Digital Security and Privacy for Human Rights Defenders

3.3 Communications Surveillance

Surveillance of communications has been conducted for many years. It is generally accepted that police and intelligence services need the power to eavesdrop on others for the overall benefit and security. Many criminals have been caught because of wiretapping and retrieval of phone records. It is also assumed that these powers are not given lightly and a rigorous judicial or similar process takes place before such actions are authorised. People would stand up and shout if they found out that every telephone conversation they ever had was recorded and stored.

It is therefore both surprising and unfortunate that so many countries were able to quickly and quietly introduce the laws permitting surveillance of Internet communications. No doubt, the September 11 attacks caused enough concern in civil society to allow authorities additional power. The result was far beyond the freedoms granted to them in the epoch of telecommunications.

In 1996, Digicom, the largest provider of electronic services in Pakistan, asked its clients to sign agreements that imposed a number of restrictions on the use of the Internet. Under the terms of the agreements, users were prohibited from using data encryption and had to accept that their electronic communications could be monitored by government agencies. On top of that, users of Internet services had to provide Digicom with copies of their National Identity Cards (NIC), whereas foreign nationals had to submit copies of their passport. Those failing to do so would face disconnection of their services. 93

As mentioned already, the Internet surveillance systems have been implemented at national levels for some time. Russia’s FSB installed a black-box monitoring system at every ISP (the project is known as SORM2). In addition to that, they forced the ISPs to pay for the monitoring equipment. The United States introduced a similar system - CARNIVORE. China’s ‘Golden Shield’ project was announced on 2001. Rather than relying solely on the national Intranet, separated from the global Internet by a massive firewall, China is preparing to build surveillance intelligence into the network, allowing it to “see,” “hear” and “think.”94 A global surveillance system known as ECHELON95 was jointly launched by the US, the UK, Australia, New Zealand and later Germany after the end of the Cold War.

Commercial companies are no less interested in collecting as much of our personal data as possible. In 2004, Google launched its free webmail service, called Gmail. It provided the unprecedented one gigabyte of storage space. The aim was for people to switch to Gmail where they would never run out of storage space. The privacy statement to be agreed upon registering, enables Google to access the contents of your email messages with the intention of providing relevant advertising on the sidebars. All users of Gmail had to agree to have their email monitored and its content analysed and acted upon. The users were relying on Google not to disclose this information to third parties. Gmail’s Terms of Use stated:

“Google may, in its sole discretion, modify or revise these terms and conditions and policies at any time, and you agree to be bound by such modifications or revisions. If you do not accept and abide by this Agreement, you may not use the Gmail service.”

In effect, were Google to change their policy overnight (and theoretically they can), your entire email data and its analysis would become available to the highest bidder. We already know how willingly Yahoo! cooperated with the Chinese government by providing access to private email accounts, with several account holders being put behind bars as a result.

The surveillance methods that can bypass encryption have been used in the United States since 2001. These devices are called keyloggers and installed (often remotely) on personal computers without the users’ notice or authorisation. A keylogger records all the keys a user types on their keyboard and sends this information to a designated address. Such surreptitious police decryption methods were highlighted in the case of United States v. Scarfo.96, when the FBI manually installed a key logger device on the defendant’s computer to capture his PGP encryption password. Once they discovered the password, the files were decrypted, and incriminatory evidence was found. In December 2001, the FBI confirmed the existence of a similar technique called ‘Magic Lantern’.

Internet data is not only being monitored, it is also stored and often for a long time. In 2005, the European Union, under pressure from the Council of Europe, introduced legislation that obliges all member countries to retain Internet data for a minimum of two years97 (although members can choose to hold it for longer periods). Article 8 of the European Convention on Human Rights guarantees the individual’s right to respect for his private and family life. Article 8 specifies that public authorities may only interfere with this right in narrowly defined circumstances. In particular, any interference must be in accordance with the law and can only be conducted in the interests of national security and crime prevention.

The existing approach to systematic data retention therefore assumes that we are all guilty until proven innocent. In the meantime, our personal data becomes open to abuse by either public or private agents. Furthermore, indiscriminate surveillance and retention constitute a breach of a person’s right to privacy.

Illegal by international standards, these practices nevertheless occur on a global scale. Many countries that do not have the resources to build nationwide surveillance and retention systems (like, for example, India and Tunisia), instruct the ISPs to do it instead. Some other countries simply do not have sufficient safeguards to prohibit unauthorised access and manipulation of the Internet data which then becomes susceptible to corruption and hacking. In other words, anyone could be brought to court and judged on the evidence, fabricated to look as if it was contained in the emails written by the defendant several years earlier.

Indiscriminate surveillance and data retention constitute a threat to the right to privacy of individuals, particularly human rights defenders, already targeted by extra surveillance and monitoring on behalf of the state. The state’s ability to monitor, record and store HRDs’ communications leads to interruption of their work. This data can also be tampered with and corrupted to bring a HRD into disrepute or to impose criminal sanctions. Internet corporations, cooperating with repressive regimes, are therefore contributing to destabilisation of an individual’s privacy.

Every country involved in mass surveillance of its citizens’ Internet activity must establish an independent authoritative body to monitor the collection of such data as well as access to it. Strict laws to prevent the abuse of these systems must be in place to protect our privacy, identity and peace of mind.


93
Internet Censorship Report - The Canadian Committee to Protect Journalists

94
G. Walton, China’s Golden Shield: Corporations and the Development of Surveillance Technology in the People’s Republic of China 9 (Rights and Democracy, 2001) available at http://serveur.ichrdd.ca/english/

95
The use of Echelon to target diplomatic communications was highlighted as a result of disclosures made in 2003 by a British intelligence employee, former United Nations officials, and a former British Cabinet The use of Echelon to target diplomatic communications was highlighted as a result of disclosures made in 2003 by a British intelligence employee, former United Nations officials, and a former British Cabinet Minister concerning eavesdropping by the US NSA and the British GCHQ over UN Secretary General Kofi Annan’s telephone communications and private conversations.

96
180 F. Supp. 2d 572 (D.N.J. 2001).
See generally EPIC’s Scarfo web page http://www.epic.org/crypto/scarfo.html

97
http://www.europarl.europa.eu