Saturday, June 1, 2013

The implications of States’ surveillance of communications for the exercise of freedom of opinion and expression

Frank La Rue
Frank La Rue, UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression

''The present report analyses the implications of States’ surveillance of communications for the exercise of the human rights to privacy and to freedom of opinion and expression. While considering the impact of significant technological advances in communications, the report underlines the urgent need to further study new modalities of surveillance and to revise national laws regulating these practices in line with human rights standards.''
Experts: 

V. Modalities of communications surveillance 

33. Modern surveillance technologies and arrangements that enable States to intrudeinto an individual’s private life threaten to blur the divide between the private and thepublic spheres. They facilitate invasive and arbitrary monitoring of individuals, who may not be able to even know they have been subjected to such surveillance, let alone challenge it. Technological advancements mean that the State’s effectiveness in conducting surveillance is no longer limited by scale or duration. Declining costs of technology and data storage have eradicated financial or practical disincentives to conducting surveillance. As such, the State now has a greater capability to conduct simultaneous, invasive, targeted and broad-scale surveillance than ever before.

A. Targeted communications surveillance

34. States have access to a number of different techniques and technologies to conductcommunications surveillance of a targeted individual’s private communications. Real-time interception capabilities allow States to listen to and record the phone calls of any individual using a fixed line or mobile telephone, through the use of interceptioncapabilities for State surveillance that all communications networks are required to build into their systems.(21) An individual’s location can be ascertained, and their text messages read and recorded. By placing a tap on an Internet cable relating to a certain location or person, State authorities can also monitor an individual’s online activity, including the websites he or she visits.

35. Access to the stored content of an individual’s e-mails and messages, in addition to other related communications data, can be obtained through Internet companies and service providers. The initiative of the European standards-setting authority, the European Telecommunications Standards Institute, to compel cloud providers (22) to build “lawful interception capabilities” into cloud technology to enable State authorities to have direct access to content stored by these providers, including e-mails, messages and voicemails, raises concerns.(23)

36. States can track the movements of specific mobile phones, identify all individualswith a mobile phone within a designated area, and intercept calls and text messages,through various methods. Some States use off-the-air mobile monitoring devices called International Mobile Subscriber Identity (IMSI) catchers, which can be installed in a location temporarily (such as at a protest or march) or permanently (such as at an airport or other border crossings). These catchers imitate a mobile phone tower by sending and responding to mobile phone signals in order to extract the unique subscriber identification module (SIM) card number of all mobile phones within a certain territory.

37. States are also increasingly acquiring software that can be used to infiltrate anindividual’s computer, mobile phone or other digital device.(24) Offensive intrusion software, including so-called “Trojans” (also known as spyware or malware), can be used to turn on the microphone or camera of a device, to track the activity conducted on the device, and to access, alter or delete any information stored on the device. Such software enables a State to have complete control of the device infiltrated, and is virtually undetectable.

B. Mass communications surveillance

38. Costs and logistical hurdles to conduct surveillance on a mass scale continue todecline rapidly, as technologies allowing for broad interception, monitoring and analysis of communications proliferate. Today, some States have the capability to track and record Internet and telephone communications on a national scale. By placing taps on the fibreoptic cables, through which the majority of digital communication information flows, and applying word, voice and speech recognition, States can achieve almost complete control of tele- and online communications. Such systems were reportedly adopted, for example, by the Egyptian and Libyan Governments in the lead-up to the Arab Spring.(25)

39. In many States, mandatory data retention is facilitating massive collection ofcommunications data that can later be filtered and analysed. Technologies enable the State to scan phone calls and text messages to identify the use of certain words, voices or phrases, or filter Internet activity to determine when an individual visits certain websites or accesses particular online resources. “Black boxes” can be designed to inspect the data flowing through the Internet in order to filter through and deconstruct all information about online activity. This method, called “deep-packet inspection”, allows the State to go beyond gaining simple knowledge about the sites that individuals visit, and instead analyse the content of websites visited. Deep-packed inspection, for example, has been reportedly employed by States confronted with recent popular uprisings in the Middle East and North Africa region.(26)

40. Another tool used regularly by States today is social media monitoring. States have the capacity physically to monitor activities on social networking sites, blogs and media outlets to map connections and relationships, opinions and associations, and even locations. States can also apply highly sophisticated data mining technologies to publicly available information or to communications data provided by third party service providers. At a more basic level, States have also acquired technical means to obtain usernames and passwords from social networking sites such as Facebook.(27)

C. Access to communications data

41. In addition to intercepting and tracking the content of individuals’ communications, States may also seek access to communications data held by third party service providers and Internet companies. As the private sector collects progressively larger amounts ofvaried data that reveal sensitive information about peoples’ daily lives, and individuals and businesses choose to store the content of their communications, such as voicemails, e-mails and documents, with third party service providers, access to communications data is an increasingly valuable surveillance technique employed by States.

42. The communications data collected by third party service providers, including large Internet companies, can be used by the State to compose an extensive profile of concerned individuals. When accessed and analysed, even seemingly innocuous transactional records about communications can collectively create a profile of individual's private life, including medical conditions, political and religious viewpoints and/or affiliation, interactions and interests, disclosing as much detail as, or even greater detail than would be discernible from the content of communications alone.(28) By combining information about relationships, location, identity and activity, States are able to track the movement of individuals and their activities across a range of different areas, from where they travel to where they study, whatthey read or whom they interact with.

43. Instances of access to communications data by States are growing rapidly. In the three years that Google has been reporting the numbers of requests for communications data it receives, such requests have almost doubled, from 12,539 in the last six months of 2009, to 21,389 in the last six months of 2012.(29) In the United Kingdom, where law enforcement authorities are empowered to self-authorize their own requests for communications information, approximately 500,000 such requests were reported every year.(30) In the Republic of Korea, a country of nearly 50 million people, there are approximately 37 million requests for communications data reported every year.(31) 

21 See, for example, the United States Communications Assistance for Law Enforcement Act 1994 (United States); Telecommunications Act 1997, Part 15 (Australia) ; Regulation of Investigatory Powers Act 2000, ss12-14 (United Kingdom); Telecommunications (Interception Capability) Act 2004.
22 A cloud provider offers services of networked online storage of data.
23 ETSI DTR 101 567 VO.0.5 (2012-14), Draft Technical Report: Lawful Interception (LI); Cloud/Virtual Services (CLI). 

24 Toby Mendel, Andrew Puddephatt, Ben Wagner, Dixi Hawtin, and Natalia Torre s, Global Survey on Internet Privacy and Freedom of Expression, UNESCO Series on Internet Freedom (2012), p. 41.
25 European Parliament, Directorate-General for External Policies, Policy Department, After the Arab Spring: New Paths for Human Rights and the Internet in European Foreign Policy (2012), pp. 9-10.
26 Mendelet al., op. cit., p. 43.
27 European Parliament,op. cit., p. 6
28 Alberto Escudero-Pascual and Gus Hosein,“Questioning lawful access to traffic data ”,Communications of the ACM, Volume 47
Issue 3, March 2004,pp.77–82.
29 See http://www.google.com/transparencyreport/userdatarequests/
30 See http://www.intelligencecommissioners.com/docs/0496.pdf
31 Money Today, 23 October, 2012, citing the disclosure made by the Korean Communication Commission for the Annual National Audit of 2013 to Assemblywoman Yoo Seung-Hui,http://www.mt.co.kr/view/mtview.php?type=1&no=2012102309430241764&outlink=1.



Human Rights Council
Twenty-third session
Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue*