Subscribe to Secularism is a Womens Issue

Secularism is a Women’s Issue

Home > Uncategorised > International Principles on the Application of Human Rights to (...)

International Principles on the Application of Human Rights to Communications Surveillance

Monday 24 February 2014, by siawi3

Source: https://en.necessaryandproportionate.org/text

10 JULY 2013

As technologies that facilitate State surveillance of communications
advance, States are failing to ensure that laws and regulations related
to communications surveillance adhere to international human rights and
adequately protect the rights to privacy and freedom of expression. This
document attempts to explain how international human rights law applies
in the current digital environment, particularly in light of the
increase in and changes to communications surveillance technologies and
techniques. These principles can provide civil society groups, industry,
States and others with a framework to evaluate whether current or
proposed surveillance laws and practices are consistent with human rights.

These principles are the outcome of a global consultation with civil
society groups, industry and international experts in communications
surveillance law, policy and technology.

PREAMBLE

Privacy is a fundamental human right, and is central to the maintenance
of democratic societies. It is essential to human dignity and it
reinforces other rights, such as freedom of expression and information,
and freedom of association, and is recognised under international human
rights law.[1] Activities that restrict the right to privacy, including
communications surveillance, can only be justified when they are
prescribed by law, they are necessary to achieve a legitimate aim, and
are proportionate to the aim pursued.[2]

Before public adoption of the Internet, well-established legal
principles and logistical burdens inherent in monitoring communications
created limits to State communications surveillance. In recent decades,
those logistical barriers to surveillance have decreased and the
application of legal principles in new technological contexts has become
unclear. The explosion of digital communications content and information
about communications, or “communications metadata” — information about
an individual’s communications or use of electronic devices — the
falling cost of storing and mining large sets of data, and the provision
of personal content through third party service providers make State
surveillance possible at an unprecedented scale.[3] Meanwhile,
conceptualisations of existing human rights law have not kept up with
the modern and changing communications surveillance capabilities of the
State, the ability of the State to combine and organize information
gained from different surveillance techniques, or the increased
sensitivity of the information available to be accessed.

The frequency with which States are seeking access to both
communications content and communications metadata is rising
dramatically, without adequate scrutiny.[4] When accessed and analysed,
communications metadata may create a profile of an individual’s life,
including medical conditions, political and religious viewpoints,
associations, interactions and interests, disclosing as much detail as,
or even greater detail than would be discernible from the content of
communications.[5] Despite the vast potential for intrusion into an
individual’s life and the chilling effect on political and other
associations, legislative and policy instruments often afford
communications metadata a lower level of protection and do not place
sufficient restrictions on how they can be subsequently used by
agencies, including how they are data-mined, shared, and retained.

In order for States to actually meet their international human rights
obligations in relation to communications surveillance, they must comply
with the principles set out below. These principles apply to
surveillance conducted within a State or extraterritorially. The
principles also apply regardless of the purpose for the surveillance —
law enforcement, national security or any other regulatory purpose. They
also apply both to the State’s obligation to respect and fulfil
individuals’ rights, and also to the obligation to protect individuals’
rights from abuse by non-State actors, including corporate entities.[6]
The private sector bears equal responsibility for respecting human
rights, particularly given the key role it plays in designing,
developing and disseminating technologies; enabling and providing
communications; and - where required - cooperating with State
surveillance activities. Nevertheless, the scope of the present
Principles is limited to the obligations of the State.

CHANGING TECHNOLOGY AND DEFINITIONS

“Communications surveillance” in the modern environment encompasses the
monitoring, interception, collection, analysis, use, preservation and
retention of, interference with, or access to information that includes,
reflects, arises from or is about a person’s communications in the past,
present or future. “Communications” include activities, interactions and
transactions transmitted through electronic mediums, such as content of
communications, the identity of the parties to the communications,
location-tracking information including IP addresses, the time and
duration of communications, and identifiers of communication equipment
used in communications.

Traditionally, the invasiveness of communications surveillance has been
evaluated on the basis of artificial and formalistic categories.
Existing legal frameworks distinguish between “content” or
“non-content,” “subscriber information” or “metadata,” stored data or in
transit data, data held in the home or in the possession of a third
party service provider.[7] However, these distinctions are no longer
appropriate for measuring the degree of the intrusion that
communications surveillance makes into individuals’ private lives and
associations. While it has long been agreed that communications content
deserves significant protection in law because of its capability to
reveal sensitive information, it is now clear that other information
arising from communications - metadata and other forms of non-content
data - may reveal even more about an individual than the content itself,
and thus deserves equivalent protection. Today, each of these types of
information might, taken alone or analysed collectively, reveal a
person’s identity, behaviour, associations, physical or medical
conditions, race, color, sexual orientation, national origins, or
viewpoints; or enable the mapping of the person’s location, movements or
interactions over time,[8] or of all people in a given location,
including around a public demonstration or other political event. As a
result, all information that includes, reflects, arises from or is about
a person’s communications and that is not readily available and easily
accessible to the general public, should be considered to be "protected
information", and should accordingly be given the highest protection in law.

