Surveillance and Privacy Protection in Latin America
Examples, Principles, and Suggestions
Abstract and Keywords
This chapter covers surveillance and privacy protection in Latin America, providing examples, principles, and suggestions. The first part offers an overview of governmental surveillance regulation through an analysis of existing legislation in Argentina, Colombia, Mexico, and Peru. It should be noted that this analysis merely seeks to identify trends in legal frameworks, rather than provide a comprehensive account of existing laws. Regulating state surveillance and creating a precedent of rights protection both off- and online is critical. To provide a more nuanced and updated understanding of how human rights should be protected online, the second part of this chapter examines several sets of principles that have been created by civil society actors, technical experts, and human rights specialists. The chapter compares those principles with the actual legislation in the four countries surveyed. Finally, the chapter concludes with some suggestions for future policymaking concerning communications interceptions and surveillance in Latin America.
Debates concerning the protection of personal privacy and freedom of expression certainly predate Edward Snowden’s 2013 revelation of massive national and international surveillance operations in the United States and beyond. In recent years, however, three interrelated factors have made discussions of privacy protection more salient: the permeation of Internet use across all facets of modern life, the resulting ease of data collection on an unprecedented scale, and the demonstrated existence of governmental programs to collect and store such data on a massive basis. To be clear: governmental surveillance might be justifiable in certain cases—for example, for the prosecution of serious crimes or human rights abuses. However, permitting any government unfettered access to citizens’ private communications violates fundamental rights, jeopardizes democratic institutions, creates a culture of fear or self-censorship, and has proven ineffective in preventing future crimes.
In Latin America, historical context is important for discussions of privacy protection and judicial restrictions on governmental surveillance. In many cases, the most egregious violations of human rights under Latin American dictatorial governments were fundamentally linked to surveillance operations conducted by intelligence agencies. Such surveillance operations typically targeted dissident groups, journalists, students, and trade unions,1 even though the right to privacy was and is included in the constitutions of these countries.
The first part of this chapter provides an overview of governmental surveillance regulation through an analysis of existing legislation in four Latin American countries: Argentina, Colombia, Mexico, and Peru. These countries represent a diverse sample group geographically and institutionally, and in terms of Internet penetration.2 It should be noted that this analysis merely seeks to identify trends in legal frameworks, rather than provide a comprehensive account of existing laws.
Regulating state surveillance and creating a precedent of rights protection both off- and online is critical. To provide a more nuanced and updated understanding of how human rights should be protected online, the second part of this chapter examines several sets of principles that have been created by civil society actors, technical experts, and human rights specialists. The chapter compares those principles with the actual legislation in the four countries surveyed.3
Finally, the chapter concludes with some suggestions for future policymaking concerning communications interceptions and surveillance in Latin America.
In Latin America, surveillance legislation is frequently taken as a suggestion instead of a firm rule, and the reality of government activities frequently oversteps legislated constraints. However, understanding the legal frameworks remains important for making valid and practical policy recommendations. In Latin America, two commonalities can be identified among intelligence activities: first, partisan abuse of surveillance techniques to monitor the opposition; and second, habitual attempts of police and intelligence forces to increase autonomy and limit checks on authority. Although the implications of these patterns will be further explored later on, it is important to acknowledge that governments’ simultaneous obligations to safeguard individual rights while addressing threats to public safety are neither aligned nor mutually exclusive. Instead, these two imperatives are manifested as a balancing act for which there is no universal solution. In the following subsections, the legal frameworks for Argentina, Colombia, Mexico, and Peru are briefly explored.
