking a fair balancebetween respecting freedom of information andpenalties for abuse.• Jordan should withdraw the need to licensewebsites with the government, as it is unreasonableand restricts an individual’s access tothe internet.• Jordan should pass a data protection act to fillthe existing gap in protecting citizens’ privacy.kenyaIs surveillance a panacea to Kenya’s security threats?Kenya ICT Action Network (KICTANet)Victor Kapiyo and Grace Githaigawww.kictanet.or.keIntroductionKenya is located in East Africa and has an estimatedpopulation of over 43 million people. 1 The countryhas, according to recent estimates, 31.3 million mobilesubscribers and 19.1 million internet users. 2Despite the country’s relative peace, Kenya hassince 1975 fallen victim to a number of sporadic terroristattacks. And, since the 2011 Kenya DefenceForces (KDF) incursion in Somalia, 3 terrorist attacksin retaliation by groups such as Al Shabaab haveincreased, taking the form of grenade attacks orindiscriminate shooting, with the most recent incidentsbeing the Westgate Mall siege, 4 the Gikombagrenade attack, 5 and the Mpeketoni massacre. 6These incidents have raised public concern over Kenya’spreparedness to combat terrorism.In 2010, the country adopted a new constitution,which provides an expansive bill of rights, including,among others, privacy rights. However, the countrystill lacks dedicated privacy legislation following thestate’s repeated failure to adopt the Data ProtectionBill 2013. 7 In 2012, parliament passed the much-criticisedPrevention of Terrorism Act, 8 which providesthe legal framework for counter-terrorism activities.1 data.worldbank.org/country/kenya2 The Kenya National ICT Masterplan 2013-2017, p. 16. https://www.kenet.or.ke/sites/default/files/Final%20ICT%20Masterplan%20Apr%202014.pdf3 The Kenya Defence Forces incursion into Somalia sought to quellthe Al Qaeda-linked Al Shabaab militant group under Operation“Linda Nchi” (Protect Country).4 This occurred in September 2013, resulting in the death of 67people and the wounding of 175 people. Westgate Shopping Mallattack. en.wikipedia.org/wiki/Westgate_shopping_mall_attack5 May 2014, resulting in the death of 10 people and the wounding of70 people. Samwel, O. (2014, May 17). 10 killed and 71 injured inGikomba terror attack. The People. www.mediamaxnetwork.co.ke/thepeople/76951/ten-killed-71-injured-gikomba-terror-attack6 June 2014, resulting in the death of 60 people. Ongiri, I.,& Namunane, B. (2014, June 17). Uhuru blames massacreon tribalism, hate politics. Daily Nation. www.nation.co.ke/news/Uhuru-blames-massacre-on-tribalism--hatepolitics/-/1056/2352306/-/wyy1laz/-/index.html7 www.cickenya.org/index.php/component/k2/item/download/299_b3de9506b20338b03674eacd497a6f3a8 kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/PreventionofTerrorism_No30of2012_.docThis report seeks to assess the implications ofthe government’s response to terrorism through itsproposal to introduce and adopt surveillance technologyin major towns as a measure to avert futureterror attacks.Policy and political backgroundIn its manifesto, 9 the Jubilee Government, electedin March 2013, proposed the use of CCTV camerasin fighting crime and a “buy Kenyan” procurementpolicy as solutions to Kenya’s security problems.In this regard, in May 2014 it contracted SafaricomLimited 10 to build the Integrated Public Safety Communicationand Surveillance System (IPSCSS) tohelp security forces fight crime. 11Opinion is divided – including in discussionson KICTANet 12 – on the appropriate ICT solutionsto deal with the country’s rising security problems.Some support the introduction of a Command,Control, Communications, Computers, Intelligence,Surveillance and Reconnaissance (C4ISR)system, such as has been implemented in the USand Israel. 13However, some feel that technology alone is insufficientto counter terrorism. 14 They argue that thegovernment should sort out the basics and investin police reforms, attitude and behaviour change,police communication, police coordination andresponse to crime, anti-corruption measures, forensics,and effective prosecution of cases.The project proposed by the Jubilee Governmenthas been criticised as a continuation of thenow well-established government approach ofunsuccessfully throwing technology at problemswithout a corresponding re-organisation of bureau-9 Jubilee Coalition. (2013). Transforming Kenya: Securing Kenya’sProsperity, 2013-2017. issuu.com/jubileemanifesto/docs/jubilee_manifesto/310 The leading mobile telecommunication network operator in Kenya.www.safaricom.co.ke11 PSCU. (2014, May 14). Integrated communication, surveillancesystem to boost security. Capital FM.www.capitalfm.co.ke/business/2014/05/integratedcommunication-surveillance-system-to-boost-security12 Online discussion on Security Situation in Kenya. www.kictanet.or.ke/?p=2003013 Ibid., Gichuki John Chuksjonia via KICTANet.14 Ibid., John Walubengo via KICTANet.154 / Global Information Society Watch kenya / 155


cratic procedures. 15 Similar projects include the primaryschool laptop project, so-called “digital speedgovernors”, 16 cashless payment for public transport,speeding cameras, biometric voter registration,electronic voting, and the electronic transmission ofelection results.The proposed surveillance projectThe IPSCSS 17 will result in the installation of 1,800CCTV cameras with face and motor vehicle numberplate recognition capabilities in strategic locationsin Kenya’s two big cities of Mombasa and Nairobi;setting up a command and control centre wherefootage from the CCTV cameras and handhelddevices will be relayed in real time; a video conferencingsystem connecting 195 police stations;with high-speed internet; the development of a 4GLTE 18 network for the police with 80 base stations;supplying the police with 7,600 radio communicationdevices with SIM cards and photo and videocapability; and linking 600 police vehicles to thecommand and control centre.The goal of the project is to, among otherthings, enable security agents to communicate betterand boost their capacity to fight terrorism. 19 Thegovernment has also put in place a National CyberSecurity Strategy 20 to counter the ever-evolving cyberthreats.Safaricom Limited was single-sourced to developthe project, expected to cost 14.9 billion shillings(USD 169.6 million), 21 which will go up to 18.8 billionshillings (USD 214 million) after taxes. 22 Safaricomis expected to provide maintenance and support15 Walubengo, J. (2014, June 17). Without changes to policing,Safaricom’s cameras may struggle to deliver. Daily Nation. www.nation.co.ke/oped/blogs/dot9/walubengo/-/2274560/2351214/-/11w8ih4z/-/index.html16 Gerald Andae, G. (2014, January 1). Agency orders matatus toinstall new speed governors. Business Daily Africa. 1 January 2014,accessed 19 July 14, www.businessdailyafrica.com/Agency-ordersmatatus-to-install-new-speed-governors/-/539546/2131568/-/ccfie9/-/index.html17 The National Police Integrated Public Safety Communicationand Surveillance Project; see also: Wokabi, C. (2014, June 14).Safaricom to face MPs over Sh15bn security contract. Daily Nation.www.nation.co.ke/news/Safaricom-to-face-MPs-over-Sh15bnsecurity-contract/-/1056/2349044/-/mx7va5/-/index.html18 https://sites.google.com/site/lteencyclopedia/home19 Daily Nation. (2014, May 13). Why State House made a call toSafaricom chief over insecurity. Daily Nation. www.nation.co.ke/news/Why-State-House-made-a-call-to-Safaricom-chief-overinsecurity/-/1056/2313756/-/ybd3dt/-/index.html20 www.icta.go.ke/wp-content/uploads/2014/03/GOK-nationalcybersecurity-strategy.pdf21 Calculated at a rate of 87.94 Kenyan shillings (KES) per 1 USD.22 Ngirachu, J. (2014, July 1). Safaricom security tender tobe audited, says Rotich. Daily Nation. www.nation.co.ke/business/Safaricom-security-tender-to-be-audited-says-Henry-Rotich/-/996/2368428/-/wy2sp2/-/index.htmlover a five-year period at a cost of 440 million shillings(USD 5 million) annually. 23The project has caused a lot of controversy. Ithas emerged that it is similar to a previous controversialtender, which was cancelled, pitting Chinesefirms Huawei and ZTE against each other. Thesefirms are currently embroiled in litigation over theissue. 24 Further, the decision to single-source thetender and award it to the mobile provider Safaricomhas resulted in the suspension of the projectby the Kenyan National Assembly’s Committee onAdministration and National Security. This is dueto queries over the project cost, the choice of Safaricomas the supplier, its technical capacity, andits foreign ownership. Other queries relate to theopaqueness of the procurement and possible violationof procurement law, corruption allegations,and the secrecy, speed and purported urgency ofthe procurement. 25Implications of the proposed surveillanceprojectThis section focuses on the implications of the proposedsurveillance project, and, more particularly,the impact that the use of CCTV with facial recognitiontechnology has on privacy rights guaranteed inthe Constitution of Kenya.Facial recognition technology enables theidentification or authentication of individuals bycomparing their face against a database of knownfaces and searching for a match. 26 The process requiresa computer to find a face in the image, andthen create a numeric representation of the facebased on the relative position, size and shape offacial features. Thereafter, the numeric “map” ofthe face in the image is compared to a database ofimages of faces, such as a national identificationdatabase.23 Kiplangat, J. (2014, June 18). Safaricom to be paid Sh440m everyyear. Daily Nation. www.nation.co.ke/news/Safaricom-to-be-paid-Sh440m-every-year-/-/1056/2353672/-/b1ff14z/-/index.html24 Wokabi, C. (2014, May 13). Sh14bn Safaricom deal to boost war onterror. Daily Nation. www.nation.co.ke/news/Sh14bn-Safaricomdeal-to-boost-war-on-terror/-/1056/2313684/-/afydehz/-/index.html; see also: Teyie, A. (2014, July 5). Intrigues of lucrativegovernment tenders. Daily Nation. mobile.nation.co.ke/news/Intrigues-of-lucrative-government-tenders/-/1950946/2373320/-/format/xhtml/-/sgsya3/-/index.html25 Wafula, C. (2014, June 5). Safaricom security deal placed on hold.Daily Nation. www.nation.co.ke/news/politics/Safaricom-securitydeal-placed-on-hold-/-/1064/2338948/-/eqc0hoz/-/index.html;Ngirachu, J. (2014, June 4). Three MPs question Safaricom securitydeal. Daily Nation. www.nation.co.ke/news/politics/Three-MPsquestion-Safaricom-security-deal/-/1064/2336670/-/2t3x1vz/-/index.html26 Office of the Privacy Commissioner of Canada. (2013). AutomatedFacial Recognition in the Public and Private Sectors. www.priv.gc.ca/information/research-recherche/2013/fr_201303_e.aspThe use of such technologies is on the increase,and there is now widespread use and application inlaw enforcement, border control, the military, casinos,on mobile phones, and on social media sitessuch as Facebook. However, there are still concernsover the introduction of CCTV cameras with facialrecognition capacity in fighting crime in Kenya.Article 31 of the Constitution of Kenya providesfor the right to privacy, which includes the right fora person not to have their person, home or propertysearched; their possessions seized; information relatingto their family or private affairs unnecessarilyacquired or revealed; or the privacy of their communicationsinfringed on. Further, Article 24 providesfor the limitation by law of a right or fundamentalfreedom, but only to the extent that it is reasonableand justifiable in an open and democratic societybased on human dignity, equality and freedom, takinginto account all relevant factors. 27Section 35 of the Prevention of Terrorism Actlimits the constitutional right to privacy, but onlyfor purposes of investigating acts of terrorism; thedetection and prevention of a terrorist act; and ensuringthat the enjoyment of rights and fundamentalfreedoms by an individual does not prejudice therights and fundamental freedom of others.The proposed Data Protection Bill, 2013, doesnot recognise images or video recordings of an individualas personal data. However, the bill reinforcesthe right to privacy and provides best practices andprinciples in data protection compliance, and regulatesthe collection, retrieval, processing, storage,use and disclosure of personal data. In these circumstances,the introduction and use of facialrecognition technology in the absence of clear regulationmeans there is hardly any protection from theabuse of collected images.The government has maintained that thelegitimate aim of the project is to enable law enforcementto identify terrorists. However, this goalpresupposes the knowledge of the identity of theterrorists, which is debatable. As a result, the use ofthe technology opens the system up for abuse andapplication in a manner that is discriminatory. Evenbefore the introduction of CCTVs, Kenyan policeconducted raids targeting persons of either Somaliheritage, Muslim faith or both. The unregulated useof CCTV cameras will only catalyse such profiling.While the use of facial recognition technologyhas its benefits, its unregulated use may infringe27 The relevant factors include, among others: the nature of the right,purpose and extent of limitation; the existence of less restrictivemeans to achieve the purpose; and the need to ensure theenjoyment of rights does not prejudice the rights of others.upon human rights. It has been reported that thegovernment does not have a database of photosto use to compare their results with, as the currentphotos on IDs are unintelligible to computers. 28 Assuch, without such a database, it is not meaningfulto implement such a system, especially in light ofthe other security needs and priorities.The use of facial recognition technology will allowthe identification of any person by name and insecret from a photo taken on the street, from theinternet or other sources such as social media siteslike Facebook. In addition, it will allow the police tocapture images en masse, and maintain a photo andvideo database of the political and non-criminal activitiesof anyone. This poses threats to freedom ofexpression and association. Moreover, there is nolimitation on the scale of surveillance that the CCTVsystem will cover.The use of the technology also poses challengesto due process, as neither judicial authorisationnor the consent of the individual is required for thesurveillance, opening up the system to illegitimateaccess. This means that law enforcement, in the absenceof clear guidelines and safeguards, can abusethe system, and without any legitimate reason orcause, covertly use facial recognition on anyonewithout their permission, without any meaningfultransparency or accountability, and for unjustifiedpurposes for which the system was not originallyintended.Additionally, the technology will allow thestate to tap into the existing databases and usefacial recognition to identify people using theirnational identification records or the IndependentElectoral and Boundaries Commission biometricvoter register.It should be noted that there is no independentpublic oversight body to regulate how theinformation collected will be managed. While the IndependentPolicing Oversight Authority 29 has beenestablished, it has a limited mandate that focuseson investigation of complaints related to disciplinaryor criminal offences committed by members ofthe National Police Service, and can only make recommendationsbased on its findings. Further, whilethe Data Protection Bill proposes to confer to theCommission on Administrative Justice the mandateand responsibility to enforce its provisions, the billis yet to be passed and the Commission cannottherefore assume such functions.28 Odongo, W. (2014, June 8). Cameras will not save us. DailyNation. www.nation.co.ke/lifestyle/Cameras-will-not-saveus/-/1190/2341040/-/b7i9opz/-/index.html29 ipoa.go.ke/index.php/functions-of-authority156 / Global Information Society Watch kenya / 157


Lastly, the fact that Safaricom, which is Kenya’slargest telecommunications service provider, isbuilding the system raises doubt about the integrityof the system, the company’s independence,and the apparent conflict of interest. The companyhas over 20 million subscribers 30 whose personalinformation it keeps pursuant to laws requiring SIMcard registration. There are fears that its role in thedevelopment of the system may compromise its independence,including that of its network. There arealso worries that Safaricom will enable law enforcementto easily access its database of users to matchwith the facial recognition data. The company in recenttimes came under sharp criticism for disclosingpersonal information to third parties as part of itsbulk SMS services, despite clear provisions to thecontrary in its terms and conditions. 31ConclusionsIt is important to note that despite the presence ofconstitutional guarantees on the right to privacy, theabsence of a proper policy and legislative regimefor privacy protection means that the use of facialrecognition technology in surveillance will result inserious implications for privacy and personal safetyand lead to the violation of fundamental rights andfreedoms. Therefore, it is time for laws that limit theuse of facial recognition data collection.A report 32 by the US National Academy of Scienceshas concluded that biometric recognitiontechnologies are inherently probabilistic and fallible.In addition, according to the SurveillanceStudies Centre at Queen’s University in Ontario,Canada, urban surveillance systems have not beenproven to have any effect on deterring criminals. 33Whereas fears over insecurity have led todifferent sectors of society welcoming the introductionof the project, it must be stated that30 About Safaricom, Safaricom, www.safaricom.co.ke/about-us/about-safaricom31 Terms and Conditions, Safaricom. www.safaricom.co.ke/about-us/about-safaricom/terms-conditions32 National Research Council. (2010). Biometric Recognition:Challenges and Opportunities. Washington, DC: TheNational Academies Press. https://download.nap.edu/login.php?record_id=12720&page=%2Fdownload.php%3Frecord_id%3D12720; see also: National Academy of Sciences. (2010,September 24). Automated biometric recognition technologies‘inherently fallible,’ better science base needed. The NationalAcademies. www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=1272033 Kelly, H. (2013, April 26). After Boston: The pros and cons ofsurveillance cameras. CNN.com. edition.cnn.com/2013/04/26/tech/innovation/security-cameras-boston-bombingstechnology alone is insufficient to deal with crime.It can only be used to complement other initiativesby law enforcement to fight crime. Facial recognitiontechnologies are not always foolproof oraccurate. And as such, they ought to be designedand implemented with not only this in mind, butalso with consideration to the social, legal and culturalfactors that can affect the effectiveness andacceptance of the systems.Action stepsMoving forward, the following are recommended:• The Data Protection Bill 2013 should be amendedto take cognisance of facial recognitiontechnologies, and its adoption fast-tracked.• There is a need for clear regulations and safeguardson the collection, access, retrieval,processing, storage, use and disclosure ofpersonal data, including biometric information.This includes legislation that governsintermediaries.• The proposed surveillance project should notstart before the adoption of proper privacy safeguards,including the Data Protection Bill.• A comprehensive privacy impact assessmentshould be conducted before developing andpurchasing new technologies that will collectpersonal information including biometric data.• The CCTV cameras should be located only inpublic spaces.• Mechanisms should be put in place to regulateall state security, intelligence, policing, andother law enforcement agencies, to ensure theyobserve the rule of law and are transparent anddemocratically accountable.korea, republic ofCommunications surveillance in South KoreaJinbonetChang, Yeo-Kyunghttp://act.jinbo.net/drupal/englishIntroductionThe Korean Railway Worker’s Union (KRWU) wenton strike on 9 December 2013 opposing the privatisationof the railroad. The Korean government’sresponse was hard-line, and the police imposedwidespread surveillance on the striking workersand their families.Firstly, the police acquired all the mobile communicationrecords of union members and theirfamilies, including schoolchildren, and trackedthe real-time location of their mobile phones – themobile service providers had offered to providethis information at 10-minute intervals for severalmonths. The police also asked popular websites,such as game sites and internet shopping malls,to provide the real-time access IP addresses ofthe workers and their families. The mobile serviceproviders also handed over the identities of about300 to 400 people who talked on the phone withthe strikers to the police, who used this informationto interview the subscribers about details oftheir relationship with the strikers. Railway workersand human rights NGOs, including Jinbonet, filed apetition to the Constitutional Court against the realtimelocation tracking on May 2014.Policy and political backgroundThe NGOs argued that the lack of adequate legalrequirements for police to access communicationmetadata in an investigation is unconstitutional.The authorities conduct surveillance on workersexercising their right to strike as if they were criminals– they have been maintaining a DNA databaseof criminals, which includes striking workers, since2010. 1 Communications surveillance in particular,which has insufficient legal control given the rapiddevelopment of the internet and mobile technologies,has significantly extended the power of thepolice and the intelligence agency beyond the law.Communications surveillance in South Koreais regulated by the Protection of Communications1 act.jinbo.net/drupal/node/7631Secrets Act (PCSA). The previous military dictatorshipin South Korea had conducted communicationssurveillance for a long time without any legal regulation.The PCSA, passed in 1993 in the aftermathof a wiretapping controversy among presidentialcandidates, allows the intelligence agency andinvestigation agencies to intercept the content ofcommunications in real time with prior court approval.The content of communications such asstored email or SMS messages is provided to agencieswith a prior warrant for search and seizureunder the Criminal Procedure Act. However realtimewiretapping on foreign groups and nationalscan be conducted merely with the approval of thepresident. The intelligence agency and the investigationagencies can wiretap in real time by makinguse of intermediaries, including telecommunicationservice providers, or by using their own technologies.They can also wiretap without any permissionfor 36 hours if it is considered an emergency.Since 2002 the PCSA has begun to regulatecommunication metadata: the record of the dateand the time of communications, the IP address,the internet logs, the location of the base stationor the communication device, etc. Although courtpermission has been required to collect communicationmetadata since 2005, when it is “necessaryto conduct any investigation,” the permission isgiven without any specific restrictions. Accordingto the Telecommunications Business Act, personalinformation to identify the subscriber or user suchas name, residential registration number (which isthe national ID number in South Korea), address,etc. is separately provided to the agencies withoutany permission from external supervisory agenciessuch as the courts.Ex-post notification 2 has been implemented regardingundercover communications surveillance:users have been notified of wiretapping since 2001,of the handing over of communication metadata toagencies since 2005, and of the search and seizureof stored communications content since 2009. 3 Thepersonal information of the subscriber or the useris not included in this notification. The government2 Police notify persons of the fact that they became a target ofwiretapping within 30 days after the decision is made.3 However, in the last two cases the violator was not punished.158 / Global Information Society Watch korea, republic of / 159


Table 1.Base-station data provided to investigatorsBase-station dataAll communications metadataSecond half of 2009 15,440,864 15,778,8872010 38,706,986 39,391,2202011 36,800,375 37,304,8822012 24,831,080 25,402,6172013 15,245,487 16,114,668source: Government of the Republic of Korea (Korea Communications Commission, the Ministry of Future Creation and Science)Table 2.Requests for telecommunications interceptionYear Prosecution Police NISMilitary investigativeunit or othersTotalNIS requestsas % of total2010 4 227 8,391 48 8,670 96.8%2011 3 263 6,840 61 7,167 95.4%2012 0 139 5,928 20 6,087 97.4%2013 1 96 5,927 8 6,032 98.3%source: Government of the Republic of Koreathen releases statistics about the number of thesecases twice a year.Besides the above, telecommunications serviceproviders, including intermediaries, should keepcommunication metadata depending on the servicethey offer:• Twelve months for mobile service providers• Six months for landline service providers• Three months for internet service providers.Communications surveillance:Cases and civil society reactionAlthough the PCSA was an attempt to legallyregulate communications surveillance, the rapid developmentof the internet and mobile technologies,and the prompt adoption of them by the agencies,makes it overwhelming. A popular example isreal-time location tracking of telecommunicationdevices.Real-time location trackingWhen the PCSA created the framework for theregulation of communication metadata in 2002,it referred to historical communication records.Without any external request, telecommunicationsservice providers have kept the historical communicationmetadata related to billing, and theywere to some extent expected to and asked to bytheir customers. However, agencies then started torequire the “future” location information of theirtargets. The telecommunications service providersaccepted the request, not only because collectingreal-time location information and providing thiswas technically possible, but also because the relatedregulatory clause was not clearly defined onthat matter.For example, in the case of a mobile phone location,the telecommunications service providerinforms a police officer of the location of the basestation capturing the signal from the specifiedmobile phone by text message every 10 minutes. Inthe case of IP addresses, the internet service providerinforms the police officer when the specifiedID logs in. 4 Because telecommunications serviceproviders in South Korea confirm their subscribers’or users’ identities before activating mobile phoneor internet services including online games, thiskind of location information helps the agencies toaccurately track the subject.Real-time tracking was illustrated when awoman worker had been staging a sit-in protest atthe top of a 35-metre-high crane for more than 150days to oppose a huge lay-off of workers. “Buses ofhope” had been organised to support her struggle,carrying thousands of supporters to the place ofprotest. To arrest those who organised the buses,the police and the prosecutors traced the real-timelocation of the mobile phones of the activists andtheir families for months. Human rights NGOs challengedthis in the Constitutional Court in 2012, filinga second petition against tracing the mobile phonesand internet IDs of the leaders of the KRWU andtheir families in 2014. Both Constitutional Court reviewsare still underway.The use of data from base stationsAnother constitutional controversy surroundingcommunication metadata concerns the use of datafrom mobile base stations. The PCSA does not clearlydefine whether or not agencies should specify thetechnical scope of the request when they require atelecommunications service provider to hand overcommunication metadata. Consequentially, agenciesare offered mobile phone numbers captured bybase stations around the areas where assembliesand demonstrations take place to identify peoplewho participate in these protests. In the case of4 Some online game companies have subsidiaries to deal with theserequests as they receive too many from the police. newsmaker.khan.co.kr/khnm.html?mode=view&code=115&artid=201112061719361&pt=nvhighly populated areas, the agency could be providedwith over 10,000 mobile phone numbers fromjust one base station.In 2012, a phone number of a journalist who coveredan opposition party event was included in thebase-station data offered to investigators. Jinbonetand the victim submitted a constitutional petitionand the review is now underway.Table 1 shows statistics on the amount of basestationdata offered to investigators, compared toall the metadata handed over to authorities.Internet packet inspectionBecause the Korean intelligence agency, the NationalIntelligence Service (NIS), not only has the rightto collect secret information but also the power toinvestigate, it now conducts the largest number oftelecommunications interceptions among the agencies,according to official government statistics.The statistics are aggregated using the data fromtelecommunications service providers who have offereddata to the agencies. However, the statisticson interception conducted by the NIS using its ownequipment have never been open to public scrutinyand are cloaked in secrecy. 5Table 2 shows the overall statistics for telecommunicationsinterceptions in South Korea comparedto NIS requests.It was first known that the NIS had been monitoringthe internet network and intercepting contentby using deep packet inspection (DPI) in 2009.Monitoring the internet network in this way infringesbasic human rights such as the right to privacyand freedom of expression and communication, as5 In 2005, the fact that the intelligence agency had monitored CDMAmobile phones was revealed by the government. The agency hadofficially denied all queries from NGOs, media and the nationalassembly for a long time. The intelligence agency had developedtapping equipment that could be attached to the wirelines ofmobile communication service providers as well as the equipmentfor intercepting radio frequencies. See Jinbonet. (2009). MobileSurveillance and the Protection of Communications Secrets Act ofKorea. act.jinbo.net/drupal/node/6306it allows the agency to monitor not only emails butall other interests of an internet user, including relationshipsand the financial life of a subject. Humanrights NGOs, including Jinbonet, revealed the presenceof internet packet inspection by the NIS at amedia conference, held together with its victims.They also submitted a petition to the ConstitutionalCourt when the NIS again conducted internet packetinspection in 2011 while investigating a personsuspected of being in violation of the country’s nationalsecurity laws.The NIS insists that it is impossible to investigateforeign-based emails such as Gmail withoutpacket inspection, while it can investigate domesticinternet usage by approaching service providers.The constitutional review is now underway.Provision of personal informationIt is a massive infringement of human rights thatinternet service providers (ISPs) provide personalinformation of subscribers or users such as name,ID, resident registration number, address, etc. tothe agencies, without any restriction. This provisionhas faced severe criticisms, with allegations that itis abused by authorities who deliberately target internetusers who criticise the government. The factthat there have been 9,574,659 cases of personalinformation provided in 2013 means that the personalinformation of 26,232 people was providedevery day, and that the details of around 19% of thetotal national population have already been providedin South Korea. Table 3 shows statistics on theprovision of personal information.ConclusionsThe reason why stored communication metadata isoffered to law enforcement agencies is because thedata is needed as evidence in investigations, andthese requests by authorities are allowed. However,when a crime has not yet happened, the “reserved”location data of someone is not necessary160 / Global Information Society Watch korea, republic of / 161


Table 3.Provision of personal information by ISPsYear Prosecution Police NISMilitary investigativeunit or othersTotalKosovoKosovo’s experience with data retention:A case of adopting negative EU standards2010 1,323,176 5,419,365 76,018 326,233 7,144,7922011 1,295,968 3,958,055 102,979 491,989 5,848,9912012 2,241,812 5,115,131 110,923 411,722 7,879,5882013 2,858,991 6,230,617 113,305 371,746 9,574,659information which telecommunications service providershave to generate or keep in order to provideit to the authorities. The data is processed only tomake it convenient for the agencies to electronicallytrace their subjects in real time. This practicegoes against data protection norms which requirethat collecting and using any personal informationshould be the minimum necessary.The data protection norms, including the country’sData Protection Act, grant many exceptionsto the intelligence and investigation agencies.The data generated under these exceptions mightalso be used for the financial benefit of the serviceproviders. Considering that the purpose of theconstitution and international human rights law isto protect private life, personal information, andthe privacy and freedom of communication fromany governmental surveillance, the present legalsystem in South Korea, such as PCSA and the DataProtection Act, means that the government is infringingon these human rights.Action stepsThere is a serious communication surveillance crisis,not only in South Korea but throughout the wholeworld. As a UN resolution 6 pointed out in November2013, it is necessary to improve domestic laws related6 UN General Assembly Resolution A/C.3/68/L.45/Rev.1 on “Theright to privacy in the digital age”, 20 November 2013. www.un.org/ga/search/view_doc.asp?symbol=A/C.3/68/L.45/Rev.1source: Government of the Republic of Koreato the protection of privacy, communication privacyand personal information in the digital age. It is essentialto establish an independent body that supervisescommunications surveillance conducted by the intelligenceagency and the investigation agencies. Neitherthe Personal Information Protection Commission andthe National Assembly in South Korea have performedthis supervisory role well enough.Additionally, an international norm to regulatesecret surveillance by intelligence agencies is neededin each country. As Edward Snowden revealed,as long as intelligence agencies across the worldcollect information by cooperating with or competingwith each other, no citizen of any nation can beguaranteed privacy.To achieve this, lawmakers in South Korea haveto recognise the seriousness of communicationssurveillance and improve domestic laws. They alsoneed to cooperate internationally to build proper internationalnorms on the issue. Human rights NGOswill continue taking vigorous action to demand thatthese steps are implemented. 77 Joint Statement by NGOs in the Republic of Korea on IntelligenceAgencies’ Internet Surveillance, 21 August 2013. act.jinbo.net/drupal/node/7636FLOSSKArianit Dobroshiwww.flossk.orgIntroductionThe Kosovo government, through the Ministry ofEuropean Integration, was in the first part of 2014considering the third draft of a problematic dragnetelectronic interception and data retention law.The adoption of the law was thwarted in large partthanks to the reaction of civil society, a EuropeanUnion Court of Justice ruling that came just in time,and ultimately the disbanding of the Kosovo Parliamentfor early elections. It will come back.The process highlights a case of imposing dubiousstandards from the European Union (EU) ona country, which often results in weak democraciesand breaches of the rule of law.Attempts to pass the lawA draft law on electronic interception and data retentionwas previously considered in 2012-2013,with the latest attempt being in 2014. In 2013 thesecond attempt was turned down by the IntelligenceAgency Oversight and Security ParliamentaryCommittee.The bill returned with similar problems in 2014.This time it came alongside the dialogue on visaliberalisation which the EU has been having withKosovo for years with meagre success. 1Currently, electronic surveillance in Kosovo ispermitted through the Penal Code and the Code ofPenal Procedure, provided a warrant is secured, althoughsome have argued that more detailed rulesare lacking. Kosovo has enshrined privacy in itsquite modern constitution and has implemented a1 The requirement is framed in this way: “Ensure that futurelegislation on interception distinguishes clearly between judicialinterception and interception for intelligence services, in line withEuropean best practices, while the provisions on data retentionfor law enforcement purposes comply with the EU acquis on dataretention.” See the Report from the Commission to the EuropeanParliament and the Council on Progress by Kosovo in Fulfilling theRequirements of the Visa Liberalisation Roadmap, 8 February 2013.ec.europa.eu/dgs/home-affairs/e-library/documents/policies/international-affairs/general/docs/report_on_progress_on_kosovo_visa_liberalisation_en.pdfdata protection law and established a data protectionagency based on EU legislation. 2As reintroduced, the bill would have giventhe Kosovo Intelligence Agency the ability to tapinto communications networks for the purpose ofrecording internet and telephone metadata andcontent. A court warrant was not mandatory; instead,only lawful authorisation was mentioned.The Minister of European Integration stated thatthe draft law had been endorsed by the EU. Emailsto the EU Mission in Kosovo were not returned. Directive2006/24/EC 3 on data retention was alreadyconsidered highly problematic, even in the EU countries.Article 5 on the types of data to be retainedis exhaustive. They are, of course, metadata, butmetadata can reveal a lot. 4 The implementation ofthe Directive had been thrown out by high courts inGermany, the Czech Republic and Romania and wasbeing contested in Austria, Ireland and Slovenia.Sweden was threatened for years with heavy finesby the European Commission to implement it, aswas Romania. 5On 7 April, just a day before the Court of Justiceof the EU (CJEU) was due to hand down its verdict onthe matter of data retention, the Ministry sent a newdraft to a selected number of civil society organisations.This again was in violation of consultationprocedures mandated by law which stipulate publicationfor general public access. 6 This draft wasmuch more precise in language and with noticeableimprovements, limiting, for example, the number ofinstitutions that would have access to the data. Twopoints giving rise to concern, however, remained:2 Kosovo has transposed EU’s Directive 95/46/EC on Data Protectionvia Law No.03/L – 172 on the protection of personal data.3 Directive 2006/24/EC of the European Parliament and of theCouncil of 15 March 2006 on the retention of data generated orprocessed in connection with the provision of publicly availableelectronic communications services or of public communicationsnetworks and amending Directive 2002/58/EC.4 Leber, J. (2013, June 18). Mobile Call Logs Can Reveal a Lot tothe NSA. MIT Technology Review. www.technologyreview.com/news/516181/mobile-call-logs-can-reveal-a-lot-to-the-nsa5 EDRi. (2013, June 5). EC goes after governments for notimplementing data retention. EDRi. history.edri.org/edrigram/number11.11/ec-fines-sweden-data-retention6 Art. 32 of Regulation No. 09/2011 on Rules and Procedure of theGovernment of the Republic of Kosovo foresees the publication ofdraft normative acts for consultation.162 / Global Information Society Watchkosovo / 163


data retention and the ability of the Kosovo IntelligenceAgency to surveil without a warrant.On 8 April, the CJEU ruled Directive 2006/24/ECon data retention invalid. 7 The Directive was key tothe data retention portion of the Kosovan draft law.In its ruling, referring to the Directive, CJEUnotes that it covers “in a generalised manner, allpersons and all means of electronic communicationas well as all traffic data without any differentiation,limitation or exception being made in the lightof the objective of fighting against serious crime”(paragraph 57). Furthermore, “the access by thecompetent national authorities to the data retainedis not made dependent on a prior review carriedout by a court or by an independent administrativebody whose decision seeks to limit access to thedata and their use to what is strictly necessary forthe purpose of attaining the objective pursued andwhich intervenes following a reasoned request ofthose authorities submitted within the frameworkof procedures of prevention, detection or criminalprosecutions. Nor does it lay down a specific obligationon Member States designed to establish suchlimits” (paragraph 62).The Court cites the opinion of the AdvocateGeneral of the CJEU: “The fact that data are retainedand subsequently used without the subscriber orregistered user being informed is likely to generatein the minds of the persons concerned the feelingthat their private lives are the subject of constantsurveillance” (paragraph 37). Have in mind thatthe Court is only addressing metadata here, unlikeKosovo’s draft law. The Court deems that by adoptingthe Directive, “the EU legislature has exceededthe limits imposed by compliance with the principleof proportionality in the light of Articles 7, 8 and52(1) of the Charter [of Fundamental Rights of theEuropean Union]” (paragraph 69). It can be concludedfrom the above that in the CJEU’s view, generalsurveillance of citizens not suspected of committingserious crimes without the authorisation of a courtis neither necessary nor proportionate.On 29 April, the Kosovo government announcedthat it would be sending a revised Draft Law onInterception of Electronic Communication to parliament.8 The draft underwent some positive changes7 See Para. 71, Joined Cases C‐293/12 and C‐594/12, Requests fora preliminary ruling under Article 267 TFEU from the High Court(Ireland) and the Verfassungsgerichtshof (Austria).8 Versions of the draft law have been distributed only via emailto several non-governmental organisations and there was noofficial publication. The author’s copy is available here: https://www.dropbox.com/s/9rcswy6a8bsozkv/Draft%20law%20on%20interception%20as%20sent%20to%20parliament%20-%2029%20April.docin light of the CJEU decision, but still had noticeableproblems. Below are the significant issues.Interception interfaces: The first major problemis the separate interception interface it providesto the Kosovo Intelligence Agency (KIA). Whilethe draft requires court warrants also for the KIA,in practice the KIA would be assigned its own interface.The law calls for two types of electronicsolutions: monitoring facilities placed at the authorisedinstitutions that would get the feed that theyhave been authorised to receive upon showing thewarrant, and interception interfaces placed at communicationscompanies that do the actual feedingof the data. But the KIA also gets one of these interfacesat its own facility. This provides no meansof control against abuse and practically gives theAgency carte blanche to intercept.Data retention: This is the second major problem.Despite promises by the sponsoring MinisterVlora Çitaku 9 and the CJEU ruling annulling the EUDirective, data retention was still present in thedraft, albeit in a somewhat lighter version. Datato be retained for 12 months included a long list ofmetadata. 10 The minister has stated that the drafthas been approved by the European Commission,and EU Special Representative/Head of EU Office inKosovo, Samuel Žbogar, stated that the law, whilenot perfect, meets minimum standards. It was clearthat the European Commission was suggesting toKosovo what the interpretation of the CJEU rulingwas, although a public formal interpretation of theruling by the Commission was not available.Authorised institutions: The draft law did notlimit the “special laws” that could be used for issuingwarrants. This means that if passed in this form,attention would be required to make sure that otherinstitutions do not get access using other less onerouslaws through the back door.Purpose (Art. 1 and 12.7): The EU Directive wasspecifically directed at fighting serious crime, althoughwhen implemented it became subject tomuch abuse. In the draft the reference to the Directivewas expunged, but a limitation of the scope to“serious crime” was at this point introduced. Thiswas an advance.Notification: This draft referred to the CriminalCode and the KIA Law as two of the legal bases forgetting warrants. While the Criminal Code has theconcept of notification of citizens upon surveillancebuilt in, the KIA Law does not. Therefore nocitizen would be allowed to know that they had9 Vlora Citaku, https://twitter.com/vloracitaku/status/46109339501723648010 See note 8, Article 12.been surveilled by the KIA, since unless otherwiseexpressly allowed by another law, notification is prohibitedby this one. As ruled by the European Courtof Human Rights, 11 notification is a right, hence thedraft is in violation of the European Convention onHuman Rights, which Kosovo has unilaterally embraced– but its citizens still cannot seek redressfrom the European Court of Human Rights becauseKosovo is not formally a party to the Convention.Interception assistance (Art. 9): As the draft lawstates, “Based on a lawful inquiry, in full compliancewith the Criminal Procedure Code of Kosovo”it allows for the violation of citizens’ anonymity byrequesting the identity of a suspect in preparationfor a warrant. Indirectly, this article states that nowarrant would be required for this procedure. Furthermore,the notification principle is once againviolated in this article, as notification is expresslyprohibited.Records of interception (Art. 11 and 13): Theneed to keep records and provide data on the numberof interception requests was a positive changein this draft. Yet this point becomes somewhat mootwhen considering that the KIA would have its owninterface. In the reporting requirements, there areno criteria about the effectiveness and indispensabilityof data retained to combat crime, only on theeffectiveness of the ability to provide data, whichprivacy advocates in Europe have argued againstwith regard to the Data Retention Directive.Penalties (Art. 15): For non-compliance violations,a network operator or service provider couldbe fined at least EUR 86,000 and up to 7% of theannual income from their economic activity in electroniccommunications. There were no penaltiesforeseen for violations that harm the privacy ofcitizens, clearly erring in favour of sharing citizens’data with the authorities.Data transmission security standards (Art. 5.5):The draft law refers to the data security standardsused by the operator and says this will be dealt within secondary legislation.Looking at how well written the relevant partsof the Criminal Code 12 and the Criminal Procedure11 Boehm, F., & de Hert, P. (2012). Notification, an importantsafeguard against the improper use of surveillance – finallyrecognized in case law and EU law. European Journal of Law andTechnology, 3(3). jlt.org//article/view/155/26412 Republic of Kosovo. (2012). Criminal Code of the Republic OfKosovo No. 04/L-082. Official Gazette of the Republic of Kosovo,No. 19.Code 13 are, there could be only two reasons to pushthis new law: data retention and the extension ofthe KIA’s ability to tap.Kosovo contextThe power of the EU in Kosovo is immense; as aresult, the new attempt to pass this law was givento the Ministry of European Integration. There wasanother strong reason for having this ministry sponsorthe draft law: the government had twice beforefailed to take the draft law beyond the IntelligenceAgency Oversight and Security Parliamentary Committee.Bypassing the specialists at the publicsecurity and intelligence committee was apparentlypart of the agenda.Kosovo has good laws, but implementationis lacking. Since 2008 Kosovo has been unique inhaving a European Union Rule of Law Mission (EU-LEX) to address the shortcomings of public securityinstitutions and the legal system. It is for this veryreason that the various reports issued by the EuropeanCommission on Kosovo find faults whichhamper Kosovo’s progress towards visa liberalisationwith the Schengen area, as well as overallEuropean integration.Action stepsFor new surveillance powers to be granted, all thenecessary legal safeguards within a state wouldhave to function in order to control the additionalauthority being provided. This situation does notcurrently exist in Kosovo and any move in this directionshould be made with increased caution aboveand beyond that found in the EU member states.The EU also has a heightened responsibilityto monitor the surveillance practices of the stateswhere it has political influence to ensure that theydo not further undermine human rights, insteadof merely exporting its own standards as fit-forpurpose.In the case of Kosovo, the EU shouldnot only come out loud and clear against any sortof mass surveillance, but should also insist thatthe KIA abide by the same rules as other securityinstitutions.13 Republic of Kosovo. (2012). Code Nr. 04/L-123 of Penal Procedure.Official Gazette of the Republic of Kosovo, No. 37.164 / Global Information Society Watchkosovo / 165


LebanonSurveilling the banking sector in LebanonMireille RaadIntroductionMany argue that online privacy is a human right,while others insist that it is a negotiated contractbetween the state and its citizens – a contract inwhich citizens exchange some of their data in returnfor national security. So in theory – and in an ‘‘idealstate’’ – citizens could rely on the protection of theirhome governments to ensure their physical safetywhile also preserving their online privacy of communications,transactions, identities and speech.But to what extent can states really uphold thiscontract?In Lebanon, there is an odd “ideal law” onbanking secrecy dating back to 1956. This law didnot create secrecy as a privilege to be enjoyed bybanks, but as a duty that banks operating in thecountry must observe. Violation of banking secrecyis a criminal offence. However, in June 2012, KasperskyLab announced the discovery of “Gauss”, acomplex state-sponsored cyber-espionage toolkittargeting major banks in Lebanon and parts of theMiddle East. Gauss is designed to steal sensitivedata, with a specific focus on browser passwordsand online banking account credentials.This cyber violation violates the Lebanese bankingsecrecy law and is a direct attack on a nation’ssensitive financial transactions and a critical economicorgan: the banking sector is one of the fewstable sectors in Lebanon and, as many argue, oneof the sectors stabilising the economy. If the bankingsector collapsed, the country might fall intochaos, experts say. 1Due to the complexity and similarities betweenGauss and malware like Stuxnet, Flame, Duqu andothers, fingers pointed at the United States (US)and Israel, accusing them of being behind Gauss.1 Dockery, S. (2012, August 11). Virus plunges Lebanon intocyber war. The Daily Star. www.dailystar.com.lb/News/Local-News/2012/Aug-11/184234-virus-plunges-lebanon-into-cyber-war.ashx#ixzz33c7Yh200BackgroundLebanon is a very small country. [...] Not much you cando. It is up to major international bodies, like the UN[United Nations], Human Rights Commission or the EU[European Union] or the American people themselvesto ask for a change in this behavior. 2 –Lebanese TelecomMinister Nicolas Sehnaoui commenting on theEdward Snowden/National Security Agency (NSA)leaks in June 2013.This blunt quote illustrates the simple reality thatmany developing countries face in a digital agewhen large-scale mass surveillance and spying ondetailed data and sensitive transactions become anact of daily nation bullying. This problem is only accentuatedby a digital divide, where most servicesand servers reside in developed countries; not tomention that only rich countries can actually “afford”to own and operate systems that allow themto perform such acts of mass privacy violation fromthe comfort of their “homeland”.Sehnaoui’s quote comes as no surprise sinceLebanon, like much of the Middle East, has a difficultrecent history – it is a small diverse countryamid big regional powers. Frequent invasions ofthis country date back to the Assyrians, Persians,Greeks, Romans, Arabs, Fatimids, Crusaders, OttomanTurks and most recently the French and Israelis.Recently, Lebanon has also been a focal pointof larger geopolitical rivalries in the region betweenIran, Saudi Arabia, Syria, Palestine, the GulfStates and of course Israel and the US. So it standsto reason that there is a long history of strugglingagainst external spying on telecommunications andinternet servers, with more than a hundred peoplearrested for collaborating with and spying for foreignstates since April 2009. 3Tracking the malwareIn June 2012, Kaspersky Lab 4 announced the discoveryof a malware toolkit spreading in Lebanon and2 Al Saadi, Y. (2013, June 13). The NSA Global Surveillance andLebanon: ‘Not Much We Can Do’. Al-Akhbar. english.al-akhbar.com/node/161073 Ibid.4 Kaspersky Lab is a Russian multinational computer securitycompany and the world’s largest privately held vendor of softwaresecurity products. https://en.wikipedia.org/wiki/Kaspersky_Labparts of the Middle East. This discovery was madepossible only after knowledge gained by in-depthanalysis and research conducted on the Flame 5malware.The toolkit had different modules named afterfamous mathematicians and philosophers likeGodel, Lagrange and Gauss. The module named“Gauss” implements the data-stealing capabilities.The Kaspersky investigation estimated that Gaussbegan operations in mid-2011. Its infiltration intosystems is conducted in a controlled and targetedfashion, ensuring stealth and secrecy.The main functionality of the malware includes:• Intercepting browser history, cookies andpasswords.• Harvesting and sending detailed system configurationsof infected machines, includingspecifics of network interfaces, computer drivesand BIOS. 6• Infecting USB sticks (flashdrives) with adata-stealing module using the same LNK vulnerabilitythat was previously used in Stuxnetand Flame, but in a more “intelligent” way thatunder certain circumstances is capable of “disinfecting”the drive.• Listing the content of the system drives andfolders.• Stealing credentials for various banking systemsin the Middle East (Bank of Beirut, EBLF,BLOM Bank, Byblos Bank, Fransabank and CreditLibanais). It also targets users of Citibank andPayPal. The online banking Trojan functionalityfound in Gauss is a unique characteristic thatwas not found in any previously known cyberweapons.• Hijacking account information for social networks,email and instant messaging accounts.• Installing a font called “Palida” with an unknownobjective, but speculations suggest it isused to remotely detect infected machines.• Using advanced techniques for handling hightraffic load balancing, load distribution andfault tolerance known as Round-robin DNS 7 –which suggests that the makers of the malwarewere expecting high traffic volumes.5 Flame is arguably the most complex malware ever found, and isused for targeted cyber espionage in Middle Eastern countries.https://en.wikipedia.org/wiki/Flame_(malware)6 The fundamental purposes of the BIOS are to initialise and test thesystem hardware components and to load the operating system.https://en.wikipedia.org/wiki/BIOS7 https://en.wikipedia.org/wiki/Round-robin_DNS• An encrypted code with an unknown objective.• Communication with command and controlservers.The above technical specifications clearly connectGauss to Flame – Flame is connected to Stuxnet– which prompted Kaspersky Lab to call it a “nationstatesponsored cyber-espionage toolkit” 8 ratherthan a tool for criminal theft – something that givesGauss a geopolitical dimension.Once the news of the malware broke, the LebaneseCentral Bank 9 issued a note to all commercialbanks to take the necessary measures to protectcomputer systems. Some bankers confidently saidthat they are not concerned about any virus, insistingthat they had nothing to hide. “Let them [theAmericans] browse our accounts. They won’t findanything suspicious because all our clients arewell-known,” one banker told The Daily Star, 10 whileanother denied the existence of the virus altogether.The head of the IT department in the CentralBank of Lebanon said that the Lebanese banks hadupgraded their software security systems to blockany virus designed to spy on transactions and operations:“The anti-virus program blocks all knownviruses and this has been going on for a long time.But the Gauss virus did not have time to inflict harmon the systems,” he said. 11However, a group of independent security professionalswho claim having first-hand experiencedealing with the Gauss malware in Lebanese banksissued a statement 12 that was published on severalLebanese blogs. It stated that banks are still vulnerable,and raised the concern that by conveyingsimplistic views about Gauss, the banking sector isnot truly willing to fight back.ConclusionTechnology trumps all. In a borderless interconnectedcyberspace, states – even the most tech-savvy ones –are seldom able to uphold contracts they make withtheir citizens on digital rights, even if they want to.This claim is backed by stories from across the globe,8 Kaspersky Lab. (2012, August 9). Kaspersky Lab discovers ‘Gauss’– a new complex cyber threat designed to monitor online bankingaccounts. Kaspersky Lab. www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts9 https://en.wikipedia.org/wiki/Banque_du_Liban10 Habib, O. (2012, September 14). Lebanese banks develop antivirussystem. The Daily Star. www.dailystar.com.lb/Business/Lebanon/2012/Sep-14/187818-lebanese-banks-develop-anti-virussystem.ashx#axzz3AFd4RS4h11 Ibid.12 www.plus961.com/2012/10/no-our-banks-are-still-vulnerable-tocyber-attacks166 / Global Information Society Watch lebanon / 167


MexicoThe FinFisher caseScreenshot from BLOM Bank current online banking portal (https://eblom.blombank.com)stories that are similar to the Lebanese one. Many ofthese we have learned from the Snowden revelations.Those revelations changed the conversation onprivacy and surveillance from a government-citizendebate into an international debate between states.“Spying”, which traditionally was a “targeted” operationon specific political actors in foreign states,turned into mass surveillance and catch-all, detailedmonitoring and wiretapping of terabytes ofdata per second.This mass surveillance is enabled by technologyand can exist only because of it. Huge amounts ofdata on our social interactions and economic transactionssimply exist “online”. Technology, with itsalgorithms, cheap storage and processing cycles isable to store and “make sense” of data that is almosthumanly “un-crunchable”. This data needs tobe captured only once – it can be copied and cannever really be “returned”.However, technology comes with costs, rangingfrom research and development to the day-to-dayoperating costs of large systems. This only addsinsult to injury by increasing the digital divide betweenpoor and rich and enabling rich countries tohave the “advantage” of big data over many othernations.Privacy protection measures also come at a highcost for governments and the private sector. Theyalso come with a hit on user-friendly interfaces andinteractions. Security and usability have alwaysbeen at odds.The digital divide is already raising concerns andplays a major role in surveillance, since most of theservices and infrastructure like internet exchange datacentres are hosted in “rich” countries or owned bycompanies who follow the legal jurisdictions of thosecountries. This gives those countries easier access tolarge amounts of data being routed through their territoriesor legal reason to demand disclosure of datafrom companies who have to comply with their laws,not the laws its clients are subject to.The best option that countries have to upholdtheir contract with their citizens and protect privacyis to try to keep as much of the data as possiblewithin their own territories – for example, Germanyand France are leading efforts to secure EU traffic bykeeping it within borders. German Chancellor AngelaMerkel has called for creating a “European communicationsnetwork” – something that poses a newrisk of “fragmenting” the internet. In response tothat call, US President Barack Obama announcedthe extension of US citizen privacy protections to EUcitizens. 13This announcement shows how much powerdynamics and politics are at play in internationalsurveillance and how different people using the“open internet” – our biggest common shared resource– are not treated equally, while equality isparaded as an international human right that everyonemust uphold.Action stepsThere is no direct action point with immediate outcomethat can be taken to tackle extraterritorialsurveillance. But here are some of the ideas that canbe helpful:• The internet is a global, open and shared resourcethat everyone helped build and everybody uses.The benefits of accessing the internet have beendemonstrated in many studies. Data is what weshare on the internet – without data and metadata,the internet is an expensive set of cables.We should lobby to include privacy of data on theinternet as a global human right, and offer easyand solid safeguards for all countries to abide by,with clear punishments for those who refuse to.• Inform local policy makers of different researchbeing done, especially of the International Principleson the Application of Human Rights toCommunications Surveillance. 14• Localise and strengthen the ability of activiststo debate these issues in each country.• Have media discussions with the general public,especially inside the US or countries more likelyto conduct surveillance.• Increase awareness and the technical abilitiesto counter surveillance.13 MacAskill, E. (2014, June 25). US to extend privacy protection rightsto EU citizens. The Guardian. www.theguardian.com/world/2014/jun/25/us-privacy-protection-rights-europe14 https://en.necessaryandproportionate.org/textSonTusDatosCédric Laurant and Monserrat Laguna Osoriosontusdatos.orgIntroductionThe right to privacy is protected by the MexicanConstitution, which establishes that the privacyof one’s person, family, residence, documents orpossessions cannot be violated. In addition, theconstitution recognises the human rights establishedin it, and those included in internationaltreaties that Mexico has signed. However, it was notuntil 2007 that Mexico started to regulate the areaof data protection: the constitution was amendedin order to guarantee the right to data protectionand established that any interference in communicationsmust be approved by a judge. In July 2010,Congress enacted the Federal Law on Protection ofPersonal Data Held by Private Parties (LFPDPPP).The scope of this law only applies to individualsand companies, not government and other publicentities.Policy and political backgroundThe Federal Institute of Access to Information andData Protection (IFAI) is the autonomous institutionmandated to safeguard individual rights todata protection. In the beginning, IFAI only existedto guarantee the right of citizens to access governmentpublic information. However, since 2010 itsmandate has been extended in order to guaranteethe right to the protection of personal data.In March 2013, Privacy International’s report,The Right to Privacy in Mexico, Stakeholder ReportUniversal Periodic Review 17 th Session, 1 pointed toconcerns over surveillance practices. It highlightedthat between 2011 and 2012, the Department of Defencebought USD 350 million worth of surveillancesoftware to be used by the Mexican Army. Of concernhere is the lack of transparency on the purchase anduse of this software. Recent news also revealed that1 Privacy International. (2013). The Right to Privacy in Mexico,Stakeholder Report Universal Periodic Review 17 th Session.London: Privacy International. https://www.privacyinternational.org/sites/privacyinternational.org/files/file-downloads/mexico_stakeholder_report_-_privacy_international.pdffederal agencies had purchased software that mightplace individuals’ right to privacy at risk.Today there is doubt about whether Mexico hasadequate laws and institutions to deal with any violationof their citizens’ rights in terms of privacy anddata protection, considering that the responsibleparty might be its own government.FinFisher in MexicoIn March 2013, the Citizen Lab, 2 an interdisciplinaryresearch centre at the University of Toronto, publishedan investigation about a spyware programmecalled FinFisher, marketed by the company GammaInternational.FinFisher is malicious software that requiresthe user to download fake updates from apparentlyreliable sources such as Adobe Flash, iTunesand BlackBerry. Once it is installed on a computersystem, a third party can remotely control the user’scomputer and access it as soon as the deviceis connected to the internet. As soon as the devicebecomes infected by FinFisher, the hacker whoused it is able to see the user’s emails and socialmessaging conversations, take screenshots, obtainpasswords, and switch on microphones andcameras. FinFisher cannot be easily detected by anantivirus or antispyware.The Citizen Lab detected 25 countries with serversthat host the programme. 3 In Mexico, an infectedserver was detected at the provider UNINET S.A. deC.V, while another was detected at IUSACELL S.A. deC.V., but in Malaysia where the company has someof its servers. 4Previously, reports had revealed that activistsand members of political opposition aroundthe world had their phones and computers tappedbecause they had been infected by FinFisher. Forexample, in February 2013, the European Centre for2 The Citizen Lab’s areas of investigation include human rightsviolations in the digital environment, censorship and surveillance.https://citizenlab.org3 Marquis-Boire, M., Marczak, B., Guarnieri, C., & Scott-Railton,J. (2013). You Only Click Twice: FinFisher’s Global Proliferation.Canada: The Citizen Lab. https://citizenlab.org/wp-content/uploads/2013/07/15-2013-youonlyclicktwice.pdf4 Sánchez, J. (2013, July 17). Fijan plazo a UniNet y Iusacell parainformar sobre FinFisher. El Universal. eleconomista.com.mx/tecnociencia/2013/07/17/fijan-plazo-uninet-iusacell-informarsobre-finfisher168 / Global Information Society Watchmexico / 169


Constitutional and Human Rights (ECCHR), ReportersWithout Borders, Privacy International, BahrainWatch and the Bahrain Centre for Human Rights fileda complaint before the Organisation for EconomicCo-operation and Development (OECD) againstGamma International with respect to it exportingespionage technology to Bahrain. 5 The softwarehas been used to spy on activists in Bahrain. Whenasked about this, Gamma International declaredthat they only sell FinFisher to governments. However,they admitted to having found copies of theirproducts and stolen demos that have been used inrepressive regimes. 6On 20 June 2013, Mexican civil associations ContingenteMX,Propuesta Cívica and Al Consumidorfiled a complaint with the IFAI that resulted in theauthority investigating both IUSACELL and UNINETwith the aim of learning about the use of FinFisher ontheir servers, and to protect the personal data thatmight be at risk. Academics, journalists, activistsand members of civil society organisations joinedthe complaint. 7 A month later, Privacy Internationalsent a letter to the IFAI supporting the investigation.The letter makes it clear that “the presence of aFinFisher Command and Control server in a countrydoes not necessarily imply that this product is beingused by Mexican intelligence or law enforcementauthorities.” 8 The ECCHR also supported the complaintby asking the IFAI to investigate the case.At first, UNINET declared that they have noresponsibility concerning the allocation of IP addressesassigned to clients, while IUSACELL claimedFinFisher was not installed on their servers.On 3 July 2013, the Permanent Commission ofthe Mexican Congress exhorted the IFAI to begin theinvestigation, as requested by ContigenteMX, PropuestaCívica and Al Consumidor. 9 Seven days later,5 ECCHR, Reporters without Borders, Privacy International,Bahrain Watch, & Bahrain Center for Human Rights. (2013). OECDComplaint against Gamma International for possible Violationsof the OECD Guidelines for Multinational Enterprises. UnitedKingdom: Privacy International. https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/pressreleases/jr_bundle_part_2_of_2.pdf6 Vermer, A. (2013, July 22). Corruption scandal reveals use ofFinFisher by Mexican authorities. Privacy International. www.privacyinternational.org/blog/corruption-scandal-reveals-use-offinfisher-by-mexican-authorities7 Ricaurte, P. (2013, June 28). IFAI: inicie investigación sobreFinFisher en México. ContingenteMX. contingentemx.net/2013/07/03/ifai-inicie-investigacion-sobre-finfisher-en-mexico8 Ricaurte, P. (2013, July 3). Privacy International solicita alIFAI que inicie investigación sobre FinFisher. ContingenteMX.contingentemx.net/2013/07/03/privacy-international-solicita-alifai-que-inicie-investigacion-sobre-finfisher9 Deputies Chamber. (2013). Proposiciones con punto de acuerdopresentadas por diputado en la LXII Legislatura turnadas acomisión. sitl.diputados.gob.mx/LXII_leg/proposiciones_por_pernplxii.php?iddipt=421&pert=4 .Congress asked the Secretariat of the Interior for adetailed report on the state’s strategy for monitoringcyberspace and how it avoids infringing on userprivacy rights. 10 Congress also asked the Secretariatwhether they had acquired the FinFisher software,and asked the Office of the Mexican Attorney Generalwhether there had been any complaint about thewiretapping of individual communications. Neitherhas answered the questions.On 11 July 2013, human rights activists from thegroup Civil Disobedience reported that they hadfound trails of the FinFisher programme on theirmobile phones and computers and had receivedvarious, but undefined, threats. 11 The newspaperalso reported that the Office of the Mexican AttorneyGeneral had spent nearly MXN 109 million(approximately USD 8 million) for the FinFishersoftware and about MXN 93 million (around USD7 million) for a satellite tracking system calledHunter Punta Tracking/Locsys. Both purchaseswere made from the Mexican company Obses and,according to the newspaper Reforma, the contractwas overpriced.José Luis Ramírez Becerril, Obses’s representative,declared that the company had sold the sameespionage equipment to other Mexican governmentagencies. But if Gamma International onlysells to governments and does not have resellers,how could Obses make the deal? Due to the initiallegal procedure of verification that ContingenteMX,Propuesta Cívica and Al Consumidor filed againstIUSACELL and UNINET to learn about the operationof FinFisher, the IFAI also decided to investigateObses.In its verification of Obses, which started in May2013, the IFAI asked the company if it had sold theFinFisher software and had provided services to thegovernment. The information it gave was insufficientas it argued that the information was protectedby rules of confidentiality. The IFAI therefore imposeda fine of MXN 1,295,200 (approximately USD100,200) on the company for obstructing the IFAI’sinvestigation by not providing the full information itrequested. 12There are records that show that, in Augustand September 2013, two citizens made two requestsfor information from the Secretariat of theInterior through the internet system INFOMEX,which is designed precisely for citizens to ask for10 Ibid.11 Jiménez, B. (2013, July 11). Denuncian activistas cacería cibernética.Reforma. (Link only available for subscribers but available also atwww.criteriohidalgo.com/notas.asp?id=180404)12 IFAI. (2014). Verification Process exp. PS.0025/13. sontusdatos.org/biblioteca/decisiones-judiciales-y-administrativaspublic information about the government. The firstrequest asked for information about the use of theFinFisher software in government agencies. 13 Thesecond request asked which strategies amongthose that entail eavesdropping on cyberspace hadbeen implemented and, if this were the case, whatthe scope of the strategies were, including the protocolsand rules that were used to avoid violatingusers’ privacy. 14 The answer to both petitions wasthat the information requested did not exist andit was recommended that the specific agenciesinvolved (the Army and the Attorney General) beasked.On 4 September 2013, WikiLeaks revealed thatexecutives from Gamma International visited Mexicoin February and April 2013. 15 Carlos Gandini,high executive from that company, was in Mexicofrom 14 to 17 February, while Martin Muench, Fin-Fisher developer, was in the country around 23 to26 April. There is no information about what officesthey visited. In September 2013, the Citizen Labreported that the FinFisher command and controlcentres in the IP addresses that Citizen Lab hadpreviously detected were still active: FinFisher wasstill installed and operating on the Mexican serversthat Citizen Lab had reported on back in March2013. 16 Since September 2013, there has been nonew information about the presence of FinFisher onMexican servers. On 4 August 2014, a hacker withthe nickname of PhineasFisher announced that hehad hacked FinFisher 17 and posted on the internetvarious confidential documents. Among these werewhat seem to be authentic client records, manuals,brochures, price lists and source code. Accordingto a description of the leaked information, 18 it is interestingto note that, in the list of customers, theusername “Cobham” appears, probably referringto the Cobham Group, whose division “Cobham13 INFOMEX. (2013). No. application 0000400188713. The applicationonly can be seen as a result of a search in the Infomex system athttps://www.infomex.org.mx/gobiernofederal/moduloPublico/moduloPublico.action14 INFOMEX. (2013). No. application 0000400230813. The applicationonly can be seen as a result of a search in the Infomex system athttps://www.infomex.org.mx/gobiernofederal/moduloPublico/moduloPublico.action15 Ramírez, P., & Molina, T. (2013, September 4). Desarrollador deFinFisher y otros ejecutivos del espionaje cibernético, activos enMéxico, revela Wikileaks. La Jornada. wikileaks.jornada.com.mx/notas/desarrollador-de-finfisher-y-otros-ejecutivos-del-espionajecibernetico-activos-en-mexico-revela-wikileaks16 Molina, T. (2013, October 7). Sigue activo el programa de espionajecibernético FinFisher en México: Citizen Lab. La Jornada. wikileaks.jornada.com.mx/notas/sigue-activo-el-programa-de-espionajefinfisher-en-mexico-citizen-lab17 www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked18 pastebin.com/kZQ5J0jsDefence Electronics” builds products for defence,medical, industrial and commercial applications inMexico. 19Analysis of the situationMexico has one single federal law regulatingthe area of privacy and data protection, the LFP-DPPP. This law could be used against UNINET andIUSACELL because both are private parties thatmight be collecting and processing personal dataillegally. 20 UNINET and IUSACELL must adhere tothe principles of legality, consent, information,quality, purpose, fairness, proportionality and accountabilityunder the LFPDPPP. This implies thatboth companies should have implemented adequateoperational processes and informationsecurity measures in order to ensure the protectionof those principles. In any transfer of personal data,the data owner 21 needs to be notified beforehand,unless the transfer is necessary or legally requiredto safeguard the public interest, or when requiredfor a judicial proceeding.In this regard, the constitution guarantees theindividual’s right to privacy and data protection,subject to a few exceptions, such as in the case ofmilitary invasion, serious breach of the peace, orany other event which may place society in severedanger or conflict. According to the constitution,only the federal judicial authority can authorise telephonewiretapping and the interception of privatecommunications, at the request of the appropriatefederal authority or the State Public ProsecutionService.The IFAI’s investigation is still in progress and ithas not revealed any of its findings yet. The investigationaddresses several issues: the cases in whichFinFisher has been used, the purposes for which ithas been used, and whether there has been dueprocess. If FinFisher has been used by state entitiesto violate the communications of activists or thegeneral population’s human rights, with purposesdifferent from the ones established under law, andthe espionage has been carried out without any authorisationby the competent authorities, a seriousviolation of those constitutionally protected humanrights is at stake.In order to legally fight against this violation,one could initiate a judicial process called constitutionaladjudication (juicio de amparo). This19 www.cobham.com/about-cobham/defence-systems/about-us/defence-electronics/san-diego/services/cobham-defenceelectronics-mexico.aspx20 By “processing” we mean the retrieval, use, disclosure or storageof personal data by any means.21 The data owner is the individual to whom personal data relate.170 / Global Information Society Watchmexico / 171


process is mentioned in the constitution under asection entitled “Laws or acts issued by the authority,or omissions committed by the authority, whichinfringe the fundamental rights recognised and protectedby this Constitution”. 22 As the constitutionprotects the right to privacy, the legal basis uponwhich to file a constitutional adjudication wouldprecisely be the violation of this human right andthe absence of due process of law: the lack of awarrant by a judge authorising the interception ofcommunications. A constitutional adjudication canalso be founded on the rights protected under theinternational human rights treaties that Mexico hasratified. The jurisdiction that issues the decision ofthe constitutional adjudication is a federal court.Appeal of the ruling (recurso de revisión) is possiblebefore an appeals court. As a last resort, it isthe Supreme Court of Justice of the Nation (SCJN),Mexico’s highest federal court, that is competent tohear the case, but only on a discretionary basis andif the matter is significant (“asunto de importanciay transcendencia”). In case the complaint is granted,whether at a federal court or before the SCJN,the court would restore the right claimed by theplaintiff, but not issue any sanction to the agencyresponsible for violating the right.Another, completely different recourse wouldbe to reclaim the patrimonial accountability (responsabilidadpatrimonial) of the state. This is anadministrative procedure, not a judicial one, whichis designed for those individuals whose rightsand property have been infringed on as a resultof illegal or unconstitutional state administrativeactivity. 23 The judicial, legislative and executivebranches of the federation, constitutional autonomousagencies, units, entities of the Federal PublicAdministration, the Office of the Mexican AttorneyGeneral, federal courts, administrative and anyother public federal entity, are subject to this administrativeprocedure. A lawsuit of patrimonialaccountability is presented before the offendingagency and is aimed at determining if there was afault – in this case, the violation of a human right.It is possible to appeal the agency’s decision beforethe Federal Tax and Administrative Court. If the faultcan be demonstrated and expressed in monetaryterms, the plaintiff obtains relief through financialcompensation.22 Trife. (2013). Mexican Constitution. www.trife.gob.mx/sites/default/files/consultas/2012/04/cpeum_ingles_act_08_octubre_2013_pdf_19955.pdf23 Cámara de Diputados. (2014). Ley Federal de ResponsabilidadPatrimonial del Estado. www.diputados.gob.mx/LeyesBiblio/pdf/LFRPE.pdfThe IFAI is responsible for guaranteeing the dataowner’s right to the protection of his or her personaldata. In this case, however, its role is unclear. It caninvestigate, as it has already done, and issue fines.But there is no established procedure for a caseof government surveillance. Also, as the matter atstake is a violation of human rights, another institutioncould play a role: the National Human RightsCommission (CNDH). Nevertheless, that institutionmay only make recommendations that are not binding:it can determine whether there was a violationof human rights and who was responsible, but canonly issue recommendations to prevent it from happeningagain.ConclusionsMexico is facing a situation that is testing the strengthof its legal framework and the effectiveness of its administrativeand judicial institutions. The petition byContigenteMX, Propuesta Cívica and Al Consumidorcould prove to be a factor that triggers more complaintsaimed at ensuring transparency and respectof human rights by the Mexican government – in particularwith respect to the right to privacy.No matter whether, one day or another, someonewill demonstrate that the government used FinFisherand did it illegally, Mexico does have a legal frameworkin place that enables it to address the FinFishercase as a privacy violation and a breach of humanrights. However, the country does not have the legaland institutional framework that enables it to tacklegovernment surveillance cases effectively. Governmentespionage is a delicate issue because it is notalways clear whether government authorities are actingto protect national security interests and whetherthey are going beyond their obligations and startinfringing on citizens’ human rights. It is preciselybecause limits are not always clear and institutionsare fallible that there should be specific rules andprocedures to safeguard individual human rights, aswell as accountability and oversight rules that thegovernment must comply with.Action stepsThere should be a minimum number of principles,the goal of which should be to protect the right toprivacy and data protection, and to address governmentsurveillance. Analysing the FinFisher case inlight of existing legislation shows that the governmentis violating human rights, but is not revealingthat it is spying on individuals, nor its seriousness.The International Principles on the Application ofHuman Rights to Communications Surveillance(“the Principles”) are a good starting point toanalyse other aspects of similar cases. These principlesare the outcome of a global consultation withcivil society groups, industry and international expertsin communications surveillance law, policyand technology, and apply to surveillance conductedwithin a state or extraterritorially, regardless ofthe purpose of the surveillance. 24In order to guarantee privacy and data protection,ContingenteMX, Propuesta Cívica and Al Consumidorhave also proposed that competent authoritiesreconcile their legal framework with the Principles. 25However, the first seven of the 13 principles (legality,legitimate aim, necessity, adequacy, proportionality,competent judicial authority and due process) arein fact safeguards that can be found in the MexicanConstitution, which deals with human rights and thecases and circumstances in which the state is able tointerfere with them. Then, it would be more importantthat the government commit to comply with theother six principles (user notification, transparency,public oversight, integrity of communications andsystems, safeguards for international cooperation,safeguards against illegitimate access and right toeffective remedy) because they provide propositionsspecifically focused on wiretapping communicationsin the surveillance ambit.Aside from covering the legal aspect, it is alsonecessary to foresee the operative needs that thelaw requires to be enforced: there should be operativerules and procedures derived from the Principlesthat let the same principles work in practice. Then,once the government’s commitment is verified, thestate should determine the institutions and federalagencies that have to abide by those operativerules and procedures in order to protect individualsagainst surveillance. The compliance by the FederalInstitute of Telecommunications (Instituto Federalde Telecomunicaciones) with the above-mentionedoperative norms and procedures would, for instance,be necessary to guarantee the principles ofuser notification, but also the integrity of communicationsand systems. The Attorney General’s Office(Procuraduría General de la República), on theother hand, would help implement the principlesof legality, legitimate aim, necessity, adequacy, proportionality,competent judicial authority and dueprocess. In fact, since all the principles are relatedto each other, every institution and federal agencythat would commit to the objective of protecting24 https://en.necessaryandproportionate.org/text25 Robles, J. (2013, October 7). Comunicado de prensa sobre losavances en las investigaciones sobre #Finfisher en Mexico.ContingenteMX. contingentemx.net/2013/10/07/comunicado-deprensa-sobre-los-avances-en-las-investigaciones-sobre-finfisheren-mexicoindividuals against surveillance would contribute tocompliance with each of the 13 principles to variousdegrees. The state should also decide which specialisedinstitution could guarantee the compliancewith the applicable operative rules and procedures.In this sense, the IFAI is a good starting point becauseit is an autonomous institution that has ahigh level of public confidence. In this way, the principlesof transparency and public oversight wouldbe reinforced at the same time.It is important to underline that the Principleswould be worthless without an engaged societythat demands respect of its rights. We recommendthat from the Principles, we use the ones that canbe promoted and exercised by Mexican civil societyand non-profit organisations. As an example, theprinciple of legality suggests that, due to the rateof technological changes, limits to the right to privacyshould be subject to periodic review by meansof a participatory legislative or regulatory process.We recommend giving a role to civil society in thesereviews. Regarding the principle of user notification,which establishes that individuals should benotified of communications surveillance, and theprinciple of transparency, which establishes thatstates should be transparent about communicationssurveillance, both of them can be achieved ifcivil society is vigilant and continuously informedabout what the government is doing.As a result, the action steps we recommend arethe following:• Establish a clear legal framework for using espionagesoftware and other similar tools. Thereshould be specific rules for when the governmentwishes to use software like FinFisher. Therules would indicate the cases in which it is allowedand how the privacy of all the individualswho are not being investigated is safeguarded.• Ratify the United Nations Guidelines for the Regulationof Computerized Personal Data because,by doing so, individuals would be assured of obtaininga basic threshold of protection for theirprivacy and personal data. Mexico would alsoshow its commitment towards better protectingindividuals’ communications and internetprivacy.• Encourage Congress to discuss the topic ofgovernment surveillance, as well as protect theprivacy of communications.• Organise campaigns to make civil societyaware of the importance of privacy and howsurveillance puts freedom of expression and associationat risk.172 / Global Information Society Watchmexico / 173


NEPALSomebody’s watching me?Development Knowledge Management and InnovationServices Pvt. Ltd.Kishor Pradhanwww.dekmis.comIntroductionLocated in South Asia, Nepal is a relative latecomeras a republic in democratic circles. After more thana decade of insurgency, the interim constitutionpromulgated in 2007, which is still in force, pavedthe way for the first constituent assembly election(CAE) in 2008. The constituent assembly formedfrom this abolished the more than century-old monarchy.Nepal has been in the process of writing anew constitution since 2008. After the second CAEin 2013 and the formation of the second assembly,it is hoped that in a year or two the people of Nepalwill finally have the pleasure of a new constitutionand a stabilisation of the envisioned federal republicof Nepal.According to the latest Nepal TelecommunicationAuthority (NTA) Management InformationSystem Report published in February 2014, Nepal,with its population of 26,494,504, 1 has an 84.77%telephone penetration rate. The data shows there isa 74.97% mobile penetration rate among telephoneusers. At the moment, Nepal has an internet penetrationrate of 28.63%, with 7,585,761 users. 2The OpenNet Initiative (ONI) reported that Nepalhad little or no internet censorship in 2007. ONIconducted testing from October 2006 through January2007 on six Nepali ISPs, 3 and the tests revealedno evidence of filtering. 4However, four years ago, September 2010 wasa dark period for netizens 5 in Nepal who until thenhad enjoyed a free internet to its fullest extent. Theauthorities, out of the blue and citing the reasonsthat there had been an increase in crime and anti-1 www.cbs.gov.np2 www.nta.gov.np/en/mis-reports-en3 According to the Internet Service Provider Association of Nepalthere are currently 43 internet service providers and nine VSATnetwork service providers in Nepal. www.ispan.net.np/registeredisp-list4 https://opennet.net/research/profiles/nepal5 The term netizen is a portmanteau of the English words internetand citizen. It is defined as an entity or person actively involved inonline communities and a user of the internet, especially an avidone. en.wikipedia.org/wiki/Netizensocial activities using the internet, formed a specialcentral investigation bureau that started clampingdown on internet service providers (ISPs) to trackthe misuse of the internet by their subscribers. 6In 2011 the ISPs were told by the authorities tomonitor their subscribers’ activities and those whofailed to do so were jailed. Since then the governmenthas been monitoring the browsing details ofhigh-bandwidth subscribers. The NTA has directedISPs to provide information on all subscribers whouse a bandwidth of 1 Mbps or more. 7 The Nepalpolice work closely with NTA technicians now in ajoint task force to scan web details of users so thatthey can identify voice over internet protocol (VoIP) 8racketeers.The NTA further made it mandatory for ISPs toinstall filtering software to block websites that are“obscene, seductive and corrupt social morals”.Any content that threatens “religious harmony, nationalsecurity, and goes against values and beliefsof the state” was deemed objectionable enoughto be blocked. 9 Under pressure, the ISPs havebeen providing the police with Multi Router TrafficGrapher (MRTG) 10 data of subscribers for networktraffic monitoring since 2011.Of late Nepali netizens cannot help feeling that“somebody’s watching me” 11 while using the internetor communicating by some other technologicalmeans.Policy perspectivesIn order to assess the policy perspectives regardingprivacy rights and mass communications6 Pradhan, K. (2010, September 20). Can internet be muzzled inNepal? Nepalnews.com. www.nepalnews.com/index.php/guestcolumn/9294-can-internet-be-muzzled-in-nepal7 Mahato, R. (2011, July 22). Surfing under surveillance. NepaliTimes. nepalitimes.com/news.php?id=183958 VoIP is illegal in Nepal, although netizens use Viber, Skype, Tangoand other internet-based voice communication services.9 Mahato, R. (2011, July 22). Op. cit.10 The Multi Router Traffic Grapher (MRTG) is a tool to monitorthe traffic load on network links. MRTG generates HTML pagescontaining PNG images that provide a live visual representation ofthis traffic. oss.oetiker.ch/mrtg/doc/mrtg.en.html11 Somebody’s Watching Me was the title of a song by R&B artistRockwell, released on the Motown label in 1984. The song’s lyricsrelate the narrator’s paranoid fear of being followed and watched.en.wikipedia.org/wiki/Somebody’s_Watching_Mesurveillance in Nepal, primarily three legal or policyprovisions need to be considered.In Article 22 of the Constitution of the Kingdomof Nepal 1990, the right to privacy was addressed asa fundamental right for the first time. The right toinformation was also included in the constitution.Later, the right to privacy was retained in the 2007interim constitution, which remains in force today.Article 28 of the interim constitution states: “Exceptin circumstances as provided by law, the privacy ofthe person, residence, property, document, statistics,correspondence, and character of anyone isinviolable.” However, there is no government authorityto receive complaints regarding violationsof privacy rights, although people may submit applicationsand reports concerning violations of theirprivacy rights to the National Human Rights Commission(NHRC). It is also possible to file a case inthe Nepalese courts regarding violation of the rightto privacy. 12In Chapter 2 of The Right to Information Act of2007 (RTI Act 2007), entitled “Right to Informationand Provisions Regarding the Flow of Information”,Article 3 deals with the right to informationand states: “Every citizen shall, subject to this Acthave the right to information and every citizen shallhave access to the information held in the publicBodies.” 13 The right to information is however stipulatedby defining the parameters of the informationthat can be accessed; notwithstanding anythingprovided for in Sections (1) and (2) of the RTI Act2007, the information held by a public body on certainsubject matters cannot be disseminated. 14The Nepal Electronic Transaction Act of 2008 15serves as the cyber law in Nepal. In general it establisheslegal provisions on the “dos and don’ts”for using ICTs such as computers and the internet,and on the nature of content circulated online. Itprovides for the official and legal application ofelectronic transactions such as digital signatureand certification, but is silent about how privacy12 Privacy International. (2012). Nepal. https://www.privacyinternational.org/reports/nepal13 www.moic.gov.np/acts-regulations/right-to-information-act.pdf14 As per the RTI Act 2007, the subject matters on which informationcannot be disseminated by a public body include informationwhich seriously jeopardises the sovereignty, integrity, nationalsecurity, public peace, stability and international relations ofNepal; which directly affects the investigation, inquiry andprosecution of a crime; which seriously affects the protectionof economic, trade or monetary interest or intellectual propertyor banking or trade privacy; which directly jeopardises theharmonious relationship among various castes or communities;and which interferes with the individual privacy and security ofbody, life, property or health of a person.15 www.tepc.gov.np/uploads/files/12the-electronic-transactionact55.pdfwill be protected. Nevertheless, the cyber law hascritically empowered the authorities more when itcomes to protecting the privacy rights of people.Somebody’s watching me?When the authorities clamped down on ISPs in2010, they said that VoIP is illegal in Nepal but thatmany of the public communications service providerswere and still are rampantly using the internetto provide relatively low-cost calls. The authoritiesargued that, due to the illegal use of the internet foronline calls which bypassed the NTA, it was losingbillions of rupees every year. 16 Who was responsiblefor this was not clear, however, as the ISPs counteredthat they provide the internet bandwidth totheir subscribers – who could be public communicationsservice providers – but they cannot reallymonitor or regulate what the internet bandwidthgets used for.Further, the authorities claimed that the internetwas used for criminal activities, as no record canbe traced of internet calls. At the same time therewere increasing cases of “objectionable” contentbeing posted on websites from Nepal.Rubeena Mahato, reporting on the tougher controlsimposed by the NTA in 2010, emphasised that“MRTG data only allows monitoring the browsingpatterns of users, but could be a stepping stonefor the government to introduce censorship andintrude on private correspondence in the future.” 17Measures taken by the authorities in Nepal forspecific communications surveillance of criminaland objectionable activities are reasonable. Butthe monitoring of MRTG data entails mass communicationssurveillance. Mass communicationssurveillance entails surveillance of personal dataand metadata, or what the International Principleson the Application of Human Rights to CommunicationsSurveillance (IPAHRCS) – adopted througha global consultation with civil society groups,industry and international experts in communicationssurveillance law, policy and regulation in July2013 – defines as “protected information”. Informationthat includes, reflects, arises from or is abouta person’s communications and that is not readilyavailable and easily accessible to the general publicshould be considered to be “protected information”,and should accordingly be given the highestprotection in law. 1816 In July 2014, the exchange rate was approx. 96 Nepali rupees per 1USD.17 Mahato, R. (2011, July 22). Op. cit.18 https://en.necessaryandproportionate.org/text174 / Global Information Society Watch nepal / 175


Communications surveillance and violation ofprivacy rights are said to be increasing in Nepal.This perspective is corroborated by a recent incidenton 18 April 2014, when Vinaya Kasaju, formerchief commissioner of the National InformationCommission (NIC), updated his Facebook status:Dear FB friends, I cannot write this message inNepali, because police personnel from AparadhAnusandhan Mahasakha, 19 Hanumandhoka,have taken away my desktop computer. Theycame at about 3:30 p.m. They showed me theiridentity card. I asked for letter. They said wehave come with an order of boss. If you don’tcome with us, we must force you. I followedthem to their van. On half way they talked withtheir chief and stopped the van. Waited forabout half an hour in front of Radiant Academy,Sanepa, then they brought me back home. Theyalso got a written receipt from us that Ganga,my wife, received. They took our photos. Gangatook photos of them and of their receipt. Theymentioned that they have taken my computer.But we do not have hard copy of receipt, onlyphoto which I’m trying to put here. Don’t I haveright to know why I was arrested, even for anhour? I am deprived of my communication tool.Who will save our RTI?The next day Vinaya posted the following:In all this Vinaya concludes that the cyber crimeauthorities in Nepal took action against him wrongly,which was the result of the lack of capacity of theauthorities in tracking or locating the actual culprit.He concluded, “The capacity of the authorities todeal with and investigate cyber crimes is lackingin Nepal. Their capacity needs to be built to handlecyber crime issues, so that the real criminals arecaught and innocent people are left alone.” 21The ordeal Vinaya went through was a gross violationof his privacy rights. The authorities, withoutany warrant and on the basis of an informal complaintto a senior police authority by a powerfulmedia mogul, violated his privacy rights.It is not that the authorities or any other citizenin Nepal do not have rights to information. Asestablished by the Right to Information Act, an institutionor an individual is entitled to have accessor the right to information, but by following a properprocedure. The NIC, formed under the Act, managesright-to-information cases. After receiving a requestfor information and verifying the authenticity, theNIC decides on the ensuing action. And this is applicableto government authorities, such as policedepartments, too.The issue is the juxtaposition and limitation ofthe right to privacy, right to information and communicationssurveillance. As the legality principleof the IPAHRCS states:make them not feel that “somebody’s watching me”when communicating privately, socially, professionallyor officially.Conclusions and action stepsThe conclusions that can be drawn from the Nepalexperience so far are two-fold. On the one hand itcan be asked, how is the right to privacy going tobe protected by the authorities in a changed communicationlandscape? On the other hand, giventhe imperative of communications surveillance fornational security and crime control, how is it not goingto be intrusive?These juxtaposed perspectives urgently call forthe authorities to revisit the issues of the right toprivacy and the imperative of communications surveillanceand find a balanced middle path that canuphold both. In this context, the following actionsteps can be suggested.• The authorities need to revisit the policies orlaws related to the right to privacy and reformulatethem in the changed context of the wayspeople communicate or access information orprocess and maintain personal data.• Regarding the laws or policies for communicationssurveillance, the authorities shouldformulate regulations which distinctly addressthe issues of internet censorship and communicationssurveillance.• Communications surveillance, whether masscommunications surveillance or specific communicationssurveillance, needs to be distinguishedby law or policy and regulated accordingly, followinga standard legal procedure.• Civil society, especially rights-based organisations,should be more engaged in Nepalon lobbying the authorities to recognise andprotect the right to privacy and the right to communication,without being under surveillance.• International rights organisations and donorsworking on the right to privacy related tocommunications surveillance should providetechnical assistance to the government andcivil society (including the media) in developingcountries like Nepal, in order to build their capacityfor addressing and managing the issuesof privacy and communications surveillance inline with international principles or conventions.Hegemony of some big media house is increasingin our country too. Dil Sobha was reportedas criminal running sex trade. Yesterday one bigmedia covered Kanak Dixit as if he has done abig scandal. They don’t wait for investigationreport or court decision. I came to know unofficially,that a big media boss complained againstmy website www.cmr.org.np charging that heis losing the money from Google Ads. What ashame. There is no ad in my website. It is notdifficult to find where Google Ads money is going.Has the media boss ever paid tax of thatincome to the government? I want my computerback as soon as possible safely, without lossor manipulation or theft of any data/file. Asthe former chief information commissioner, asa media consultant and as an author there arefiles of national importance and my resourcesfor study and writing. There are many such filesabout which I can tell only to concerned authority.I hope and request to return my computersafely. 20Any limitation to the right to privacy must beprescribed by law. The State must not adopt orimplement a measure that interferes with theright to privacy in the absence of an existingpublicly available legislative act, which meansa standard of clarity and precision that is sufficientto ensure that individuals have advancenotice of and can foresee its application. Giventhe rate of technology changes, laws that limitthe right of privacy should be subject to periodicreview by means of a participatory legislative orregulatory process. 22Given the rapid changes in the communicationslandscape, it is about time that the authorities inNepal revisit the current right-to-privacy legal provisions,those that deal with the right to information,as well as mass communications surveillance policiesand practices. The authorities should be ableto reassure citizens and netizens alike that their privacyis not intruded on when communicating, and19 In English, Crime Investigation Department.20 https://www.facebook.com/vinaya.kasajoo?fref=ts21 Personal conversation with Vinaya Kasaju.22 International Principles on the Application of HumanRights to Communications Surveillance. https://en.necessaryandproportionate.org/text176 / Global Information Society Watch nepal / 177


New ZealandEyes on New ZealandAssociation for Progressive Communications (APC)and Tech LibertyJoy Liddicoat and Tech Liberty 1www.apc.org, www.techliberty.org.nzIntroduction 1New Zealand is a small country, with a populationof less than five million, situated in the far reachesof the southern hemisphere. But its physicalremoteness belies a critical role in the powerfulinternational intelligence alliance known as the“Five Eyes”, 2 which has been at the heart of globalcontroversy about mass surveillance. This reportoutlines the remarkable story of how an internationalpolice raid for alleged copyright infringementactivities ultimately became a story of illegal spyingon New Zealanders, and political deals on revisedsurveillance laws, while precipitating proposals fora Digital Rights and Freedoms Bill and resulting inthe creation of a new political party. We outline howcivil society has tried to respond, and suggest actionpoints for the future, bearing in mind that thisincredible story is not yet over.Background: New Zealand’s rolein the Five EyesThe impact of the revelations of mass surveillanceand New Zealand’s role must be seen against thebackdrop of the country’s role in the Five Eyes alliance.Nicky Hager, New Zealand’s most prominentinvestigative journalist, says “for the most part[New Zealand’s role in the Five Eyes] was an accidentof history.” 3 Arising from intelligence-sharingagreements among five countries during and afterWorld War II, the main agency responsible for itsday-to-day operations in New Zealand is the1 TechLiberty is a New Zealand group advocating for civil libertiesonline: www.techliberty.org.nz2 The “Five Eyes” countries are New Zealand, Australia, Canada, theUnited Kingdom and the United States of America. The allianceoperates an integrated global surveillance arrangement thatcovers the majority of the worlds’ communications. For an overviewof legal arrangements see: APC et al. (2014). Joint Submission inConnection with General Assembly Resolution 67/167, “The rightto privacy in the digital age”. https://www.apc.org/en/pubs/submission-office-high-commissioner-human-rights-r3 Hager, N. (1996). Secret power: New Zealand’s Role in theInternational Spy Network. Port Nelson: Craig Potton Publishing, p.58.Government Communications Security Bureau(GCSB). 4A key aspect of this intelligence-sharing regimeis a legal framework that provides differing levels ofprotections for internal (national) versus external(extraterritorial) communications, or those relatingto national citizens versus non-nationals. This frameworkdiscriminates on grounds of national origin, andin doing so purports to step around human rights protectionsfrom interferences with the right to privacy ofcommunications by the governments of the Five Eyes,claiming that such protections apply only to nationalsor those within their territorial jurisdiction. 5Historically, the main purpose of the GCSB underthis legal framework has been to spy on ourneighbours in Asia and the South Pacific on behalfof the Five Eyes. This enabled the GCSB to claim thatit did not spy on New Zealand citizens or permanentresidents. Public assurances to this effect were givenon a number of occasions by both the GCSB andthe New Zealand government. 6Case study: Mega Upload – the moveto domestic surveillanceIn 2012 the New Zealand Police assisted the UnitedStates of America’s Federal Bureau of Intelligence(FBI) to carry out a raid on the house of Mr Kim Dotcom,founder of Mega Upload, an online file-sharingplatform. Mr Dotcom had migrated to New Zealandfrom Hong Kong and was living in New Zealand legallyas a permanent resident. The extraordinary raid ofthe house (replete with a helicopter bringing armedpolice officers into the house grounds to seize computersand other property), the seizure of the MegaUpload online service, and Mr Dotcom’s subsequentarrest and criminal prosecution, received huge mediaattention both in New Zealand and overseas. 7Mr Dotcom is an enigmatic figure, who has maintaineda vigorous defence of all charges and highand consistent media presence through public en-4 The first law authorising its operations was in 1977, followed bythe Government Communications Security Bureau Act 2003.5 APC et al. (2014). Op. cit., Appendix 1.6 See also Hager, N. (2013, April 10). Who is really responsible forthe GCSB shennanigans? Pundit. www.pundit.co.nz/content/whois-really-responsible-for-the-gcsb-shenanigans7 For an overview of the case, see: https://en.wikipedia.org/wiki/Megaupload_legal_casegagement against leading politicians, including theprime minister. There are many factors to the casewhich remain outstanding – extradition issues, validityof search warrants, and many other legal mattersoutside the scope of this report. However, in relationto surveillance issues, the case against Mr Dotcomrevealed that the GCSB had been spying on him andsharing information from its activities with New Zealandlaw enforcement officers who were also dealingwith the FBI in the investigation of Mega Upload.Public outrage followed the discovery that the GCSBwere in fact spying on New Zealanders and resultedin the prime minister establishing an independent investigationby Rebecca Kitteridge.The Kitteridge Report 8 revealed that the GCSBactivity was not an isolated case: in fact 88 unnamedNew Zealanders had been spied on overmany years. 9 The report concluded that the GCSBbased their operations on a faulty interpretation ofthe relevant New Zealand law (for example, they believedthe prohibition on spying did not apply wherethere was a warrant and did not apply to “metadata”because metadata was not a “communication”),and that the law was unclear and therefore theGCSB were not at fault. 10 Various recommendationswere made for changing GCSB operations and law.Prime Minister John Key immediately respondedthat the report made “sobering reading” and further:“I am embarrassed to say that I heard the unequivocalassurances and read the clear prohibition in theGCSB legislation, and I believed that they did not spyon New Zealanders. But it turns out they have beenregularly spying on New Zealanders from before 2003and since. They have seriously let down the public.” 11Signalling a need for law reform, the prime ministeralso said: “In addition, the Act governing the GCSB isnot fit for purpose and probably never has been.” 12The Kitteridge Report had been leaked, much tothe fury of government ministers, and a parliamentaryinquiry was launched. The prime suspect was PeterDunne, a parliamentarian holding a single vote supportingthe coalition government. Data about bothDunne’s movements and those of journalists in the parliamentaryprecinct (from security card swipe recordsat various doors in different buildings) were handed tothe investigation. Dunne and journalist Andrea Vance’s8 Kitteridge, R. (2013). Review of Compliance at the GCSB. www.gcsb.govt.nz/news/publications9 Ibid.10 Bennett, A. (2013, April 9). CSB report: 88 cases of possible illegalspying uncovered. New Zealand Herald. www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=1087642411 Key, J. (2013, April 9). PM releases report into GCSB compliance.Beehive.govt.nz. www.beehive.govt.nz/release/pm-releasesreport-gcsb-compliance12 Ibid.private phone records and emails from a three-monthperiod were also provided to the investigation, withouttheir knowledge or consent. These actions were widelyseen as an attack on privacy and press freedom, sparkingintense commentary from local journalists andmedia outlets. Dunne denied he was the source of theleak and asserted his rights to privacy, 13 but was forcedto resign his ministerial portfolio. 14Throughout this time, the Snowden revelationsalso kept coming, contributing to ongoing mediafocus and providing a wider global backdrop to theGCSB scandal and the proposed law reforms.It was in this context that two new laws were introduced.The first, the GCSB Bill, was designed torestructure the GCSB and establish its legal basismore clearly. But the new laws went much further,retrospectively validating the GCSB action andfundamentally shifting the permitted surveillanceactivities to include surveillance of New Zealandcitizens. Rather than clarifying that the GCSB couldnot spy on New Zealanders, the new law simplyextended the authority to do so and validated thepreviously unlawful activity, clearly violating privacyrights. There was widespread consternation andopposition from legal groups, the technical community,business, human rights organisations andcommunity organisations. The New Zealand humanrights commission also took the unusual step ofpreparing a separate report for the prime ministerhighlighting serious concerns with the proposals.The second law, the Telecommunications InterceptionCapability and Security Act (TICS), gavesweeping new powers to the GCSB, making newnetwork security measures by all network operatorsincluding telecommunications companies, such assubmission of security measures to the newly constitutedGCSB. Thomas Beagle from Tech Liberty noted:The [TICS] bill codifies the government’s assertionthat all digital communications (which isincreasingly becoming equivalent to “all communications”)must be accessible by governmentagencies. The limits imposed are minimal andlaws such as the GCSB Act override any limits includedin TICS. Furthermore, to ensure that thegovernment can do this, the GCSB will now haveoversight of the design and operation of NewZealand’s communications networks. They willbe able to veto any decision made by the network13 Shuttleworth, K. (2013, July 30). Reports phone records released.New Zealand Herald. www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=1090549514 Burr, L. (2013, June 7). Peter Dunne resigns as minister. 3 News.www.3news.co.nz/Peter-Dunne-resigns-as-minister/tabid/1607/articleID/300658/Default.aspx178 / Global Information Society Watch New Zealand / 179


operators that might impact on security or, morelikely, limit their ability to spy as they see fit. 15Under the TICS, the GCSB now has the ability to approveor refuse to approve all significant changes toNew Zealand’s telecommunications infrastructure.This new power far exceeds any role of the GCSBin the Five Eyes, extending its oversight to businessand other private sector activities.At the same time as these two new laws werebeing passed, a new internet censorship law aimedat harmful online speech, the Harmful Digital CommunicationsBill, was also before parliament. 16 Thelocal internet community worked hard to respondto these new measures, including bringing nationalattention to concerns about the role of New Zealandin the Five Eyes, highlighting human rights concernsand the need for limitations on human rights only inexceptional and narrow circumstances, in line withthe 13 International Principles on the Application ofHuman Rights to Communications Surveillance. 17The degree of public interest was enormous. Largepublic meetings and street rallies were held throughoutthe country, fuelled by the Snowden revelationsand leaks of information about the role of New Zealandin the Five Eyes. Thousands of people rallied,started and joined online campaigns, with both onlineand offline media and journalists engaging.Overall, it was an intense period of constantmedia coverage and political focus. At times developmentshappened daily, even hourly, making it difficultto maintain an overview of what was happening, howdevelopments were related and to think strategicallyabout how to respond. Views were also divided: somethought privacy issues were not relevant in an internetage; others considered it was legitimate for the governmentto carry out surveillance. Despite widespreadpublic opposition to the GCSB Bill, the prime ministerwent so far as to claim that New Zealanders caredmore about how many fish they were allowed to catchthan they did about their online privacy. 18By the end of 2013 both the GCSB and TICSBills were law and campaigns to counter them hadproved ineffective. But the awareness of internetrelatedpolicy issues had grown enormously. In15 Tech Liberty. (2013 November 5). TICS - Second spy law passes.Tech Liberty. techliberty.org.nz/tag/gcsb16 The Harmful Digital Communications Bill 2012 deals with harmfulonline content and has been reported back from Select Committee.It is not expected to become law until 2015. See also Paton, L. andLiddicoat, J. (2013). New Zealand. In APC and Hivos, Global InformationSociety Watch 2013: Women’s rights, gender and ICTs. www.giswatch.org/en/country-report/womens-rights-gender/new-zealand17 www.necessaryandproportionate.org18 John Key, press conference, 12 August 2013. www.3news.co.nz/Key-NZers-care-more-about-snapper-than-GCSB/tabid/817/articleID/308665/Default.aspxMarch 2014 the main political opposition, the LabourParty, announced plans for a new Digital Bill ofRights. 19 Within weeks Gareth Hughes, a Greens politicalparty member of parliament, launched a newDigital Rights and Freedoms Bill, 20 drawing heavilyon the global civil society Charter of Internet Rightsand Principles, 21 with protections for encryption,privacy and freedom from search, surveillance andinterception of communications.ImplicationsThe GCSB and TICS laws were passed, while NewZealand continues to affirm its security stance withthe United Kingdom 22 and the Five Eyes alliance. Yetthe political and legal fallout from the Kim Dotcomraid has extended far beyond anything that couldever possibly have been imagined.What began as mutual assistance in law enforcementfor alleged intellectual property rights violations(which sparked the original police raid and seizure ofMega Upload) has ended in multiple investigations,revelations of spying, new laws, and a sea changein regulation affecting the internet in New Zealand.We have even seen the birth of a new political party,the Internet Party, founded by Mr Dotcom, which hasformed an alliance with the Mana Party and is contestingthe general election in September 2014. 23But the pace of regulatory intervention, its technicalaspects, and the intensely political nature ofthe proposals make it very difficult for many NewZealanders to engage meaningfully. More major lawreforms were announced in May 2014, with a wholesalereview of the Privacy Act which will include newmeasures for data sharing by government agencies,mandatory reporting of data breaches, and a newoffence of impersonation.While this review is welcome, and there is agood Privacy Commissioner 24 who has knowledgeof internet-related issues, the policy review willalso require close scrutiny and engagement fromcivil society groups. Legal academics are still onlybeginning to focus on surveillance and privacy 2519 Cunliffe, D. (2014, March 9). Digital Bill of Rights. Labour. https://www.labour.org.nz/media/digital-bill-rights20 internetrightsbill.org.nz/ten-internet-rights-and-freedoms21 internetrightsandprinciples.org/site/22 McCully, M. (2013, January 13). NZ-UK joint statement on cybersecurity. Beehive.govt.nz. www.beehive.govt.nz/release/nz-ukjoint-statement-cyber-security23 Bennett, A. (2014, May 27). Mana confirms election year deal withInternet Party. New Zealand Herald. www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=1126259724 Privacy Commissioner John Edwards: privacy.org.nz25 For example, the University of Otago held a symposium onSurveillance, Copyright and Privacy in January 2014: https://blogs.otago.ac.nz/scpconf/programme-of-events/abstracts-of-talksand in general the legal community has been slowto grasp the human rights implications of internetrelatedpolicy and regulatory measures.In some cases rights-affirming changes havebeen made to draft laws, 26 but change is often difficultonce laws are drafted because of political issues.In the case of the GCSB Bill, for example, it quicklybecame apparent that the government was unlikelyto make major changes. Dunne, the politician whohad refused to disclose his own communicationsto parliamentary investigators, ultimately voted forthe GCSB Bill in a political deal widely condemnedas a cynical “trade off for privacy”. 27 His ministerialportfolio was later reinstated. 28In addition, the Kitteridge Report had found that thelegal authority for collection of metadata was unclearand that it should be clarified. However, the governmentdeclined to do so in the GCSB and TICS laws andinstead went further, extending the powers of the GCSBand the legal regime for spying on New Zealanders.The 13 Principles are being used to support advocacyand were referenced in submissions on theHarmful Digital Communications Bill. 29 But whilethese have been helpful for civil society, it is difficultto see if these have had lasting impact in a countrywhose government’s foreign policy is so closelyaligned to the Five Eyes alliance. One encouragingsign is that the Principles have been cited in the InternetParty’s policy on privacy and internet freedom. 30New Zealand prides itself on its human rightsreputation. But the reality is that our human rightsonline are more at risk. The result from these eventsis that threats to internet freedom have actually increased:instead of curtailing the GCSB’s powers,new laws provide much stronger, direct state-sanctionedsurveillance (including the use of metadata)by the GCSB, which it can use in domestic law enforcement.In the public mind, significant issues oftrust remain, but it is unclear how this might affectthe 2014 national elections.New civil society voices have emerged in the lasttwo years, but these groups need more support becausethe volume, speed and size of internet-related26 Tech Liberty. (2014, May 27). HDC Bill reported back by SelectCommittee. Tech Liberty. techliberty.org.nz/hdc-bill-reported-backby-the-select-committee27 National Business Review. (2014, August 14). Swing vote Dunnesupports GCSB Bill after changing tune on domestic spying. NationalBusiness Review. www.nbr.co.nz/article/swing-vote-dunne-supports-gcsb-bill-after-changing-tune-domestic-spying-peters-holds-out-ck-28 AAP. (2014, January 21). Leak forgotten, Dunne back as minister.MSN.nz. news.msn.co.nz/nationalnews/8787062/dunnereinstated-as-minister29 For example, by Tech Liberty: techliberty.org.nz/submissionharmful-digital-communications-bill/#more-196830 Internet Party, Privacy and Internet Freedom Policy, Clause 4.1.1.https://internet.org.nzpolicy is growing rapidly. In this environment, whichis also highly politically charged, it is vital to havestrong independent voices, and groups such as TechLiberty are being increasingly called on to respondand help to inform public understanding and debate.In a further development, in July 2014, the UnitedNations High Commissioner for Human Rightsissued a damning report on issues of mass surveillance.The report concluded that the collection ofmetadata is a violation of the right to privacy andhuman rights obligations apply without discrimination.31 It is unfortunate that the report was notavailable during the Kitteridge inquiry, which concludedthat the legality of metadata collection wasunclear. But the clear and unequivocal UN reportnow needs to be followed up and actioned in NewZealand. Regular monitoring of New Zealand internetfreedom is also needed so that it can be availablequickly to support advocacy when needed. 32Action stepsTech Liberty is one of only a handful of New Zealandcivil society groups and individuals workingon internet-related human rights issues, includingprivacy and surveillance. Others include the NewZealand Council for Civil Liberties, New ZealandLaw Society, and InternetNZ. As a voluntary groupwith limited resources, the task of monitoring andadvocating is often difficult. More support and resourcesare needed if the network of voices that hasthe capacity to engage in these important debatesand activities is to be grown and strengthened. Thisincludes the legal and academic communities.Specific actions that need to be taken include:• Support civil society advocacy efforts, includingcapacity building for those groups for whom internet-relatedhuman rights issues are still new.• Regularly update the NZ internet freedom index 33to enable periodic monitoring of threats to internetfreedom, and use these results in reportingon New Zealand’s human rights performance.• Review, and where necessary amend, the GCSBand TICS Acts in light of the United Nations HighCommissioner for Human Rights report whichfinds, among other things, that collection ofmetadata is a violation of the right to privacy.• Bring the New Zealand experience to the UnitedNations Human Rights Council session on theright to privacy in the digital age in September2014.31 See also Association for Progressive Communications. (2014, July).Op. cit.32 https://www.apc.org/en/irhr/i-freedom-nz/about33 freedomindex.apc.org/index.php/Main_Page180 / Global Information Society Watch New Zealand / 181


NIGERIAOnline surveillance: Public concerns ignored in NigeriaFantsuam FoundationJohn Dada and Teresa Tafidawww.fantsuam.netIntroductionNigeria, a country of 170 million people, recentlymade global headlines when social activists,through the use of social media (#BringBackOur-Girls), brought media attention to the kidnapping ofover 300 girls by an armed gang of religious extremists.1 This event and the related security concernsabout Africa overshadowed the 24th World EconomicForum on Africa that was hosted by Nigeria inMay 2014. 2 The global scrutiny caused by this eventhas put the Nigerian government on the back footin its efforts to bring security in the country undercontrol.This report looks at the government’s mass surveillanceattacks on its citizens before and after itpurchased USD 40 million of Israeli technology 3 tobe used for the monitoring and control of the internet.Various top government officials have calledfor the regulation of social media: the minister ofinformation argued that even the United States (US)intercepts its citizens’ communication. However, heomitted the fact that in the US there are legal andjudicial processes to show its use and limits sothat abuses will be checked. To further the government’ssurveillance agenda, additional legislationis already under consideration by the Nigerian CommunicationsCommission. 41 Van Wagtendonk, A. (2014, May 2). Nigerians take to streets, socialmedia to demand return of kidnapped girls. PBS. www.pbs.org/newshour/rundown/nigerians-take-streets-social-media-demandsafe-return-kidnapped-girls2 Mosch, T. (2014, May 9). Africa’s future overshadowed by Nigeria’spresent. DW. www.dw.de/africas-future-overshadowed-bynigerias-present-at-wef/a-176256653 Emmanuel, O. (2013, April 25). Jonathan awards $40millioncontract to Israeli company to monitor computer, Internetcommunication by Nigerians. Premium Times. www.premiumtimesng.com/news/131249-exclusive-jonathan-awards-40million-contract-to-israeli-company-to-monitor-computerinternet-communication-by-nigerians.html4 Draft Lawful Interception of Communications Regulations.media.premiumtimesng.com/wp-content/files/2014/05/Legal-Regulations_Lawful_Interception_of_Communications-080113.pdfPolicy and political backgroundNigeria is in its third round of democratic governancesince the ouster of the military regime.However, vestiges of autocratic leadership stillabound. The recent awarding of the USD 40-millionsurveillance contract, without following dueprocess and in spite of nationwide expression ofopposition, suggests a governance system that isyet to function democratically.Nigeria is ranked 112th out of 180 countries inthe 2014 Reporters Without Borders press freedomindex. 5 Recently, government agents raided somemedia houses and seized their newspapers duringwhat was called “routine security action”. 6 Sucharbitrary action gets the support of several topgovernment officials, including the president andagencies who have expressed the desire to clampdown on the use of social media and access toinformation.Nigeria does not yet have any existing dataprivacy laws or legal provision for interception ofcommunication. The current security challenges inthe country are being used as the reason to takemajor security decisions and make national commitmentswithout the necessary constitutionalapprovals.The history of implementation of governmentprojects in Nigeria is riddled with inefficiency andcorruption. A recent example is the USD 470-millionNational Public Security Communication System 7that resulted in the installation of CCTV camerasostensibly to curb crime and violent attacks in thecapital city. However, since its inception the levelof insecurity in the capital city has increased dramatically.The people’s lack of endorsement of theIsraeli Elbit Systems purchase is therefore based onpopular perception of the capabilities and motivesof the government when initiating projects, espe-5 rsf.org/index2014/en-index2014.php6 Reporters Without Borders. (2014, June 11). Army seizes newspaperissues day after day on “security” grounds. Reporters WithoutBorders. en.rsf.org/nigeria-army-seizes-newspaper-issuesday-11-06-2014,46418.html7 Isine, I. (2014, June 27). High-level corruption rocks $470millionCCTV project that could secure Abuja. Premium Times. www.premiumtimesng.com/news/163975-high-level-corruption-rocks-470million-cctv-project-secure-abuja.htmlcially when such projects are deliberately shroudedin secrecy.Exposing the Nigerian surveillance systemNigeria has experienced widespread and growing incidencesof kidnapping, blackmail, terrorist attacksand abduction. While these issues may be linked togovernance challenges of mismanagement, corruptionand unemployment, short–term measures toaddress these problems can be counterproductive.In April 2013, an Abuja-based newspaper, PremiumTimes, 8 broke the news that the Nigeriangovernment had awarded the security tender to anIsraeli firm for the procurement of the Elbit Systemstechnology. 9 This would enable the Nigerian governmentto intercept all internet activity, and to invadeusers’ privacy at will. The purchase is made moredisturbing in that there is no enabling legislation forsuch an action by the government.The paper also revealed that all Nigerian GSMservice providers were intercepting all forms of communication.10 This action on its own is a violation ofthe International Principles on the Application ofHuman Rights to Communications Surveillance. 11Without the benefit of judicial protection throughany laws on privacy and data collection, Nigeriansremain vulnerable to an infringement of theirprivacy from their government, and from foreigngovernments or organisations.Another angle to the surveillance contract is theallegation by BDS Switzerland that the Elbit Systemstechnology has been developed and testedthrough the surveillance, repression and killing ofPalestinians, including numerous civilians. 12 Thisissue, however, appears to have gone largely unnoticedin Nigeria.The Nigeria Communications Commission (NCC)has released a draft policy on lawful interceptionthat will empower security officers to interceptphone calls, text messages, chat messages, emails,etc. 13 It is of concern that the NCC would opt forregulation rather than allow the National Assembly8 Emmanuel, O. (2013, April 25). Op. cit.9 Johnson, J. (2013, July 2). Scandal in Nigeria over Israeli arms firm’sInternet spying contract. Electronic Intifada. electronicintifada.net/blogs/jimmy-johnson/scandal-nigeria-over-israeli-arms-firmsinternet-spying-contract10 Emmanuel, O. (2014, February 10). U.S. spy program reformsspotlight Nigeria’s expanding surveillance program. PremiumTimes. http://www.premiumtimesng.com/news/154931-u-sspy-program-reforms-spotlight-nigerias-expanding-surveillanceprogram.html11 https://en.necessaryandproportionate.org/text12 www.bds-info.ch13 Collins, K. (2013, September 4). Nigeria embarks on mobile phonesurveillance project. Wired.co.uk. http://www.wired.co.uk/news/archive/2013-09/04/nigeria-phone-buggingto debate and decide on the issue. The NCC optionwould be open to abuse and violation of the fundamentalright to privacy, a violation of Nigeria’s 1999constitution.The recent arbitrary seizure of newspapers bythe army and similar acts have raised concernsabout security agents and law enforcement officialsusing the access and information at their disposalto their own advantage, or the government usingregulations to crack down upon the opposition.ConclusionsWhile it is difficult to fault the need for mass surveillancefor the purpose of ensuring national security,and in the Nigerian situation, to track the terroristactivities of Boko Haram and online fraudsters, thepeoples’ concern is the normalising of surveillancein the guise of safety in a polity where legislativeoversight and legal protection are missing. Thehistory of governments all over the world, as documentedby Snowden, is replete with abuse of theircitizens’ rights to privacy. It is significant that inspite of the outcry by citizens and attempt by thelegislative arm of government to halt the Elbit contract,the government was not deterred. It is thefear of action with such impunity, not subject to thescrutiny of constitutional provision, that creates somuch concern.There is a need for more openness from theNigerian government to allow a public debate onthe spying programme to ensure better inclusionand buy-in. In its present form it does not meet thelegislative requirements for procurements of thatmagnitude and national significance, and the governmenthas not asked for the people’s view – theviews that have been expressed have been largelyignored. In its present form, the contract breachesthe International Principles on the Application ofHuman Rights to Communications Surveillance, 14specifically on the issues of legality, legitimate aims,competent judicial authority, due process, user notification,transparency, integrity of communicationsand systems, and the need to safeguard againstillegitimate access. Its illegality derives from itscontravention of the 2007 Public Procurement Act.The Elbit contract did not meet the requirements forthe awarding of such special contracts.Action stepsIn spite of loud protests by civil society organisationsand individuals in Nigeria, and a feebleattempt by the House of Representatives to stop thecontract, the government went ahead to purchase14 https://en.necessaryandproportionate.org/text182 / Global Information Society Watch nigeria / 183


the very expensive Elbit surveillance equipmentfrom Israel. The ignoring of peoples’ views by thegovernment is a worrying trend.A second disturbing trend that clearly violatesthe principle of integrity of communications andsystems is compelling telecommunications serviceproviders to provide their customers’ records tosecurity agencies. This is under the Bill for an Actto Provide for the Interception, Development andProtection of Communications Networks and Facilitiesfor Public Interest and Other Related Matters,2013. 15At the same time, the impact of social networkingon the government’s actions and activitieshas been rather limited in scope: it was useful inmobilising people for the 2012 fuel protests, and recentlyit was used to force the government to finallyacknowledge the abducted girls (#chibokgirls), althoughthis is beginning to lose traction and threemonths later, the girls have yet to be rescued.An issue that may work in favour of the governmentis access. This was suggested during therecent elections in Ekiti state in which the incumbentgovernor, whose track record of governancewas widely held as a model, lost to a rival who is undercriminal investigations arising from his earliertenure. 16 Social networking sites were overwhelmingin their support for the incumbent, but theresults showed that the reality was far from that.15 Nigeria Communications Week. (2013, October 24). FG pressesforward with controversial wire-tap programme. NigeriaCommunications Week. www.nigeriacommunicationsweek.com.ng/telecom/fg-presses-forward-with-controversial-wire-tapprogramme#sthash.zLPYJ7jY.dpuf16 Channels Television. (2014, June 22). Ekiti election: Fayemiconcedes defeat, congratulates Fayose. Channels Television.www.channelstv.com/2014/06/22/fayemi-concedes-defeatcongratulates-fayoseCould it be that social networking in Nigeria’s mosteducationally advanced state is still not accessibleto the bulk of the population?If this trend continues, the government maysoft pedal on its crackdown on internet freedoms.With the cost of internet access in Nigeria at aboutten times what it costs in a country like the UnitedKingdom, affordable access remains a challengeto the people’s access to relevant information. If itis the government’s intention to operate clandestinelyand without consideration for public opinion,a deliberate effort NOT to create an enabling environmentto facilitate affordable internet access mayjust be all the government needs to do. Advocatingfor increased citizen access to the internet thereforeremains a priority for civil society.With increasing pressure on the governmentas the national elections draw closer, it can beexpected that the views of the people will be ignoredand decisions taken to curtail their freedom,and they will have no recourse to the law for redress.There will therefore be a need to campaignlegislators, policy makers and other stakeholdersto raise the concerns. The new programme beingdeveloped by the Fantsuam Academy on electronicsurveillance as part of its Computer Diploma curriculumis a small effort towards raising morepublic awareness of the gravity of the issue ofmass surveillance.PAKISTANPakistan dominates the surveillance hall of shameBytes for All, PakistanFurhan Hussain and Gul Bukharibytesforall.pkIntroductionNestled in the heart of South Asia, the IslamicRepublic of Pakistan has had an intense historyinvolving multiple wars, the splitting away of itseastern wing, military coups, political insurgency,ethnic cleansing and separatist movements; all inless than seven decades of existence.Many of these afflictions have paved the wayfor the strengthening of institutions such as themilitary, resulting in the civilian system of checksand balances or oversight of these institutionsbecoming non-existent, while human rights violationsby these powerhouses remain as rampant asbefore. Their reach has now also fully extendedto information and communications technologies(ICTs).Policy and political backgroundIn 2013, for the first time in its 66-year history,Pakistan saw a democratic government completeits legitimate tenure of five years, before handingover the reins to another democratically electedgovernment. This change came after a pattern ofshort bursts of democracy, followed by military dictatorships,spanning decades. Be that as it may, themilitary is widely understood to maintain control ofcertain key areas, in particular foreign policy andsecurity. Civilian governments may not trespass onthese areas. Compounding this is the non-accountabilityof the military establishment, with graveimplications for fundamental rights, and a directimpact on communications surveillance. Civiliansubordination and helplessness is epitomised bythe National Commission for Human Rights Act2012, which excludes the armed forces and the intelligenceagencies from the purview of the plannedcommission. 11 FORUM-ASIA. (2013). Pakistan: Delay and uncertainty inestablishing the National Commission for Human Rights. In B.Skanthakumar (Ed.), 2013 ANNI Report on the Performance andEstablishment of National Human Rights Institutions of Asia, p.180. www.forum-asia.org/?p=16848A parliamentarian, upon condition of anonymity,commented that today Pakistan is a securitystate, where a number of authorities, ambitious forcontrol, have thrived unchecked by law. “Some intelligenceagencies in Pakistan are without andbeyond any law,” he said, referring to the Inter-Services Intelligence agency (ISI), the military’spremier spy agency believed to be highly active inillegal surveillance. 2 These sentiments are reflectedin the fact that out of an ever-increasing militarybudget, no breakdown of portions allocated for intelligenceand surveillance agencies is ever madeavailable. 3Today, Pakistan is ranked as one of the mostdangerous countries in the world for human rightsdefenders (HRDs), journalists and minorities, 4who are threatened by acts of discrimination andviolence with impunity by both state and non-stateactors. According to some experts, the actions ofthe state suggest that it is strategically complicit incrimes committed by non-state actors, rather thanbeing a silent onlooker. 5 Meanwhile, the massivesurveillance in place – both online and off – is increasinglyseen as a tool for repression, rather thanmeeting the government’s narrative of protectingcitizens from terrorism.Surveillance in Pakistan is not just limited to thelocal authorities. Last year’s data leaks by whistleblowerEdward Snowden revealed that Pakistan isthe second most spied-on country in the world. 6 Thegovernment of Pakistan determined that the country’ssensitive data was at risk of being stolen bythe United States (US) and decided to address the2 Interviewed by the authors in June 2014.3 Sheikh, I., & Yousaf, K. (2014, June 3). Budget 2014: Govtannounces 700bn defence budget. The Express Tribune. tribune.com.pk/story/716913/budget-2014-defence-budget-increasing-atdiminishing-rate4 Pathak, A. (2014, May 14). PAKISTAN: Human rights defenders inPakistan in need of defence. Asian Human Rights Commission.www.humanrights.asia/news/ahrc-news/AHRC-ART-036-2014;Haider, M. (2014, May 4). Pakistan most dangerous country forjournalists: UN. DAWN.com. www.dawn.com/news/1104120;Hassan, S. (2014, May 5). Pakistan’s Hindus, other minorities facesurge of violence. Reuters. www.reuters.com/article/2014/05/05/us-pakistan-minorities-idUSBREA440SU201405055 Bukhari, G. (2014, May 12). Silent onlooker? No, Sir. The Nation.www.nation.com.pk/columns/12-May-2014/silent-onlooker-no-sir6 CIOL. (2013, June 13). India fifth most snooped country by US,Pakistan second. CIOL. www.ciol.com/ciol/news/190000/indiafifth-snooped-country-us-pakistan184 / Global Information Society Watch Pakistan / 185


crisis. 7 Most recently, the Pakistani Foreign Officeofficially protested against the US National SecurityAgency’s (NSA) surveillance of its left-leaning politicalparty, the Pakistan People’s Party (PPP), 8 afterrecent revelations about the NSA having specialpermission from the US government to do so. 9Ironically, certain Pakistani laws also permit theexecution of surveillance warrants in foreign jurisdictions10 and the state has a history tainted withinstances of collaboration with foreign intelligenceagencies (including the NSA) 11 as well as corporationswhen it comes to information surveillance andcontrols. 12The state of surveillance/surveillance state:An analysisThe constitution of Pakistan largely supports fundamentalrights to privacy and freedom of expression,assembly and information, meaning mass communicationssurveillance is essentially illegal. Pakistanis also a signatory to the United Nations Declarationof Human Rights (UDHR), the InternationalCovenant on Economic, Social and Cultural Rights(ICESCR), and the International Covenant on Civiland Political Rights (ICCPR), each of which focusesextensively on the rights of people to privacy, assemblyand free speech, without fear of judgmentor persecution. Yet some legislation and extra-legislativepractices put in place by various arms of the7 Mirza, J. (2013, September 26). Pakistan takes steps to protectitself from NSA style cyber attacks. The News International. www.thenews.com.pk/Todays-News-6-204384-Pakistan-takes-steps-toprotect-itself-from8 Haider, M. (2014, July 6). Pakistan lodges formal protest withUS against PPP surveillance. Dawn.com. www.dawn.com/news/11168029 Mail Today Bureau. (2014, July 2). America gave NSA permissionto spy on BJP, claims whistleblower Snowden. Mail Online India.www.dailymail.co.uk/indiahome/indianews/article-2677247/America-gave-NSA-permission-spy-BJP-claims-whistleblower-Snowden.html10 La Rue, F. (2013). Report of the Special Rapporteur on thepromotion and protection of the right to freedom of opinion andexpression (A/HRC/23/40). United Nations Office of the HighCommissioner for Human Rights. www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf11 Gallagher, R. (2014, June 14). How Secret Partners Expand NSA’sSurveillance Dragnet. The Intercept. https://firstlook.org/theintercept/article/2014/06/18/nsa-surveillance-secret-cablepartners-revealed-rampart-a/12 Bytes for All, Pakistan. (2012, June 17). Dr. Eric Schmidt, pleasedon’t advertise surveillance to Pakistan government. Bytes for All.content.bytesforall.pk/node/56; The Express Tribune. (2012, June15). Gilani seeks Google’s help in tracking cross-border movement.The Express Tribune. tribune.com.pk/story/394128/gilani-seeksgoogles-help-in-tracking-cross-border-movement;Davies, S.(2013, July 18). Pakistan government admits secret “censorshiparrangement” with Facebook. The Privacy Surgeon. www.privacysurgeon.org/blog/incision/pakistan-government-admitssecret-censorship-arrangement-with-facebookexecutive contravene the letter and spirit of humanrights protections as laid out in the country’s ownconstitution, as well as of those in its internationalobligations.Extra-legislative surveillanceThe case of murdered journalist Saleem Shahzad,who was tortured and killed after being abductedfrom the heart of the country’s capital,demonstrates the role of secret agencies that existwithout any legislative underpinnings, and theiralmost absolute control over surveillance. Physicalsurveillance (security checkpoints and CCTV)of Shahzad’s route to the television studios wherehe was headed did not help solve his case. It wasmade evident in subsequent reports and analysis,including that of Amnesty International, 13 that onlythose who controlled these surveillance tools andapparatuses could have avoided detection. TheISI, though a prime suspect in the case, was onlypartially investigated by the judicial commissionformed to investigate the case. Conversely, it wasclaimed by human rights defenders and groups thatShahzad’s mobile phone records went missing forup to 15 days before his murder, although the ISIhas denied it. The independent judicial commissionrecommendations subtly hinted for the needto make “important intelligence agencies (ISI) morelaw abiding through a statutory framework carefullyoutlining their respective mandates and roles.” 14These recommendations led to the draft Inter-Services Intelligence Agency (Functions, Powersand Regulation) Act of 2012 being proposed inparliament, in an attempt to give the spy agency alegal status and subject it to judicial and parliamentaryoversight. However, the bill, which among otherthings would have laid the foundations against illegalsurveillance by the ISI, was withdrawn 15 – themilitary remains all-powerful and continues to operatethe ISI in a fashion after the Orwellian secretforce in Animal Farm.13 Amnesty International. (2014). “A Bullet has been chosen for you”:Attacks on journalists in Pakistan. London: Amnesty International,International Secretariat, United Kingdom.14 ANI. (2011, June 19). ‘Prime suspect’ ISI to probe Pak journalistmurder case. Yahoo News. https://sg.news.yahoo.com/primesuspect-isi-probe-pak-journalist-murder-case-071918521.html;Abbasi, A. (2011, June 19). ISI to probe Saleem Shahzad murder.The News International. www.thenews.com.pk/TodaysPrintDetail.aspx?ID=6829&Cat=13; Nisar, M., Khan, A. A., Iqbal, J., Khan, B. A.,& Shaukat, P. (2012). Judicial Inquiry Report on Saleem Shahzad’sMurder. Islamabad.15 Zaafir, M. S. (2012, July 13). Farhatullah withdraws bill in Senateabout ISI control. The News International. www.thenews.com.pk/Todays-News-6-120149-Farhatullah-withdraws-bill-in-Senateabout-ISI-controlLegalised surveillance?According to the Pakistan Telecommunication(Re-organization) (Amendments) Act, 2006, the governmentcan authorise any person(s) to interceptcalls and messages, or trace location or movementthrough any telecommunication medium, giving theauthorities a free hand to conduct communicationssurveillance, and with no mention of any governanceparameters ensuring a due process. The ordinancealso states that no cyphering hardware or softwareused within the country may be considered “approved”unless authorisation has been granted bythe Electronic Certification Accreditation Councilestablished under the Electronic Transaction Ordinance,2002. 16 This suggests that the fundamentalright to online privacy through encryption is subjectto the approval of the authorities. According tothe Pakistan Telecommunications Authority’s (PTA)policy on the use of virtual private network (VPN)tunnels, use of all “non-standard modes of communicationlike VPNs […] by which communicationbecomes hidden or modified to the extent that itcannot be monitored, is a violation,” as per the Monitoringand Reconciliation of International TelephoneTraffic (MRITT) Regulations 2010. 17 An interesting intersectionbetween legal vs illegal surveillance canbe observed by noting that while the PTA has legalauthority to conduct communications surveillance, itdenies doing so by itself. 18 Instead, it has confirmedthat the ISI monitors “grey traffic” over the internet, 19despite the fact that it has no legal mandate to do so.Similarly, another act called the Investigationfor Fair Trial Act, 2013, can be criticised for beingworse than US’s “Patriot Act” because it bypassesrequirements for surveillance to be necessary andproportionate. The law encompasses and permitscollection of all imaginable forms of data, 2016 Pakistan Telecommunication (Re-organization) (Amendments) Act,2006.17 Pakistan Telecommunication Authority (PTA). (2010, December2). No.17-1/2010/Enf/PTA (VPN) | Use Of VPNs/Tunnels and/or Non-Standard SS7/VoIP Protocols. Retrieved from InternetService Providers Association of Pakistan (ISPAK): www.ispak.pk/Downloads/PTA_VPN_Policy.pdf18 Pakistan Telecommunication Authority. (2014). PTA response.bolobhi.org/wp-content/uploads/2014/05/PTA-response.jpg19 Abbasi, A. (2014, December 5). Grey phone traffic: IT authoritiespassing the buck to ISI. The News International. www.thenews.com.pk/Todays-News-13-27079-Grey-phone-traffic-IT-authoritiespassing-the-buck-to-ISI20 “[D]ata, information or material in any documented form, whetherwritten, through audio-visual device, CCTV, still photography,observation or any other mode of modern devices or techniques,[…] e‐mails, SMS, IPDR (internet protocol detail record) or CDR (calldetail record) and any form of computer based or cellphone basedcommunication and voice analysis. It also includes any means ofcommunication using wired or wireless or IP (internet protocol)based media or gadgetry.” Investigation for Fair Trial Act, 2013.www.na.gov.pk/uploads/documents/1361943916_947.pdftaking state surveillance of communications topreviously unheard of levels. The act obviates theneed to serve a warrant permitting the authorisedsurveillance body to collect data when the natureof the surveillance or interception “is such that itis not necessary to serve the warrant on anyone,”which is vague and unspecific. 21 Further, the lawtakes away the option of service providers refusingto provide user data to spy agencies. Failure tocooperate by allowing backdoors into private userdata, or by disclosing information about such cooperation,carries the punishment of imprisonmentof one year and/or a fine of up to 10 million rupees(roughly USD 101,000). The secrecy implicit herehas obvious implications for any user-notificationmechanisms pertaining to the issuing of any surveillancewarrant. 22While the Act provides for some public andjudicial oversight, these are feared to remaintheoretical as most operations undertaken by intelligenceagencies remain beyond the reach oflaw and oversight as pointed out earlier. Also, thelevel of well-documented intimidation tactics andinfluence that impact on court decisions in Pakistan23 would bear negatively on the efficacy of suchoversight.Jahanzaib Haque, editor of Dawn.com, says ofthe recent pro-surveillance legislation: “Due to amixture of both fear and ignorance, parliament haspassed extremely regressive legislation that leavesthe public, and especially journalists, exposed tothe threat of state surveillance that will inevitablyresult in misuse in the current form.” 24Indeed, most known instances of harassmentof civilians through surveillance, especially womenpoliticians 25 and HRDs, have taken place withoutthe expression of any legitimate aim and withoutappropriate measures. Indicative of an absolutelack of transparency, there still are few or no officialrecords available pertaining to the procurementof advanced surveillance technologies such asFinFisher, the presence of which (in the country’scyberspace) was revealed by a detailed reportpublished by the Citizen Lab at the University of21 Ibid.22 Ibid.23 Deutsche Welle. (2014, March 11). Pakistan postpones Musharraftrial amid threats from al Qaeda, Taliban. Deutsche Welle. www.dw.de/pakistan-postpones-musharraf-trial-amid-threats-fromal-qaeda-taliban/a-17487157;Sattar, B. (2014, April 12). LawyerBabar Sattar critiques Pakistan Protection Ordinance. Siyasat aurQanoon. (M. Pirzada, interviewer). tune.pk/video/259213124 Interview with Jahanzaib Haque, July 2014.25 Dawn.com. (2011, August 5). No end to phone tapping of womenMNAs. Dawn.com. www.dawn.com/news/649648/no-end-tophone-tapping-of-women-mnas186 / Global Information Society Watch Pakistan / 187


Toronto. 26 A court case by Bytes for All, Pakistan attemptingto resolve the questions pertaining to theelusive usage of this Trojan technology has beenpending in the Lahore High Court since 2013. ThePakistani government is also known to be a clientof Narus, a company that sells internet monitoringsolutions. 27 Further, in an attempt to “eradicatecrimes”, the government has also purchased astate-of-the-art monitoring and surveillance systemfrom a company known as GCS. 28According to Gulalai Ismail, a women’s rightsdefender and chairperson of Aware Girls who isbased in the conflict-affected province of KhyberPakhtunkhwa, “Last December, when I was launchingan intensive peace programme in the MalakandDivision, the state agencies came to inquire aboutthe programme. I was shocked when I was told thatI and my social media communications had beenunder surveillance for the last three years... In mycommunication with the agencies it was clear thatmy work for peace and human rights was seen as‘anti-state’, and I was seen as an enemy rather thanan activist.” 29The most recent reinforcement for conductingcommunications surveillance has come in the formof the Pakistan Protection Bill (PPB) 2014. Apartfrom legitimising a number of violations, it is essentialto note that the bill discusses “crimes againstcomputers including cybercrimes, internet offencesand other offences related to information technology,etc.” as scheduled offences, despite that factthat no form of cyber/electronic crimes ordinanceexists in the country that could comprehensivelydefine the nature and scope of these offences.Existing individual protection mechanisms andsafeguards against illegitimate access also needre-examining in light of the current possibilities ofmisuse. 30ConclusionThe residents of Pakistan are subject to mass surveillanceby local and international governments.Recent laws that focus on dealing with terrorism,26 Bytes for All, Pakistan. (2013, May 1). Notorious spy technologyfound in Pakistan. Bytes for All. content.bytesforall.pk/node/99;Khan, A. Z. (2013, May 22). Big fish. The News International. www.thenews.com.pk/Todays-News-9-178951-Big-fish27 Privacy International. (n.d.). Narus sells InternetMonitoring technology. Privacy International. https://www.privacyinternational.org/sii/narus/#action28 P@SHA. (2014, April 17). GCS delivers Pakistan’s largest citywidesurveillance center. P@SHA. pasha.org.pk/2014/04/17/news/gcsdelivers-pakistans-largest-citywide-surveillance-center29 Interview with Gulalai Ismail, July 2014.30 Protection of Pakistan Ordinance, 2014. www.dhrpk.org/wpcontent/uploads/2014/02/PPO-with-amendments.pdfsuch as the Fair Trial Act 2013 and Pakistan ProtectionBill 2014, are feared to legitimise perniciousand wide-ranging communications surveillance.While apparently intended to address issuesarising from the war against terror and national security,surveillance has been and is being used forpolitical reasons, leading to invasions of privacy,intimidation and blackmail, often targeted at civilsociety actors such as journalists and HRDs, as wellas political activists and elected politicians.Communications surveillance by intelligenceagencies such as the ISI – the existence of whichitself is not covered by any act of parliament and istherefore without any legal basis – is entirely extralegal.Attempts at bringing such agencies within thepurview of law have failed so far. This has grave implicationsfor transparency and the rule of law, andhas paved the way for continuing human rights violationswith impunity.Owais Aslam Ali, secretary general of the PakistanPress Foundation (PPF), sums it up by callingthe scale of surveillance in Pakistan “breathtaking”.Highlighting the lack of awareness of thisissue amongst the public, he says, “Right now,there’s some awareness about mobile phones beingrisky. The awareness of the internet and emailbeing equally dangerous has not yet permeated thejournalist community... [It needs to be understoodthat] nothing is private [anymore]. [Without] confidentiallyof sources […] all you’ll be left with aredifferent forms of press releases.” 31Action stepsThe following advocacy steps are recommended inPakistan:• An overarching framework needs to be developedfor issues of free expression, privacy,data protection, security, surveillance, etc. Civilsociety should advocate for the alignment ofexisting fragmented pieces of ICT policies, andthe drafting of a comprehensive policy througha multi-stakeholder process. Such a policyshould replace the current non-transparent inter-ministerialcommittees that function in lieuof transparent policy. 32 The policy should ensureindependent public oversight of any acquisitionof surveillance technologies. Such oversightshould be designed to take into account the31 Interview with Owais Aslam Ali, 26 May 2014.32 Bajwa, F. (2009, June 29). National Security and Surveillance- Implications for an ICT Policy. ProPakistani. propakistani.pk/2009/06/29/national-security-and-surveillance-implicationsfor-an-ict-policypotential for human rights violations inherent inthese technologies.• Certain surveillance-focused provisions in lawssuch as the Investigation for Fair Trial Act 2013that are considered predatory to human rightsneed to be examined against internationalhuman rights benchmarks, such as the InternationalPrinciples on the Application of HumanRights to Communications Surveillance, 33 andchallenged in courts of law. 34• With regard to international surveillance, Pakistanicivil society must become active in relevantinternational forums to pressure foreign governmentsto cease mass surveillance of Pakistanicitizens. 35• Public awareness needs to be raised regardingthe risks of communications surveillance andways to counter it through digital security toolsand skills.33 https://en.necessaryandproportionate.org/text34 Bytes for All’s petition challenging the FTA 2013 is currently underreview in the Lahore High Court, Pakistan.35 Bytes for All in collaboration with Privacy International andother international human rights groups challenged the GCHQon mass surveillance of Pakistani citizens at the InvestigatoryPowers Tribunal in February 2014. See: Clark, L. (2014, January19). Pakistani human rights group sues UK government fordiscriminatory GCHQ surveillance. Wired.co.uk. www.wired.co.uk/news/archive/2014-01/09/pakistan-human-rights-sues-uk• Public awareness about how communicationssurveillance violates fundamental humanrights standards needs to be raised in order topressure the government and influence policychange.• Civil society must lobby to bring extra-legal intelligenceagencies within the purview of law.• The link between various forms of electroniccommunications surveillance and offline methodsof surveillance needs to be highlighted fortraditional HRD organisations not necessarilywell-versed in the latest issues on internet governance,online privacy, modern technology andhuman rights.188 / Global Information Society Watch Pakistan / 189


PERURights versus crime: Twenty years of wiretapping and digitalsurveillance in PeruRed Científica Peruana and Universidad Peruanade Ciencias AplicadasFabiola Gutiérrez and Jorge Bossiowww.rcp.pe, www.upc.edu.peIntroductionThe systematic monitoring of citizens by the state inPeru was revealed in 2000, after the collapse of thesecond administration of ex-president Alberto Fujimori(1995-2000). Fujimori resigned in his last yearin office, after a network of government espionageand corruption was revealed. This included videorecordings of secret meetings and alleged communicationssurveillance conducted and managed bypresidential advisor Vladimiro Montesinos, workingwith the National Intelligence Service (SIN). Thissystematic surveillance by the state resulted in thedissemination of private information, recordingsand videos of public officials, journalists and manyother influential people.These events sparked the beginning of the debatearound the purpose of surveillance in Peru,and the violation of the right to private communicationsby state agencies and private entities – andwhat legislation could be developed to regulatethis. This discussion is ongoing, with more cases ofcommunications interception being revealed.From state surveillance to industrialespionage and hackingThe Constitution of Peru establishes the privacy ofcommunications as an individual right and does notdifferentiate between digital or non-digital communications.Nevertheless, respect for freedom ofexpression and association and non-discrimination,which are basic rights, have been violated manytimes due to the government’s interest in trackingopposing opinions, the actions of politicalopponents, industrial competition or even religioustendencies and sexual preferences.It is generally recognised that the state hasthe tools for monitoring, and can do so within alegal framework, with judicial approval, includingin cases of suspected terrorism and crime. But, forinstance, Peruvian legislation on cyber crime hasalso included a modification on what is permissiblewhen it comes to tapping telephones, a change thathas been met with criticism.Over the past 15 years there have, as a result,been several cases of communications violations,both by the state and individuals. Among the mostnotorious cases: the surveillance by the Fujimorigovernment; industrial espionage that revealedthe corruption of officials in influence peddling andlobbying; the dissemination of private telephoneconversations of electoral candidates; and the publicationof the email communications of governmentministers by journalists.The Fujimori government, the intelligence services,and the use of the military for surveillance (2000)The history of the regime of Alberto Fujimori, presidentof Peru during two consecutive terms (between1990 and 2000), is stained by the corruption that ledto his resignation. His presidential adviser VladimiroMontesinos had a starring role in this story full ofespionage and extortion, and even kidnapping andmurder.Montesinos effectively became the chief of intelligenceservices, where he allegedly created agiant spy network using army personnel and monitoringequipment, intercepting communicationsand recording videos of public officials, journalists,media entrepreneurs and other influential people.Industrial espionage: The case of Business Track(2008)Authorities found some 60,000 intercepted emailsby journalists and politicians opposed to the governmentin the computer systems of the generalmanager of the private security firm Business Track,Manuel Ponce Feijoo, a retired Navy officer. Evidenceof the wiretapping of officials and businessexecutives was also discovered. The most relevantcase was called Petroaudios (the so-called “oil recordings”),in which telephone conversations aboutillegal negotiations involving state oil concessionsthat would benefit a foreign company (Norway’sDiscover Petroleum Company) were recorded anddisseminated. Following this discovery, the illegalpractices of a private company engaged in systematicespionage came to light. 1Communications violation: Monitoringa candidate for the mayoralty of Lima (2010)On September 2010, during the election campaignfor the mayoralty of Lima, a television programmebroadcast an audio clip of a private telephoneconversation between Christian People’s Partycandidate Lourdes Flores Nano and a former congressmanfrom her party, Xavier Barron. In theconversation, Flores said that she no longer caredabout the election, after the results of a preliminaryvoter poll in which her opponent, Susana Villarán,took the lead for the first time. “I am not interestedin this election crap,” she said in the extracts thatwere released, prompting her precipitous decline invoter preferences. This audio recording was a determiningfactor in her loss of the election.National Security: Violation of a minister’s officialemails by LulzSec/Anonymous Peru (2013)The hacker group LulzSec Peru, collaborators ofAnonymous, obtained and shared emails from theMinistry of Interior, including the minister, WalterAlban. Digital communications about issues such asthe tracking of regional opposition leaders, the securityof officials and prosecutors’ investigations wereintercepted. The hackers said their intention was toprove the vulnerability of state information systems.The weak line: Private versus publicAfter the dismantling of the National Intelligence Service(SIN) following numerous cases of secret videorecordings being made and communications monitoredduring the Fujimori regime, a new intelligenceagency called the National Intelligence Directorate(DINI) was created. A couple of years ago, it came tolight that the budget for the DINI was increased in orderto monitor public network repositories like socialnetworks, forums or general topic lists, arguing thatthe use of these online platforms meant that this wasnot a violation of private communications.However, this surveillance is on the borders ofwhat is considered private and public, and raises theproblem of the legality of monitoring the public in generalwithout any suspicion of a crime being committed.The surveillance by the DINI sparked a debateabout access to and protection of information, asit cannot be argued that it has been done with alegitimate interest in mind – if this were the case,1 Romero, C., & Véliz, A. (2010, April 26). Tenía 53 mil emailshackeados. La República. www.larepublica.pe/26-04-2010/tenia-53-mil-emails-hackeados-0the law would have been followed and a court orderwould have been obtained. Although the increasein the budget allocated to the DINI is to monitorpublic networks, if they already do so illegally, thesuspicion that they perform other types of communicationssurveillance looms with great force. 2The legal frameworkLegislation relating to cyber crime in Peru is a relativelynew category under the Penal Code. In 2000,provisions relating to espionage or computer hacking(Article 207‐A) and computer sabotage (Art207‐B), that were within the scope of crimes againstprivate property, were included. However, it becameapparent over time that these did not respond tothe needs of protection required when it came to informationand communications technologies (ICTs).In 2011, when the bill for the Cybercrime Lawwas presented to Congress, its original versionmeant that the police could access digital communications,and legislators felt that it did not respondproperly to the right to privacy of communications.They argued that this right extends to all types ofcommunication, and the bill had to be corrected.The state filed a new version of the draft law,which was finally approved. However, the approvedlaw was also questioned, because it prohibits, on theone hand, the creation of databases using any publicinformation (which contradicts the law on access toinformation), and, on the other hand, leaves legislativegaps regarding telephone interceptions.Cybercrime LawOn 22 October 2013 the new Cybercrime Law 3 wasapproved. This law was inspired by the BudapestConvention on Cybercrime 4 – although Peru is not asignatory to this international convention.The new law punishes those who, using ICTs,“introduce, delete, copy, spoil, alter or suppressdata, or render data inaccessible” for criminalpurposes; those who engage in digital espionage,including telephone interceptions; engage in sexualharassment; and distribute child pornography.Regarding telephone interceptions, the penaltyfor this offence has been increased to a maximumof eight years when it comes to classified or “secretand confidential” information. It also includesaggravating circumstances when the offence compromisesnational security, or when it is performedby public officials or those linked to these officials.2 Interview with Erick Iriarte A., lawyer and founding partner ofIriarte & Asociados (www.iriartelaw.com), 24 May 2014.3 Law No. 30096 of 2013.4 conventions.coe.int/Treaty/EN/Treaties/Html/185.htm190 / Global Information Society Watch peru / 191


But the Cybercrime Law violates at least twoother rights:Access to informationThe law establishes a sentence of three to six yearsfor persons found guilty of capturing digital informationfrom a public institution, such as what is spenton social programmes, and complements this withnew data to analyse the information (such as when ajournalist analyses public data from different sources,creating a new data set). Critics of this legislationunderstand that at this point it contradicts the Lawon Transparency and Access to Public Information. 5Article 6 of the law on access to informationmakes it a criminal offence to use data without permission,which means that anyone who accessespublic information without authorisation and createsa database where this information could bedisseminated would be guilty of a crime. In this way,access to public information and the right to freedomof information are limited. 6This observation sparked the debate amongpoliticians, civil society and experts and prompteda review. Article 6 was repealed in March 2014.Information freedomThe amended article regarding telephone interceptionsincluded in the Cybercrime Law goes as faras to punish any kind of monitoring, regardless ofthe purpose. This makes the privacy of communicationsso strict that the monitoring of public officialsin order to secure transparency is also prohibited,affecting citizens’ freedom of information and theirability to conduct research in the public interest.The exemption that applies to the media, and whichrefers to an exemption of the penalty when investigatingor monitoring issues of public interest, wasnot included in the amendments of the law passed.ConclusionsMass surveillance by the Peruvian state has notbeen proven in recent years; however, it is knownthat the national intelligence services are treading athin line of legality through their use of surveillancetools to monitor citizens’ publicly shared information,which according to the norm is a crime too. Theincrease in the budget for the DINI suggests thatthey could be doing more than that. Ideally, theseresources should be directed to using surveillanceas a tool for protection and security – but we do notknow yet know if that is the case.5 Law No. 27806 of 2002.6 Interview with Roberto Pereira C., lawyer and legal consultant atthe Press and Society Institute (IPYS) (www.ipys.org), 14 May 2014.Regarding the legal framework for surveillance,the biggest problem is not the law itself, but its interpretationand application. This creates the needfor specialised training for legal practitioners, prosecutorsand law enforcement authorities in technicalterms and standards and technological methods relatedto the violation of communications in all aspects.The Cybercrime Law appears to affect freedomof information legislation, which guarantees transparencyin the public sector. The Cybercrime Lawalso impacts negatively on other genuine rights thatallow society and individuals to exercise democraticcontrol and play an oversight role. The fact is thatwhat one law defends, the other blocks.Undeniably, the many cases of interceptionpushed the approval of the Cybercrime Law, in thepursuit of legal mechanisms to curb such crimes.However, the result reflects little analysis on thetopic, poor legal specifications, little precision inthe application of the law, and the lack of a consciousreview of comparative international lawsthat could have contributed to making it more efficientand appropriate.Action stepsThe debate on how to improve the Cybercrime Lawshould continue. Specifically, it should include theclause on media exemption in order to keep trackof what is considered in the public interest. In thissense, it is also crucial to protect the right to freedomof information and investigation, which serves as amechanism for citizen control in governmental affairs.Given the uniqueness of the environment inwhich it must be applied, the Cybercrime Law couldbe reviewed by legal practitioners and comparedto similar laws in other countries. It would also beadvisable to add some kind of standard glossary ofterms as an interpretive guide.Civil society organisations that are frequentlymonitored should place more importance on theneed to encrypt information and have reliablesecurity mechanisms for their communications. Securityprotocols and devices can be used to preventcommunications being violated. Internet serviceproviders (ISPs) must guarantee their users reliableand safe communications, since it is very likely thatintermediaries are used in surveillance.Finally it is clear that the opposition, civil societyand the media cannot give up fighting for theirrights to privacy and to exercise their oversight ofpublic affairs. The state will always try to find waysto control its citizens, and Peruvians already knowthat surveillance is just one of these ways.PhilippinesCommunications surveillance in the Philippines:Laws and the struggle for the right to privacyComputer Professionals’ UnionRick Bahaguewww.cp-union.comIntroductionThe Philippines has been crowned the “texting capitalof the world” 1 the “social networking capital ofthe world”, 2 and its financial district is ranked asthe “selfiest city of the world”. 3 Data is voluntarilyuploaded and shared by its “netizens” on socialmedia networks through mobile and landline networksand is a gold mine for any state surveillanceactivities. Its 106.5 million mobile subscribers senttwo billion text messages daily last year. Fixed telephonesubscription is almost non-existent, witha telephone density of four subscribers for every100 inhabitants, and mobile subscriptions serveas the main communications tool. The digital dividehas, however, plagued the country even afterthe deregulation of the telecommunications industry.The Philippines is ranked 98th in the world onthe Information and Communications TechnologyDevelopment Index (IDI), 4 with the lowest scorecompared to its Asian neighbours.There are two monopolies controlling the telecommunicationsindustry in the country: GlobeTelecoms and Philippine Long Distance Telephone(PLDT). Telecommunications infrastructure is underthe control of corporations. Government communicationsand transactions have to pass through thisprivate network infrastructure, which is a concernfor sensitive information. Because of this, moststate surveillance activities would require somecooperation from any of the telecoms monopolies.In fact, the controversial “Hello Garci” wiretapping1 Tuazon, J. M. (2012, December 4). 20 years on, SMS remains kingin the ‘texting capital of the world’. Interaksyon. Accessed July 17,2014. www.interaksyon.com/infotech/20-years-on-sms-remainsking-in-the-texting-capital-of-the-world(20 years on, SMSremains king in the ‘texting capital of the world’. Interaksyon)2 MST Lifestyle. (2013, May 21). PH is social networking capitalof the world. Manila Standard Today. manilastandardtoday.com/2013/05/21/ph-is-social-networking-capital-of-the-world3 Golangco, V. (2014, March 13). Sexy and social: why Manila is theselfiest city in the world. The Guardian. www.theguardian.com/cities/2014/mar/13/manila-selfiest-city-most-selfies4 International Telecommunication Union. (2013). Measuring theInformation Society 2013. www.itu.int/en/ITU-D/Statistics/Pages/publications/mis2013.aspxincident, which will be the focus of this report, wasaccomplished with the facilitation of one of theirpersonnel.Furthermore, the Philippines has been a longtimeally of the United States (US), being a formercolony. Various agreements are in place which allowthe US Armed Forces to use local resources formilitary exercises, to strategically position theirweapons, and for mass surveillance activities. EdwardSnowden revealed in March that the MYSTICsurveillance programme run by the US NationalSecurity Agency (NSA) monitors local telcos 5 and“scrapes mobile networks for so-called metadata– information that reveals the time, source, and destinationof calls.” 6While other governments in countries like Braziland Germany protested the unlawful surveillanceby the NSA, Philippine President Benigno Simeon“Noynoy” Aquino is not even familiar with the incidentand has approved another agreement withthe US on enhanced defence cooperation, whichwill open up more surveillance activities. In a statement,the Computer Professionals’ Union (CPU)warned that the Enhanced Defense CooperationAgreement (EDCA) “is an invitation for surveillance,drones and establishment of new listening postsviolating rights to privacy and sovereignty.” 7In this report, we look at the state of communicationssurveillance in the Philippines, focusing ongovernment policies and how they were applied in awiretapping incident. It remains to be seen if thesepolicies can be used against the growing US militarypresence in the country.5 Robinson, K. (2014, May 22). ‘NSA Gone Wild’ in the Bahamas,Mexico, Kenya, the Philippines and more. AccessNow.org. https://www.accessnow.org/blog/2014/05/22/nsa-gone-wild-in-thebahamas-mexico-kenya-the-philippines-and-more6 Devereaux, D., Greenwald, G., & Poitras, L. (2014, May 19).Data Pirates of the Caribbean: The NSA Is Recording Every CellPhone Call in the Bahamas. The Intercept. https://firstlook.org/theintercept/article/2014/05/19/data-pirates-caribbean-nsarecording-every-cell-phone-call-bahamas7 Computer Professionals’ Union. (2014, March 2). Enhanceddefense cooperation: an invitation for surveillance, drones andunregulated communications. Computer Professionals’ Union.www.cp-union.com/article/2014/05/02/enhanced-defensecooperation-invitation-surveillance-drones-and-unregulated192 / Global Information Society Watch Philippines / 193


Policies on communications surveillanceThere are several policies governing surveillance,such as the Anti-Wiretapping Law, CybercrimeLaw, Data Retention Law, Human Security Act,and E‐Commerce Act. In addition, the NationalTelecommunications Commission has a standingMemorandum Circular for the retention of data bytelecommunications companies.The Anti-Wiretapping Act (AWA) enacted on 19June 1969 is the first law regulating communicationssurveillance in the country. Section 1 of theAWA 8 specifically states: “It shall be unlawful forany person, not being authorized by all the partiesto any private communication or spoken word, totap any wire or cable, or by using any other deviceor arrangement, to secretly overhear, intercept, orrecord such communication or spoken word by usinga device…” However, “any peace officer, who isauthorised by a written order of the Court” upona “written application and the examination underoath or affirmation of the applicant and the witnesses”can do this.Before being granted authorisation, the AWAenumerates particular strict conditions that have tobe met: (1) “that there are reasonable grounds tobelieve that any of the crimes enumerated [...] hasbeen committed or is being committed or is aboutto be committed,” (2) “that there are reasonablegrounds to believe that evidence will be obtainedessential to the conviction of any person for, or tothe solution of, or to the prevention of, any of suchcrimes,” and (3) “that there are no other meansreadily available for obtaining such evidence.”Furthermore, the AWA requires that authorisationshould (1) identify the person or persons to belistened to, (2) identify the peace officer to overhearthe communication, (3) identify the offence or offencescommitted or sought to be prevented, and(4) the period of authorisation. All conversations recordedare then to be submitted to the court within48 hours after the expiration of the authorisation.Section 3 of the Bill of Rights enshrined in the1987 Philippine Constitution 9 guarantees every Filipinocitizen the right to privacy of communication.It states: “(1) The privacy of communication andcorrespondence shall be inviolable except uponlawful order of the court, or when public safety ororder requires otherwise, as prescribed by law.”It specifically discourages authorities from conductingunlawful surveillance, otherwise: “(2) Anyevidence obtained in violation of this or the preced-8 www.lawphil.net/statutes/repacts/ra1965/ra_4200_1965.html9 www.gov.ph/constitutions/the-1987-constitution-of-the-republicof-the-philippinesing section shall be inadmissible for any purposein any proceeding.” As such, the current RevisedPenal Code penalises any unlawful entry, search orseizure carried out in violation of the Bill of Rights.Republic Act 8792 or the Electronic CommerceAct of 2000 10 was the first law to govern electronictransactions in the age of internet in the country. Ithas a dedicated section (Section 31) on privacy orlawful access: “Access to an electronic file, or anelectronic signature of an electronic data messageor electronic document shall only be authorizedand enforced in favor of the individual or entityhaving a legal right to the possession or the useof the plaintext, electronic signature or file andsolely for the authorized purposes. The electronickey for identity or integrity shall not be made availableto any person or party without the consent ofthe individual or entity in lawful possession of thatelectronic key.”On 6 March 2007, the Human Security Act(HSA) 11 was signed into law by former PresidentGloria Macapagal-Arroyo. Section 7 of the HSAspecifically allows law enforcement agencies to“listen to, intercept and record, with the use of anymode, form, kind or type of electronic or other surveillanceequipment or intercepting and trackingdevices, or with the use of any other suitable waysand means for that purpose, any communication,message, conversation, discussion, or spoken orwritten words” between people identified by thegovernment as “terrorists” – or even on the slightsuspicion of being terrorists.Five years later, the Cybercrime Prevention Act of2012 (CPA 2012) 12 was signed by current PresidentAquino. Section 12 of the law gave law enforcementagencies the power to “collect or record by technicalor electronic means traffic data in real-time associatedwith specified communications transmitted bymeans of a computer system.” In February 2014, theSupreme Court struck down this section of the CPA2012 and ruled that real-time collection of networktraffic violates the constitution.A month before CPA 2012 was put into law, Aquinosigned the Data Privacy Act of 2012 (DPA 2012).This law defined the rights of a “data subject” aswell as the responsibilities of “data processors” toensure privacy while “ensuring free flow of informationto promote innovation and growth.” It createdthe National Privacy Commission where all complaintson “unauthorised processing of personal10 www.ipophil.gov.ph/images%5Cipenforcement%5CRA8792-E-Commerce_Act.pdf11 www.congress.gov.ph/download/ra_13/RA09372.pdf12 www.gov.ph/2012/09/12/republic-act-no-10175information and sensitive personal information”,“accessing personal information and sensitive personalinformation due to negligence”, “improperdisposal of personal information and sensitivepersonal information”, among others, would beheard and processed. While there are no specificprovisions on surveillance per se, the rights givento “data subjects” and prohibited acts are addedsafeguards against any kind of surveillance, in particularfrom the state.As part of its regulatory function to protect usersof telecommunications services, the NationalTelecommunications Commission also releaseda memorandum in 2007 on the data log retentionof telecommunications traffic. 13 This memorandumis unnecessary from a privacy perspective, butwas otherwise implemented. It “aims to furtherstrengthen the welfare and protection afforded toend-users and/or consumers” by directing telcosto record and store voice and non-voice traffic forat least two months. To date, even with this memorandum,no one has been reprimanded for SMSspamming. This phenomenon is a common problemnow, where advertisers use personal data collectedillegally.The “Hello Garci” wiretapping incidentIt would take an alleged taped conversation of formerPresident Arroyo during the 2004 elections todemonstrate that communications surveillance ishappening in this country.After the ouster of President Joseph Estrada in2011, Arroyo, then vice-president, assumed office.Arroyo is perceived to be the most corrupt presidentof the republic. 14 IBON Foundation, a local thinktank, estimated that PHP 7.3 billion (USD 181 million)of public funds were lost during her sevenyears in power. 15 In 2011, she would be charged withelectoral fraud and plunder. 16 .Among the popularevidence of her involvement in rigging the 2004presidential election was a wiretapped conversationwith an election commissioner which came tobe known as the “Hello Garci Scandal”.13 Data Retention of Telecommunications Traffic, MemorandumCircular 04-06-2007, National Telecommunications Commission, 8June 2007.14 Gopalakrishnan, R. (2007, December 11). Arroyo “mostcorrupt” Philippine leader: poll. Reuters. www.reuters.com/article/2007/12/12/us-philippines-arroyo-idUSSP3028122007121215 GMANews.TV. (2008, March 4). IBON: Corruption scandals underArroyo cost Filipinos P7.3B. GMANews.TV. www.gmanetwork.com/news/story/83278/news/nation/ibon-corruption-scandals-underarroyo-cost-filipinos-p7-3b16 Associated Press. (2011, November 18). Philippines charges GloriaArroyo with corruption. The Guardian. www.theguardian.com/world/2011/nov/18/philippines-asia-pacificA complete transcript of the wiretapped conversation17 and a recording of the full conversation 18 areavailable on the website of the Philippine Center forInvestigative Journalism (PCIJ). In this transcript,Arroyo called Commission on Elections (COMELEC)Commissioner Virgilio Garcillano (Garci) severaltimes to ensure a lead of no less than one millionvotes against the popular rival Fernando Poe Jr.in the presidential race. She also made sure thatdocuments to support this lead were consistent.In one conversation, she asked for the statementof votes (individual summary of votes from townsand municipalities) to make them consistent withthe certificate of canvass (consolidated votes in theprovince).The Hello Garci operation brought a 12-0 winfor Arroyo’s party in Lanao del Sur, a province in thesouthern island of Mindanao. In a Philippine election,voters select 12 senators in a ballot. It was anelection manipulation operation which happened“with the complicity of the military, the COMELECand even Malacanang,” 19 according to Sheila Coronelof the PCIJ. (Malacanang or Malacanang Palaceis the official residence and office of the Philippinepresident.)The wiretapped conversations were released on6 July 2005 by no less than Presidential SpokespersonIgnacio Bunye. Arroyo addressed the nation ina televised speech on 27 June 2005 to apologise forthe “mistake” of calling Garci and assured the peoplethat she did not cheat in the previous election. 20The Hello Garci wiretapping incident was investigatedby the Philippine Senate. It turns out thata military intelligence operation known as ProjectLighthouse supervised the wiretapping of Garci andother individuals in the opposition. The IntelligenceServices of the Armed Forces of the Philippines(ISAFP) working with personnel of a telco networkmade the wiretapping possible. 21The Hello Garci scandal exposed the manipulationof the most sacred right of the people in ademocracy, elections. Furthermore, it also showedthe current extent of communication surveillanceperformed by state forces.17 pcij.org/blog/2005/06/25/downloadables-section/318 pcij.org/blog/2005/06/25/downloadables-section19 Coronel, S. (2005, November 2). Lanao’s dirty secrets. PhilippineCenter for Investigative Journalism. pcij.org/stories/lanaos-dirtysecrets20 A transcript of the president’s speech is available on the PCIJwebsite: pcij.org/blog/2005/06/28/the-president-says-i-amsorry-i-want-to-close-this-chapter-221 GMANews.TV. (2007, August 22). Doble: ‘Hello Garci’ wiretap opsdone through Smart mole. GMA News. www.gmanetwork.com/news/story/57157/news/nation/doble-hello-garci-wiretap-opsdone-through-smart-mole194 / Global Information Society Watch Philippines / 195


Surveillance of social movementsThe Philippines has a vibrant protest and socialmovement. In 2001, technology played an importantrole in the ouster of President Joseph Estrada overallegations of corruption. TXTPower, a group composedof mobile subscribers, was active in the useof text messaging during the “Oust Erap Campaign”of various sectors (“Erap” was Estrada’s nickname).It would also later launch a similar initiative againstArroyo.Activists involved in social movements in thecountry are concerned with reports of electroniccommunication surveillance by state forces. The“Hello Garci” incident amplified these doubts.Moreover, the record of bringing justice to more than1,206 victims of extrajudicial killings, 206 victims offorced disappearances, 2,059 victims of illegal arrestsand 1,099 victims of torture during the Arroyoregime has been questioned in the second cycle ofthe Universal Periodic Review of the United NationsHuman Rights Council. 22 The Philippine governmentis a signatory to the International Covenant on Civiland Political Rights (ICCPR), International Covenanton Economic, Social and Cultural Rights (ICESCR)and the Universal Declaration of Human Rights.If recent reports are to be believed, the currentAquino administration has purchased PHP 135 million(USD 3 million) worth of high-end surveillanceequipment to spy on its critics. 23 This will be usedby the ISAFP, which is alarming for social activists.ISAFP is the same agency that spearheaded the“Hello Garci” incident. It is now common activistpractice that other than the usual personal securityorientation, a discussion on information security isheld so that they can take precautions.Activists have also raised the alarm on the currentregime’s EDCA. For them, “allowing US troopsto position equipment which will definitely includesurveillance equipment and drones with free accessto the radio spectrum is the best recipe for masssurveillance.” 24This year, the Supreme Court nullified the realtimecollection of data provision in the CybercrimeAct. This was declared unconstitutional, heedingthe campaigns of the CPU and other netizen groups.However, libel, the most contested provision of the22 Olea, R. (2012, May 21). Groups score continuing rights abusesas The Philippines and the Universal Periodic Reviewundergoesreview by UN body. Bulatlat. Accessed July 17, 2014. http://bulatlat.com/main/2012/05/21/groups-score-continuing-rightsabuses-as-philippines-undergoes-review-by-un-body/23 Tan, K. J. (2014, April 8). Palace backs ISAFP, denies using spygadgets vs. opposition. GMA News. www.gmanetwork.com/news/story/355967/news/nation/palace-backs-isafp-denies-using-spygadgets-vs-opposition24 Computer Professionals’ Union. (2014, March 2). Op. cit.Act, which stifles freedom of expression, was upheldas within the frames of the constitution.Violating the constitution and internationalnormsWiretapping is a form of communications surveillance.The Philippines does not lack laws prohibitingand regulating it. The country’s AWA and HSA areboth a starting point for defining legitimacy, adequacyand necessity of surveillance. Both laws alsohave strict requirements for enforcement officers,which include authorisation from a judicial authorityin the conduct of surveillance, due processand user notification. Moreover, any unauthorisedsurveillance is penalised with 10 to 12 years of imprisonmentin the HSA.While the Hello Garci incident exposed the rottenand corrupt system of the Philippine elections,it also demonstrated blatant disregard of the rightto privacy and the 13 International Principles onthe Application of Human Rights to CommunicationsSurveillance. 25 It was conducted without courtpermission, due process or user notification, andrevealed that telco companies and state authoritieswere working together. Until now, the intentionof the wiretapping of Commissioner Garcillanowhich caught former President Arroyo by chance isunclear.Even with existing laws legitimising communicationssurveillance, the practice remainsproblematic. The HSA, AWA and Cybercrime Act arewidely opposed to too much power being given tothe state. While judicial authority is required bythese laws, opposition is still strong due to thedoubtful impartiality of courts in issuing surveillancepermissions.Public oversight has yet to be seen in the implementationof the HSA. The law prescribes aGrievance Committee composed of the Ombudsman,the Solicitor General, and the undersecretaryof the Department of Justice. The Committee istasked to receive, investigate and evaluate complaintsagainst the police and other state forcesregarding the implementation of the law. An OversightCommittee, composed of senators andmembers of congress, has also yet to publish reportson its oversight functions.Lack of integrity of communicationsand systemsHello Garci was the first proof that the state and monopolytelcos are working together to track citizens.25 https://en.necessaryandproportionate.org/textIt has created awareness among the general publicthat telcos and the government are tracking callsand text messages without court permission anduser notification.In the case of the Hello Garci incident, a specialmodel of phone was used to receive calls divertedto it by the telco for recording.Furthermore, a memorandum circular from theNational Telecommunication Commission (NTC),the regulatory body overseeing telco monopolies,allows storage of voice and non-voice datasupposedly to serve as reference for consumercomplaints. 26 While intended for prosecution ofconsumer complaints, a similar section on real-timetraffic monitoring in the Cybercrime Act was ruled asunconstitutional by the Supreme Court.The Philippines is part of the NSA’s MYSTICand PRISM surveillance programmesThe country has more than a hundred years of beingtied to the NSA in the US. In the early 1900s,in the great Philippine-American War, surveillancetechniques were already employed. To defeat theFilipino guerrillas fighting for independence, theUS army “created five integrated security agencies,a centralised telephone network, fingerprinting,photographic identification and index of police filesof 200,000 alphabetised file cards with the meansto collect, retrieve and analyse a vast amount ofintelligence.” 27Last March, Edward Snowden revealed that alltext messages and calls passing through the twotelco monopolies in the Philippines are captured bythe NSA. With more than 100 million users of mobiletelephones, and a vibrant protest movement whichis demonised for its militancy, the US has all its reasonsto implement mass surveillance in the country.In 2013, Snowden also said that the NSA has an establishedlistening post in Manila to conduct masssurveillance against other Asian countries.Recently, a new agreement with the US wassigned by the Department of Foreign Affairs. TheEDCA allows US weapons to be based in the country.The US has a rotating military presence throughits frequent military exercises allowed by the VisitingForces Agreement (VFA). The EDCA has beenstudied by a group of computer professionals andwas found to be “an invitation for unregulated communicationand surveillance” due to its provision of26 Data Retention of Telecommunications Traffic, MemorandumCircular 04-06-2007, National Telecommunications Commission, 8June 2007.27 Morey, M. (2013, June 25). From Philippines to NSA: 111 years ofthe U.S. surveillance state. Occupy.com. www.occupy.com/article/philippines-nsa-111-years-us-surveillance-stateallowing US troops to use the full radio spectrum,which is heavily regulated by the National TelecommunicationsCommission.ConclusionsThe Philippines has established laws on communicationssurveillance since 1969. Its constitutionalso regards privacy as a fundamental right of itscitizens. In the Hello Garci scandal, where formerPresident Arroyo was caught as she allegedly instructedCommissioner Garcillano – who was beingwiretapped by the intelligence agency of the armedforces – to rig the 2004 presidential election in herfavour, the right to privacy and the principles ofjudicial authority, due process and user notificationwere not applied. This also verified the fearsof activists and privacy advocates on the possibleconnivance between telcos and state forces to trackelectronic communications.Furthermore, the country has a long history ofbeing part of NSA spy programmes. Its previousand present administrations have been subservientto US interests, which includes allowing the establishmentof listening posts by the NSA to establishlistening posts, the capture of massive amounts ofmetadata on mobile networks, and the importing ofsurveillance equipment through the EDCA and VFA.However, Filipino netizens are also aware oftheir political strength, once mobilised. They wereactive in the ouster of two previous presidents andhave shown their capacities again in the 2013 MillionPeople March against the corrupt use of publicfunds by the current Aquino regime. It did not takelong before they realised that the state and the UShad been tracking their activities online and offline.Action stepsThe following recommendations can be made sothat awareness of the 13 Principles and a strongersense of the right to privacy are propagated:• Through campaigns, create awareness of theSnowden revelations and how the state and telcoshave cooperated with the NSA to conductcommunications surveillance.• Lobby for an Internet Bill of Rights similar toBrazil’s.• Call for the strict implementation of the DataPrivacy Act to protect citizens from the misuseof data for profit.• Create forums on information security and privacyrights, similar to CPU’s briefing for socialactivists.196 / Global Information Society Watch Philippines / 197


polandAccess to telecommunication data in Poland: Specific problemsand general conclusionsPanoptykon FoundationKatarzyna Szymielewicz and Anna Walkowiakpanoptykon.orgIntroductionPoland, as a member state of the European Union,was obliged to introduce mandatory telecommunicationdata retention as part of the implementationof the so-called Data Retention Directive. 1 As a result,all telecommunications service providers in Polandhave to collect and store so-called metadata (i.e.data showing originator, destination, date and time)for at least 12 months. According to the directive,such data should be made available to the competentnational authorities only in specific cases andin accordance with national law for the purpose ofthe investigation, detection and prosecution of seriouscrimes (as defined by relevant national law). 2However, when implementing the directive, Polandfailed to introduce these rules regarding the useof telecommunications data for law enforcementpurposes. As a result, such information – collectedabout every person using telecommunication servicesin Poland – is used even in the prosecution ofcommon crimes (like theft) and for the sake of crimeprevention.Moreover, Polish law does not provide for anysafeguards that would prevent abuses, such as anexternal supervisory mechanism, court oversight,the obligation to inform the person concernedabout the use of his or her data or the obligation todestroy data after the end of proceedings. 31 European Union. (2006). Directive 2006/24/EC of the EuropeanParliament and of the Council of 15 March 2006 on the retentionof data generated or processed in connection with the provision ofpublicly available electronic communications services or of publiccommunications networks and amending Directive 2002/58/EC.eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF2 European Union. (2006). Op. cit.3 Panoptykon Foundation. (2012, April 3). How many times did thestate authorities reach out for our private telecommunications datain 2011? We publish the latest research. Panoptykon Foundation.panoptykon.org/wiadomosc/how-many-times-did-state-authorities-reach-out-our-private-telecommunications-data-2011-wePolicy and political backgroundThe distinction between security and freedom andthe argument that it is not possible to have bothare very powerful notions in Polish public debate. Italso seems to be commonly accepted that if a certainactivity is related to national security, it shouldbe kept secret by default. The argument “becauseit is useful for law enforcement, it must be good forpublic security” is raised whenever the lack of accountabilityof intelligence agencies is mentioned.In addition, law enforcement and intelligence agencieshave a strong influence in drafting the laws thatare meant to regulate their powers.This political climate has enabled what humanrights advocates perceive as possibly the worstimplementation of the Data Retention Directive:Poland opted for the longest possible data retentionperiod (24 months) and, as mentioned, failedto introduce any legal safeguards. Therefore, Polishregulation providing for retention and use oftelecommunications metadata has been heavilycriticised by human rights advocates, the Ombudsmanand the national Data Protection Authority.As a result of persistent pressure exerted byboth human rights organisations and public authorities,in 2011 this legal landscape gradually startedto change. The Ombudsman and Prosecutor Generalfiled six official complaints to the ConstitutionalCourt, arguing that various powers attributed to intelligenceand law enforcement (including the useof telecommunication data) should be limited. Thiscase is still pending. 4 In January 2013 the period oftelecommunications data retention was shortenedto 12 months, but other problems remained. 5 Furtherchanges, however, are expected because oftwo legislative proposals that are under discussion:(i) a draft law introducing a special commission tosupervise intelligence agencies that investigatecomplaints from individuals; and (ii) a draft law lim-4 Klicki, W. (2014, April 4). Służby przed Trybunałem. FundacjaPanoptykon. panoptykon.org/wiadomosc/sluzby-przedtrybunalem5 Klicki, W., & Szymielewicz, K. (2012, October 15). Sejmjednomyślnie przyjął nowelizację Prawa telekomunikacyjnego.Fundacja Panoptykon. panoptykon.org/wiadomosc/sejmjednomyslnie-przyjal-nowelizacje-prawa-telekomunikacyjnegoiting the access to citizens’ telecommunication databy intelligence agencies. 6Surveilling the media:The case of Bogdan WróblewskiIn 2010 one of the most influential Polish dailynewspapers, Gazeta Wyborcza, published an articleclaiming that several journalists who specialised inpolitics were under illegal surveillance. Polish intelligenceagencies – namely the Internal SecurityAgency (Agencja Bezpieczeństwa Wewnętrznegoor ABW) and the Central Anti-Corruption Bureau(Centralne Biuro Antykorupcyjne or CBA) – gainedaccess to telecommunications data retained forpublic security purposes to spy on at least 10 journalistsbetween 2005 and 2007. The intelligenceagencies denied these allegations, but proof oftheir requests sent to telecommunications serviceproviders proved otherwise. Bogdan Wróblewski,author of the abovementioned article, was amongthe alleged victims of illegal surveillance.According to published information, the CBA spiedon Wróblewski (back then a journalist specialised incourt cases, now at the Supreme Audit Office, thehighest public auditing body) by accessing andanalysing his telephone accounts for six months – accountswhich revealed a list of his contacts, includingjournalistic sources. This happened exactly when Wróblewskiwas working on critical articles dealing withspecial operations conducted by the CBA, which cameunder public scrutiny because of various irregularities.It seemed clear that the CBA tried to find out who Wróblewski’ssources of information were.Because of these suspicions, the public prosecutorconducted an investigation to verify whetherintelligence agencies acted against the law. Oddlyenough, although there was evidence that theCBA and ABW asked telecommunications serviceproviders for data related to journalistic activity,the investigation was closed due to “the failure todetect a crime”. Most of the records of the prosecutor’sproceedings were classified, which made itvery difficult for individuals concerned to challengethe outcome. 76 Ministry of the Interior. (2013). Projekt ustawy o KomisjiKontroli Służb Specjalnych. legislacja.rcl.gov.pl/docs//2/181401/181409/181410/dokument87492.pdf; Senateof the Republic of Poland. (2014). Projekt ustawy o zmianieniektórych ustaw w zakresie przepisów dotyczących uzyskiwania iprzetwarzania przez uprawnione podmioty danych gromadzonychprzez przedsiębiorców telekomunikacyjnych. www.senat.gov.pl/gfx/senat/userfiles/_public/k8/komisje/2014/kpcpp/materialy/wniosek_nik_bilingi03120020140221095724.pdf7 Czuchowski, W. (2010, October 8). Dziennikarze nacelowniku służb specjalnych. Gazeta Wyborcza. wyborcza.pl/1,76842,8480752,Dziennikarze_na_celowniku_sluzb_specjalnych.html .Due to a lack of other legal measures availableto him, in 2011 Wróblewski decided to sue the CBAin civil proceedings, indicating that their actionsviolated his right to privacy, secrecy of correspondence,freedom of expression and freedom of thepress. Wróblewski obtained additional supportfrom civil society organisations that submitted theiropinions to the court (amicus curiae), emphasisinghuman rights violations. One of those organisationswas the Panoptykon Foundation. 8In 2012, a district court in Warsaw ruled that theuse of Wróblewski’s billing data by the CBA violatedhis right to privacy and constituted “typical surveillancefor unknown purposes”. According to thejudge, the CBA should be able to use billing dataonly for the purpose of anti-corruption proceedings(in accordance with the statutory duties of thisagency). The court ordered the CBA to apologise toWróblewski and to delete all data relating to himthat the agency had obtained. 9 The Court of Appealdismissed the CBA’s appeal and upheld the ruling –finally, the CBA publicly apologised. 10Wróblewski’s case showed that imposing theobligation on telecommunications service providersto retain and give intelligence agencies accessto their clients’ data without adequate safeguardsinevitably leads to human rights violations. Whatturned out to be very problematic in this case is thatPolish law does not require intelligence agencies todelete data once it is no longer necessary to retainit. As a result it may be possible to collect and retaindata about a given person for years, even thoughhe or she is not formally suspected of any crime. Itis sufficient for intelligence agencies to prove thatsuch person belongs to a “group under special scrutiny”for security purposes. Security purposes varyfrom allegations of belonging to a terrorist organisationto being part of a religious, political or sexualminority – and in many cases these groups do notjustify surveillance.Without introducing strict control over intelligenceagencies’ powers to access citizens’telecommunications data, and without further legal8 Panoptykon Foundation. (2011). Opinia przyjaciela sądu (amicuscuriae) Fundacji Panoptykon w postępowaniu Bogdan Wróblewskiprzeciwko CBA. panoptykon.org/sites/panoptykon.org/files/opinia_wroblewski.pdf9 Klicki, W. (2012, April 26). Zwycięstwo dziennikarza w sporze zCBA – będą przeprosiny. Panoptykon Foundation. panoptykon.org/wiadomosc/zwyciestwo-dziennikarza-w-sporze-z-cba-bedaprzeprosiny10 Gazeta Wyborcza. (2013, April 26). CBA ma przeprosić dziennikarza„Gazety Wyborczej“ Bogdana Wróblewskiego za to, że za rządówPiS kontrolowało jego billingi telefoniczne. Gazeta Wyborcza.wyborcza.pl/1,76842,13815430,CBA_ma_przeprosic_dziennikarza__Gazety_Wyborczej_.html#ixzz32LVDhTpP198 / Global Information Society Watch poland / 199


changes that would limit the legitimate purposes ofsurveillance, it is likely that cases like Wróblewski’swill be repeated.ConclusionsTelecommunications data retention, by definition,constitutes a serious violation of the right to privacy.Mobile phones are a part of our everyday lifeand therefore our telecommunications data revealsa lot about our life: from professional to intimaterelationships to daily routines. With increasingamounts of data stored by private companies (notonly telecommunications or internet service providers,but also shops, banks, insurance companies,health services or energy providers), the issue oflegitimacy of data retention and access rules mustbe revisited. The trend towards retaining more dataand broadening the catalogue of purposes that justifyits further use should be reversed.Any surveillance mechanism that targets innocentcitizens and leads to the collection of data“just in case it may turn out to be useful” cannotbe reconciled with a presumption of innocence. Thisposition has been reinforced by the Court of Justiceof the European Union in its recent judgement thatdeclared the Data Retention Directive “invalid fromthe beginning” because of insufficient human rightssafeguards. 11 This judgement should be implementedin all European countries.Currently Polish law does not provide for anyindependent oversight over intelligence agencies.Only internal control mechanisms are in place,which cannot be treated as independent. As a resultthere is no way to verify whether Polish intelligenceagencies observe at least existing legal safeguards,other than through journalistic investigation orwhistleblowing. Wróblewski’s case shows beyonddoubt that strict control over intelligence agencies’powers to access citizens’ telecommunicationsdata is necessary. Such control mechanisms shouldcover not only the use of data retained for securitypurposes, but access to all types of data, the useof other surveillance technologies (SIGINT, CCTV,open source intelligence, predictive profiling, etc.)and international cooperation among intelligenceagencies.Institutional checks and balances with regardto surveillance carried out by the state cannot workwithout sufficient information. Therefore, the mainobstacle that we face in demanding more accountabilityfor illegitimate surveillance is secrecy and a11 The Court of Justice declares the Data Retention Directive to beinvalid. http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdflack of transparency. Polish law does not providefor any reliable mechanism for verifying how manytimes and for what purposes public entities (lawenforcement or any of the nine intelligence agencies)asked for citizens’ personal data. This problemaffects all types of data and all types of requests,whether telecommunications, electronic services,banking, or social security data.Currently Polish public authorities are underno legal obligation to register their data requests,nor publish the number of requests or other details.Only telecommunications service providers are requiredto collect statistics showing how many timesthey were asked for their clients’ personal information.However, research conducted by PanoptykonFoundation in Poland showed that even data that iscollected by public authorities cannot be relied on. Asimple comparison of statistics published by the Officefor Electronic Communications (the supervisorybody for telecommunications service providers) anddata obtained directly from police and intelligenceagencies via freedom of information requests,shows that there is a significant discrepancy. Thelaw should provide for one methodology that wouldapply to collecting information about the scale andpurpose of requests for citizens’ data from varioussources.Action stepsGiven the above, the following steps should be takenin Poland to secure a human rights frameworkfor surveillance:• Thanks to Edward Snowden’s disclosures, Europeancitizens learned that there is a link betweenmandatory retention of telecommunicationsdata, introduced by the EU in 2006, and US programmesof mass surveillance. Measures whichhuman rights advocates across Europe havebeen fighting for the last seven years turned outto be part of something much bigger and muchmore disturbing. This common context of internationalmass-surveillance operations shouldbe further explored for advocacy purposes bycivil society on both sides of the Atlantic.• Following the recent ruling of the Court of Justiceof the EU, Poland and other Europeancountries should revise their laws that providefor telecommunications data retention withoutadequate safeguards. However, it will not bean automatic process resulting from the judgement.The judgement itself only affected theData Retention Directive – not respective nationallaws. It might be necessary for citizens andthe European Commission to take further legalaction. The possibility of bringing a complaint tothe European Commission on the grounds thatexisting national laws are in violation of the Europeanlaw is worth exploring.• The need for more transparency in the areawhere law enforcement and intelligence agencies“meet” private companies and demandcitizens’ data has become evident, not only withregard to telecommunications data, but evenmore so with regard to all types of data that arestored by internet service providers. One wayof pursuing this goal is by drafting so-calledtransparency reports – reports that show notonly the scale of surveillance but also exploreits purposes and human rights impact. Whilecompanies focus on numbers, civil society andresearchers should focus on problem analysis,asking pertinent questions on the basis ofavailable data. Panoptykon Foundation draftedsuch a transparency report for Poland in 2013. 12Other organisations could build further on thismethodology.12 Panptykon Foundation. (2013). Access of public authorities tothe data of Internet service users: Seven issues and severalhypotheses. Warsaw: Panoptykon Foundation. panoptykon.org/sites/panoptykon.org/files/transparency_report_pl.pdf200 / Global Information Society Watch poland / 201


ROMANIABack to the digital cageStrawberryNet Foundation and Sapientia HungarianUniversity of TransylvaniaRozália Klára Bakówww.sbnet.ro, www.sapientia.ro/enIntroductionRomania joined the European Union (EU) in 2007– an important step towards integrating its policiesinto the EU framework, but with several gaps whenit comes to information and communications technologies(ICTs).While the European Court of Justice (ECJ)has rejected the EU Data Retention Directive 1 asinvalid, 2 Romanian legislators were preparing twolaws which, if adopted, would throw the countryinto a “digital cage”: Draft Law 263/2014 on cybersecurity, and Draft Law 277/2014 on the registrationof prepaid mobile SIM cards and public Wi-Fiusers. 3 Back in 2011, Romania was at the forefrontof rejecting the EU Data Retention Directive, 4 riskingsanction from the European authorities. In thiscontext, adopting laws that violate users’ right toprivacy in 2014 would be a step back for the ICTpolicy-making standards in the country.“Romania is currently undergoing rapid andmajor technological development, but we haveto make sure the new technology respects users’rights. Under Ceausescu, 5 Romanians were forcedto register all typewriters with the Militia. Today,the government wants all Romanians to registerall prepaid SIM cards and record all traffic goingthrough free public Wi-Fi hotspots,” states an onlinepetition launched on 8 June 2014. 6 This reportfocuses on two civil society protests against dataretention laws in Romania that occurred in Juneand July 2014.1 Directive 2006/24/CE of the European Parliament.2 O’Brien, D. (2014, April 8). Data Retention Directive invalid, saysEU’s highest court. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2014/04/data-retention-violates-human-rightssays-eus-highest-court3 www.apti.ro/noutati-cybersecurity-si-prepay-cdep4 legi-internet.ro/blogs/index.php/legea-pastrarii-datelor-de-trafica-fost-respinsa-de-senat5 Nicolae Ceausescu, Romanian dictator (1965-1989) under theCommunist regime (1949-1989)6 coliberator.ro/petitionPolicy and political background:Romania in the European contextThe process of ICT policy alignment started duringRomania’s accession to the EU (2001-2004). Milestonesof regulatory changes contributing to anICT-enabled environment included the liberalisationof the telecommunications market (2003), and legislationdealing with universal access, e‐commerceand online security, as detailed in the Romaniacountry report in GISWatch 2007. 7While the EU regulatory framework acted asa pulling force, ICT businesses have also pushedRomanian governmental agencies to keep up withregional and global communication trends. Infrastructuraldevelopment has enabled access tomobile telephony and internet across the country,with narrowing gaps between urban and ruralareas, the young and the elderly, the rich and thepoor. The mobile broadband penetration rate rosesignificantly between 2011 and 2013, with 47.6% ofthe population connected to the internet via mobiledevices in December 2013, compared to 21% in December2011. 8Digital literacy gap: Low or no skillsAccording to the Digital Agenda Scoreboard 2014for Romania, 9 which assesses the country’s digitalperformance based on data available for 2013, thewidest gap between Romania and the EU averagescores concerns rural fixed-broadband coverage(78% vs 90%), mobile broadband take-up (41% vs62%), and 4G mobile broadband coverage (27%vs 59%). Partly due to this infrastructural gap, 1042% of the Romanian population has never usedthe internet, compared to the 20% EU average,and only 45% is using the internet on a weeklybasis, while the EU average is 72%. Meanwhile,individuals with low or no digital skills represent85% of the population, significantly higher than7 giswatch.org/en/country-report/civil-society-participation/romania8 Autoritatea Nationala pentru Administrare si Reglementare inComunicatii (ANCOM). (2014). Piata serviciilor de comunicatiielectronice din Romania. Raport de date statistice pentru perioada1 iulie – 31 decembrie 2013, p. 39.9 https://ec.europa.eu/digital-agenda/en/scoreboard/romania10 And partly due to low ICT skills.the 47% EU average. 11 An alarming ratio of 94%of “disadvantaged” people – individuals who areaged 55-74, have low levels of education and/orare unemployed, retired or inactive – have low orno digital skills, compared to the 64% EU average.Online safety and privacy issues are among themost critical digital skills gaps of Romanian internetusers.A report on EU digital skills issued in May 2014 12placed Romania at the lowest end of the performancescale for every indicator: general ICT skills,safety, content creation and problem solving online.Even the so-called connected generation Z inRomania lags behind the digital literacy of youthin other countries, as shown in the EU Kids Onlineproject findings, 13 and the Net Children Go Mobilereport. 14 These alarming results show the heightenedresponsibility for policy makers and society atlarge, including businesses and civil society organisations,to protect the digital rights of a vulnerable,unskilled population.Stop surveillance activities in Romania!A civil society campaignICT policy experts from Romania 15 have warned ofthe threats to privacy if data retention laws 16 are adopted.After draft laws were published in April 2014,civil society organisations have closely monitoredthe legislative process and informed the public,taking positions against both the content and thepolicy-making process.“Invading people’s privacy is like rape”When commenting on the draft laws on data retention,the head of the ICT committee for the RomanianChamber of Deputies put it bluntly: intruding intopeople’s computers without their consent is likerape. 1711 Data available for 2012.12 European Commission. (2014). Measuring Digital Skills acrossthe EU: EU wide indicators of Digital Competence. ec.europa.eu/digital-agenda/en/news/measuring-digital-skills-across-eu-euwide-indicators-digital-competence13 Helsper, E. J., Kalmus, V., Hasebrink, U., Sagvari, B., & de Haan,J. (2013). Country Classification: Opportunities, risks, harm andparental mediation. LSE, London: EU Kids Online.14 Mascheroni, G., & Ólafsson, K. (2014). Net Children Go Mobile:Risks and opportunities. Second edition. Milan: Educatt, p.39.www.netchildrengomobile.eu/reports15 apti.ro/pozitia-apti-comisia-ITC-prepay-securitate-cibernetica16 Draft Law 263/2014 on cyber security, and Draft Law 277/2014on registering prepaid mobile SIM cards and public Wi-Fi users(issued in April 2014 for public consultation).17 www.avocatnet.ro/content/articles/id_37763/Boc-Boc-Cine-e-Nuconteaza-da-mi-telefonul-sa-caut-in-el.htmlCivil society and its partners 18 began to mobilisein June 2014 at the Coliberator conference, 19organised by the Ceata Foundation. On 7-8 June2014, a follow-up to this digital rights conferencecalled Coliberator took place in Bucharest, featuringtopics like “Reimagining the Digital Revolutionafter Snowden”, “A Free Digital Society”, and “Surveillance,capabilities, social consequences andresponses”. Conference participants published anonline petition, asking the Romanian authoritiesto withdraw the draft laws on data retention. Thepetition, called “Stop surveillance activities in Romania!”,received 1786 signatures 20 from peoplewith various backgrounds: digital rights activistslike Richard Stallman (the president of the FreeSoftware Foundation), Jillian York (director atElectronic Frontier Foundation), Bardhyl Jashari(Metamorphosis Foundation), 21 mainstream mediarepresentatives, bloggers, software developers andstudents.Targeted protests against the “Big brother law”At the same time, the Association for Technologyand Internet, the Association for Defence of HumanRights in Romania, the Helsinki Committee, ActiveWatch,the Centre for Independent Journalism,the Romanian Centre for Investigative Journalism,Geo‐spatial.org and the Ceata Foundation launcheda joint statement 22 expressing their strong disapprovalof Law 277/2014 on registering prepaid SIMcards and monitoring public Wi‐Fi users. This lawwas passed in the Romanian Senate on 2 June 2014,with only one day allowed for amendments and comments.The signatory organisations highlighted thedisproportionate and unclear character of the law:• All free Wi-Fi users will need to be identified.• All prepaid mobile phone users will have tobe registered within six months after the lawcomes into force, otherwise their services willbe deactivated.• Users’ registration will be done under uncertainconditions, with no clear provisions on who willbe accessing their personal data.On 2 July 2014, the law was rushed through parliamentby the Chamber of Deputies. It was the18 Centre for Research in Applied Ethics, Friedrich Ebert StiftungOffice Romania, The Sponge Media Innovation Lab, Knight-MozillaOpen News, and Coalition for Open Data.19 coliberator.ro/index.en.html20 As of 7 July 201421 Macedonian member organisation of the Association forProgressive Communications.22 www.apador.org/en/parlamentul-aproba-proiect-lege-carteleprepay202 / Global Information Society Watch romania / 203


Online petition appeal launched at the Coliberator conferenceon 8 June 2014Stop surveillance activities in Romania!Romania is currently undergoing rapid and major technological development, but we have tomake sure the new technology respects users’ rights. Under Ceaușescu, Romanians were forcedto register all typrewriters to the Militia. Today, the government wants all Romanians to register allpre-paid SIM cards and record all traffic going through free public WiFi hotspots.PreambleJust one month after the ECJ decision declaring the Data Retention Directive invalid, the RomanianGovernment made three decisions to continue and even extend mass surveillance by:• ignoring the ECJ decision and keeping the law 82/2012 regarding the data retention to beenforced anyway.• adopting, without any kind of public consultation, a law requiring registration of all prepaidsim card users (including forcing the current 12 million users to submit their personal dataduring the next 6 months or face disconnection). This is all the more egregious given that thisis the 4th such attempt since 2011.• planning to require providers of free public WiFi hotspots to identify their users.• adopting, without any kind of public consultation, a new law giving agents of the state thepower to examine data in any computer system whatsoever without a court order, includingyour computer, in order to “have access to the data being held”.The signatories, participants of Fundația Ceata’s Coliberator conference, as well as other peopleand organizations supporting this protest, are demanding the Romanian government and theRomanian public institutions to respect the citizens’ privacy rights.Thus, the signatories:1. Remind that privacy is a fundamental human right, and that it is central to the existence andsurvival of democratic societies. It is essential to human dignity and it reinforces other rights,such as freedom of expression and information, and freedom of association, and is recognisedunder international human rights law. Activities that restrict the right to privacy, includingcommunications surveillance, can only be justified when they are prescribed by law, whenthey are necessary to achieve a legitimate aim, and when they are proportionate to the aimpursued. (International Principles on the Application of Human Rights to CommunicationsSurveillance)2. Demand the immediate rejection by Parliament and withdrawal by the Government of theabove mentioned draft laws that are infringing the right of privacy of the Romanian citizens.3. Ask for rapid annulment of the data retention law in order to respect the ECJ decision.4. Underscore that any future action of the government that could affect the right of privacyor any other fundamental rights must be drafted and adopted only after meeting thetransparency requirements made by Law 52/2003, with a full human rights impact assessmentand with a mandatory opinion from the Romanian Data Protection Authority.fourth attempt to adopt a “Big Brother Law” inthree years, all opposed by civil society organisationsand industry – three times successfully. 23 On3 July 2014, civil society organisations issued astatement highlighting the lack of real consultationduring the legislative process, and asking that theRomanian Constitutional Court take note of the unconstitutionalcharacter of the law. 24 On 7 July 2014,nine Romanian civil society organisations issueda request to the presidency, asking it to notify theConstitutional Court on the unconstitutional characterof the surveillance law. 25ConclusionsSteady technological development has connectedmany Romanians to the global digital culture, butwhen it comes to skills, awareness and participation,there is a long way to go: 85% of the population haslow or no digital skills, and 45% has never used theinternet. Governmental machineries and interestsare still dominating the public arena, but civil societyorganisations have strong capacity to channel energiesand to protect vulnerable users’ right to privacy.Romanian organisations were able to mobilise, andin one month 1786 signatures were gathered protestingagainst an abusive surveillance law.Two draft laws were issued in April 2014: oneon cyber security, with a pending status in July2014, and the other on monitoring prepaid SIMcard holders and public Wi-Fi users – the latter waspushed through the legislative apparatus in onemonth, from 2 June to 2 July 2014. The future remainsuncertain: it is more likely that a top-downauthoritative voice from the EU would be able toprevent Romanian authorities from invading citizens’privacy.Ironically, while the ECJ has rejected the EUsurveillance directive, Romanian authorities stilladopted an abusive law that throws the country intoa “digital cage”.Action stepsA multi-stakeholder approach to ICT issues, includingdigital rights, should be promoted andimplemented at a national level in Romania. Civilsociety organisations should act as barometers offreedom and watchdogs of democracy by:• Building stronger coalitions with local and internationaldigital rights activists.• Developing common platforms and strategieswith businesses and international governmentalorganisations, such as EU organs.• Initiating and implementing ICT educationalprogrammes in order to raise the level of digitalliteracy in Romania.Note: English translation by the petition organisers.source: http://coliberator.ro/petition/23 apti.ro/Ini%C5%A3iativ%C4%83-legislativ%C4%83-privind-%C3%AEnregistrarea-utilizatorilor-serviciilor-decomunica%C5%A3ii-electronice-tip-Prepay24 apti.ro/solicitare-sesizare-CCR25 apti.ro/apel-catre-presedentie-impotriva-inregistrare-prepay204 / Global Information Society Watch romania / 205


RussiaSliding downhill after SochiHuman rights and electronic surveillance journalistOliver PooleIntroductionThey are the two most famous people in Russia:Vladimir Putin, the country’s president, who publiclystated that the internet is a “CIA project”, 1 andEdward Snowden, the US National Security Agency(NSA) whistleblower who sought asylum in Moscow.For months neither was known to have talked.Then, this April, they appeared in a television debate.2 Speaking via video link, Snowden asked:“Does Russia intercept, store or analyse in any waythe communications of millions of individuals?” Putin’sanswer was adamant. “We don’t have a masssystem for such interception,” he said, “and accordingto our law it cannot exist.”Unfortunately for the country’s internet users,there is a weight of evidence – much of it recentlyuncovered by researchers – that a mass system ofinterception does in fact exist and that Russia doeshave laws which enable it to exist. In Russia, asSnowden surely knew, the question increasingly isnot which parts of the internet are being monitoredby the state but which parts are not. It is why hisnew home is an unlikely refuge for a champion ofcommunications privacy.Policy and political backgroundThe Soviet Union (USSR) had no qualms about surveillance.From its inception, the secret servicespried into the private lives of its citizens. In the1980s this resulted in the development of an automatednationwide communications interceptionservice which could monitor the government-ownedtelecommunications services.This did not stop with the USSR’s collapse. 3The KGB’s 4 successor, the Federal Security Service1 Al Jazeera. (2014, April 25). Putin says Internet is a CIA project. AlJazeera. www.aljazeera.com/news/europe/2014/04/putin-saysinternet-cia-project-201442563249711810.html2 Mackey, R. (2014, April 17). Video of Snowden Asking PutinAbout Surveillance. The New York Times. thelede.blogs.nytimes.com/2014/04/17/video-of-snowden-asking-putin-aboutsurveillance/?_php=true&_type=blogs&_r=03 agentura.ru/english/projects/Project_ID/PIproject4 Former Russian secret service.(FSB), remained committed to surveillance. Thetelecommunications sector was no longer owned bythe state, but the Ministry of Communications stipulatedthat the newly privatised companies installa device that is believed to enable the FSB to listento or record calls without the provider’s knowledge.This was SORM (System of Operative-InvestigativeMeasures). Its capabilities have since been increased,first under SORM-2 and then SORM-3.Described by one expert as “Prism on steroids”, 5it is now an intercept programme that privacy campaignersmaintain permits the FSB to monitor andcollect traffic without the knowledge of internet serviceproviders (ISPs) or their users.The country’s laws do contain prohibitions onmass surveillance and FSB officers are required toobtain a court order to access communications. 6Once a warrant has been obtained, however, it doesnot have to be shown to phone or internet providers,as is required in much of the West. Free speechactivists have shown that the only person the FSBofficer must show the court order to is his superior. 7Assume any electronic device canbe exploitedAhead of the Sochi Winter Olympics, the US StateDepartment’s Bureau of Diplomatic Security warnedstaff visiting the Games: “Assume any electronic deviceyou take can be exploited. If you do not needthe device do not take it.”Visitors were given a series of dos and don’ts toprotect their privacy, according to those who haveseen the document. 8 It read like something from aJohn le Carré novel. “Essential devices should haveall personal identifying information and sensitivefiles removed or ‘sanitized’. Devices with wirelessconnection capabilities should have the Wi-Fiturned off at all times… Do not connect to local ISPs5 Walker, S. (2013, October 6). Russia to monitor ‘allcommunications’ at Winter Olympics in Sochi. The Guardian.www.theguardian.com/world/2013/oct/06/russia-monitorcommunications-sochi-winter-olympics6 Federal Law No. 144-FZ on Operational - Search Activities (1995,last amended 2004). www.legislationline.org/documents/id/41917 Soldatov, A., & Borogan, I. (2013). Russia’s Surveillance State.World Policy Journal, Fall. www.worldpolicy.org/journal/fall2013/Russia-surveillance8 Ibid.at cafés, coffee shops, hotels, airports or other localvenues… Change all your passwords before andafter your trip… Be sure to remove the battery fromyour Smartphone when not in use.”On how the Russian state apparently gainedsuch penetration, we primarily have two Russianinvestigative journalists – Andrei Soldatov and IrinaBorogan – and the website they co-founded, Agentura.ru,to thank. For Sochi, the pair collated dozens ofopen source technical documents on the governmentprocurement website Zakupki, 9 cross-referencedwith the public records of various oversight agencies,to show how telephone and Wi-Fi networks were beingamended in the run-up to the Games.The organisers of Sochi had trumpeted it as themost technologically accessible Games ever with freehigh-speed Wi-Fi access at all venues, and at mediacentres and hotels, as a well as a 4G LTE 10 network.Soldatov and Borogan detailed in “Surveillance atthe Sochi Olympics 2014” how wireless encryptionhad apparently been disabled in this network sothat, although communications remained encryptedagainst casual eavesdropping by hackers, theywould not be for the FSB. 11 The pair furthermore produceddocuments showing Rostelecom, the nationaltelecoms operator responsible for the 4G network,was installing deep packet inspection (DPI) devices. 12Soldatov and Borogan also revealed the existenceof an FSB presentation on how SORM wasbeing upgraded for the event. 13 The existence ofSORM is well known. Indeed Russian internet usersnever seem to have been under the illusion, as in theWest pre-Snowden, that internet use was private. 14In every Russian town there are widely believed tobe underground cables that connect the local FSBbureau with ISPs and telecom providers. Originallycreated by the KGB to monitor phone calls,from 1998 SORM could also access the internet. 15This incarnation of SORM enabled only a limitedamount of data to be collected, however, not leastbecause many intercepts were operated manually9 www.zakupki.gov.ru/epz/main/public/home.html10 A standard for wireless communication of high-speed data formobile phones.11 www.agentura.ru/english/projects/Project_ID/sochi12 zakupki.gov.ru/223/purchase/public/purchase/info/commoninfo.html?noticeId=507603&epz=true13 infosystems.ru/assets/files/Sochi%202010/Kuzmin_RNT.pdf14 Giles, K. (2013, October 29). After Snowden, Russia Steps UpInternet Surveillance. Chatham House. www.chathamhouse.org/media/comment/view/19517315 Pincus, W. (2014, April 21). In questioning Russia’s Putin aboutsurveillance, Snowden misses the point. The WashingtonPost. www.washingtonpost.com/world/national-security/inquestioning-russias-putin-about-surveillance-snowden-missesthe-point/2014/04/21/c3e09352-c732-11e3-bf7a-be01a9b69cf1_story.htmlby agents. According to Soldatov and Borogan, thisis no longer the case. SORM’s Sochi incarnation collectsinformation from all forms of communicationand provides long-term storage. Furthermore, theywrite, the introduction of the DPIs enables thosesending and receiving specific packets of electronicinformation to be identified, and for the informationin those packets to be filtered.Since 2000 eight Russian agencies have access tointercepts: the Interior Ministry, the FSB, the FederalProtective Service, the Foreign Intelligence Service,Customs and Excise, the Federal Anti-drug Agency,the Federal Prisons Service and the Main IntelligenceDirectorate of the General Staff. 16 Independent privacywatchdogs report that it is the ISPs who are required tocover the cost of installing the devices enabling trafficto be monitored, but they are denied access to the surveillanceboxes so neither service providers nor theirusers know what is being collected or when. Thosethat resist face penalties: 17 first a fine; then, if theydo not comply, the possibility of their licence beingrevoked. A joint investigation by Agentura.ru, CitizenLab and Privacy International found 16 such warningsto telecoms and internet providers in 2010. For 2011they found 13. In 2012 the number had jumped to 30. 18The use of SORM also appears to be growing. Figuresfrom the Russian Supreme Court showed a doublingof telephone communication intercepts between 2007and 2012 from 265,937 to 539,864. 19 These figures didnot include counterintelligence conducted on Russiancitizens and foreigners – and it was before Snowden’sNSA revelations.Keir Giles of Chatham House has argued thatthe Russian authorities have long approached theinternet differently to the West. 20 Democratic societiestraditionally see freedom of expression andindividual liberties as core rights to be protected.But the Russian perspective is to dwell on nationalsecurity dangers. Snowden’s disclosures renewedbelief in government circles that internet use inRussia must be more carefully controlled and free offoreign interference – and gave a fresh justificationto those who already wanted it to be so. 2116 Soldatov, A. (2012, October 11). Privacy International and Agentura.Ru launch the joint project ‘Russia’s Surveillance State’. PrivacyInternational. https://www.privacyinternational.org/blog/privacyinternational-and-agenturaru-launch-the-joint-project-russiassurveillance-state17 One such court decision can be seen here: msud106.krd.msudrf.ru/modules.php?name=info_pages&id=1002&cl=118 Soldatov, A., & Borogan, I. (2013). Op. cit.19 Ibid.20 www.conflictstudies.org.uk/publications.php21 Ames, M. (2014, January 16). Edward Snowden demands pressfreedom (for journalists who don’t live or work in Russia). PandoDaily. pando.com/2014/01/16/edward-snowden-demands-pressfreedom-for-journalists-who-dont-live-or-work-in-russia/206 / Global Information Society Watch russia / 207


In December the Russian Duma extended theso-called internet “black list” with a law allowing“extremist” websites to be blocked without courtconsent. The definition of “extremist” included thecalling of unauthorised demonstrations. The Kremlin’sown Committee on Human Rights warned thatthis risked infringing the country’s constitution. 22However, three independent sites were blockedshortly afterwards, and more followed as the crisisescalated in Ukraine. Furthermore, to the concernof Reporters Without Borders and others, from Augustbloggers with more than 3,000 daily viewerswill be placed under the same content restrictionsas newspapers and television. 23 This means theywill have to register with the authorities. A numberof blogging sites are removing features showingvisitor numbers as a result. In addition Lenta.Ru,a major online current affairs site, was effectivelydestroyed in March when its editor-in-chief andexecutive director were sacked, resulting in the resignationof its entire team of journalists. 24Soldatov and Borogan have said that Russianbusinesses that rent space on servers in Russiaare required under the stipulation of their licencesto give access to the security services via SORM. 25But platforms such as Facebook, Twitter and Googleare not hosted in the country. Indeed Facebook andTwitter did not even have a formal representativeentity there. This is a particular problem for anyonewishing to intercept their traffic, as social networksites are notoriously difficult to monitor due tobeing closed accounts and therefore resistant tosemantic analysis.Snowden’s revelations seemingly promptedrenewed effort to bridge this knowledge gap. Legislationhas been introduced to make websiteowners and operators (including Facebook, as thelaw states it includes foreign websites with Russianusers) archive user data for six months andbe willing to provide it to the government whenrequested. 26 Foreign internet companies are alsobeing pressured to invest in local data storage facilities.In April, Maksim Ksenzov, the deputy director22 Sugarman, E. (2014, March 27). Russia’s War on Internet FreedomIs Bad for Business and the Russian Economy. Forbes. www.forbes.com/sites/elisugarman/2014/03/27/russias-war-on-internetfreedom-is-bad-for-business-and-the-russian-economy/23 Reporters Without Borders. (2014, April 18). Will the Russianinternet soon be under complete control? Reporters WithoutBorders. en.rsf.org/russia-will-the-russian-internet-soonbe-18-04-2014,46167.html24 Human Rights Watch. (2014, April 24). Russia: Veto law torestrict online freedom. Human Rights Watch. www.hrw.org/news/2014/04/24/russia-veto-law-restrict-online-freedom25 Soldatov, A., & Borogan, I. (2013). Op. cit.26 Sugarman, E. (2014, March 27). Op. cit.of Roskomnadzor (the Agency for the Supervisionof Information Technology, Communications andMass Media), hinted that those who did not complycould be switched off. 27 Prime Minister DmitryMedvedev sharply denied this was the case, callingon officials to “use their brains” before announcingthe closure of social networking sites. However,Kommersant has published leaked documents thatit claims show the government intends to prohibitany DNS 28 server outside of Russia from using the.ru or .rf domains. 29It is not just international social media ownersthat are under pressure. Vkontakte is the country’slargest independent social media site – and a favouriteof opposition activists after its founder, PavelDurov, refused to close groups organising protestmarches during the early 2012 protests. Durovinitially resisted attempts by Vkontakte’s Kremlinfriendlyshareholders, including Alisher Usmanov,to force him out. 30 This April, however, he left notonly the company but the country. A few days earlierhe wrote on his blog that the FSB had ordered himto provide personal data on the organisers of 39groups on Vkontakte, allegedly linked to Ukraine’sEuromaidan movement. 31Explaining his departure, Durov warned it hadbecome “harder and harder to remain with thoseprinciples on which our social network is based.”His statement ended with a quote from Douglas Adams’comedy science fiction novel The Hitchhiker’sGuide to the Galaxy. Given Russia’s increasinglyhypnagogic internet – officially free but in practicelooking anything but – it was an aptly surrealchoice. “So long,” he said, “and thanks for all thefish.”ConclusionSnowden seemingly acknowledged SORM’s invasivenet when, after his exchange with Putin,he called on journalists to pressure the Russianpresident “for clarification as to how millions of individuals’communications are not being intercepted,analyzed or stored, when at least on a technicallevel the [Russian] systems that are in place mustdo precisely that in order to function.” 32 It is this27 Hille, K. (2014, May 16). Russian regulator threatens to blockTwitter. The Financial Times. www.ft.com/cms/s/0/a3ea4946-dd06-11e3-b73c-00144feabdc0.html#axzz39plsMHbi28 Domain name system.29 www.kommersant.ru/doc/246276030 Walker, S. (2014, April 2). Founder of Vkontakte leaves afterdispute with Kremlin-linked owners. The Guardian. www.theguardian.com/media/2014/apr/02/founder-pavel-durovleaves-russian-social-network-site-vkontakte31 Human Rights Watch. (2014, April 24). Op. cit.32 Pincus, W. (2014, April 21). Op. cit.question – what the Russian state is doing with theinterception network it appears to have spent millionsof roubles creating – that is of such concernto privacy, security and human rights campaigners.There is a public security cause for the centralgovernment to keep an eye on electronic communications.The extent of the Sochi programme, whichalso saw 5,500 video cameras installed and drones– some with thermal vision – deployed, was in parta reflection of the heightened terrorist threat fromregional separatist groups. But the evidence indicatesthat this intercept programme is seeminglybeing extended far beyond such extremist groups.The amount of data produced by Russia’s 75million internet users is vast, and data capture,let alone storage, may well be beyond the capacityof many telecoms operators. 33 Soldatov has saidthat Russian technology for storing and interceptingcommunications is not as advanced as thatused by the US. 34 Moreover, as InfoWatch headNatalia Kasperskaya has pointed out, Russia remainsdependent on Western computer technologyfollowing the near collapse of the country’s own microelectronicsindustry in the 1990s. 35 Any attemptto “balkanise” the Russian web would only lead topoorer access, slower speeds and greater costs tothe consumer.Nevertheless, the policy trajectory appearsclear. First the Kremlin targeted phones. Then it targetedemails and internet pages. Now there is anassault on social networks. A raft of lawful methods33 Giles, K. (2013, October 29). Op. cit.34 Lake, E. (2014, April 18). Sorry, Snowden: Putin Lied to You AboutHis Surveillance State – And Made You a Pawn of It. The DailyBeast. www.thedailybeast.com/articles/2014/04/17/sorrysnowden-putin-lied-to-you-about-his-surveillance-state-andmade-you-a-pawn-of-it.html35 tvrain.ru/articles/natalja_kasperskaja_majkrosoft_pozhaleet_esli_podderzhit_sanktsii_v_otnoshenii_rossii-367814/now exist for the Russian state to collect informationand block unwanted online content – whileSoldatov and Borogan have detailed a range ofextralegal approaches allegedly being adopted aswell. Given such circumstances, the Bureau of DiplomaticSecurity’s warning ahead of Sochi appearsnot only prudent for its staff but for anyone wishingto protect their communications in modern-dayRussia.Action stepsThe following advocacy steps can be recommended:• Lobby national governments to encourage Russianot to suppress free expression online, todrop proposed restrictions on bloggers, and toend pressure on social networks and independentwebsites.• Promote legal support for media organisationswith limited financial capacities, including bycreating collective legal tools.• Create and disseminate best practice guidelinesto promote protection on the internet.• Conduct outreach programmes for the widerpublic to highlight the social and economic advantagesof a free and open internet.• Lobby the Russian government to adopt transparentcivic discussions ahead of the adoptionof new laws impacting on communicationsfreedom.208 / Global Information Society Watch russia / 209


RwandaEnsuring security, or violating privacy and freedom?Emmanuel Habumuremyiwww.giswatch.org/users/ehabumuremyiIntroductionThe rapid growth of information and communicationstechnology (ICT) services in Rwanda hasbrought new policies, laws and strategies. Theseare aimed not only at alignment with establishedeconomic development and poverty reductionstrategies, but also at ensuring that citizens andnon-citizens enjoy full freedom, security and privacy.At the moment, the mobile phone penetrationrate is estimated at over 65.4% when it comes toactive SIM cards, 1 up from 53.1% in December 2012,and the internet penetration rate was approximately22% in terms of mobile broadband subscriptionsby June 2014. 2 The statistics are based on a populationof 10,515,973 recorded in the 2012 nationalcensus. 3 However, communications surveillance isnot a common issue discussed publicly. The reasonsare hypothetical, including a lack of awareness ofwhy surveillance is necessary, what its advantagesor disadvantages are for people’s rights, and howit is done.The focus of this report is to discuss existingmeasures to keep citizens’ personal data safe frominternal and external intruders, and to examine thereasons and conditions under which surveillance ofcommunications is conducted, as well as who is authorisedto do so. It explores the current Rwandanlegal framework, government commitments in thisarea and the international community’s views onhow the government honours these commitments.Policy and political backgroundAs Rwandans are becoming active users of smartdevices (like mobile phones, iPads and tablets), aswell as consumers of social media and other onlinefacilities, on the one hand people are discoveringhow ICTs are helping them to share their privateinformation, store personal data and discuss1 www.rura.rw/fileadmin/docs/Montly_telecom_subsribers_telecom_subcribers_as_of_June.pdf2 Republic of Rwanda. (2004). MYICT performance contract for FY2014-2015, p. 4.3 www.statistics.gov.rwsensitive issues. On the other, they are finding outthat if these communications are not well protected,they can be misused or abused by corporateentities, malicious people and public officials.While writing on the rights to privacy in the digitalage, the National Commission for Human Rights(NCHR) in Rwanda ascertained that measureshave been taken at the national level to ensure respectfor and protection of citizens’ freedom andrights to privacy, including in the context of digitalcommunications. 4The NCHR says that the first measures canbe traced to the Constitution of the Republic ofRwanda, 5 which guarantees the protection and respectof the right to privacy. Article 22 states thatthe private life, family, home or correspondence ofa person shall not be subjected to arbitrary interference,and that a person’s home is inviolable. Article34 paragraph 2 states that freedom of speech andfreedom of information shall not prejudice publicorder and good morals, the right of every citizen tohonour and good reputation, and the privacy of personaland family life.The most cited laws established to ensure therespect of the right to privacy and data protection inRwanda are the following:• Law No. 02/2013 of 8 February 2013 regulatingmedia (article 9) 6• Law No. 03/2013 of 8 February 2013 regulatingaccess to information (article 4) 7• Law No. 48/2008 of 9 September 2008 relatingto the interception of communications 8• The recently enacted ICT law 94 National Commission for Human Rights. (n/d). The rights toprivacy in the digital age. www.ohchr.org/Documents/Issues/Privacy/RwandaNHRC.pdf5 www.parliament.gov.rw/fileadmin/Images2013/Rwandan_Constitution.pdf6 www.mhc.gov.rw/fileadmin/templates/PdfDocuments/Laws/Official_Gazette_n__10_of_11_March_2013.pdf7 www.mhc.gov.rw/fileadmin/templates/PdfDocuments/Laws/Official_Gazette_n__10_of_11_March_2013.pdf8 lip.alfa-xp.com/lip/AmategekoDB.aspx?Mode=r&pid=7801&iid=23699 www.parliament.gov.rw/uploads/tx_publications/DRAFT_LAW___GOVERNING_INFORMATION_AND_COMMUNICATION_TECHNOLOGIES.pdf• Law No. 44/2001 of 30 November 2001 governingtelecommunications 10• Law No. 18/2010 of 12 May 2010 relating toelectronic messages, electronic signatures andelectronic transactions (the e‐signature law) 11• Law No. 54/2011 of 14 December 2011 relating tothe rights and the protection of the child (Article16).The government of Rwanda honours internationalcommitments on internet governance. During theNETmundial internet governance discussions, atwhich Rwanda was represented by its Minister ofYouth and ICT Jean Philbert Nsengimana, 12 the internetwas taken as “a universal global resource,that should remain a secure, stable, resilient, andtrustworthy network” and Rwanda supported theproposal of an internet governance frameworkwhich is “inclusive, multistakeholder, effective, legitimate,and evolving.” 13Rwanda ratified the International Covenant onCivil and Political Rights, and is therefore bound byArticle 17, which states: “No one shall be subjectedto arbitrary or unlawful interference with his privacy,family, home or correspondence, nor to unlawful attackson his honour and reputation. Everyone hasthe right to the protection of the law against suchinterference or attacks.” 14The above-mentioned regulations are applieddomestically. According to Privacy International,the corporate sector plays a critical role in facilitatingsurveillance. 15 Interception and monitoring ofindividuals’ communications are becoming morewidespread, more indiscriminate and more invasive,just as our reliance on electronic communicationsincreases. 16 This report does not have data on howbig corporations’ privacy policies, such as those ofGoogle and Yahoo, among others, affect internet usersin Rwanda. This is a matter for attention, sincesome of the spokespeople of these companies havebeen wilfully tone-deaf on the issue in the past: “Ifyou have something that you don’t want anyone to10 www.rura.rw/fileadmin/laws/TelecomLaw.pdf11 www.rwanda.eregulations.org/media/Electronic%20law.pdf12 Kenyanito, E. P. (2014, May 9). What did Africa get out ofNetMundial internet governance discussions? Access. https://www.accessnow.org/blog/2014/05/09/spotlight-on-african-contributions-to-internet-governance-discussions-part-13 document.netmundial.br/1-internet-governance-principles14 www.ohchr.org/en/professionalinterest/pages/ccpr.aspx15 Nyst, C. (2014, July 17). UN privacy report a game-changer infighting unlawful surveillance. Privacy International. https://www.privacyinternational.org/blog/un-privacy-report-a-game-changerin-fighting-unlawful-surveillance16 https://www.privacyinternational.org/issues/communicationssurveillanceknow, maybe you shouldn’t be doing it in the firstplace.” 17Communications interception and collectionof personal data vs international humanrights principlesRwanda, like many countries in the world, has putin place “measures to establish and maintain independent,effective domestic oversight mechanismscapable of ensuring transparency, as appropriate,and accountability for state surveillance of communication,its interception and collection of personaldata.” 18A certain number of international human rightsorganisations and external journalist reports attackthe government, at the level of ranking the countrynot free or partly free, citing the interception ofcommunications among other factors they considerhindering freedom and privacy.When the bill on the interception of communicationswas awaiting approval by the RwandanSenate, sensational headlines in internationalnewspaper reports and interpretations like “in thename of ‘public security’ Rwandan police and securityforces will be able to spy on journalists, humanrights defenders, lawyers and activists who criticiseor oppose the Kagame regime” appeared. 19With today’s global evolution driven by the advanceof ICTs, the registration of identity informationto activate a mobile SIM card is fast becoming universalin Africa. SIM registration and the collectionof biometric data were among the most criticisedprojects when they were being implemented inRwanda. They were considered by some as componentsof a growing surveillance assemblage thatalso incorporates other technologies such as electronicpassport systems, new video surveillancetechnologies, and electronic health systems. 20SIM registration2013 was characterised by a campaign encouragingall citizens of Rwanda to begin registeringtheir SIM cards, an activity started in Februaryand ending in July the same year. According to17 Taylor, A. (2014, June 16). Google and Yahoo want to ‘reset thenet’. But can it work? The Guardian. www.theguardian.com/commentisfree/2014/jun/16/google-yahoo-reset-the-net-tech-nsadata-collection18 National Commission for Human Rights. (n/d). Op. cit.19 Nyst, C. (2012, August 25). Rwandan government expandsstranglehold on privacy and free expression. Privacy International.https://www.privacyinternational.org/blog/rwandan-governmentexpands-stranglehold-on-privacy-and-free-expression20 Donovan, K. P., & Martin, A. K. (2014, February 3). The rise ofAfrican SIM registration. First Monday. firstmonday.org/ojs/index.php/fm/article/view/4351/3820210 / Global Information Society Watch rwanda / 211


the then-director general of the Rwanda Utilitiesand Regulatory Authority (RURA), the exercisewas due to “East African Community (EAC) resolutionswhere all countries agreed to implementthe SIM card registration (SCR), which is relatedto the security of mobile subscribers – such asfighting mobile-based crimes – in the region.” 21This was confirmed by some researchers such asNicola Jentzsch, who affirms that the East AfricanCommunications Organization (EACO) has been amajor proponent of SIM registration, encouragingnational governments in the region to adoptrelevant laws and regulations, or to support voluntaryinitiatives. She went on to mention EACO’smotivation: the belief that forcing customers toregister SIM cards will reduce the opportunitiesfor malevolent actors to use mobile devices anonymouslyto undertake unlawful or socially harmfulactivities, including kidnapping, drug traffickingand terrorism. 22East African countries like Kenya, Rwanda,Uganda and South Sudan are working towardsestablishing a cross-border SIM card registrationframework in a new effort to curb the rise in crimesperpetrated through the use of mobile devices. 23Biometric identityA biometric system for the identification of citizensstores all the resources needed to identify aperson, based on their digitised fingerprints andphotographs.In Rwanda, the National Identification Agency(NIDA) has opted for ICT-based initiatives to speedup citizen registration. Under the motto “SmartID, Smart Ideas”, Rwanda has built a populationregister to issue secure national identity cards,driving permits and integrated smartcards that willbe multi-purpose to enhance quick public servicesdelivery. 24 Services that come with the card includepersonal identification, insurance assessments,and bank and immigration services, among others.This avoids the need to carry many cards to accessthe different services.Since January 2014, citizens from three partnerstates (Rwanda, Kenya and Uganda) have begunto use the smartcard to cross their respective21 Bright, E. (2013, February 4). SIM card registration gets under way.The Rwanda Focus. focus.rw/wp/2013/02/sim-card-registrationgets-under-way/22 Donovan, K. P., & Martin, A. K. (2014, February 3). Op. cit.23 Wokabi, C. (2013, December 23). East African states to share SIMcard, national ID data. Pan African Visions. panafricanvisions.com/2013/east-african-states-share-sim-card-national-id-data24 www.worldbank.org/content/dam/Worldbank/Event/socialprotection/Building_Robust_Identification_Systems_Session_Packet.pdfborders without presenting any passport orpass. 25 The interconnected national ID system ismeant to facilitate the faster movement of peoplebetween the three countries, and at the sametime to ensure that people moving from one countryto another do not fake their nationalities andidentities.Arguments against the establishment of biometricdata collection state that studies of nationalID card programmes have consistently found thatcertain ethnic groups are disproportionately targetedfor ID checks by the police. Privacy Internationalgoes further by pointing to the genocide againstTutsis in 1994, when ID cards designating theirholders as Tutsis cost thousands of people theirlives. For them, an ID card enables disparate identifyinginformation about a person that is storedin different databases to be easily linked and analysedthrough data-mining techniques. This createssignificant privacy vulnerability, especially giventhe fact that governments usually outsource theadministration of ID programmes to unaccountableprivate companies. 26Following the success of the national ID programme,Rwandan government stakeholders areoptimistic about the potential success of this initiative.Many stakeholders believe that the Rwandansmartcard initiative will enhance their quality ofservice delivery while reducing lengthy turnaroundtime. 27Interception of communicationsIn August 2013, the Rwandan government passedamendments to a 2008 law relating to the interceptionof communications. While reading mostmedia articles criticising the law, laypeople in thefield lose track of what it is and what it is not, whenit is lawful and when it is unlawful, and who is authorisedto intercept communications.The law defines communications interceptionas “any act of listening, recording, storing,decrypting, intercepting, interfering with, or carryingout any other type of surveillance over voiceor data communications without the knowledgeof the user and without explicit permission to doso.” 2825 IWACU. (2014, January 14). ID cards to replace passports in EAC.IWACU English News. www.iwacu-burundi.org/blogs/english/idcards-to-replace-passports-in-eac/26 https://www.privacyinternational.org/issues/id27 Sivan, S. K. (n/d). Enhancing public and private sectordelivery through Rwandan national smart card initiative. www.appropriatetech.net/files/ENHANCING_PUBLIC_AND_PRIVATE_SECTOR_DELIVERY.pdf28 Law relating to the interception of communications.Relevant authorities are authorised to carry outinterception of communications for national securitypurposes. 29 According to the law, this is doneon a criminal suspect: “[W]hen all other proceduresof obtaining evidence to establish truth havefailed, the prosecutor in charge of investigations,may, after obtaining a written authorisation by theProsecutor General of the Republic, listen, acknowledgeand intercept record[ed] communications,conversations, telegrams, postal cards, telecommunicationsand other ways of communicating.” 30The law governing telecommunications, meanwhile,recognises privacy and data protection, andforbids interception of communications in its Article54. It states: “Every user’s voice or data communicationscarried by means of a telecommunicationsnetwork or telecommunications service, remainsconfidential to that user and the user’s intendedrecipient of that voice or data communications.” Ifa court authorises the interception or recording ofcommunications in the interests of national securityand the prevention, investigation, detection andprosecution of criminal offences, the above articleis not applied.Government authorities of “the relevant securityorgans” are authorised to apply for an interceptionwarrant. In May 2014, the government appointedthe Ombudsman and Deputy Ombudsman as ateam of inspectors in charge of monitoring thatinterception of communication which is done in accordancewith the law. 31 No person shall reveal anyinformation which he/she accessed in the exerciseof his/her responsibilities or duties in relation tothis order, except when authorised by the head ofthe security organ which has carried out the interception(Article 8). 32The following acts are not considered as interceptionof communications:• Evidence of a crime collected after the messagereached the receiver.• Evidence based on communication recorded bythe sender or the receiver or other person withoutusing a monitoring device for interception ofcommunications. 3329 Ibid.30 Law N° 13/2004 relating to the Code of Criminal Procedure. www.refworld.org/docid/46c306492.html31 2014 Presidential Order appointing inspectors in charge ofmonitoring the interception of communication.32 2014 Prime Minister’s Order determining modalities for theenforcement of the law regulating interception of communication.33 Ibid.ConclusionAs is becoming the practice in most democraticcountries, in Rwanda intercepts of oral, telephonicand digital communications are initiated by lawenforcement or intelligence agencies only after approvalby a judge, and only during the investigationof serious crimes.Arguments against communication interception,based on asserting that the reasons advancedfor interception are weak, seem to be on the extremeside when a developing country is involved.In the absence of clear case studies and unbiasedopinions that consider both the pros and cons ofcommunications surveillance, the public is not ableto know how surveillance can make a safer societyas proposed by governments, or how it can deterioratetheir rights as argued by human rights activists.With SIM registration, your email, ID and phoneare linked together. The requirement by big corporationsto provide a telephone number when usingtheir services, for instance, is also dangerous andpromotes unnecessary personal data surveillance,since users are not aware who is accessing theirdata and what the data is being used for.Action stepsApart from the existing laws in place, the Rwandangovernment should consider the following when itcomes to communications surveillance:• The government needs to sensitise Rwandancitizens through awareness campaigns on procedures,practices and legislation regarding thesurveillance of communications. This should bedone in order to increase their knowledge onmatters related to surveillance on the one hand,and to help them use communication channelsresponsibly on the other hand.• Telecommunications and internet service providersshould increase the quality of what theyoffer to the clients, since poor service that requirescitizens to seek help from a customercare desk is likely to expose the clients’ privacy.• Rwandan civil society and human rights organisationsshould be in a position to understandwell what is involved in communications surveillancein order to avoid relying on speculativeinformation.212 / Global Information Society Watchrwanda / 213


SenegalCommunications surveillance in the Senegalese digital societyJONCTIONAbabacar Diopwww.jonctions.orgIntroductionSenegal, located in West Africa, is a country formerlycolonised by France which gained its independencein 1960. It currently has a population of roughly 13million people.The advent of the Senegalese digital societyin the late 1990s and its exponential developmentsince the 2000s has led policy makers to set up aninstitutional and legal framework for digital activitywith the adoption in 2008 of a series of laws governingthe internet in the country. 1 Policy makers foundthis necessary for reasons of national security, andto establish a legal and institutional framework toprotect citizens against crimes related to onlineactivity.ICTs have brought real changes in the forms ofcommunication and exchange, not only at the corporatelevel, but also in the relationships betweencitizens. However, even if it is proven that ICTs aregreat tools at the service of freedom of speech, theyalso constitute a real danger when it comes to theprivacy of correspondence.The Senegalese media continue to revealscandals about citizens’ communications beingmonitored either by the government or by privatecompanies. 2 This will be the subject of our discussion,which attempts to analyse the institutionaland legal architecture of communications surveillancein Senegal.Political contextSenegal has signed and acceded to several internationaland regional human rights instruments,including the Universal Declaration of HumanRights, the International Covenant on Civil andPolitical Rights, the International Covenant on1 www.jonctions.org/index.php?option=com_content&view=article&id=16&Itemid=622 Enquête+. (2013, July 29). Les enregistrements téléphoniquecomme moyens de preuves : ‘’Illégaux’’ et ‘’irrecevables’’, selondes juristes. Enquête+. www.enqueteplus.com/content/lesenregistrements-t%C3%A9l%C3%A9phoniques-comme-moyensde-preuves-ill%C3%A9gaux-et-irrecevables-selon-desEconomic, Social and Cultural Rights, and the AfricanCharter on Human and Peoples’ Rights.The Universal Declaration of Human Rightsstates in Article 12: “No one shall be subjected toarbitrary interference with his privacy, family, homeor correspondence, nor to attacks upon his honourand reputation. Everyone has the right to theprotection of the law against such interference orattacks.” The same UN text provides in Article 19:“Everyone has the right to freedom of opinion andexpression; this right includes freedom to holdopinions without interference and to seek, receiveand impart information and ideas through any mediaand regardless of frontiers.” 3In addition, Article 17 of the International Covenanton Civil and Political Rights states: “Noone shall be subjected to arbitrary or unlawfulinterference with his privacy, family, home or correspondence,nor to unlawful attacks on his honourand reputation.” 4In compliance with Senegal’s international commitments,its constitution states in Article 13: “Thesecrecy of correspondence and of postal, telegraphic,telephonic and electronic communications shallbe inviolable. This inviolability shall be subject onlyto such restrictions as are made applicable by law.” 5“Noticing echoes…”Senegal, like many countries in the world – as demonstratedby the revelations of Edward Snowden– is threatened by the practice of illegal surveillanceof communications. This practice, which doesnot meet international standards prescribed bythe relevant United Nations texts, including theUniversal Declaration of Human Rights and the InternationalCovenant on Civil and Political Rights, isa real threat to privacy, freedom of expression andthe right to confidentiality of communications.Revelations made by the Senegalese pressabout the tapping of citizens’ telephone conversations,but also the monitoring of communicationsof employees in a telecommunication company, illustratethis.3 www.un.org/en/documents/udhr/index.shtml#a124 www.ohchr.org/en/professionalinterest/pages/ccpr.aspx5 www.wipo.int/wipolex/en/details.jsp?id=6223According to an article in the newspaper LePays, published on 5 September 2011 and posted onthe OSIRIS website: “It is common: we often noticeechoes in the middle of a call, unusual noise, interruptedconversations without apparent reason andeven noise ... of mechanical tools. This implies thatwiretaps are being made. To pierce the mystery surroundingthe ongoing wiretapping that Senegaleseare subject to, there could be no more appropriatesource than a mobile phone company.” 6 Moreover,the same newspaper reports in its edition on 30November 2011: “Wiretaps were organised internallyby the top management and have practicallyturned the lives of the workers upside down, revealanonymous Tigo agents. Senior employees wereunpleasantly surprised to receive sanctions andother requests for explanations, based on the contentof messages sent by email.” 7If these claims are true, they show infringementson the communications of Senegalesecitizens by both the government and private companies.This constitutes a real threat to the enjoymentof fundamental human rights which our country hascommitted to respect.According to Article 13 of the Senegaleseconstitution, as noted above, the secrecy of correspondenceand communications is inviolable, andthis inviolability is “subject only to such restrictionsas are made applicable by law.”Even if there is no specific legislation on phonetapping, there are several laws and regulations protectingthe confidentiality of correspondence andother communications. These include Law 2008-12on the Protection of Personal Data, Law 2011-01 of24 February 2011 on the Telecommunications Code,and the decree on electronic communications madefor the purposes of Law 2008-08 of 25 January 2008on Electronic Transactions. 8According to Article 7 of the TelecommunicationsCode: “The operators of telecommunicationsnetworks open to the public and suppliers of publictelecommunications services, as well as their staffmembers, are sworn to secrecy of correspondence andcontinuity of the service under penalty of prosecutionpursuant to Article 167 of the Penal Code. They mustalso ensure that consumers and users have optimalnetwork conditions that guarantee confidentiality and6 Diagne, E. (2011, September 5). Surveillance des communicationstéléphoniques : Pourquoi et comment l’État écoute les citoyens.Osiris. osiris.sn/Surveillance-des-communications.html7 Seck, A. A. (2011, November 30). Tigo et le scandale des écoutetéléphoniques. Senenews.com. www.senenews.com/2011/11/30/tigo-et-le-scandale-des-ecoutes-telephoniques_17135.html8 www.jonctions.org/index.php?option=com_content&view=article&id=16&Itemid=62neutrality of the service with respect to transmittedmessages and the protection of privacy and personaldata... There can be no exception to this rule unlessunder the conditions prescribed by law.” 9Article 12 of the Telecommunications Code providesthat “[a] judge or police officer, for the needsof the prosecution or an investigation, or the enforcementof a judicial ruling, may require thattelecommunications operators and service providersor telecommunications networks make availableuseful information stored in the computer systemsthey administer. Telecommunications operators andservice providers of telecommunications networksare required to submit the required information to theauthorities.” 10 In other words, only a judge or policeofficer is authorised by law to order a restriction on theinviolability of private communications. This seems tobe, for us, consistent with the principle of legality aswell as that of the competent judicial authority providedby the 13 International Principles on the Applicationof Human Rights to Communications Surveillance. 11According to the principle of legality, “Any limitationto the right to privacy must be prescribed by law. TheState must not adopt or implement a measure that interfereswith the right to privacy in the absence of anexisting publicly available legislative act.”However, the law should be more precise to complywith the principle of adequacy, by specifying theextent and limits of an order by a judge or police officerunder Article 12 of the Telecommunications Code. Accordingto the principle of adequacy as established inthe abovementioned 13 International Principles, “Anyinstance of communications surveillance authorisedby law must be appropriate to fulfil the specific legitimateaim identified.” For us, it seems to be necessarythat the judge or police officer declare the legitimateaim pursued by the order, which has the advantage ofavoiding any abuse by the authorities.In light of this, there is no doubt that the incidentsreported above are unfairly and severelyviolating the integrity of the communications of citizens,because they do not have any legal grounds.Beyond that, they are a breach of citizens’ rights toprivacy and freedom of expression as enshrined inthe Senegalese legal system.It is undisputed that, for security requirements,the state may conduct surveillance of communications.But monitoring the communications orcorrespondence of citizens outside of legal channelsis an intrusive act against privacy and personaldata protection, and stands against human dignity.9 www.gouv.sn/IMG/pdf/code_des_Telecom_2011_senegal.pdf10 Ibid.11 https://en.necessaryandproportionate.org/text214 / Global Information Society Watch senegal / 215


It is even more serious if illegal surveillance ofemployee communications is the work of privatecompanies. The case of the telecommunications companycited earlier, illegally “spying” on its employeesby monitoring their electronic correspondence andtelephone communications, reveals serious issueswhen it comes to human rights and fundamentalfreedoms within the company. These rights are at theheart of corporate social responsibility.In addition to the monitoring by the state andcompanies, citizens monitor each other. Oftenscandals involve people illegally recording the privateconversations of others using mobile phones.These recordings not only infringe on privacy, butare sometimes used to attack the dignity of others. 12This is why the government – but also citizens– should proactively protect the right to privacy ofcorrespondence, not only to be compliant with internationalstandards of human rights, but also toensure the safety and the social and democratic stabilityof our country.ConclusionThe rapid growth of ICT use raises the issue ofthe security of communications and electronic exchanges.This is not only a technical issue but alsoa societal one. What are actually being threatenedare the foundations of the rule of law and a democraticsociety, which are the aspiration of Africancountries, including our country, Senegal.However, given the recent situation prevailingin Nigeria, with attacks and kidnappings carried outby Boko Haram, one can legitimately ask whetherit is not useful to better monitor communicationsto effectively fight against terrorism. Our answer isno, because the fight against terrorism should notjustify the restriction of fundamental freedoms andwidespread infringement on the privacy of citizens.The phenomenon of mass surveillance is a seriousdanger which civil society organisations and humanrights activists have to face.In this regard, in order to counter the threats toprivacy, security and civil liberties, African statesface challenges in putting in place appropriate institutionaland legal mechanisms to enforce theright to privacy of correspondence. Fraudulent andillegal surveillance of communications in Senegal isa reality and the government, as guarantor of civil12 Nettali.net. (2010, November 23). Affaire Diombasse Diaw : KhadijaMbaye et ses complices prennent 6 mois, Abdou Aziz Diop relaxé.Xalimasn. xalimasn.com/affaire-diombasse-diaw-khadija-mbaye-etses-complices-prennent-6-mois-abdou-aziz-diop-relaxe(In this case,the defendants were charged with, among others, acts of cyber crime.The victim was filmed without his knowledge by a supposed friendwhile he was naked and the footage was then found on the internet.)liberties, should find solutions. It is an absolute imperativeof social and democratic stability, as wellas of institutional and citizen security.Although efforts are being made at the legislativeand institutional level to respect the privacyof correspondence, the government must make aneffort to protect citizens’ internet rights from thethreat of evolving surveillance technologies. Withthe rapid development of sophisticated technology,it becomes possible for private entities or individualsto violate the privacy of communications withthe simple aim of harming others. When a telecommunicationscompany is authorised to spy on thecorrespondence and communications of its ownemployees, this deserves special attention. It is thesame when a citizen is equipped with sophisticatedtechnological means to intercept or record callerswithout their knowledge, and for a non-lawful use.While the dynamism of the ICT sector is progressingat an accelerated pace in our country, tools forrecording and monitoring communications are becomingincreasingly sophisticated and are often outof the government’s control. Therefore it is necessaryto implement appropriate legislation. The currentlegislation protecting the confidentiality of correspondence,freedom of expression and privacy doesnot, as we have seen, take care of all the issues andchallenges of mass surveillance of communications.Action stepsTo better ensure the integrity of the digital space,privacy rights, and secrecy of correspondence,we recommend some actions that are absolutelynecessary:• Citizens should be constantly aware of surveillancepractices in order to ensure respect of theright to privacy and protection of personal dataand to defend against all unjustified and unlawfulacts of communications monitoring.• We recommend that the government furtherstrengthen the legal and institutional frameworkfor communications monitoring from thestandpoint of respect for human rights. Also,the government should develop technical andhuman resources in order to have the ability toexercise appropriate controls on unauthorisedwiretapping and communications surveillancetechnologies installed in Senegal, to ensure securityand the public’s civil liberties.• The government must ensure that any regulationson communications surveillance conformto the 13 International Principles on the Applicationof Human Rights to CommunicationsSurveillance.serbiaAccess to retained dataSHARE Foundation/SHARE DefenseMilos Stojkovic and Djordje Krivokapicwww.shareconference.net/en/defenseIntroductionDuring 2012, Rodoljub Sabic, the Commissionerfor Information of Public Importance and PersonalData Protection (CIPIPD), oversaw the implementationand enforcement of laws on the protection ofpersonal data and electronic communications. Hiswork involved investigating four telecommunicationsoperators: Orion Telekom, Telenor, VIP Mobileand Telekom Serbia. This related inter alia to thelegality of the Ministry of Interior (MUP) and secretservices accessing user telecommunications datathat had been stored by the operators.On 6 July 2012 the CIPIPD publicly releasedfindings showing that the national authoritieshad unauthorised, direct access to retained data(metadata) using the previous regulatory frameworkthat allowed them to establish technical linkswith the systems used by telecommunicationsoperators. The current legal framework requiresthat authorities submit an official request to theoperator, together with a court order. The data releasedfrom one operator showed that the relevantauthorities submitted only 3,600 official requestsfor access to retained data from 27 March 2011 until27 March 2012. On the other hand, in the sameperiod, the authorities approached one operator(Telenor) over 270,000 times. The number of unauthorisedaccess requests is 130 times higher thanofficial requests.Policy and political backgroundThe legal framework regulating surveillance in Serbiais outdated and imprecise. In addition, someprovisions of the relevant laws have been declaredunconstitutional. Constitutional safeguards regardingthe protection of privacy are very strong. Article41, Paragraph 2 of the Constitution of the Republicof Serbia prescribes that any restriction on the privacyof communication is only possible temporarily,and is only allowed on the basis of a court decision– if it is necessary for investigating a crime or for theprotection of the national security of the country inline with the law.However, most of the laws regulating accessto retained data have been contrary to the safeguardsprovided by the constitution, and mostprovisions of these laws have been challengedand repealed in constitutional court proceedings.In addition, in practice, constitutional safeguardsare often violated by various authorities and secretservices. Although pressure from civil society andindependent institutions is strong, there has beenno progress in the reform of the legal frameworkand no changes in the way that secret servicesoperate.Regulatory cul-de-sac gives securityagents free access to databasesAs noted above, the CIPIPD supervision over telecomoperators revealed that the MUP and secretservices have direct access to retained data, andthat the access takes place in a manner which iscontrary to the constitutional safeguards regardingthe privacy of communications. It all started in 2008,when the Republic Agency for Electronic Communications(RATEL) prescribed technical conditions foroperators that also determined their obligation tostate bodies authorised for electronic surveillance.Technical conditions were adopted according tothe provisions of the Law on Telecommunications,which was abolished in 2010 when the new Law onElectronic Communications was enacted. The technicalconditions were related to telephony, internetand cable distribution operators, and they were the“legal basis” for establishing the technical link betweenstate authorities and operators. These linksenabled state authorities to access retained communicationsdata without any control, and withoutany evidence that such access is legally based (inaccordance with the mentioned constitutionalsafeguards).In July 2010, the new Law on Electronic Communications,in line with the European Frameworkfor Electronic Communications 2003, was adoptedby the National Assembly. In the public debate overthe draft of the law, the CIPIPD and Protector of Citizens(PC) argued that some of the provisions of thelaw are contrary to the constitutional safeguardsregarding the privacy of communications. Theprovisions in question were related to accessing216 / Global Information Society Watch serbia / 217


etained data. The draft prescribed that accessingretained data is “possible for the purpose of conductinginvestigations, crime detection and criminalproceedings, in accordance with the law regulatingcriminal proceedings, as well as for the purpose ofprotecting national and public security of the Republicof Serbia, according to the law which governsthe operation of security services of the Republicof Serbia and the operation of the authorities incharge of internal affairs.” Other laws containedproblematic provisions that gave the secret servicesaccess to retained data even without a court orderin exceptional cases.After the adoption of the Law on Electronic Communications,both independent institutions (theCIPIPD and the PC) launched separate proceedingsbefore the Constitutional Court. The result was thatcontroversial provisions from the Law on ElectronicCommunications, the Law on the Military SecurityAgency and Military Intelligence Agency, as well asthe Law on Criminal Proceedings, were repealed.The decision of the Constitutional Court meant thataccess to retained data is possible only on the basisof a court order. For example, before the decision ofthe Constitutional Court, the Law on Criminal Proceedingsprescribed that the police are authorisedto obtain telephonic listing data and data regardingthe usage of a base station, as well as data on locationof a communication, simply upon the order ofthe Public Prosecutor. After the Constitutional Courtdecision, the provision was changed in a way thatobtaining this data is possible only upon the orderof an authorised court (a court dealing with the initialproceedings of a case).However, without provisions prescribing themanner and conditions of access on the technicallevel, and with existing technical links to telecommunicationsoperators, there was still a high risk ofunauthorised access. Unfortunately, data releasedby the CIPIPD showed that unauthorised access iscommon practice among the secret services andother state bodies. Over 270,000 unauthoriseddata requests for just one operator showed thatconstitutional safeguards and even legal provisionsare not respected. The only basis for directaccess is RATEL’s technical conditions, whichcould not be in force, because they are bylawsadopted according to the Law on Telecommunicationsthat ceased to exist. Somehow it is stillapplicable because new technical conditions havenot been adopted. It is obvious that such a regulatorycul-de-sac creates a situation in which stateauthorities can access and use the retained datawithout any control.After its findings concerning telecommunicationsoperators, on 4 November 2013 the CIPIPDbegan to investigate internet operators. The supervisionis still ongoing, but there is a high level ofcertainty that similar or even worse results will berevealed regarding the protection of privacy.ConclusionsThe findings of the CIPIPD showed that there is ahuge gap between constitutional safeguards andpractice. Unauthorised access by state bodies impliesthat there is no appropriate balance betweenthe legitimate interests of protection of privacy onone side, and investigating crimes and protectionof security on the other. The privacy of communication,among other human rights, can be restricted.However, there are standards that should be fulfilled.Any restriction has to be prescribed by thelaw and must be necessary to protect vital interestsof society (e.g. national security). There also has tobe proportionality in the imposed restriction andthe goal which the restriction intends to achieve,and any restrictions should be the least intrusiveon the free exercise of human rights (principle ofproportionality). Unfortunately, these conditionsare not fulfilled at the moment, and it is clear thatsomething has to be changed.The current state of affairs is not satisfactory,because there is wide scope for interfering withtelecom users, regardless of the type of communicationstechnology they use. As long as statebodies have opportunities to access large amountsof data without any restrictions, such as data aboutthe location of telecommunications devices, anddata regarding the destination, or duration of communications,users will be in constant fear that their“everyday” life is monitored by government. Theprotection of state security is undoubtedly in theinterests of every society, but the manner of protectionmust be in line with human rights standards.This implies the oversight and involvement of asmany stakeholders as possible, from state bodiesto independent institutions and NGOs dealing withhuman rights.Action stepsIn order to improve the privacy of communications,the legal framework should be completely in linewith constitutional safeguards. That means thatlaws which regulate access to retained data shouldbe changed in a manner which provides clear andunambiguous rules about who is authorised to accessthe data, what their obligations are, and whatsafeguards exist when it comes to the misuse ofdata. Second, civil society, state authorities and independentbodies have to initiate a public debateon all aspects of the work of secret services and otherstate bodies, including their access to retaineddata. Finally, state bodies which are authorised toaccess retained data have to adapt so that theirwork conforms to the principles of transparency,civil control and accountability. Only through suchan approach is it possible to achieve mutual understandingbetween various stakeholders, and onlythen will it be possible to achieve the appropriatebalance between privacy and security.218 / Global Information Society Watch serbia / 219


Slovak RepublicThe quest for privacy in Slovakia: The case of data retentionEuropean Information Society Institute (EISi)Martin Husovec and Lubomir Lukicwww.eisionline.orgIntroductionShortly after a series of coordinated suicide attacksin Madrid in 2004 and central London in 2005, theEuropean Union reacted by passing the so-calledData Retention Directive in 2006. The directiveobliged all EU member states to implement lawsforcing telecommunications providers to monitorand store a wide range of metadata concerning theonline and phone activities of their citizens for periodsranging from several months to years. The hopewas that this data could help Europe to better fightterrorism and other serious crimes. Strong protestsby citizens in some of the member states could notstop the scale of this imposed surveillance.In September 2010, when the European InformationSociety Institute (EISi) was formed in theSlovak Republic (also known as Slovakia), the fightagainst surveillance in other member states had alreadybeen going on for several years. The GermanConstitutional Court in March of that year suspendedGermany’s implementation of the directive andmany other national initiatives began appearing.Encouraged by the efforts and fruits of the labourof our colleagues, EISi decided to make litigationagainst data retention in Slovakia its first goal.There was, at the time, no civil society organisationto do the job in the country; there was virtually nopublic debate and very little, if any, public resistanceagainst data retention.Policy and political backgroundAfter the Data Retention Directive was implementedat the national level throughout the EU,the resulting legislation was subject to numerouschallenges at the national level. 1 However, it tookalmost a decade to challenge the source of all ofthis: the directive itself. In April 2014, the Court ofJustice of the EU (CJEU) – in its historical role as aconstitutional court for the Union – repealed the1 Jones, C., & Hayes, B. (2013). The EU Data Retention Directive:a case study in the legitimacy and effectiveness of EU counterterrorismpolicy. secile.eu/data-retention-in-europe-case-studyentire Data Retention Directive 2 and also broadlyquashed any future hopes for similarly far-reachingmeasures. This, however, did not exhaust the advocacyrole for civil society groups. Today, there is agreat need to sweep clean numerous post-directiveconsequences. In Slovakia, this entails the reviewof the Act on Electronic Communications and someother acts.This report outlines the struggle of launchinga challenge against the implementation of thedirective in Slovakia. It presents a picture ofnon-responsive local authorities, a lack of publicawareness and little resistance to an invasionof privacy rights among Slovak civil society andultimately citizens. It also illustrates a misuse ofretained data and the real practice of disclosure,which is often distant from the letter of the law.Challenging the implications of the DataRetention Directive at the local levelSoon after its launch, EISi authored a brief reportpointing out the basic discrepancies between theAct on Electronic Communications (“the Act”) andits data retention provisions, and the fundamentalrights embodied in the Slovak constitution, theEU Charter of Fundamental Rights and Freedoms,and the Convention for the Protection of HumanRights and Fundamental Freedoms. This reportwas then presented in the form of a motion 3 to twolocal authorities, which were entitled to initiateproceedings before the Constitutional Court. Theseauthorities were the General Prosecutor’s Officeand the Ombudsman.Both of the local authorities, despite the evidence,reached the view that the data retentionprovisions do not lead to an interference with thefundamental rights and freedoms of citizens. And sothey refused to initiate any proceedings before theConstitutional Court, which could review the constitutionalityof the provisions of the Act.When easier ways of initiating proceedings beforethe Constitutional Court were exhausted, EISi2 Digital Rights Ireland C-293/12 and Kärntner LandesregierungC‐594/12.3 www.eisionline.org/index.php/projekty-m/ochrana-sukromia/22-podanie-generalna-prokuraturahad to try more complicated and resource-intensiveways. We put together a submission for the ConstitutionalCourt 4 and started asking for the supportof members of parliament, who can also initiatesuch a constitutional review. The required numberof signatures is relatively high – at least each fifthmember of parliament needs to sign such a submission(a total of 30 MPs).It probably does not need to be stressed toomuch that this requirement slowed down the process.Because EISi has no regular staff members,but only volunteers, it took a few years to both draftthe submission and get the necessary support forit. And had the work on the submission not beensupported by the research of one of its members, itcould have taken even longer than that.The ultimate aim of the submission, which waslater presented to MPs, was to succinctly point outconflicts between the data retention provisions andfundamental rights and freedoms. The submissiondescribed the overall situation, the fundamentalfeatures of which are presented below.According to the Act, an undertaking 5 is obligedto retain traffic data, location data and data of theparties who communicated. The data retentionperiod was set to six months in the case of internetaccess, email and voice over internet protocol(VoIP), and 12 months in the case of other types ofcommunications. The scope of the retained datais very broad. It can probably be best divided intothe following categories: i) data necessary to traceand identify the source of a communication; ii) dataneeded to identify the recipient of communicationor to identify the date, time and duration of communicationand iii) data needed to identify the type ofcommunication, the users’ end equipment (or whatseems to be their equipment) and the location ofmobile devices.In the opinion of EISi, the introduction of theseobligations constituted a substantial encroachmentupon the private life of individuals – especiallybecause this mandated a blanket monitoring ofall inhabitants of Slovakia, regardless of their innocenceor prior behaviour. The data retentionrequirements mandated that every day the dataabout every inhabitant of Slovakia must be collected,amassing a profile of who called whom, towhom someone sent an SMS or email, when the4 www.eisionline.org/index.php/projekty-m/ochrana-sukromia/28-vzorove-podanie-na-ustavny-sud-sr-vo-veci-plosneho-sledovaniaobcanov5 For the purposes of the Act on Electronic Communications,“undertaking” means every person who provides a networkor service; undertaking activity means a network or a serviceprovision in the electronic communications sector for a third party.person sent it, from which location, using what typeof device or service, how long the communicationtook, and many other details. It is needless to saythat the combination of this information made itpossible to perfectly describe the movement of everyinhabitant of Slovakia who uses a mobile phoneor the internet. In this way, the behaviour, circle ofacquaintances, hobbies, health, sexuality and otherpersonal secrets of all the citizens can be predicted.It therefore comes as no surprise that EISiconsidered the legislation to be entirely disproportionateand lacking any safeguards against themisuse of the sensitive data. The legislation createda regulatory free space which increasinglyminimised citizens’ privacy. Moreover, the mainduties and details of data retention regulationwere left to private companies, which are naturallymore interested in minimising their costs, since thestate did not reimburse them for the cost of thisobligation.The submission argued that in the light of theapplication of the proportionality test, the dataretention legislation turns out to be clearly unconstitutional.It also argued that the retention ofmetadata can in a concrete way result in even moreintrusive interference with the right to privacy thana scenario in which the content of the communicationitself is retained.Moreover, the legislation, in contrast with otherlegal requirements for criminal proceedings, didnot exempt persons who are otherwise bound byprofessional secrecy (e.g. lawyers, doctors), or whocannot be surveilled or wiretapped when they performcertain activities (e.g. relationships betweenadvocate and accused).EISi argued that the national provisions on dataretention were therefore in direct conflict with theprinciple that the restriction of fundamental rightsand freedoms has to comply with their essence andmeaning. The restrictions can only be implementedwhen there is a clear, stated aim. It is a violation ofprovisions if the state restricts fundamental rightsand freedoms in a way that both lacks an achievablegoal and, especially, threatens the very essence ofthose freedoms.We furthermore believed that blanket data retentionis unconstitutional for several reasons, andthat the Data Retention Directive itself is invalidbecause of this. First of all, data retention is not asufficiently effective tool to combat serious crime: itaffects ordinary people more than the perpetratorsof serious crimes. Therefore it disproportionatelyinfringes on the right to privacy and the right to protectionof personal data. It also disproportionately220 / Global Information Society Watch Slovak Republic / 221


estricts freedom of expression and media freedom.Moreover, the length and extent of retained datawas prescribed without the support of any empiricalresearch.EISi also argued that many provisions of boththe Data Retention Directive and the Act are vagueand provide too much room for abuse by both publicauthorities and the private sector. The real-lifepractice of Slovak service providers retaining andstoring data was found to be entirely arbitrary, becauseoften the data retention was not required bylaw and/or data was provided to authorities whohave no legal right to request them. So both thescope of retention and scope of access often exceededthe law.Access to stored data is not regulated by anyprecise legislation. This enables law enforcementauthorities to take advantage of a messy legal situationand request data for less serious crimes. Thisis constitutionally incompatible with human rightssuch as the right to privacy and freedom of expression.EISi presented evidence which illustrated areal misuse of data when it comes to disclosures.It was established that the practice is often verydistant from what the letter of the law says. Thisis especially the case given that there is very littlesupervision from the public authorities responsiblefor this.The submission asked the Constitutional Courtto file for a preliminary reference before the CJEUarguing that the Data Retention Directive itself isinvalid.After several months of negotiations withmembers of parliament, the required number ofsignatures was reached to support our initiative.Finally, after six months, EISi managed to get thesubmission before the Constitutional Court. At thispoint, however, it had already been three yearssince we had started the initiative.In October 2012, the submission 6 demanding areview of the data retention provisions embodiedin the Act was officially submitted to the ConstitutionalCourt. 7 Shortly after the submission wasfiled, a preliminary submission concerning the constitutionalityof the Data Protection Directive wasfiled before the CJEU. The referring Austrian andIrish courts made a reference similar to the one EISiproposed for the Slovak Constitutional Court in theproceedings before it. Due to the inactivity of theSlovak Constitutional Court, it soon became clearthat the Court had decided to wait for the decisionof the CJEU first. In April 2014, the CJEU annulled theData Protection Directive. 8ConclusionsBy repealing the Data Retention Directive, the CJEUnot only invalidated a single act of the Union’ssecondary law, but also defined the scope of theirdiscretion. Slovak transposing acts, which are atthe moment under the scrutiny of the Slovak ConstitutionalCourt, were thus not only deprived ofthe reason for transposition, but are now also in adirect contradiction with the explicit standard setby the CJEU in Digital Rights Ireland C-293/12 andC-594/12.According to the decision of the CJEU, any kindof blanket data retention that does not distinguishbetween persons who can be connected to majorcriminal activity and other persons, does not conformwith the rights to privacy and protection ofpersonal data.In terms of future legislation:• Any kind of metadata retention must (i) beaimed at specific persons or circle of persons,and (ii) have a specific time period and/or (iii)geographical area.• Access to data must be restricted to investigatingacts of a serious nature that can justify thesignificant interference with fundamental humanrights such as the respect of private andfamily life and protection of personal data.• Access to data must be subject to judicial supervisionor the supervision of an independentadministrative body which can allow such accessbased only on a substantiated applicationto the courts.• Data retention must reflect the special statusof persons bound by a duty of confidentialityconferred by national law, such as attorneys ordoctors.• When grounds for data detention are not relevantanymore, the particular person must benotified of the fact that he/she was under surveillancein the past.• The period and types of retained data in a specificcase must be adapted to what is necessaryfor achieving a particular aim.• The data retention must provide clear safeguardsagainst possible misuse or unauthorisedaccess to this data.• Legal regulations must clearly describe how thedata can be stored and how the data will be destroyedafter it is used.• Any kind of access and subsequent use of metadatamust fall within a clearly defined scope andbe for a clearly defined aim.On 23 April 2014, the Slovak Constitutional Courtpreliminarily suspended the national implementingAct. This measure means that the retention laws arestill formally in place, but have no legal effect untilthe Court decides on the merits of the complaint.However, at the same time, data that has alreadybeen collected will not need to be destroyed, and itremains open to interpretation whether service providersmay or may not hand over data collected inthe past to state authorities upon request.On the other hand, the Slovak Parliament cameup with a proposal to amend the Penal ProcedureCode, which is one of the acts regulating the accessto this type of information. The proposal fails to liveup to the standard set by the CJEU. Yet no civil societyorganisation, and very few in the mainstreammedia, picked up on the topic. This creates littlepressure on legislators. It appears that even afterthe landmark decision of the CJEU and our efforts,sensitivity to privacy rights is still rather low in Slovakia.Even less significant copyright developmentsenjoy better coverage in the media and garner morepublic interest than most privacy-related issues.Action stepsSlovakia still lacks a strong privacy advocacy group.EISi, as a think tank focusing more on litigation,is not well suited to fulfil this role. Our exampleshows that the presence of expertise and litigationcoming from civil society does not necessarilyimprove social sensitiveness to the issues amongthe general public. Slovakia needs, in our view, thefollowing:• A strong privacy activist group needs to beestablished.• The work of the Slovak Data Protection Authorityneeds to be improved. Currently, it is not onlyfailing to act ex officio, but also in cases whendata is requested by the authorities, and itswork is marked by a lack of expertise.• The opportunity for civil society to object to legislationbefore the Constitutional Court, evenwithout political support, needs to be legislatedin Slovakia. When the general public is not sensitiveto certain issues, neither are the publicauthorities.All this will be important after the decision by theConstitutional Court is made, when the debate willagain be shifted to the national parliament. In theabsence of broader interest by civil society, thestrength of the pro-privacy opposition will remainvery small and we will witness a race to the bottom.6 PL. ÚS 10/20147 www.eisionline.org/index.php/projekty-m/ochrana-sukromia/49-slovak-case-on-data-retention8 www.eisionline.org/index.php/projekty-m/ochrana-sukromia/74-us-data-retention-suspension222 / Global Information Society Watch Slovak Republic / 223


South AfricaCommunications surveillance in South Africa:The case of the Sunday Times newspaperDepartment of Journalism, Film and Television,University of JohannesburgJane Duncanwww.uj.ac.zaIntroductionThis article discusses the communications surveillanceof two investigative journalists from thebiggest weekend newspaper in South Africa, theSunday Times. The paper is owned by one of thefour largest press groups, Times Media Limited. Thejournalists, Stephan Hofstätter and Mzilikazi wa Afrika,had their communications intercepted by theCrime Intelligence Division of the South African PoliceService (SAPS), in order to disrupt their work asjournalists and uncover their sources. This story hasbeen chosen as a case study of just how corruptibleSouth Africa’s communications monitoring and interceptioncapacities are, in spite of the governmentclaiming that it offers all the necessary protectionsfor civil liberties.The revelations by former National SecurityAgency (NSA) contractor Edward Snowden – thatthe NSA was conducting mass surveillance of UScitizens, as well as political leaders such as GermanChancellor Angela Merkel – have created a seriousinternational controversy. Other countries have alsobeen exposed as conducting mass surveillance too,and many people in South African civil society andthe media have been concerned that the country’sauthorities may be doing the same. This reportexamines one case where clear proof emerged ofabuses, and what the case tells us about the stateof civil liberties in relation to communicationsnetworks.Policy and political backgroundSouth Africa is not a terrorist target, yet growingsocial protests mean that the temptation is therefor less principled members of the security apparatusto abuse the state’s surveillance capabilitiesto advantage the faction currently in control of theruling African National Congress (ANC) and disadvantagetheir perceived detractors. South Africahas some excellent investigative journalism teams,and the state could easily misuse its surveillancecapabilities to harass them and expose their confidentialsources of information, especially if theythreaten ruling interests.South Africa has a law that governs the surveillanceof domestic communications on both criminaljustice and national security matters, the Regulationof Interception of Communications and Provision ofCommunications Related Information Act (RICA).RICA forbids the interception of communicationswithout the permission of a designated judge, andsets out the conditions for the granting of interceptiondirections. According to the Act, interceptiondirections should be granted only if there are reasonablegrounds to believe that a criminal offencehas been or is being or probably will be committed. 1The Act also requires all South Africans to registertheir subscriber information management (SIM)cards with their mobile phone providers, so that thestate can track the activities of suspected criminalsor victims if they need to. 2In spite of the fact that RICA attempted to strikethe correct balance between the interests of justiceand national security on the one hand, and civilliberties on the other, the Act has insufficient guaranteesfor civil liberties online. It ignores many ofthe most basic protections set out in the recentlyreleased Application of Human Rights Principles toCommunications Surveillance, otherwise known asthe Necessary and Proportionate Principles. 3An added problem is that foreign signals intelligencegathering does not fall under RICA, whichmeans that this practice is unregulated by law. Thisis particularly worrying as the state’s bulk monitoringcapacity is held by the interception centre thatundertakes foreign signals intelligence; so the stateagency with the greatest capacity for mass surveillanceis also the one that is least regulated by law.In 2005, the state’s mass surveillance capacitywas misused to spy on perceived opponents ofthe then contender for the presidency, Jacob Zuma.Several politicians and activists have also alleged1 Section 5(a)(i), Regulation of Interception of Communicationsand Provision of Communications-Related Information Act, www.justice.gov.za/legislation/acts/2002-070.pdf2 Section 39, Regulation of Interception of Communications andProvision of Communications-Related Information Act. www.justice.gov.za/legislation/acts/2002-070.pdf3 en.necessaryandproportionate.org/textthat their communications are being surveilled, althoughit is difficult to say whether this is the case.Another weekly newspaper, the Mail & Guardian,has quoted sources inside the police and State SecurityAgency (SSA) alleging that security personneloften do not even bother obtaining directions tointercept communications. 4 These incidents and allegationsarise from the fact that there are systemicweaknesses in the country’s communications surveillanceregime, which predispose it to abuse.The Sunday Times caseHofstätter and wa Afrika are part of an award-winninginvestigative journalism team at the SundayTimes. They have been responsible for some ofthe most important stories exposing governmentcorruption and malfeasance, and as a result haveearned the ire of some government officials whowould prefer to keep their dark secrets just that.The journalists were responsible for a story thatsaw South Africa’s top cop, National Police CommissionerBheki Cele, being fired by the president in2012 for dishonesty, unlawfulness and mismanagementin concluding a lease deal for offices for SAPSin the capital city of Pretoria and in Durban. The dealwas concluded with businessman Roux Shabangu,who was close to President Jacob Zuma. Their storiesexposed how Cele had broken treasury rules toadvantage an associate of Zuma’s financially.The team also investigated allegations of corruptionagainst Cele when he was the member of theexecutive council (MEC) responsible for transport,safety and security in the KwaZulu-Natal province ofSouth Africa. Moreover, they published damning exposésof the serious and violent crimes unit of SAPSin the township of Cato Manor, which they claimedturned rogue by operating a “death squad” and killingsuspects. The police members alleged to havebeen involved still have to stand trial.As they deal with extremely sensitive stories,Hofstätter and wa Afrika must do their utmost toprotect their sources, including those located insidethe police. In an attempt to do just that, they carrytwo phones: one with a SIM card that has been registeredin terms of RICA and one with a card that hasbeen registered by someone other than themselves.“Pre-RICA’d” SIM cards – SIM cards that are registeredbefore they are bought – can be bought fairlyeasily in South Africa, and cannot be traced back totheir users as they are not registered in their names.They use the first for non-sensitive communications4 Swart, H. (2011, October 14). Secret state: How the governmentspies on you. Mail & Guardian. mg.co.za/article/2011-10-14-secretstateand the second for sensitive communications withconfidential sources, assuming that communicationsusing pre-RICA’d SIM cards will be impossibleto trace back to their sources.Wa Afrika had a sinister run-in with the authoritiesin 2010, when his communications wereintercepted by the police on the pretext that hewas suspected of gun running. The journalist hadtravelled in and out of the country several times onstories, and the police used this as “evidence” thathe may well have been involved in crime. The existenceof the interception direction was confirmedby the Inspector General of Intelligence, who alsoconfirmed that the direction was lawful. 5 The vagueand speculative grounds for the issuing of interceptiondirections worked to the police’s advantage,and they used this to pursue an investigation of anon-existent crime.However, according to Hofstätter and wa Afrika,later in 2010, the police managed to obtain theirpre-RICA’d numbers, and slipped them into a largerapplication for an interception direction for thedesignated judge, Joshua Khumalo, to approve. Thepolice claimed that the numbers were of suspectedmembers of a criminal syndicate, and the journalists’numbers were included under fictitious names.Oddly enough, the Police Commissioner’s numberwas also included in the application, althoughCele’s number was subsequently cancelled.Apparently the police obtained these numbersfrom one of their sources, who had decided to betraythe journalists in return for a promotion. 6 Thejournalists learned these details from other sources.The bugging of their phones was confirmed bya Pietermaritzburg magistrate, who stated that theKwaZulu-Natal provincial crime intelligence chiefhad sent him as an emissary to apologise for thebugging. However, the chief has refused to be drawninto a discussion with the journalists directly. 7The Sunday Times has taken this case to court,and two officers are being charged with havingviolated RICA. The sanctions for having done soare stiff: any person intercepting communicationsunlawfully could be imprisoned for up to 10 yearsor fined up to ZAR 2 million (approximately USD200,000). The journalists claim that they have notbeen involved in any crimes, and as a result there isno valid reason for the police to investigate them. 85 Discussion with Stephan Hofstätter and Mzilikazi wa Afrika,Rosebank, 20 March 2014.6 Discussion with Stephan Hofstätter and Mzilikazi wa Afrika,Rosebank, 20 March 2014.7 Affidavit by Stephan Hofstätter, 24 March 2012.8 Affidavit by Stephan Hofstätter, 24 March 2012.224 / Global Information Society Watch south africa / 225


The only reason why they were placed undersurveillance must be that they were being harassedfor their investigations into the police, and that thepolice wanted to uncover their sources so that theycould plug the leaks. In fact, in an affidavit for thecase, one of the police officers on trial, Brian Padayachee,stated that he was given an instruction by ahigher-ranking officer to undertake a covert investigationinto the activities of certain journalists that,it was claimed, posed a threat to the organisation.This investigation included the interception andmonitoring of their calls. 9 Apparently, the ultimateinstruction came from Cele, who was concernedthat the journalists were attempting to infiltrate thepolice with an intention of tarnishing the image ofthe police; but, in a bizarre twist, this very directionthat he had given the instruction for was usedagainst him to place him under surveillance.These incidents showed just how easy it is to interceptjournalists’ communications, or indeed thecommunications of any citizen who asks inconvenientquestions about those in authority. There hasbeen growing evidence of South Africa’s securitycluster – consisting of the police, the intelligenceservices and the military – becoming increasinglypowerful and unaccountable. Unless the state’ssurveillance capacities are regulated properly,then abuses for political reasons are likely to continue.As Hofstätter noted, “…there is a completefree-for-all for the intelligence services to interceptwhatever they want. They just come up with spuriousgrounds. There is a time-honoured practiceto circumvent RICA, and all they do is just slip thenumbers in.” 10Analysis and conclusionThe Sunday Times case reveals several systemicweaknesses in the regulation of communicationsinterception in South Africa. One of the most seriousweaknesses is that no one is even informedthat their communications have been intercepted,even after the investigation is complete. This meansthat the authorities are given a power that is, to allintents and purposes, hidden from the public eye.This violates the requirement in the Necessary andProportionate Principles that individuals should benotified of a decision authorising communicationssurveillance with enough time and information toenable them to appeal the decision, and shouldhave access to the materials presented in support9 Affidavit by Brian Padayachee, 14 March 2012.10 Discussion with Stephan Hofstätter and Mzilikazi wa Afrika,Rosebank, 20 March 2014.of the application for authorisation. 11 Needless tosay, this principle should apply only if there is norisk to the purpose of surveillance, in which casepost facto notification is appropriate.In the United States’ system, in order to protectthe rights of the people under surveillance incriminal matters, within 90 days of the terminationof the court order the judge must ensure that theperson whose communications were intercepted isinformed about the order. 12 The fact that a similarprovision does not exist in RICA lays it wide open toabuse, as the authorities can rest assured that theirabuses will most probably never come to light. Theonly reason why the Sunday Times learned of theabuse was because they have extensive contactswithin the police; sources of information that wouldgenerally not be available to ordinary citizens. 13Another problem this case highlights is thespeculative nature of the grounds for issuing interceptiondirections using RICA. Privacy Internationalhas argued that the grounds are too vague, and thatthe higher standard of “probable cause” or a similarlevel of finding is generally required for a judge toissue an interception direction. 14 Directions may alsobe issued in relation to serious offences that may becommitted in future, which may not be constitutionalas it allows law enforcement officers to speculateon future acts that have not yet occurred. 15Furthermore, the granting of directions is an inherentlyone-sided process, which means that thejudge has to take the information that is given tohim on trust. No ombudsman is present to representusers’ interests; as a result, the process lacksan adversarial component, which also predisposesit to abuse.The level of information provided by thedesignated judge that is eventually released is inadequate.The annual report provides bare detailsabout the number of applications for interceptiondirections, the state agency that made the applicationsand the number that were granted or refused.11 International Principles on the Application of Human Rights toCommunications Surveillance. en.necessaryandproportionate.org/text12 US Code § 2518 - Procedure for interception of wire, oral, orelectronic communications. www.law.cornell.edu/uscode/text/18/251813 Discussion with Stephan Hofstätter and Mzilikazi wa Afrika,Rosebank, 20 May 2014.14 Privacy International. (2001). Submission to the ParliamentaryCommittee on Justice and Constitutional Development, 14 August.15 Bawa, N. (2006). The Regulation of Interception ofCommunications and Provision of Communications RelatedInformation Act. In L. Thornton, Y. Carrim, P. Mthsaulana, &P. Reburn (Eds.), Telecommunications Law in South Africa.www.wits.ac.za/academic/clm/link/publications/22988/telecommunications_law_in_south_africa.htmlThe judge may also include some general commentson trends. No information is available in these reportson the number of interceptions that actuallyresult in arrests and convictions. For instance, insufficientinformation was provided to understand whythere was a huge 231% increase in the number ofinterception directions granted by the designatedjudge to Crime Intelligence between 2009 and 2010,the year that Hofstätter and wa Afrika’s communicationswere intercepted. 16Furthermore, other democracies have establishedindependent commissions to oversee allmonitoring and interception activities. Such commissionsundertake full and public reportingprocesses, with the most sensitive areas beingremoved. Yet in South Africa, the parliamentaryreports are written by the very judge who took thedecisions, which is not healthy as the judge is unlikelyto reflect adequately on the weaknesses ofhis or her own decisions.South Africa’s Act also does not recognise theright of journalists to protect their sources of information,either in the form of express provisions inthe Act or in the form of a protocol that law enforcementor intelligence officials are required to adhereto in investigating journalists.All these problems make for an Act that is nothuman rights-compliant, and is likely to continuebeing abused unless safeguards are introduced.16 Khumalo, J. A. M. (2010). Statistical briefing by designated judgefor the period 1 April 2009 to 31 April 2010, p. 3-4.Action stepsIn 2014, the Department of State Security will launcha review of intelligence policy, to assess the strengthsand weaknesses of all national security-related policies.The Department of Communications has alsolaunched a review of ICT policy and legislation. Civilsociety needs to present researched alternatives tothe existing communications surveillance regimesthat enhance respect for basic rights and freedoms.Particular emphasis should be placed on ensuringthat the regime conforms to the Necessary and ProportionatePrinciples and that these principles aredomesticated in South African surveillance policyand practice.These advocacy efforts should focus particularlyon the following areas:• Strengthening the grounds for the issuing of interceptiondirections in RICA.• Increasing transparency in reporting levels oncommunications surveillance practices.• Ensuring that a user-notification provision is insertedinto RICA.• Ensuring independent oversight over the processof issuing interception directions.• Implementing a protocol with respect to thesurveillance of journalists’ communications,setting out the circumstances in which such interceptionscan take place, and the procedures.• Including a provision in RICA for an ombudsmanto represent users and the public interestwhen applications for interception directionsare made.226 / Global Information Society Watch south africa / 227


sudanSystematic violations of digital rightsLiemia Eljaili Abubkrlemiakatib.katib.orgIntroductionSince 1989 Sudan has been ruled by the NationalCongress Party (NCP), which came to powerthrough a military coup, supported by militant Islamists.In relation to freedom of expression andthe media, the current regime, policies and lawsare undemocratic, contradicting Sudan’s constitution,which respects freedom of expression andopinion. 1 The telecommunications sector in Sudanis regulated by the National TelecommunicationCorporation (NTC).In 2007, Sudan enacted the IT Crime Act, whichdoes not guarantee free speech and criminalisesthe establishment of websites that criticise thegovernment. 2 The Act provides for fines and prisonsentences of between two and five years. In 2008Sudan established its first Attorney General for CyberCrimes.In response to the Arab Spring in differentneighbouring countries, Sudan imposed furtherrestrictions on freedom of expression and the media.It also imported advanced technologies andequipment to censor and filter internet communications.The National Intelligence Security Services(NISS) set up a special internet filtering unit calledthe “Cyber Jihad Unit” to conduct “online defenceoperations”.This report will discuss the effect of limitingthe internet and censorship on activists andhuman rights defenders during last year’s September-Octoberdemonstrations against fuelsubsidies, the challenges they faced and how tolearn from these experiences to develop their capacityand work.1 Article (39) of the national interim Constitution 2005 providesthat “[e]very citizen shall have unrestricted right to the freedomof expression, reception and dissemination of information, andaccess to the press without prejudice to order safety or publicmoral as determined by law - the state shall guarantee thefreedom of press and other media shall be regulated by law in ademocratic society ”.2 Freedom House. (2013). Freedom on the Net 2013. www.freedomhouse.org/report/freedom-net/2013/sudan#.U289VlPLcf2Policy and political backgroundIn 2007 the NTC set up a special unit to censor andfilter internet content before it reaches users insideSudan. According to its policy, the unit filters contentthat is “morally offensive and violates publicethics” and “forestalls evil in the society”. 3 In practicethis unit censors and filters the opposition’swebsites, including social media and email communications.In 2011 the NISS imported a remotecontrol system (RCS) to manipulate informationand to spy on government opposition, journalists,human rights activists and different youth groups.In December 2012, a media law was proposedand discussed by the information committee in thenational assembly. The new draft imposes more restrictionson media and freedom of expression, andincludes provisions to regulate online media. 4While the government spent a lot of money onraising the capacity of its staff and imported advancedequipment for surveillance, human rightsdefenders, journalists and activists lack opportunitiesfor proper training. They also do not haveaccess to specialised ICTs and new media tools becauseof a United States digital technology sanctionagainst the country, which was imposed on Sudanin 1997. Sudanese cannot buy original software, noraccess training or courses online. This situation exposescivil society to serious security threats.No privacy, no protection“While I was filming a boy was shot and fell deadright in front of me, around two metres away. I was ina state of shock. I started screaming and I continuedfilming. I had documented the entire killing of theboy. The officers then approached me and snatchedmy phone.” This is the testimony of Dr. Samar Mirghanito the local and international media, after herdetention and her experience while witnessing protestsin her neighbourhood. Mirghani, a pharmacistand social media activist, was detained, harassedand tortured by security forces in September 2013.This was after she was pressured by security forces3 National Telecommunication Corporation, Internet InformationFiltering (Blocking Unit). www.ntc.gov.sd/index.php/en4 A member of the Sudanese National Council revealed in aninterview with the Doha Centre for Media Freedom in April 2013that the new law would include regulations on online media.to provide the password to her mobile phone. Sherefused to do so, and they beat her and opened acase against her. She was charged with the crimeof public disturbance. 5 Mirghani’s case illustratesthe tough and hostile environment in which socialmedia activists operate, the difficulties they face,and the impact of government restrictions on theirwork. Social media activists face gross violations oftheir right to privacy, detention, ill treatment, sexualharassment and extralegal intimidation. Mirghanidocumented the killing of a boy on her mobile. Unfortunately,instead of using the video as evidenceagainst the perpetrator, she has been fined and accusedof public disturbance.During demonstrations and political or economiccrisis, the NISS places extra-restrictive measureson the media, targeting journalists (whether local orinternational correspondents), social media activistsand human rights defenders. In Sudan, duringthe mass protests known as the “September Revolts”,which broke out on 25 September 2013, theauthorities responded with excessive force, includingthe use of live ammunition against protestersby security forces. The people were demonstratingagainst the government’s decision to lift fuel subsidies.More than 177 people were killed and morethan 800 were detained. Many well-known politicalactivists and human rights defenders were arrestedin their homes in an apparent attempt to stop themfrom documenting violations and to curb future mobilisationefforts. 6Bloggers and activists played an effective rolein documenting human rights violations duringthe protests. They mobilised using the internet –emails, websites, social media and blogs – in thepreparation and organisation of demonstrations,and shared news, photos and videos. They succeededin informing the world about the excessive forceused against protesters, which was condemned bythe international community. Digital media activismenabled the protest to spread from its starting pointin Khartoum and Wed Madni to other cities and urbanareas around the country.The restrictions on freedom of expression andthe media in Sudan present serious challengesto the protection and promotion of human rights,the rule of law and democracy. The NISS used tovisit newspapers daily to read the content beforeallowing them to print, and confiscated the papers5 sudanspeaks.blogspot.fr/2013_10_01_archive.html; see alsoCopnall, J. (2013, November 14). Sudan feels the heat from fuelprotests. BBC News. www.bbc.com/news/world-africa-249382246 ACJPS. (2013, October 4). Over 170 dead, including 15 children, and800 detained as demonstrations spread throughout Sudan. AfricanCentre for Justice and Peace Studies. www.acjps.org/?p=1663supporting independent and opposition parties afterthey had been printed. More than 20 topics wereconsidered “red line”, meaning the media were notallowed to write about them. These included issuesto do with price increases, demonstrations, and theconflict in Darfur, South Kordofan and Blue Nile. Inorder to suppress the media to prevent coverageof human rights violations during the demonstrations,the NISS summoned the editors of the mainnewspapers to its headquarters and forbid them topublish any information about the protests that didnot come from government sources. 7Many progressive and independent journalistspublished actively using new media duringthe demonstrations, in order to disseminate newsand articles which they could not publish in localnewspapers. Some newspapers publishedcensored material on their websites, blogs or Facebookpages. Informal journalist groups and youthgroups used their websites and Facebook pages topublish reports and news about government violationsof human rights and freedom of expression.These included Journalists for Human Rights (JHR),the Sudanese Journalists’ Network, Change Now,Abyna and Grifna. At the same time, the securityforces used social media to spread false informationabout activists, protests and gathering placesfor protests, to mislead the protesters and activists.The NISS also used social media to spread falseinformation about the situation in Darfur, and aboutopposition party leaders, rebels and human rightsdefenders, sometimes accusing them of committingcrimes against the state or immoral behaviour. Theyorganised these activities through the Cyber JihadUnit, using advanced technology and equipment.The government, since 1995, had allocated morethan 70% of its budget to defence and security activities.Part of this money was used in importingadvanced technology and in training the technicalofficers of the unit.The Citizen Lab reports that Sudan, is one of 21governments that are currently using or have usedHacking Team’s RCS spyware. 8 According to ReportersWithout Borders, “The NSA [National SecurityAgency in the United States] and GCHQ [GovernmentCommunications Headquarters in the UnitedKingdom], Ethiopia’s Information Network SecurityAgency, Saudi Arabia’s Internet Services Unit,Belarus’ Operations and Analysis Centre, Russia’sFSB [Federal Security Service] and Sudan’s National7 Among others, the newspapers Al-Midan and Al-Jareeda.8 Marczak, B., Guarnieri, C., Marquis-Boire, M., & Scott-Railton,J. (2014, February 17). Mapping Hacking Team’s “Untraceable”Spyware. The Citizen Lab. https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware228 / Global Information Society Watch sudan / 229


Intelligence and Security Service are all securityagencies that have gone far beyond their core dutiesby censoring or spying on journalists and otherinformation providers.” 9Using its advanced technology and equipmenton 25 September 2013, the NISS disconnectedthe internet throughout the country for more than24 hours. Then, on the following days, the internetslowed down drastically. 10 The internationalmonitoring group Access wrote an open letter totelecom service providers in Sudan on 11 Octoberasking about the internet blackout, which states:“We write with serious concerns over reports of thedisruption of Sudan’s international internet connectivityon September 25 and 26 [when] a substantialportion of the country’s networks became unreachable,effectively removing Sudan from the broaderInternet at the height of protests in Khartoum. Thisshutdown occurred on all major data providers (…)and appears to have been the result of actions takenby the service providers.” 11During the internet blackout, many reportedthat even SMS messages were blocked. And servicessuch as tweeting via SMS were interrupted by thesole telecommunications provider that carries thisservice, Zain. 12 The authorities had done the same inJune 2012. According to Reporters Without Borders(RSF), at that time there was an eight-hour internetblackout during a gathering organised by the UmmaParty 13 that attracted thousands of people. Duringthese protests, the internet slowed down drasticallyon the night of 29 June, before a large protest wasannounced. 14 Sudanese news websites such as SudaneseOnline, Hurriyat and Al-Rakoba were shutdown and YouTube was blocked several times.The opposition parties accused the NISS of spyingand filtering opposition leaders’ phone calls,Twitter accounts, Facebook pages and emails. Accordingto Elterieg, a Sudanese online news site,the NISS established special filtering units in eachof the telecommunications companies in Sudan.These units are totally controlled by the NISS. 159 Reporters Without Borders. (2014). Enemies of the Internet 2014.12mars.rsf.org/2014-en/enemies-of-the-internet-2014-entities-atthe-heart-of-censorship-and-surveillance10 Reporters Without Borders (2013, September 30). All-outcensorship in response to anti-government protests. ReportersWithout Borders. en.rsf.org/sudan-all-out-censorship-in-responseto-30-09-2013,45248.html11 https://www.accessnow.org/page/-/Open%20Letter%20to%20Sudan%20Telcos.pdf12 Access letter to data providers, on file with Human Rights Watch,dated 11 October 2013.13 A political party led by Sudanese ex-prime minister Sadiq al-Mahdi.14 Reporters Without Borders. (2014). Op. cit.15 www.altareeq.info/ar/control-the-internet-and-phones-openspaces-in-the-hands-of-the-security/The website mentioned that the NISS asked thecommunications companies to save SMS and onlinecommunications data for five years, instead of twoyears in the past.Despite this hostile environment, the blocking ofwebsites and the imposition of restrictions on differenttypes of media, Sudanese activists and humanrights defenders succeeded in organising, mobilisingthe people, cooperating and communicatingwith the international community, and reporting onmost of the violations that occurred during demonstrations.They used proxy programmes such as Torand Hotspot Shield to open blocked websites anddeveloped their digital skills to find secure ways toupload their images, videos, news and articles.Social media activists developed different measuresto protect themselves in case of detention.They informed close relatives or friends about theirFacebook and email passwords so that they couldchange them or delete the accounts in case of detention.These applications and platforms couldexpose them to torture or ill treatment by securityforces during detention. Other activists had morethan one Facebook page with different accounts inorder to confuse the authorities.On 27 May 2014 the NTC announced that it wasconducting technical studies on social networkingsites, particularly Facebook and WhatsApp, in abid to find ways to control their use in the country.Many observers believe that this is an attempt toprevent the leaking of information on governmentcorruption relating to senior figures. 16 By takingthese measures, the government can easily blockcitizens from online information and communicationwith the international community. This will freethe NISS’s hand to torture and harass journalists,online activists and human rights defenders withoutfear of punishment or the condemnation of theinternational community.On 19 May 2014 the minister of communications,in a report submitted to parliament, showed the difficultyin controlling Facebook and WhatsApp. Thereport explained that the Ministry of Culture andInformation in Khartoum state is seeking to blockFacebook and WhatsApp sites using advanced andsophisticated equipment, adding that the governmentwill continue its strategy and policy to controland suppress social media using different tools.Their aim is to legalise the blackout of social mediaand other websites. The government is trying toconvince the Sudanese that they are doing this to16 Sudan Tribune. (2014, May 27). Sudan looking into ways to controlFacebook and Whatsapp. Sudan Tribune. www.sudantribune.com/spip.php?article51144protect the community from the negative impact ofsocial media, and content which goes against traditionsand religious beliefs.In 2012 the Sudanese authorities proposed anew media law, which seeks to control social mediaand online activities. The proposed law gives authoritiesthe power to ban journalists from writing,and to censor newspapers and internet content.The NISS Act (2010) gives security officerspower to spy, to intercept the communications ofany citizen without judicial permission, and to trackthem in real time. The act gives the NISS immunityfrom prosecution.ConclusionsThe crackdown against internet freedom and graveviolations of privacy rights pose a serious securitysituation for human rights defenders and onlinemedia activists. Because of mass surveillance,most of them are subject to detention, torture andill treatment by NISS officers. At the same timethere is no legislation protecting human rights andprivacy rights. Most journalists, social media activistsand human rights defenders lack awarenessof protection and digital security and have limitedknowledge of ways to stay digitally safe. To improvethe situation there is a genuine need to reform thecurrent legislation to be in line with human rightsstandards and the country’s constitution. There isalso a need to raise the capacity of human rights defenders,journalists and social media activists whenit comes to online protection and digital security.According to Reporters Without Borders, Sudanscores high in censorship – it is considered one ofthe 2014 “Enemies of the Internet”. Most of theinformation about freedom of expression and humanrights defenders is researched and publishedby international organisations such as ReportersWithout Borders, Human Rights Watch, FreedomHouse and Amnesty International, by regional humanrights organisations such as the East and Hornof Africa Human Rights Defenders Network and theAfrican Centre for Justice and Peace Studies, or bySudanese organisations in the diaspora and theirallies inside the country, such as JHR.Restrictions on NGOs limit their role in monitoringand documenting human rights violationsand internet censorship, as well as their abilityto develop capacity-building projects and trainingprogrammes for human rights defenders andactivists.Action stepsThe deterioration of the human rights situation andrestrictions on freedom of expression in Sudan asa result of the economic crisis and armed conflictin five countries in the region is a matter of concernand needs to be addressed at regional andinternational human rights platforms such as theUN Human Rights Council and the African Commissionon Human and Peoples’ Rights. According toactivists, regional and international pressure helpsadvocacy initiatives.Human rights organisations have for years useddifferent tools to mobilise available avenues toinform the world about gross violations of humanrights and freedom of expression in Sudan, and toask the state to fulfil its international and regionalhuman rights obligations. In 2015 Sudan will submitits second Universal Periodic Review (UPR) reportto the UN Human Rights Council. The governmentof Sudan should take serious steps to implementthe recommendations which were received in thefirst UPR process and accepted by Sudan. 17 Therecommendations include ratifying internationalhuman rights treaties; reviewing the institutionaland legislative framework to be in accordance withinternational human rights standards; reformingthe repressive Press and Publication Act of 2009and the 2007 IT Crime Act; and lifting restrictionson freedom of expression and censorship of theinternet.17 Statement made by Sudan under review at the HRC under item 6after the adoption of the UPR report on 16 March 2012.230 / Global Information Society Watch sudan / 231


Switzerland“All eyes on you”Communica-chWolf Ludwigwww.comunica-ch.netIntroductionAs in various neighbouring countries, the Snowdenrevelations in early June 2013 caused increasingawareness and concerns in Switzerland about “BigBrother watching you” and surveillance by stateauthorities. While related discussions have beenlimited to few and informed circles in the country sofar, the revelations have set a new landmark, withpublic opinion drifting somewhere between overloadand resignation. However, the still ongoingrevision of the Swiss Federal Act on the Surveillanceof Post and Telecommunications (BÜPF) – along-standing process – has gained broader publicattention now and is more contested than ever before(see the Swiss country report from GISWatch2011). 1 As in surrounding countries, widespreadsecurity considerations – mostly referring to terroristthreats or child pornography – are increasinglythreatening and undermining principles of accessand openness, as well as civil rights. Over theyears, starting in May 2010, the federal government(Bundesrat) and its justice and police departmentare relentlessly pointing to the necessity of newtechnical means to combat crime and enhance lawenforcement. 2 Such means, like Trojan horses oncomputers of suspects and the prolongation of thecurrent data retention period from six to 12 months,are sold as “technological upgrades”, while providing“not more, but better surveillance”.Policy and political backgroundIn the first round of the usual consultations on newlaws between May and September 2010, the suggestedBÜPF revisions were harshly criticised bymost stakeholders from the business sector and1 Ludwig, W. (2011). Switzerland: Surveillance and security maniaviolating basic rights. In APC and Hivos, Global Information SocietyWatch 2011: Internet rights and democratisation. www.giswatch.org/en/country-report/freedom-expression/switzerland2 Bundesamt für Justiz, Überwachung des Fernmeldeverkehrs,Totalrevision des Bundesgesetzes betreffend die Überwachungdes Post- und Fernmeldeverkehrs (BÜPF). www.ejpd.admin.ch/content/ejpd/de/home/themen/sicherheit/ref_gesetzgebung/ref_fernmeldeueberwachung.htmlcivil society. The strongest concern was raisedabout the intended installation of Trojan horseson computers of suspects, and the prolongationof the current data retention period from six to 12months. Under the contested data retention rules,internet service providers (ISPs) are obliged tostore comprehensive customer data to be deliveredto security forces on demand. Another bone of contention,besides privacy concerns, was a new broaddefinition of “access providers”, including all sortsof internet-related services. The broad resistancefrom various parts of society – including the rightwingSwiss Peoples Party (SVP/UDC), usually atthe law and order front – caused some delays in thelegislative procedure and pulled the Federal Departmentof Justice and Police into a crisis of needing toexplain its position. 3 A year later, in November 2011,the Federal Council announced a revised versionof the Ordinance on the Surveillance of Post andTelecommunications (VÜPF), which was to comeinto effect in January 2012. With the revised VÜPF,the government cunningly bypassed the contestedBÜPF by introducing new surveillance measures atthe ordinance level – such as prescriptions for telecomand service providers to monitor mobile andinternet traffic. 4The BÜPF: Extending surveillanceAt the time, critics surmised that this acceleratedrevision of the Ordinance actually circumventedthe legislative power of the parliament, withoutcreating the required legislative basis for any newsurveillance laws by simply creating precedents.The Ordinance’s field of application was adjusted byincluding internet access providers alongside theirtelecom equivalents. These providers are obliged tosecure infrastructure to facilitate surveillance andto implement new surveillance measures either bythemselves or to task a third party to do this. Internetaccess providers were given a reprieve of 12months for implementation.3 Ludwig, W. (2011). Op. cit.4 Bundesamt für Justiz, Post- und Fernmeldeüberwachung: Klareund restriktive Rechtsgrundlagen, press release, November 2011.www.ejpd.admin.ch/content/ejpd/de/home/dokumentation/mi/2011/2011-11-23.htmlWith the revised VÜPF the government announcedan overhauled schedule for the ongoingrevision of the BÜPF. 5 Two years later, in February2013, the Federal Council submitted its Memorandum(Botschaft) to the parliament regardingthe BÜPF – a usual legislative procedure in thecountry. The purpose of the revision would be “toprovide a clear and restrictive legal basis” for lawenforcement and the use of GovWare for criminalprocedures. This special software is used by policeto monitor communication data such as sender, recipient,date, duration and ways of communication.On the other hand, the new law did not allowthe online investigations of computers or surveillanceof spaces using cameras and microphonesfrom infiltrated computers. The use of GovWare wassupposed to be limited to “hard crimes” only, whichjustified covert investigations.The government insisted on the prolongation ofdata retention from six to 12 months. According tothe new law, surveillance by law enforcement bodiescannot be done in a preventive manner but onlyin the course of a criminal procedure. It must be orderedby public prosecutors and approved by courtdecision. Suspects may object to surveillance – if orwhenever they get to know about it.Compared to the VÜPF, the field of applicationin the revised BÜPF will be considerably extended:from telecom and internet access providersto service and hosting providers, chat forums andplatforms, as well as all forms of other networks likehotels, hospitals, universities, public libraries andschools. 6Besides some modifications to the first contesteddraft (May 2010), its new version appears tovarious stakeholders like new wine in old wineskins– basically sticking to new surveillance techniquesundermining civil rights and liberties. Critical voicesdid not become silent: in February 2014, DigitalSociety Switzerland, a small but active group specialisedin net policy, together with six other civilsociety groupings including Member of ParliamentBalthasar Glättli (Green Party), launched a complaintagainst data retention in Switzerland. Thefederal office in charge, the Service for Surveillanceof Post and Telecommunication Traffic (ÜPF),rejected the complaint – as expected – by arguingthat “high legal barriers would protect fundamentalrights.” The complainants appealed to the Federal5 Ibid.6 Bundesamt für Justiz, Post- und Fernmeldeüberwachung: Klareund restriktive Rechtsgrundlagen, press release, February 2013.www.ejpd.admin.ch/content/ejpd/de/home/dokumentation/mi/2013/2013-02-271.htmlAdministrative Court. 7 Meanwhile, in April 2014, theEuropean Court of Justice (ECJ) declared the DataRetention Directive of the European Union “invalid”– a landmark ruling for many civil liberties groupsall over Europe. 8 The ECJ is backing key argumentsof the Swiss complainants that existing practicesfor data retention “exceeded the limits imposedby compliance with the principle of proportionality”and calling it “a wide-ranging and particularlyserious interference with the fundamental rights ofrespect for private life and of the protection of personaldata.” 9Despite this revealing court ruling and broadopposition, the Swiss government and authoritiesdrift between being unimpressed and stubborn. InMarch this year – just before the verdict – the SecondChamber of the Swiss Parliament (Ständerat),representing the cantons, gave its blessing tothe BÜPF: 94% of the council’s members voted infavour, with only two votes against and four abstentions.Even some Ständeräte who had doubts cavedin. Alexis Roussel, president of the Swiss PirateParty, criticised the decision by concluding: “TheStänderat didn’t learn anything from the Snowdenrevelations.” 10Freedom or security – a common dilemmaHowever, parties and stakeholders opposing theplanned BÜPF revision are broader than before. Whilemost of the political parties (except the Greens) andthe country’s political establishment of parliamentariansand party leaders support the new law orare indifferent at least, most of the party youngstersfrom all political spectrums have changed sides andjoined the increasing ranks of opposition. Summer2014 somehow looked like a showdown: at the end ofMay Switzerland saw its first net-political demonstrationin front of the Federal Parliament in Bern, whereseveral hundreds of people – digital natives mostly –expressed their common concerns against the BÜPF.They were supported by representatives from majorbusiness associations in the telecom and internetindustry. Speakers from Asut, the Swiss TelecommunicationsAssociation, and Swico, the Associationof ICT enterprises, besides others, expressed strong7 Steiger Legal, Urteil pro Vorratsdatenspeicherung in der Schweiz,July 2014. https://www.steigerlegal.ch/2014/07/01/urteil-provorratsdatenspeicherung-in-der-schweiz8 Court of Justice of the European Union, The Court of Justicedeclares the Data Retention Directive to be invalid, press releaseNo 54/14, April 2014, curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf9 See footnote 7.10 Ständerat segnet BÜPF-Revision ab, Computerworld.ch, March2014. www.computerworld.ch/news/it-branche/artikel/staenderat-segnet-buepf-revision-ab-65429232 / Global Information Society WatchSwitzerland / 233


eservations. Jean-Marc Hensch (Swico) welcomed thedemonstrators: “Dear potential criminals, dear possiblesuspects” – referring to broad-scale surveillanceand the storage of personal data without concretefacts supporting suspicion of a crime. 11 A speaker fromthe young social democrats (Juso) accused the FederalCouncil and his party elders of “historical amnesia”,pointing to the revelations of the second Secret FilesScandal in summer 2010 (and the early 1990s) or similarincidents that had shattered people’s confidence inits secret services before. 12The Federal Parliament (Nationalrat) was supposedto deal with the BÜPF bill in June, but thedebate was postponed to its autumn or winter session.Observers predict more critical voices andsubstantial debates among parliamentarians, yetparliamentary opponents seem to be rather scarce.Ruedi Noser from the Liberal Party and a well-knownICT entrepreneur reflects: “Many MPs are not awareabout the consequences of the BÜPF because theyare digitally distant.” They obviously care more aboutbanking secrecy than privacy. “I need to remind myparty folks that privacy matters on the internet aswell,” he said. 13Privacy as a privilege?From the official side, it is Switzerland’s Data Protectionand Information Commissioner HanspeterThür who expresses doubts about private and stateactors that need to be better controlled whenevercollecting data. “Consumers have almost no optionsany more to protect their private sphere – privacybecomes a privilege,” he feels. 14 According to a recentstudy conducted in nine countries on behalf ofthe European Commission, public awareness andwariness about state surveillance is on the rise. Thesurvey sample in Switzerland (75 to 90 people in alllanguage regions) indicated that Swiss citizens arerather anxious about surveillance of the public forsecurity reasons: 38% only were in favour of it (citizensare more critical in Germany only). 1511 STOP BÜPF, Medienecho zur Stop-Büpf-Demo vom 31. Mai 2014and Testimonials. stopbuepf.ch/medienecho-zur-stopbuepf-demovom-31-mai-201412 Die Fichenaffäre – eine Geschichte von Lug und Trug,Tagesanzeiger, 5 July 2010. www.tagesanzeiger.ch/schweiz/standard/Die-Fichenaffaere--eine-Geschichte-von-Lug-und-Trug/story/1622336213 Überwachung: Der Streit um Staatstrojaner spaltet die Parteien,TagesWoche, July 2014. www.tageswoche.ch/de/2014_30/schweiz/66422914 Datenschutz: „Privatsphäre wird zu einem Privileg“, Interviewwith the FDPIC, March 2014. www.nzz.ch/aktuell/schweiz/privatsphaere-wird-zu-einem-privileg-1.1825691515 Schweizer lehnen Staatsüberwachung ab, NZZ am Sonntag,May 2014. www.nzz.ch/aktuell/schweiz/schweizer-lehnenstaatsueberwachung-ab-1.18309315A referendum on surveillanceseems predictablePolitical prognoses are usually difficult, dependingon various factors (not only in Switzerland).However, if the contested BÜPF passes the FederalParliament in the autumn or winter session (likethe second Chamber Ständerat in March before)– which seems to be predictable – a referendumwill be called for by various actors in the country.A Referendum Committee was already created atthe end of May. 16 Such referendums are instrumentalto direct democracy and an essential part of thepolitical system in Switzerland. Whenever the twoChambers of the Parliament pass a law, a public referendumcan be announced and organised by anystakeholder groups in the country (usually politicalparties, unions, business or other associationsor any initiatives). They usually create an allianceof opponents called a Referendum Committee.Such committees need to collect 40,000 signatures(practically, around 50,000 are necessary) from allover the country during a limited period of severalmonths. Once this number is achieved, large packagesof signatures are delivered – usually in a publicaction – to the Federal Chancellery in Bern. The officein charge will review and check the validity ofthe collected signatures before a referendum is officiallyapproved. Upon approval of a referendum,the respective law is suspended until public voting– dates are fixed by the Federal Council in thecourse of the next federal voting schedule (usuallyin spring, summer or autumn every year).The biggest challenge for any ReferendumCommittee is to organise broader alliances of supportersamong opponents and to raise funds (aminimum of one million Swiss francs, roughly USD110 million) for a voting campaign. In the given caseof an anticipated Anti-BÜPF campaign, the prospectsare not bad, with strong business actors onboard (not only for money, but also for networking).Another decisive success factor for any such campaignis media coverage and support by influentialmedia titles all over the country. As it looks now, themixture of the Anti-BÜPF coalition is rather uniqueand heterogeneous, and has considerable potentialto mobilise support from various spheres of Swisssociety – particularly among youngsters and digitalnatives. However, a well-known risk factor is votingdiscipline – usually elder and conservative peopleuse the opportunities of direct democracy whileyounger generations tend to abstain. And usuallythe level of participation in Swiss voting is rather16 Ibid.low, at around 50% or less. Nevertheless, an Anti-BÜPF campaign (depending on the final decision ofthe parliament) offers great opportunities for broaderpublic discourse about state and other forms ofsurveillance in the digital age. The colourful coalitionof critical voices and pronounced opponents ofthis law looks promising at least. What appears likea conflict of generations – digital natives versus immigrants– could be a next step into an open Swissinformation society. 17Action stepsThe topic of advancing the information society inSwitzerland is so far mostly limited to some specialists,academia or a few informed circles. A highpercentage of the population (close to 80%) usecomputers, mobile devices and the internet on adaily basis, but do not care so much about relatedissues, problems or challenges – as long as accessto infrastructure and content is provided and everythingworks well. Even those using social networks17 Petition STOP BÜPF, Nein zum Überwachungsstaat, July 2014.buepf.chlike Facebook, etc., generally do not care aboutprivacy that much. Compared to Germany, net politicsand related matters is still a playground for afew nerds, and media and internet literacy is oftendemanded but continuously underserved. More initiativesin this respect are needed on various levelsof society (particularly schools). To work againstthe idea that “privacy becomes a privilege”, moreawareness raising and discussion in needed – fromthe family up to the political levels (parties andparliament).The anticipated Anti-BÜPF campaign (after thelaw is presumably adopted later this year) offers agreat chance for broader public dispute and contestationon limits of state interference into andsurveillance of private spheres. As the politicalestablishment of the country has not yet arrived inthe digital age, other parts of society – like the Anti-BÜPF coalition – need to step in and take the leadfor an appropriate debate about the dangers andlimits of surveillance. 1818 Balthasar Glättli, Dossier BÜPF (13.025 Bundesgesetz betreffenddie Überwachung des Post- und Fernmeldeverkehrs). www.balthasar-glaettli.ch/dossier/dossier-buepf-bundesgesetzbetreffend-die-ueberwachung-des-post-und-fernmeldeverkehrs234 / Global Information Society WatchSwitzerland / 235


SyriaCircumventing surveillance of internet communicationsKarim BitarIntroductionHardly a day passes without news about the conflictin Syria making headlines. After more thanthree years of clashes, the death toll is estimated tohave exceeded 150,000. 1 Since the early days of theuprising, the government has imposed strong restrictionson foreign media coverage of the events,granting access only to reporters who share its sideof the story.Under such restrictions, it would be expectedthat the opposition would turn to citizen journalismto provide coverage of the events from its perspective.Many initiatives were started for this purpose,using mobile phone cameras to record and documentevents, and broadcast this footage to theworld through the internet.With the internet becoming the only viablemedium for communication, the issue of the government’sability to intercept, block and exploit thecommunications of the opposition becomes a majorchallenge. Citizen journalists and activists had tofind creative measures to circumvent governmentsurveillance and protect their communications.In the following sections of this report, I investigatea major project implemented by the Syriangovernment to intercept and trace all the digitalactivities and communications of its citizens. I alsoexplore the tools and techniques developed by Syriancitizens to bypass the government’s intrusiveeye, and regain their privacy.Policy and political backgroundSurveillance of citizens’ communications is not newin Syria. While it has certainly intensified in scaleand scope over the past four years, government surveillancehas been a dominant theme in the countryfor decades, pre-dating the internet and digital communications.While the Syrian Constitution protectsfreedom of expression, and guarantees the privacy1 Evans, D. (2014, April 1). Death toll in Syria’s civil war above150,000: monitor. Reuters.www.reuters.com/article/2014/04/01/us-syria-crisis-tollidUSBREA300YX20140401of all communications of the country’s citizens, thegovernment does not seem to be too concernedabout that.Syria was ruled by a state of emergency law from1963 to 2011. 2 This law severely restricted personalliberty and freedom of expression. The massive secretservices organisation established shortly afterensured that the red lines were clearly drawn, andthose who crossed them were duly punished. As aresult, Syria became the 177th country (out of 179)on the Reporters Without Borders’ 2014 Press FreedomIndex, 3 and was given the “worst of the worst”title by Freedom House in 2014 for achieving thelowest possible ratings on all criteria in politicalrights and civil liberties. 4This explains the internet’s delayed entryinto the country, since an open, international anddifficult-to-control communication medium couldundermine the establishment and lead to situationsthe government may not tolerate. Over time,the government realised that it could use the exactsame technology to expand the scale and scope ofits traditional surveillance activities, and it soonacted to make mass surveillance of digital communicationsthe new reality.Pervasive surveillance in the digital ageIn late 2011, an Italian telecommunications company,Idea SpA, was caught in the midst of anunsettling controversy: the company was installingsurveillance equipment in Syria that would enablethe government to intercept every single email andinternet communication that flows through thecountry. 5The leaked details of the deal, which are highlycredible given the details they cite, indicate that theinstalled system would use deep packet inspec-2 Marsh, K., & Black, I. (2011, April 19). Syria to lift emergency ruleafter 48 years – but violence continues. The Guardian. www.theguardian.com/world/2011/apr/19/syria-lift-emergency-ruleviolence3 Reporters Without Borders. (2014). World Press Freedom Index2014. rsf.org/index2014/data/index2014_en.pdf4 Freedom House. (2014). Freedom in the World 2014.freedomhouse.org/report/freedom-world/freedom-world-20145 Elgin, B., & Silver, V. (2001, November 3). Syria Crackdown GetsItaly Firm’s Aid With U.S.-Europe Spy Gear. Bloomberg. www.bloomberg.com/news/2011-11-03/syria-crackdown-gets-italy-firms-aid-with-u-s-europe-spy-gear.htmltion to analyse the content of all traffic that travelsthrough the country’s national public data network(PDN). The national PDN constitutes the digitalcommunications backbone for the whole country,and all traffic – for internet service providers (ISPs),banks, voice over IP (VoIP), etc. – passes through itsinfrastructure. This would give the installed surveillancesystem comprehensive access to all digitalcommunications in the country, and the leaks of thedeal confirm that Idea SpA was training local personnelon operating the system’s monitoring andtracing capabilities.While Idea SpA used some of its own technologyto integrate the system, it also implementedseveral components from other hardware and softwarevendors, including US company NetApp Inc.,French company Qosmos SA, and German companyUtimaco Safeware AG. These companies werequick to announce that they were unaware thattheir products were shipped to Syria, and that theywere acquired locally in Italy. This raises seriousquestions about the effectiveness of export controlregulations for surveillance gear, and how easilysuch regulations can be circumvented.A primary concern for surveillance projects likethis is the argument that the government can usethem to hide its intrusive surveillance activitiesunder the “lawful interception” of citizens’ communicationsfor law enforcement purposes. In fact,that is precisely the claim stated by Idea SpA’s CEOin responding to the criticisms of his firm’s involvementin the project.What those who adopt this argument fail tomention, however, is that “lawful interception” istightly governed by checks and balan