In evaluating the invasiveness of State communications surveillance, it
is necessary to consider both the potential of the surveillance to
reveal protected information, as well as the purpose for which the
information is sought by the State. Communications surveillance that
will likely lead to the revelation of protected information that may
place a person at risk of investigation, discrimination or violation of
human rights will constitute a serious infringement on an individual’s
right to privacy, and will also undermine the enjoyment of other
fundamental rights, including the right to free expression, association,
and political participation. This is because these rights require people
to be able to communicate free from the chilling effect of government
surveillance. A determination of both the character and potential uses
of the information sought will thus be necessary in each specific case.

When adopting a new communications surveillance technique or expanding
the scope of an existing technique, the State should ascertain whether
the information likely to be procured falls within the ambit of
“protected information” before seeking it, and should submit to the
scrutiny of the judiciary or other democratic oversight mechanism. In
considering whether information obtained through communications
surveillance rises to the level of “protected information”, the form as
well as the scope and duration of the surveillance are relevant factors.
Because pervasive or systematic monitoring has the capacity to reveal
private information far in excess of its constituent parts, it can
elevate surveillance of non-protected information to a level of
invasiveness that demands strong protection.[9]

The determination of whether the State may conduct communications
surveillance that interferes with protected information must be
consistent with the following principles.

THE PRINCIPLES

LEGALITY:
Any limitation to the right to privacy must be prescribed by law. The
State must not adopt or implement a measure that interferes with the
right to privacy in the absence of an existing publicly available
legislative act, which meets a standard of clarity and precision that is
sufficient to ensure that individuals have advance notice of and can
foresee its application. Given the rate of technological changes, laws
that limit the right to privacy should be subject to periodic review by
means of a participatory legislative or regulatory process.

LEGITIMATE AIM:
Laws should only permit communications surveillance by specified State
authorities to achieve a legitimate aim that corresponds to a
predominantly important legal interest that is necessary in a democratic
society. Any measure must not be applied in a manner which discriminates
on the basis of race, colour, sex, language, religion, political or
other opinion, national or social origin, property, birth or other status.

NECESSITY:
Laws permitting communications surveillance by the State must limit
surveillance to that which is strictly and demonstrably necessary to
achieve a legitimate aim. Communications surveillance must only be
conducted when it is the only means of achieving a legitimate aim, or,
when there are multiple means, it is the means least likely to infringe
upon human rights. The onus of establishing this justification, in
judicial as well as in legislative processes, is on the State.

ADEQUACY:
Any instance of communications surveillance authorised by law must be
appropriate to fulfil the specific legitimate aim identified.

PROPORTIONALITY:
Communications surveillance should be regarded as a highly intrusive act
that interferes with the rights to privacy and freedom of opinion and
expression, threatening the foundations of a democratic society.
Decisions about communications surveillance must be made by weighing the
benefit sought to be achieved against the harm that would be caused to
the individual’s rights and to other competing interests, and should
involve a consideration of the sensitivity of the information and the
severity of the infringement on the right to privacy.

Specifically, this requires that, if a State seeks access to or use of
protected information obtained through communications surveillance in
the context of a criminal investigation, it must establish to the
competent, independent, and impartial judicial authority that:

* there is a high degree of probability that a serious crime has been
or will be committed;
* evidence of such a crime would be obtained by accessing the protected
information sought;
* other available less invasive investigative techniques have been
exhausted;
* information accessed will be confined to that reasonably relevant to
the crime alleged and any excess information collected will be promptly
destroyed or returned; and
* information is accessed only by the specified authority and used for
the purpose for which authorisation was given.
If the State seeks access to protected information through communication
surveillance for a purpose that will not place a person at risk of
criminal prosecution, investigation, discrimination or infringement of
human rights, the State must establish to an independent, impartial, and
competent authority:

* other available less invasive investigative techniques have been
considered;
* information accessed will be confined to what is reasonably relevant
and any excess information collected will be promptly destroyed or
returned to the impacted individual; and
* information is accessed only by the specified authority and used for
the purpose for which was authorisation was given.