Though government surveillance capabilities are abundant and well known in Argentina, the right to privacy in personal communications is specifically defined in the Argentine Constitution.4 In terms of legislation for data protection and the right to privacy, the pendulum has swung in both directions. In addition to the requirement for judicial authorization and other specific protocols for communications interceptions specified in the Federal Criminal Procedure Code,5 the Personal Data Protection Law, passed in 2000, addressed the administration of public and private databases with provisions for user consent and its revocation,6 the mandatory destruction of irrelevant data,7 and the requirement for legal authorization when releasing personal data.8 Four years later, the Mobile Communications Services Law 25.891 mandated that telecommunications companies maintain databases of personal data (name, address, etc.) to enable the clear identification of their customers,9 which many considered an unnecessary violation of privacy.10 Most recently, the 2014 Argentina Digital Law reiterated the inviolability of communications and granted all communications, electronic or otherwise, protection equal to that previously granted to postal services, permitting interception only with authorization from a competent judge.11
Other limits and safeguards for surveillance and intelligence gathering exist on the books. For example, the 1991 Domestic Security Law established the Bicameral Auditing Committee to monitor domestic security and intelligence activities.12 The first oversight mechanism of its kind in Latin America, the Committee had one widely publicized success case when it identified illegal state surveillance of unions and student organizations in 1993. However, its oversight and enforcement powers were limited.13
In 2001, the National Intelligence Law expanded the aforementioned committee, renaming it the Bicameral Committee for the Oversight of Intelligence and Internal Security Bodies and Activities.14 This Committee is now charged with the task of supervising all communications interceptions and has been granted the power to investigate intelligence activities on its own initiative.15 By law, all parts of the National Intelligence System must honor any of the Committee’s requests for information or documentation and must submit to it annual reports.16 The reports are approved by the Intelligence Secretariat’s Directorate of Judicial Surveillance, which is also the sole overseer for judicial authorizations for communications interceptions.
These oversight mechanisms are frequently criticized by advocacy groups, on several grounds. First, the Intelligence Secretariat reports directly to the executive, effectively giving the president power over the subsidiary branches dealing with criminal and military strategic intelligence.17 Some suggest that under the control of the executive, the Secretariat has been used for political ends.18 Moreover, the NGO Asociación por los Derechos Civiles (ADC) has found that none of the deputies from Congress has ever received an annual report from the oversight Committee, meaning the check exists only in theory.19 Third, the Regulatory Decree 950 makes the Bicameral Committee’s capacity to access classified information dependent on the Secretariat’s authorization—effectively subjecting the oversight mechanism to the will of the institution being monitored.20
In January 2015, following the controversial death of federal prosecutor Alberto Nisman, President Cristina Fernandez de Kirchner held a televised address to present a bill to dissolve the Intelligence Secretariat. That bill became the Federal Intelligence Agency Law, transferring the “personnel, assets, current budget, and equity” of the Intelligence Secretariat to a new entity, the Federal Intelligence Agency (AFI).21 Responding to criticisms, one improvement is that the executive-designated Director and Subdirector of the AFI must be approved by the Senate, providing a legislative check.22 Despite these changes, there is ongoing concern that surveillance and intelligence activities in Argentina remain convoluted, politically charged, and, in practice, free of oversight from the public or independent bodies.
As the most technologically advanced country of those in question, Argentina’s state and intelligence activities boast access to sophisticated techniques for data collection. One such measure is the new federal biometric system for the identification of citizens, SIBIOS, which was introduced by President Cristina Fernandez de Kirchner in 2011 and uses physical traits such as fingerprints and face scans to uniquely identify nationals and foreigners alike.
In terms of codified law, Colombia has clearly-defined processes and oversight mechanisms for data interception. Under the Criminal Procedure Code, requests for communications interceptions must be approved by the attorney general’s office.23 Such requests must have a stated investigative purpose and must specify the data subjects, the type of data to be collected, and the duration of the surveillance.24 Furthermore, communications interceptions must be authorized by a competent judicial authority (although retroactive approval is permitted),25 and the Penal Code specifies that illegal interception of data without judicial order carries criminal penalties of 36 to 72 months in prison.26
In addition to the protocols and safeguards for data collection indicated in the penal and criminal procedural codes, there are several laws that deal directly with governmental surveillance and personal data. Expanding upon the Telecommunications Law of 2009 and the Citizen Security Law, which expanded investigatory powers in 2011,27 Decree 1704 mandated that service providers must maintain accurate subscriber details such as identity, address, and connection information for a period of five years.28 Although there is no specific provision for the companies to retain other communications metadata, the law specifies that if any additional metadata is retained for business purposes, the government can request it for up to five years.29
Colombia’s Data Protection Law, passed in 2012, was intended to expand the constitutional “Right to Know” as applied to personal information stored in public or private databases.30 Under the law, the data subject must always give prior, express, and informed consent for all activities pertaining to the collection, use, and transfer of personal data—except those specifically exempted from the law, such as credit data.31 The Data Protection Law established the National Register of Databases as a public directory of all databases in the country to be consulted by any citizen.32 However, personal data acquired by the various law enforcement agencies’ mass data collection platforms do not appear in these registers.
