Today Access recognizes the individuals and groups that have either been champions of the 13 internationally recognized principles for human rights in communications surveillance (“Heroes”), or have undermined or violated those principles (“Villains”).
These principles, called the International Principles on the Application of Human Rights to Communications Surveillance (or “the Principles”), have been endorsed by more than 400 civil society groups worldwide. They provide a framework for assessing whether government surveillance practices comply with international human rights obligations. Today marks the two-year anniversary of the Principles, which were publicly released on September 22, 2013.
Our list of Heroes below represents only the tip of the iceberg of the people and organizations working to promote the Principles, and selecting an honoree for each role was difficult. Many others deserve recognition for the work that they have done over the past year, and in years prior. We’re grateful to everyone who is working to advance these Principles.
As for the Villains, we call out their activities in the past year, but we hold out hope — and offer our critique — to help push for a more rights-respecting 2016.
Without further ado, for their work in 2014-2015, our Heroes and Villains are:
Overall
For work that impacts all 13 Principles
Hero: David Kaye, Special Rapporteur to the United Nations Human Rights Council on the promotion and protection of the right to freedom of opinion and expression
In his May 2015 report for the U.N. Human Rights Council, Kaye recognized that encryption and anonymity provide the privacy and security necessary for individuals to exercise their rights to freedom of opinion and expression. His report concludes that governments should provide strong protections for encryption and anonymity, specifically noting that blanket prohibitions of either inherently fail to be necessary and proportionate.
Villain: Hacking Team
A 2015 security breach revealed that Hacking Team covertly sold advanced communications surveillance services and resources to multiple governments and entities with poor records on human rights. Hacking Team provides the means for governments and others to conduct invasive online surveillance and violate human rights across the globe.
Legality
Principle: Any limitation on the right to privacy must be prescribed by law.
Hero: U.S. Senator Patrick Leahy
Senator Leahy introduced and was a crucial advocate for the USA FREEDOM Act of 2015. This legislation, which was passed by the U.S. Congress and signed into law by President Obama in June 2015, represents a significant first step toward comprehensive surveillance reform. The law bans the bulk collection of U.S. metadata under some surveillance powers, eliminating the government’s secret interpretation of the statute, and establishes greater transparency and improved accountability for U.S. intelligence agencies.
Villain: Prime Minister Manuel Valls
In the wake of the shootings at Charlie Hebdo, Prime Minister Valls pushed through dangerous new legislation that lacks clarity and precision, and authorizes French intelligence services to exercise broad surveillance powers without prior judicial approval or oversight. The law is a broad and vague expansion of France’s current surveillance authorities.
Legitimate Aim
Principle: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.
Hero: Malkia Amal Cyril
As executive director of the Center for Media Justice and co-founder of the Media Action Grassroots Network, Malkia Amal Cyril’s work has focused much-needed attention on existing and potential discriminatory uses of surveillance technologies. This work has advanced grassroots opposition to these practices.
Villain: Pablo Romero Quezada
Pablo Romero Quezada is the former director of Ecuador’s intelligence agency, the Secretaría Nacional de Inteligencia (SENAIN). In 2015, leaked documents revealed that Quezada contracted for surveillance technologies in order to spy on President Correa’s political opponents, environmentalists, and journalists.
Necessity
Principle: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a Legitimate Aim.
Heroes: MPs David Davis and Tom Watson
Members of Parliament Davis and Watson led a successful judicial challenge that resulted in the finding that the United Kingdom’s Data Retention and Investigatory Powers Act was inconsistent with European Union law. The act required internet and phone companies to retain communications data in excess of what is necessary for the course of ordinary business and longer than may be recommended to secure the data.
Villain: Attorney General Githu Muigai
Attorney General Githu Muigai fought to preserve Kenya’s Security Laws despite a High Court judgment overturning the legislation. The Security Laws empower police surveillance of communications, grant the Kenyan government the right to hold terror suspects for almost a year without charge, and provide for the imprisonment of journalists for up to three years if they publish material that is found to undermine “investigations or security operations.”
Adequacy
Principle: Any instance of communications surveillance authorized by law must be appropriate to fulfill the specific Legitimate Aim identified and effective in doing so.
Hero: Maricarmen Sequera
Maricarmen Sequera is the director of TEDIC, a Paraguayan digital rights organization that led the efforts to defeat new data retention legislation. The proposed bill would have compelled internet service providers in Paraguay to retain customer information such as personal communications and location details for a year.
Villain: Steven Blaney, MP
Canadian MP Steven Blaney was the sponsor of Bill C-51, which centralizes data kept on citizens and allows intelligence services to conduct disruptive operations such as altering seized websites and conducting man-in-the-middle attacks.
Proportionality
Principle: Decisions about communications surveillance must consider the sensitivity of the information accessed and the severity of the infringement on human rights and other competing interests.
Heroes: Jeremy Scahill and Josh Begley
Journalists Scahill and Begley revealed that American and British spies hacked into the internal computer network of the world’s largest producer of SIM cards and stole vast quantities of encryption keys. As a result of this breach, these governments may have the tools to monitor millions of voice and text communications without obtaining approval from telecom companies or foreign governments.
Villain: U.K. Prime Minister David Cameron
The newly released British Home Office’s Codes of Practice for the exercise of surveillance authority fail to adequately consider rights established by the European Convention and other human rights instruments. The codes permit government hacking, thereby facilitating powerful control over networks, and by extension, over users. Prime Minister Cameron has also taken a convoluted but strong stance against the use of encryption in personal communications.
Competent Judicial Authority
Principle: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.
Hero: Farieha Aziz
As director of the digital liberties organization Bolo Bhi, Farieha Aziz has been at the forefront of the campaign to modify the Prevention of Electronic Crimes Act 2015, currently under consideration in Pakistan. Bolo Bhi has maintained that establishing investigation agencies should not be left to the discretion of the federal government but should take place through an act of Parliament with clear statutory scope and functions.
Villain: Anthony Batts, former Commissioner of the Baltimore Police Department in the U.S.
Acting under a nondisclosure agreement with the FBI that was signed by a previous commissioner, the Baltimore Police Department used the “Stingray” surveillance device 4,300 times since 2007 to pull information from suspects’ cell phones, largely under Batts’ supervision. In a perversion of competent judicial authority, the use of these devices was hidden from defense attorneys, with the department going so far as to drop cases rather than reveal the surveillance.
Due Process
Principle: States must respect and guarantee individuals’ human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public.
Hero: Netzpolitik
Netzpolitik released confidential documents to the public exposing Germany’s plans to launch bulk surveillance programs and expand government surveillance of online communications. The Netzpolitik bloggers underwent a criminal investigation because they courageously brought to light these plans to violate the principles of due process.
Villain: Attorney General Mukul Rohatgi
Attorney General Mukul Rohatgi argued before India’s Supreme Court that privacy is not a fundamental right and that two decades of case law granting the right to privacy fundamental status must be reconsidered.
User Notification
Principle: Individuals should be notified of a decision authorizing Communications Surveillance with enough time and information to enable them to challenge the decision or seek other remedies and should have access to the materials presented in support of the application for authorization.
Hero: Nicholas Merrill
In September a District Court struck down an 11-year-old gag order imposed by the FBI on Nicholas Merrill, the owner of Calyx, an internet service provider. Merrill actively opposed an order forbidding him to reveal that Calyx had received a national security letter containing a warrantless demand for customer data.*
Villain: Judge Javier Gómez Bermúdez
In December, Spanish Judge Javier Gómez Bermúdez jailed seven people without specifying the individualized charges or facts attributed to each suspect, forcing the defendants to make statements without knowing what they were accused of. The judge stated that the defendants had “used emails with extreme security measures,” referring to the use of an encrypted email service, RiseUp.
Transparency
Principle: States should be transparent about the use and scope of Communications Surveillance laws, regulations, activities, powers, or authorities.
Hero: Kakao (formerly Daum Kakao)
Kakao owns a South Korean internet company with a popular messaging service. Over the past year, Kakao vowed to reject government requests for user data and began implementing privacy safeguards such as end-to-end encryption and reduced time for keeping user data on company servers. The company also issued a Transparency Report disclosing the number of requests for user information that it received from government agencies, and explaining how the company responds to these requests.
Villain: Telefonica
The giant telecom company has made human rights commitments and funds a “data transparency lab,” but has failed to live up to these principles in its own business practices. Despite serving around 300 million users worldwide, Telefonica does not issue a data Transparency Report, as its peer companies do, and has not disclosed its responses to government requests for user data, network disconnections, and content removal.
Public Oversight
Principle: States should establish independent oversight mechanisms to ensure transparency and accountability of Communications Surveillance.
Hero: The U.N. Human Rights Council
In March, the U.N. Human Rights Council took the dramatic step of creating a Special Rapporteur on the right to privacy. The Rapporteur, Joseph Cannataci, will study and report on considerations on the right to privacy in the digital age, and the U.N. has called on all member states to cooperate fully with and assist the Special Rapporteur in the performance of the mandate.
Villain: Prime Minister Prayut Chan-o-cha
As Prime Minister of Thailand, Prayut Chan-o-cha approved legislation to create a National Cybersecurity Committee with the power to access information on personal computers, cell phones, and other electronic devices without a court order. Membership on the Committee is reserved primarily for members of Thailand’s military and police forces and there would be no direct means for public oversight.
Integrity of Communication Systems
Principle: States should not compel service providers, or hardware or software vendors to build surveillance or monitoring capabilities into their systems, or to collect or retain particular information purely for State Communications Surveillance purposes.
Hero: Moxie Marlinspike (& team)
Marlinspike is the founder of Open Whisper Systems, an open source software group that freely offers the programs Signal, TextSecure, and Redphone. These tools encrypt voice and messaging communications, allowing individuals to take the security of their communication systems into their own hands.
Villain: Washington Post Editorial Board
In October, the Washington Post Editorial Board suggested that the U.S. Congress could compel Apple and Google to use their “wizardry” to create a “Secure Golden Key” for the government to access otherwise secure user data, despite repeated statements from technologists pointing out that creating such a key would be incompatible with basic data security.
Safeguards for International Cooperation
Principle: Mutual Legal Assistance Treaties (MLATs) entered into by States should ensure that, where the laws of more than one State could apply to Communications Surveillance, the available standard with the higher level of protection for individuals should apply.
Hero: Kate Westmoreland
Kate Westmoreland is a cybercrime and human rights expert with Stanford’s Center for Internet and Society. Her January paper, Foreign Law Enforcement Access to User Data: A Survival Guide and Call for Action, examines problems with how foreign governments seek user data from U.S.-based internet companies, with the hope of laying the groundwork for MLAT reform through a “clear understanding of the status quo.”
Villain: Gerhard Schindler
Gerhard Schindler is president of Germany’s Federal Intelligence Service (BND). Despite strong language from German leaders condemning U.S. surveillance practices, BND carried out surveillance activities on behalf of the U.S. National Security Agency and directed the transfer of intelligence information on European firms and officials to the U.S. government in exchange for access to NSA data.
Safeguards Against Illegitimate Access and Right to Effective Remedy
Principle: States should enact legislation criminalizing illegal Communications Surveillance by public and private actors.
Hero: Tim Cook
Apple’s CEO has vocally resisted government demands to weaken the company’s data security practices to provide access to customer information, and has fought against government requests and court orders to turn over encrypted iMessage communications.
Villain: U.S. Senator Richard Burr
As chairman of the Senate Intelligence Committee, Senator Burr has been a driving force behind the Cybersecurity Information Sharing Act (CISA) legislation, which, among other things, grants legal immunity to companies that share user information under the law’s provisions. This would deprive users of a right to an effective remedy for violations of their privacy and would discourage companies from adequately protecting user privacy interests.
* Full disclosure: Nicholas Merrill has recently joined the Access team.
Photo credit: By RyC – Behind The Lens from San Francisco, United States of America (dc heroes vs villains) [CC BY 2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons