UNHRC_Eric Bridiers

Internet access, digital ID, data protection, surveillance controls: UPR review highlights threats to digital rights

Header imageEric Bridiers, licensed under Creative Commons BY-ND 2.0

Joined by partner organizations around the world, Access Now continues to engage in various United Nations (U.N.) human rights mechanisms to defend and extend the digital rights of users worldwide. The U.N. Human Rights Council’s Universal Periodic Review (UPR) process is no exception. This year,  Access Now along with six partner organizations contributed a total of eight submissions to the U.N. Human Rights Council for its upcoming UPR review. While Access Now has consistently contributed to the UPR review process, this is the largest number of stakeholder submissions our organization has contributed at once in a review cycle to date.

The United Nations Universal Periodic Review (UPR) process

Several times a year, the U.N. Human Rights Council evaluates the human rights situation of U.N. member states through a process called the Universal Periodic Review (UPR). Since 2006, this process has aimed to promote respect for human rights and hold states accountable to their obligations. The review process is multifaceted and combines information provided by (1) the state under review, (2) independent human rights experts and groups, such as U.N. entities, and (3) other stakeholders, including Access Now. 

Access Now’s involvement in the UPR process 

Access Now often joins partner organizations to comment on countries due for review. In this process, we provide an overview of the state of digital rights in the countries under review and highlight developments since the previous UPR cycle that affect our digital rights. 

Digital rights issues in the countries under review this cycle include: open, secure, equitable, and affordable internet access; privacy violations in the implementation of national digital identification programs and surveillance technology; and the need for strong data protection legislation. In conjunction with our partner organizations, we provided tailored recommendations for each country, noting specific steps to fulfill and expand their human rights obligations. For the upcoming UPR review, we submitted eight reports on the state of digital rights on the following countries: 

Access to open, secure, equitable, and affordable internet 

The internet is fundamental in ensuring access to information and expression while providing a platform for innovation in fields like health and education, and wealth creation and distribution through digital economies. Merely extending access to the internet is not enough. Internet infrastructure, policy, and governance must be resilient enough to sustain against censorship, surveillance, attacks, and shutdowns. Moreover, such access must encompass equitable and affordable internet for all citizens. 

Jamaica 

In 2017, recorded internet penetration in Jamaica was approximately 56% (1.5 million), up from 1.1. million users in 2011. However, fixed-line broadband subscriptions are still low. Accordingly, Access Now and Jamaicans for Justice recommended that the Jamaican government take steps to ensure that affordable internet access is made available across the island so that rural citizens will be able to readily access information and services through various public and private entities.  

Liberia 

In November 2016, there were reports claiming that the internet in Liberia was “taken down” by a botnet attack. Yet shortly afterward, journalists and internet infrastructure companies cast doubt on whether the country-wide outrage actually happened. Independent confirmation from Access Now’s civil society partners in the area revealed that there was no effective decline in internet connectivity. In 2019, however, a British man admitted to attacking an African phone company in 2016, which evidently inadvertently impacted Liberia’s internet access. 

This experience highlights the need for Liberia to increase its internet resilience and protect Liberians from future attacks. A more resilient internet is an internet that will better safeguard free expression and human rights. A distributed network protects all users of the open internet, allowing them to embrace its promise, communicate, build businesses, create, and express themselves. Accordingly, Access Now and Media Foundation for West Africa recommended that the Liberian government engage with the United Nations and other global institutions like the World Bank and International Monetary Fund to build a more resilient, affordable, and ubiquitous internet. 

Malawi 

Malawi citizens deserve more internet connectivity at an affordable price. Increasing internet access is especially important because vulnerable populations are often most affected by a lack of connectivity. ITU-D reports further illuminate the gender gap in access to the internet across Malawi. In 2016, Malawi’s internet penetration rate was 11.5 percent overall. Yet the internet penetration rate for male citizens was 17.5 percent and only 5.5 percent for women. 

The Malawi government must ensure human rights are protected online and implement open, transparent, and accountable internet governance processes. All stakeholders must be given a meaningful opportunity to provide input on regulatory and policy decisions that impact human rights online. Accordingly, we recommended that the Malawi government work to improve internet access and extend affordable, open, and secure connectivity for all its citizens. Malawi should particularly address the inequalitites in women’s access to the internet in accordance with its human rights obligations under the Convention on the Elimination of all Forms of Discrimination Against Women.

Digital identification programs and the right to privacy 

Access Now recently examined national digital identity programs from a human rights perspective in our publication, National Digital Identity Programs: What’s Next? In the report, we maintain that it is imperative that digital identity systems particularly those backed by a state’s resources and legal powers are designed using sound principles of governance, data protection, privacy, and security. 