In 2013, the government attempted to increase the checks on intelligence activities with the Intelligence and Counterintelligence Bill, which became Law 1621. The law created the Legal Commission for Monitoring the Activities of Intelligence and Counterintelligence, as well as an advisory committee for data and archive management.33 However, these committees may only scrutinize documents provided by the agencies themselves, resulting in no direct supervision from independent organizations.34 In addition, the intelligence bodies must submit an annual report to Congress. However, as in the case of Argentina, the entity being monitored determines which information to submit for review. Moreover, such checks have proved to be largely irrelevant as the Directorate of Criminal Investigation and Interpol (DIJIN)’s highly contested phone and Internet monitoring system, PUMA, was advanced in 2014, the same year that the government carried out the widely-publicized Andrómeda surveillance operation, which is further discussed below.
Mexico’s Constitution clearly enshrines the inviolability of private communications and further specifies that only designated federal authorities may employ surveillance methods, and then only with judicial authorization and under threat of criminal prosecution for noncompliance.35 Yet the Law Against Organised Crime of 1996 expanded investigative and prosecutorial tools including electronic surveillance, undercover operations, and the prosecution for criminal association.36 Although some criticized the law as a violation of the right to privacy or even a case of constitutionally-sanctioned espionage,37 the text of the law does provide safeguards. Requests for communications interceptions, for example, must be made in writing to a district judge and must state the objective and necessity of the intervention as well as a detailed plan of investigation, including specific people, places, and type of communication to be intercepted and the duration of the operation.38 The Mexican Supreme Court has further established the precedent that the phrase “private communications” in the Constitution encompasses any extant technologies and those that may evolve in the future, including communications via the Internet.39
Mexico is a federation like the United States or Argentina, but until recently, there were separate and inconsistent penal codes for each of Mexico’s 32 states. With the implementation of the Federal Penal Processing Code in 2014, the country’s judicial proceedings were streamlined and made uniform nationwide.40 In terms of communications surveillance, the Code designates the attorney general as the governmental authority that may carry out surveillance activities for the purpose of criminal proceedings. The Code also establishes penalties for those who misuse data obtained during the interception of private communications or conduct such interventions without authorization from the attorney general’s office and a competent judge.41 However, the Penal Procedural Code lists “the placement of tracking and surveillance devices” as a recognized security tool,42 and Article 178 requires that any person “required by the Attorney General or competent authority [shall] collaborate or provide information to geo-locate communication devices in real time.”43
This stipulation is based on the 2014 Federal Telecommunications and Broadcasting Law, which significantly increased the state’s capacity to surveil private communications. Although the Telecommunications Law lists “the protection of personal data” as a user right,44 Article 190 establishes an ample list of obligations for telecommunications service providers to comply with law enforcement activities. In addition to providing real-time location data upon request, the service provider must maintain a registry of communications made from any of its lines, identifying the following data: names, corporate name, and address of subscriber; types of communication or of services used; origins and destinations of communications; the date, hour, and length of the communications; and the activation and localizations tags, among others.45
Despite the mandate for companies to collect and store massive quantities of personal information ex ante, the lengthy Article 190 concludes with a reiteration of the inviolability of private communications and the affirmation that only requests made by specific authorities will be honored, and only if they are authorized by a federal judge. Regardless, the mandatory retention of metadata opens the door for breaches or unlawful transfers of information. It also has a chilling effect on freedom of expression. Considering Mexico’s current National Digital Strategy, which has the stated goal of incorporating “information communication technologies into every aspect of the everyday lives of people, organisations, and government,”46 the potential for misuse becomes all the more critical.