COMPETENT JUDICIAL AUTHORITY:
Determinations related to communications surveillance must be made by a
competent judicial authority that is impartial and independent. The
authority must be:

* separate from the authorities conducting communications surveillance;
* conversant in issues related to and competent to make judicial
decisions about the legality of communications surveillance, the
technologies used and human rights; and
* have adequate resources in exercising the functions assigned to them.
DUE PROCESS:
Due process requires that States respect and guarantee individuals’
human rights by ensuring that lawful procedures that govern any
interference with human rights are properly enumerated in law,
consistently practiced, and available to the general public.
Specifically, in the determination on his or her human rights, everyone
is entitled to a fair and public hearing within a reasonable time by an
independent, competent and impartial tribunal established by law,[10]
except in cases of emergency when there is imminent risk of danger to
human life. In such instances, retroactive authorisation must be sought
within a reasonably practicable time period. Mere risk of flight or
destruction of evidence shall never be considered as sufficient to
justify retroactive authorisation.

USER NOTIFICATION:
Individuals should be notified of a decision authorising communications
surveillance with enough time and information to enable them to appeal
the decision, and should have access to the materials presented in
support of the application for authorisation. Delay in notification is
only justified in the following circumstances:

* Notification would seriously jeopardize the purpose for which the
surveillance is authorised, or there is an imminent risk of danger to
human life; or
* Authorisation to delay notification is granted by the competent
judicial authority at the time that authorisation for surveillance is
granted; and
* The individual affected is notified as soon as the risk is lifted or
within a reasonably practicable time period, whichever is sooner, and in
any event by the time the communications surveillance has been
completed. The obligation to give notice rests with the State, but in
the event the State fails to give notice, communications service
providers shall be free to notify individuals of the communications
surveillance, voluntarily or upon request.
TRANSPARENCY:
States should be transparent about the use and scope of communications
surveillance techniques and powers. They should publish, at a minimum,
aggregate information on the number of requests approved and rejected, a
disaggregation of the requests by service provider and by investigation
type and purpose. States should provide individuals with sufficient
information to enable them to fully comprehend the scope, nature and
application of the laws permitting communications surveillance. States
should enable service providers to publish the procedures they apply
when dealing with State communications surveillance, adhere to those
procedures, and publish records of State communications surveillance.

PUBLIC OVERSIGHT:
States should establish independent oversight mechanisms to ensure
transparency and accountability of communications surveillance.[11]
Oversight mechanisms should have the authority to access all potentially
relevant information about State actions, including, where appropriate,
access to secret or classified information; to assess whether the State
is making legitimate use of its lawful capabilities; to evaluate whether
the State has been transparently and accurately publishing information
about the use and scope of communications surveillance techniques and
powers; and to publish periodic reports and other information relevant
to communications surveillance. Independent oversight mechanisms should
be established in addition to any oversight already provided through
another branch of government.

INTEGRITY OF COMMUNICATIONS AND SYSTEMS:
In order to ensure the integrity, security and privacy of communications
systems, and in recognition of the fact that compromising security for
State purposes almost always compromises security more generally, States
should not compel service providers or hardware or software vendors to
build surveillance or monitoring capability into their systems, or to
collect or retain particular information purely for State surveillance
purposes. A priori data retention or collection should never be required
of service providers. Individuals have the right to express themselves
anonymously; States should therefore refrain from compelling the
identification of users as a precondition for service provision.[12]

SAFEGUARDS FOR INTERNATIONAL COOPERATION:
In response to changes in the flows of information, and in
communications technologies and services, States may need to seek
assistance from a foreign service provider. Accordingly, the mutual
legal assistance treaties (MLATs) and other agreements entered into by
States should ensure that, where the laws of more than one state could
apply to communications surveillance, the available standard with the
higher level of protection for individuals is applied. Where States seek
assistance for law enforcement purposes, the principle of dual
criminality should be applied. States may not use mutual legal
assistance processes and foreign requests for protected information to
circumvent domestic legal restrictions on communications surveillance.
Mutual legal assistance processes and other agreements should be clearly
documented, publicly available, and subject to guarantees of procedural
fairness.

SAFEGUARDS AGAINST ILLEGITIMATE ACCESS:
States should enact legislation criminalising illegal communications
surveillance by public or private actors. The law should provide
sufficient and significant civil and criminal penalties, protections for
whistle blowers, and avenues for redress by affected individuals. Laws
should stipulate that any information obtained in a manner that is
inconsistent with these principles is inadmissible as evidence in any
proceeding, as is any evidence derivative of such information. States
should also enact laws providing that, after material obtained through
communications surveillance has been used for the purpose for which
information was given, the material must be destroyed or returned to the
individual.

SIGNATORIES

=======================================
APC Forum is a meeting place for the APC community - people and
institutions who are or have been involved in collaboration with
APC, and share the APC vision - a world in which all people have easy,
equal and affordable access to the creative potential of information and
communication technologies (ICTs) to improve their lives and create more
democratic and egalitarian societies.