Update: On March 12, the Pyrawebs bill was rejected by the House of Representatives in an important step in the fight against mass surveillance in Paraguay. Against all odds, the legislature listened to the voices of local and global activists instead of arguments from the ruling party of President Horacio Cartes. Now the bill will go back to the Senate, where it should be shelved and left aside for good.
In November 2014 the government of Paraguay proposed a bill that would mandate that internet service providers — including mobile carriers — store metadata about all internet communications.
The bill requires service providers to retain “internet traffic data” for 12 months, which would be stored in massive databases left in their custody. These databases would be accessible by authorities for “criminal investigation purposes.” The bill has already been approved in the Paraguayan Senate and may be voted into law at the March 13 session in the House of Representatives.
Access deeply objects to the bill because such programs are often expanded beyond their original reach, and used to enable unlawful bulk surveillance.
Serious concerns about user privacy
Internet activists quickly baptised the bill the “Pyrawebs,” a play on the word pyragüé (“hairy feet”), which is Paraguayan slang for undercover agents who would watch political activists and record their movements during the military dictatorship.
A group of 15 digital rights organizations (including Access, EFF, and local partner TEDIC) signed a statement asking the Paraguayan government to kill Pyrawebs. Local and international civil society groups like Amnesty International have also raised concerns about user privacy.
Even though the bill would require law enforcement to obtain a court order to access the database, international law makes it clear that the blanket data retention obligation is both illegal and disproportionate.
The Inter-American Court of Human Rights has already considered the issue of mandatory data retention. In Escher vs. Brazil the court ruled that digital data deserves the same amount of protection as personal data under the American Convention on Human Rights. The Court of Justice of the European Union also invalidated Europe’s Data Retention Directive in 2014 for its lack of proportionality.
Metadata reveals a lot about private lives
According to the text of the Pyrawebs bill, only data “around” an internet connection is required to be stored, leaving communications content out of the equation for “privacy reasons.” But Paraguayan authorities will be able to collect information commonly referred to as metadata: user identification, IP addresses, connection logs, the origin and destination of communications, timestamps, geolocation, and IP routing — all of which can allow authorities to extract sensitive information about a person’s private life by correlation and analysis. It would be possible, for example, to cross-reference user IDs, internet traffic logs, geolocation, and timestamps to track anyone’s movements during a whole year. You would be able to know where, when, and with whom someone associates, whether someone participates in political activity, or whether someone goes on dates.
The usage of similar databases has led to abuse in the past. In Poland, intelligence agencies used metadata databases to expose journalistic sources. In the Netherlands, carriers exploited databases for marketing purposes, and in Ireland police officers used a database to spy on former romantic partners. The U.S. government has even ordered lethal drone strikes on the basis of metadata analysis.
That’s why the Necessary and Proportionate Principles, which have been endorsed by over 400 civil society organizations, state that databases should gather as little information as possible and be narrowly targeted.
Usefulness and crime
Data retention advocates in Paraguay claim that data retention will be the ultimate tool in the fight against serious crime like terrorism, drug trafficking, and child pornography. Pro-data retention lobbyists cleverly use such language when they talk to the media, and similar lobbying led to the adoption of data retention rules in Colombia in 2013, which currently require data storage for five years.
Latin American lawmakers may honestly think that data retention is going to be useful to fight crime. Sadly, many of them ignore research that shows no significant increase in law enforcement effectiveness in countries, such as Germany, that have adopted data retention laws. In addition, “super” databases may invite misuse, confidentiality violations, information security risks, and increased costs for consumers.
Let’s stop Pyrawebs
The Paraguayan House of Representatives will vote on the Pyrawebs bill on March 13. You can follow the hashtag #pyrawebs on Twitter to join the debate and tell lawmakers to reject this dangerous and useless bill.
image courtesy of TEDIC