This is the second in a series of posts mapping global surveillance challenges discussed at EFF’s Surveillance Camp held in Rio de Janeiro, Brazil in December 2012. Several Global Voices Advocacy Members actively participated in the meeting. Here is a summary of what we learned:
In December 2012, EFF organized a Surveillance and Human Rights Camp in Brazil that brought together a diverse group of experts concerned about electronic surveillance by governments in Latin America and other parts of the world. Among other concerns, participants highlighted the many ways in which the private sector increasingly plays a role in state surveillance. Here are a few examples:
Voluntary Agreements Between Law Enforcement and Private Companies
Often law enforcement agencies will approach companies asking for voluntary disclosure of information for investigative purposes. Yet those requests may look and sound more like threats, with a great deal of moral pressure applied on the companies.
This kind of voluntary assistance that companies provide to governments remains out of the public eye: the individual does not receive notification about the government request, and the process is not codified in law. It is often not clearly disclosed in the company's terms of service or user agreement. Currently there is minimal, if any, oversight for such voluntary cooperation, so the scope of assistance provided is not well documented.
Canadian ISPs have jointly decided to provide identifying data about Canadian Internet users to law enforcement agencies in child exploitation investigations. In fact, several Canadian ISPs have developed a formal protocol in conjunction with various law enforcement agencies to be used when those authorities are seeking identification information associated with a given IP address at a specific date and time. Since the adoption of this protocol, some ISPs have expanded their information sharing practices to cover customer identification data in other contexts, such as online harassment cases.
Law Enforcement Approaching Service Providers Without Legally-Required Authorization
A growing concern is the number of law enforcement officers skirting the law by asking service providers to simply fork over information without any sort of search warrant. Even when legal procedures require authorities to obtain a search warrant prior to making their request, police increasingly request information without obtaining a legal authorization. Nevertheless, they often expect full compliance from service providers.
In 2008, a Chilean website called Huelga.cl (“strike” in English) was approached by the Cyber Crime Section of the Chilean Police. The site is an online space for coordinating union actions. The agency demanded that the webmaster hand over data related to pseudonymous user accounts, such as IP addresses, records of previous connections, real names, and physical addresses. The targeted users had left comments on a website about an ongoing strike.
In this case, because police did not have a court order to back up the request for information, Huelga.cl took a stand by resisting police pressure and refusing to hand over the data without a fight. For legal assistance, they turned to Derechos Digitales, a Chilean online human rights nonprofit organization, and managed to resist the request.
In another case, the Regional Director of the Chilean Department of Labor, the agency responsible for ensuring the enforcement of labor laws, sent a letter to Huelga.cl simply demanding the removal of “inappropriate content” from their website along with the disclosure of user information, but the request was only for administrative purposes, as opposed to a serious criminal investigation. Huelga.cl again refused to comply and instead made the director’s demands public.
It is not always the case that service providers can resist extralegal government requests, find legal advice or gather the economic resources necessary to fight against such demands as Huelga.cl did. Huelga.cl should be praised for speaking up and managing to make the request from law enforcement public.
Governments Pressure Private Sector
Governments frequently impose heavy fines when companies do not comply with their requests for access to user data. This form of coercion acts as a mechanism of enforcement over service providers and can raise serious concerns for privacy and free expression. The service provider is left with little incentive to resist illegitimate requests from the government when they are threatened with heavy fines.
In 2012, a Brazilian judge froze Google's accounts and imposed a fine on the company for refusing to remove three anonymous blogs hosted by Google or reveal contact details of the bloggers. The blogs had reported on allegations that the mayor of Varzea Alegre, a small city in northern Brazil, had engaged in corruption and embezzlement.
While some companies might be able to withstand governmental pressure, this often will not be the case for smaller companies that lack resources and influence. This is particularly true in contexts where heavy fines for noncompliance are written into legislation, and companies are not given legal avenues to appeal or fight the fine.
Foreign Government Access To Individuals’ Data in the Cloud
Governments are increasingly seeking to negotiate access or interception capabilities to user data with companies that do not lie within their jurisdictions. This form of access is complicated because it is not always clear which country’s laws apply or to what extent. Because of the complex nature of these requests, governments often look for “easy” solutions that call for voluntary disclosure of information or simply allow full access to the user data.
For example, government officials in India have been pushing for real-time interception capabilities for all BlackBerry services. In response to demands from the Indian Government, BlackBerry parent company Research in Motion (RIM) set up a Network Operations Center in Mumbai, providing security agencies with access to BlackBerry Messenger services and Internet services. In addition to asking RIM for real-time access to communications, the Government of India required in-country service providers to adopt the solution provided by RIM by the end of 2012 or risk being shut down.
According to Elonnai Hickok from the Centre for Internet and Society in Bangalore, India, what happened between RIM and the Indian Government is just one example of how governments are trying to negotiate their interests in light of the challenges posed by communications stored in the cloud and in multiple jurisdictions.
While the Internet is technically borderless, in reality, state actors impose their sovereignty onto online environments with increasing frequency. The exercise of sovereignty over shared spaces can subject individuals to the laws of another country without any awareness on their part that this has happened. This in effect transforms the surveillance efforts of one country into privacy risks for all the world’s citizens.
State agencies and law enforcement are increasingly outsourcing investigations to private companies that are not under the same terms of judicial oversight as official law enforcement entities would be. The increasingly closed and non-transparent connection between the private sector and law enforcement needs to be addressed, as it poses a risk to the rights and freedoms of users. Of major concern to all Camp participants was the notion that private companies routinely comply with the requests of law enforcement in the absence of due process. We encourage further research and documentation of this phenomenon. To highlight this issue, we will be blogging next about the privatization of public security in Latin America.