Malawi

Malawi has increased mandatory data collection. SIM card registration and biometric data collection the collection of biological traits that individuals can never change through the Malawi national ID program directly threaten the safety of Malawians’ data and violate their right to privacy.

An effective policy framework for national ID programs, such as the one in Malawi, must be preceded by an equally strong legal and cybersecurity framework. The collection of large amounts of personal information pertaining to identities including biometrics often form tempting targets for criminals and other actors for malicious hacking and cyber intrusion. Additional challenges related to the secure communication of data during authentication must be met through proper encryption. We note grave concern over the use and collection of biometric data in Malawi’s new digital identification cards. We advocate a moratorium on the aggregation and use of biometric data for authentication, even if such processing is aimed at increasing convenience or justified as a way to enhance security. 

The Maldives 

In 2017, the Maldives released a new digital identification card for citizens. The digital identification card combines health, insurance, banking/payments, and a passport. The card was created by the Maldives Immigration and Dermalog, a German-based vendor.

In establishing digital identity programs, such as the one in the Maldives, authorities often intend to make the delivery of services, including welfare benefits, more efficient and accurate, and to reduce corruption by using technology to assist in clear identification and secure authentication. According to Dermalog, the goal of the digital identification cards in the Maldives is to “reduce the number of cards that the island republic’s […] citizens must carry with them.” However, these programs can themselves become impediments to governance and harm the provision of welfare services and the wider inclusion of citizens.

We note grave concern over the use and collection of biometric data in the new digital identification cards in the Maldives. The identification cards contain 10 fingerprints for verification. The collection and use of biometric data poses significant risks for individuals. Given the potential for exploitation of these data, we discourage the use of biometrics in digital ID programs. In its policy handbook for 2017, the Cato Institute echoed similar concerns advocating against the use of biometric identification in national digital ID systems. The aggregation and use of biometric data should be sharply limited, even if such aggregation and use is aimed at increasing convenience or justified as a way to enhance security.

Accordingly, we recommended that the governments of Malawi and the Maldives: (1) minimize the amount of and type of data the government and associated service providers collect through the digital identification system; (2) restrict lawful interception and monitoring of digital ID use and implement measures for accountability; (3) ensure that the national ID programs are based on models for secure communications, including providing end-to-end encrypted traffic as far as possible; and (4) develop legal procedures and evidentiary standards for biometrics with care to protect human rights and due process. 

Jamaica 

In contrast to Malawi and the Maldives, Jamaica recently took a stand in favor of the right to privacy regarding its 2017 digital identification program. In 2017, Jamaica established the National Identification System (NIDS) with the National Identification and Registrations Act (NIRA). NIDS is a centralized database of all Jamaican citizens. Each citizen, when registered with NIDS, is given a unique identifying number, also known as a digital ID. This digital ID and database are connected to, and contain, biometric data about individuals. Not only did the NIRA establish a database to preserve this identifying information, it also made it a criminal offense for any Jamaican to not register with NIDS, therefore mandating the sharing of biometric data by every citizen. This law violated the human rights of Jamaican individuals, threatening their right to privacy and increasing the possibility of dangerous data surveillance in the country. 

In early 2019, the government was in the process of finalizing NIRA accompanying regulations. These regulations sought to operationalize NIRA by specifying how data should be collected and stored and the information that the National Identification Card (NIC) would include.  

Two years after the establishment of the NIDS in 2017, the Jamaican Constitutional Court unanimously ruled in April 2019 that NIRA’s mandatory requirement of biometric identification violated the Jamaican Constitution and infringed upon the right to privacy. They accordingly rendered NIRA void and struck down the law and dissolved NIDS in its entirety, noting that those aspects of NIRA which did not infringe on the Constitutional rights of citizens were not enough to stand alone. Access Now and Jamaicans for Justice commend this action by the Jamaican Supreme Court, as this 2019 ruling against Jamaica’s Digital ID system sets a precedent of respecting the human rights the privacy and liberty of all Jamaicans. 

The government of Jamaica tabled a Data Protection Bill (bill) in October 2017. This bill supports the fundamental right of every Jamaican to have their privacy protected, and seeks to set clear guidelines for how the government, businesses, and organizations should correctly collect, store, and dispose of personal and sensitive data. The government is currently “moving rapidly” to complete the bill which it is believed will be crucial in the process of retabling an updated and constitutionally compliant NIRA. 

Improvements to data protection legislation 

States must enact data protection laws to protect the right to privacy and provide safeguards for personal data online. Accordingly, states should ensure that data protection laws and regulations align with their international human rights obligations. 

Panama 

In August 2018, the government of Panama introduced a new data protection bill in the National Assembly. Bill No. 665 was drafted by the executive power without public participation, the consequences of which are evidenced in the bill. The final proposal lacks fundamental protections for data subjects, and does not take a user rights-centered approach with clear liabilities and exceptions, among other failings. The data protection bill was approved under Law No. 81 of March 26, 2019 and was published on March 29, 2019. Accordingly, Access Now and IPANDETEC recommended that the Panamanian government amend its Personal Data Protection Law to ensure that it upholds rather than restrict rights. Specifically, we suggested that the Panamanian government should take a user-rights centered approach and promote fundamental protections for data subjects. We also recommended that Panamanian legislators create a Data Protection Act, instead of adding responsibilities to existing authorities, particularly considering that the law gives responsibility to the Transparency Authority, who at the time claimed to have neither the staff nor the resources to fulfill this responsibility.  

The United States 

In June 2018, the National Security Administration (NSA) announced that it had deleted its entire database of call detail records due to “technical irregularities.” Such “irregularities” resulted in the agency receiving data it was not authorized to collect

While several American cities, such as Seattle, Oakland, and Berkeley have passed “Community Control Over Police Surveillance” (CCOPS) laws that enable community oversight of local police departments’ acquisition of new surveillance technologies, more must be done at the national level. We made three recommendations to the U.S. government in this respect. First, we recommended that the government implement a comprehensive data privacy and protection framework that would guarantee fundamental privacy rights and control over one’s personal information for everyone whose data passes through the U.S., whether it be through a government agency or private company. Second, we called on the government to research the harms of data breaches of non-financial personal data and potential redress mechanisms to respond to those harms. Finally, we recommended that the government establish an independent data protection commission with authority and resources to monitor implementation, conduct investigations, and sanction entities in the event of data protection violations.

Surveillance and the right to privacy 

Sophisticated surveillance systems are increasingly being sold and used effectively without constraint. Export licenses are reportedly being issued by government authorities to deploy surveillance tools from private companies even when the tools are linked to human rights violations across the globe. These trends are evident in countries such as Bulgaria, Honduras, and the United States, all of which are under review this UPR cycle. 

Bulgaria 

Bulgarian authorities have issued export licenses to NSO Group (recently purchased by Novalpina Capital), a firm that sells technology that has been repeatedly linked to human rights violations worldwide. NSO Group’s Pegasus spyware appears to have played an instrumental role in government attempts around the world to deploy cyber-surveillance as a means to subvert political dissidents, surveil journalists and human rights defenders, and further marginalize at-risk populations. 

Governments must act to protect human rights and prevent abuse of these rights. In 2019, Access Now sent letters to the International Trade Control in Bulgaria (the public authority which oversees applicable export controls and relevant licensing), to request additional information. We also asked for an investigation into export licenses that have reportedly been issued by Bulgarian authorities to NSO Group, as Novalpina Capital’s founding partner, Stephen Peel suggested in his March 2019 letter to Access Now and other civil society groups.

Honduras

Honduras has reportedly purchased telecommunication interception equipment from the United Kingdom and the United States. Reports by Privacy International indicate that the U.S. has sold investigative equipment to Honduras’s police at the cost of $782,000. This equipment includes a powerful digital forensic analysis system known as UFED, which is used to extract and analyze data from digital devices developed by Israeli company Cellebrite, as well as another $150,000 on three more systems sold by Cellebrite. Prior to the 2018 election in Honduras, Honduras law enforcement agencies purchased spy technologies. Such sophisticated spy technology can be used to intercept, monitor, and track emails, mobile phones, and online messaging services such as WhatsApp. Accordingly, Access Now and Aci Participa recommended that the government of Honduras cease imports of invasive surveillance technology and abolish all security service practices related to the control of communications and the internet. 

The United States 

Certain surveillance laws and provisions in the United States, including Section 215 of the Patriot Act, are set to expire on December 14, 2019. These surveillance laws and provisions provide the basis for U.S. intelligence agencies conducting indiscriminate surveillance on a mass scale, impacting millions of people around the world. It is crucial that congressional leadership facilitate an open and in-depth public debate over the power and reach of the U.S. surveillance apparatus. Accordingly, we recommended that the U.S. Senate and House Judiciary Committees’ leaders release critical information regarding the current implementation of U.S. surveillance laws.

What’s next? 

These countries will be under review in Geneva next in May 2020. The UPR is an important U.N. process aimed at addressing human rights issues all across the globe. It is a rare mechanism through which citizens around the world get to work with governments to improve human rights and hold them accountable to international law. Access Now and our partner organizations are grateful to have made submissions to this unique process. We look forward to continuing to engage with partner organizations worldwide to provide informed insight on the state of digital rights and recommendations to governments to ensure rights-respecting technology policy and governance.