Peru has a similarly solid legal base for personal data protection. In the 1993 Political Constitution, there are numerous provisions that pertain directly to data privacy. In addition to specifying the Freedom of Expression, Right to Privacy, and reputation protection,47 the Peruvian Constitution explicitly specifies the Right to Communications Privacy in Section 10 of the Bill of Rights.48
The 2011 Personal Data Protection Law expanded upon these rights.49 After giving a broad definition of data as any information on an individual that identifies him or makes him identifiable, the Law continues with a series of articles that directly require Legality, Consent, Purpose, Proportionality, Quality, Security, Recourse, and Protection in the interception, transfer, management, or processing of data. The law also includes a provision stating that these principles will be the guiding force in future decision-making.50 Furthermore, the protocol for processing data requires authorization by a judge for data interception, and requires that any data obtained in violation of the Law be destroyed.51
Similarly, the Protocol on the Interception and Recording of Communications, enacted in 2014, clearly plots the procedure for communications interception in seven stages, including an opportunity for control or reexamination at the request of the affected.52 Permission for surveillance may be requested only by specific authorities (the criminal prosecutor, attorney general, or national prosecutor), must receive authorization from a federal judge, and may only be used in investigations concerning 15 serious crimes, which are specified within the text. Additionally, those under surveillance must be notified upon completion, and data that is outside the pre-specified scope of an approved investigation must be destroyed.
Despite the clarity of this communications interception regulation, the Legislative Decree 1182, or “Stalker Law,” has been flagged by many as an unwarranted expansion of police power. The Decree states that service providers are immediately required to provide to authorities real-time location information about suspects of a serious crime, and no prior authorization from a judge or the prosecutor’s office is necessary provided the information is vital to the investigation of a blatant crime for which the penalty would be more than four years in prison.53 Although there is a liability regime in place for those who use the system maliciously, compliance with the limited requirements set out is assessed retroactively, and the system entirely removes the check of judicial authorization. Furthermore, the Decree requires all public telecommunications licensees (fixed and mobile) to retain data for 36 months minimum and up to three years in special storage systems that are easily accessible by authorities.54
Decree 1182 was passed in July 2015, months after the DINI (National Intelligence Directorate) was shut down after allegations of misconduct, but in September 2015 Bill 4809 was introduced to repeal it.55 Bill 4809 maintains many of the articles from the Decree, but requires authorization by a criminal judge on duty in advance of, or within 24 hours after, requesting information from a service provider. It also restores the central role of the attorney general in investigations, as Decree 1182 refers to the police force in general.56 As evident by the legislative volleying and coinciding closure of the Intelligence Directorate, Peru remains equally mired in conflict and scandal concerning surveillance operations, despite its comprehensive legal framework for communications interceptions.
Massive governmental surveillance operations capitalizing on modern technologies are a phenomenon not limited to Latin America, and generally speaking legislation intended to regulate surveillance lags behind the pace of innovation in most countries. The protection of human rights and civil liberties in the digital realm is therefore an ever-evolving endeavor requiring participation and cooperation from states, the private sector, civil society, and beyond. Given the incomparable power that states maintain over safeguarding—or violating—the human rights of their citizens, regulating state surveillance and creating a precedent of rights protection online is critical.
To provide a more nuanced and updated understanding of how human rights should be protected online, several sets of principles have been adopted by groups of civil society actors, technical experts, and human rights specialists. Below, brief overviews of four of these sets of principles are included to indicate their general directions and, more important, to highlight the ways in which many of the aforementioned national laws are similar. The principles under review are: the Necessary and Proportionate Principles, the Tshwane Principles, the Manila Principles, and the OAS Juridical Committee Principles.
A. The Necessary and Proportionate Principles
The most directly applicable of the principles mentioned above are the International Principles on the Application of Human Rights to Communications Surveillance (2014), alternately referred to as the Necessary and Proportionate (NP) Principles.57 The Principles include four key elements:
• Any limitations to privacy must be explicitly provided for by law.
• Communications interceptions must be necessary for a legitimate aim and must be undertaken only after the exhaustion of alternative, less intrusive courses of action.
• Interceptions must be proportional to their intended aim, and must never exceed their stated purposes.
• Checks and safeguards against surveillance abuse must be established, legally and systematically, to ensure the continued protection of human rights.
The NP Principles gained many signatories from organizations based in Argentina, Colombia, Mexico, and Peru.58 Indeed, language employed in the Principles appears nearly verbatim in some legislation, such as Peru’s 2011 Personal Data Protection Law. Overall, each of the countries in question has legislation specifying the processes for authorizing and carrying out surveillance, as well as criminal penalties for noncompliance or the misuse of personal data—all elements of a sound surveillance system called for in the NP Principles. Yet despite the specified processes for communications interceptions, illegal surveillance persists in criminal proceedings and intelligence gathering. Moreover, the patchwork of oversight mechanisms involving the judiciary and/or legislature is often crippled because the overseers obtain only official information from the bodies that they seek to monitor, and there are virtually no provisions for public or independent oversight.
B. The Tshwane Principles
The Tshwane Principles on National Security and the Right to Information (2013) acknowledge this deficiency, further recognizing that within police and intelligence departments “illegal, corrupt, and fraudulent conduct may occur and may not be uncovered, and violations of privacy and other individual rights often occur under the cloak of national security secrecy.”59 As evident in the aforementioned cases where surveillance is suspected, assumed, or even documented but rarely confirmed or curtailed, the public has very little knowledge about systems of surveillance and the procedures for authorizing them.60 For example, although habeas data is an established right in Latin America and many countries have comprehensive databases so that citizens may seek information gathered about them, governmental operations are often hidden from such registries.
The Tshwane Principles acknowledge that some level of secrecy is expected in pursuing the legitimate end of national security. However, the Principles stress that the burden of establishing the legitimacy of any restriction falls squarely on the state. They specify that citizens’ access to information should be interpreted broadly and state restrictions narrowly.61 Furthermore, information should be withheld on national security grounds for only as long as necessary to protect a legitimate national security interest, and no public authority, including the intelligence agencies, the armed forces, police, and other security agencies, should be exempt from disclosure requirements to the general public and for independent oversight.62
C. The Manila Principles
The Manila Principles on Intermediary Liability, released in 2015, advocate that technical intermediaries such as Internet Service Providers (ISPs), social networks, and search engines should be shielded from liability for third-party content.63 These principles, which also count numerous signatories from the countries surveyed here, mandate that requests to intermediaries for the disclosure of personally identifiable information be made only via an order by a judicial authority.64 Although the Manila Principles focus mainly on content restrictions and freedom of expression, they state that intermediaries should not be required to ensure that they have the capacity to identify users.65 This is highly relevant to the direct obligation on telecommunications companies to conserve personal information and metadata for government retrieval, clearly seen in Mexico and Peru.
D. The OAS Inter-American Juridical Committee Principles
Perhaps a bit less idealistic in nature, the Inter-American Juridical Committee (IAJC) of the Organisation of American States created a set of Principles for Privacy and Personal Data Protection in the Americas in 2012,66 and a Legislative Guide on Privacy and the Protection of Personal Data in 2015.67 According to the IAJC, the Principles:
aim at encouraging Member States of the Organisation to adopt measures ensuring respect for people’s privacy, reputations, and dignity. They were intended to provide the basis for Member States to consider formulating and adopting legislation to protect the personal information and privacy interests of individuals throughout our hemisphere.
The goal of the Guide is “to expand upon the Principles by giving additional context and guidance to Member States to assist in their preparation of national legislation.”
One key difference between this document and the NP Principles is its overt recognition of the exceptions and limitations to the public’s right to access information about themselves, specifically in the case of criminal investigations.68 Although the recommendations set forth in the Legislative Guide are often paired with a deference to extant national legislation, it is consistent with the NP and Tshwane documents in its assertion that communications interceptions must have a demonstrated necessity and legitimate ends and that only the citizenry, “physical people” as opposed to government operations, have an interest in privacy.69
V. Conclusions and Suggestions
A. The Disparity between Law and Practice
Perhaps the best example of the disconnect between law and principles, on the one hand, and actual practice, on the other hand, comes from Colombia. Although the right to privacy is cemented in the Colombian Constitution,70 illegal phone tappings are so common that there is a colloquial word for them—“chuzadas.” In recent decades, communications surveillance has played a large part in the ongoing armed conflict between the Colombian government and the rebel group Fuerzas Armadas Revolucionarias de Colombia, or FARC. In 2007, after years of bugging complaints from political opponents and journalists, then-president Alvaro Uribe’s Defence Minister acknowledged the existence of illegal wiretapping operations—although he claimed that the government had no knowledge of the information being procured.71 As a result, 12 members of Congress were jailed on charges of colluding with paramilitaries.
Indeed, nearly every legislative initiative in Colombia addressing privacy or surveillance has been preceded by a scandal. In one sensational incident, news came to light in 2009 that the Administrative Department of Security (DAS, now defunct) had illegally surveilled and actively harassed public figures. In 2014, the widely-circulated newspaper Semana revealed that a Colombian army unit had spied on the government’s negotiating team during peace talks with FARC in Havana, Cuba, during an operation code named Andrómeda.72 Perhaps most strikingly, it is common knowledge that the attorney general’s office, the Directorate of Criminal Investigation, and the Police Intelligence Directorate each has its own separate mass data interception system—all of which are illegal according to Colombian law.73
Although provisions intended to ensure the necessity and proportionality of communications interception, judicial oversight, and penalties for illegal surveillance are present in Colombian law, there are clearly many shortcomings in the legal framework. For example, there is no way for individuals to know if they have been surveilled by the government, and there are no channels for recourse in the event that human rights abuses are discovered. Transparency is virtually nonexistent, and oversight bodies only have access to information provided by the same entities they seek to monitor. Furthermore, the government’s possession and employment of multiple illegal data interception systems clearly indicates that laws need to specify in greater detail the exact capabilities and limitations of law enforcement bodies.
Illegal surveillance by the government is so common that it’s expected and assumed, which has produced a strong culture of self-censorship, or at least technological guardedness. Looking forward, Colombia’s widespread surveillance is especially troubling considering the government’s aggressive policies to increase Internet and telecommunications access across the country.74
The situation in Mexico is not so different: in 1998, reports revealed that the Mexican government had been electronically eavesdropping on political opposition members, journalists, and human rights activists for nearly a decade.75 In addition to thousands of pages of transcripts from bugged telephone lines, investigations revealed hidden microphones and cameras in government offices and receipts for the purchase of $1.2 million in Israeli surveillance equipment. “Everything I say and do, I assume that I am being spied on,” Vicente Fox, the Guanajuato governor who became president in 2000, told the Washington Post after learning that he was targeted in the operation.76
Peru had a similarly complicated experience with government surveillance throughout the 1990s. Until 2000, surveillance activities in Peru were conducted mainly by the Peruvian National Intelligence Service (SIN), which President Fujimori dissolved in 2000 amidst reports of bribes and other illegal activities. At present, Peru’s non-military National Intelligence System (SINA) is controlled by the DINI, which reports directly to the executive. In February 2015, the DINI was closed for reorganization for 180 days following the release of evidence indicating that President Ollanta Humala had committed espionage against critical political figures using DINI’s capacities.77 Although SINA has a legislative check in place, the congressional oversight committee charged with monitoring the intelligence agency’s activities has little autonomy and relies exclusively on information provided by SINA itself to make its assessments.
Finally, Argentina has also followed these patterns. The SIBIOS biometric face- and finger-scanning system mentioned above led Julian Assange to refer to Argentina as having “the most aggressive surveillance regime in all of Latin America.”78 In 2012, shortly after implementing this new system, the Argentine gendarmerie cast doubts on its treatment of sensitive personal data when reports revealed that the government had committed espionage against political, labor, and social leaders, collecting the amassed data in a digital database ominously labeled “Project X.”79 Only months later, Argentina’s federal tax collection agency, AFIP, revealed the three pillars of their auditing strategy as: the maximum use of available technology, centralized data mining, and the employment of both operational and ex-ante inspection,80 further casting doubt on the government’s prudence in dealing with personal data.
To summarize—in Latin America, two commonalities can be identified among intelligence activities: first, partisan abuse of surveillance techniques to monitor the opposition; and second, habitual attempts of police and intelligence forces to increase autonomy and limit checks on authority.
B. Policy Suggestions
It is clear that legal surveillance measures may be necessary under some circumstances, and for that reason they will continue. However, if the parameters defining what is “legal” are insufficiently executed, law enforcement agencies will be tempted to continue ongoing illegal practices or worse—even if surveillance is carried out in many circumstances in good faith or for fair purposes. For this reason, policy suggestions should be pursued on two axes: first, to strengthen accountability mechanisms within existing and future legal frameworks; and second, to increase human rights protection against governmental (understood in the broad sense) surveillance.
In terms of accountability, the first step would be pushing the existing oversight bodies, such as congressional committees, to better fulfill their assigned functions. This might involve granting them additional tools for monitoring the agencies under their control, or it might require the creation of third-party, independent oversight groups. A level of public oversight would not only increase accountability, but also serve to better inform civil society and reduce the chilling effect produced by covert and obfuscated mass surveillance activities.
Concerning the protection of human rights, it is clear that surveillance—which, as has been previously established in this chapter, may be necessary to certain ends—affects personal rights to privacy, among others. However, under national and international standards, the main problem is not surveillance per se, but the threat posed by abusive or arbitrary surveillance measures. The burden of proving the necessity and proportionality of surveillance measures should rest squarely on the agencies conducting such activities. In all cases, respecting human rights should be a foremost concern, integrally incorporated into the design of legislation and oversight regimes, and never circumvented via loopholes or reactive legislation in the wake of tragedy. In other words, “human rights by design” should be the rule for policymaking in this field.
At present, terrorist attacks plotted and carried out by ISIS and other extremist groups have drawn the issue of communications surveillance to center stage. Although increased access to wide arrays of personal data and communications may seem like a worthy exchange in the wake of mass and senseless violence, policymakers must resist the impulse toward hardline, tough-on-terror legislation that could easily transcend exceptional circumstances and become a new norm. At this moment in particular, policymakers must avoid perpetuating a dystopian culture of fear and guardedness, and governments around the world must not sacrifice the values of accountability, transparency, and human rights protection in the name of national security.
(1.) R.A. Ugarte & E. Villa, Who’s Watching the Watchers?: A Comparative Study of Intelligence Organizations Oversight Mechanisms in Latin America, Privacy International, Asociación por los Derechos Civiles (2014). See https://www.privacyinternational.org/node/351.
(2.) According to the Internet Society (ISOC), the rate of Internet penetration in Latin America hovers around 30 percent (see http://www.internetsociety.org/what-we-do/where-we-work/latin-america-caribbean). Within the sample group, Argentina and Colombia have higher-than-average penetration rates, whereas Mexico and Peru have lower (see http://www.internetworldstats.com/stats10.htm). In all cases, the growth in the rate of penetration shows no signs of slowing—on the contrary, the Latin American Internet audience grew 23 percent in 2014 alone.
(3.) Principles that are included in the analysis are: Necessary and Proportionate, Tshwane, Manila, and OAS Inter-American Juridical Committee.
(4.) Constitution of the Argentine Nation. (1953, reinstated 1983). Art. 18: “The residence is inviolable, as are letters and private papers; and a law shall determine in what cases and for what reasons their search and seizure shall be allowed.” See https://www.constituteproject.org/constitution/Argentina_1994.pdf.
(5.) Argentine Criminal Procedure Code. (August 21, 1991). Art. 236. See http://www.infoleg.gov.ar/infolegInternet/anexos/0-4999/383/texact.htm.
(9.) Mobile Communications Services Law, Law 25.891, art. 2. (April 28, 2004). See http://servicios.infoleg.gob.ar/infolegInternet/anexos/95000-99999/95221/norma.htm.
(10.) V. Ferrari & D. Schnidrig, Vigilancia de las Comunicaciones por la Autoridad y Protección de los Derechos Digitales en Argentina, CELE, EFF (October 2015). See https://www.eff.org/files/2015/11/24/argentina-es-final.pdf.
(11.) Argentina Digital Law, Law 27.078, art. 5. (December 16, 2014). See http://www.infoleg.gob.ar/infolegInternet/anexos/235000-239999/239771/norma.htm.
(12.) Domestic Security Law, Law 24.059, art. 33. (December 18, 1991). See http://servicios.infoleg.gob.ar/infolegInternet/anexos/0-4999/458/texact.htm.
(20.) National Intelligence Law, Decree 950, art. 2. (June 5, 2002). See http://servicios.infoleg.gob.ar/infolegInternet/anexos/70000-74999/74896/norma.htm.
(23.) Colombian Criminal Procedure Code, art. 114, § 3. (August 31, 2004). See https://www.oas.org/juridico/mla/sp/col/sp_col-int-text-cpp-2005.html.
(24.) Colombian Penal Code, art. 269, § C. (July 24, 2000). See http://perso.unifr.ch/derechopenal/assets/files/legislacion/l_20130808_01.pdf.
(25.) J.C. Rivera & K. Rodriguez, “Vigilancia de las Comunicaciones por la Autoridad y Protección de los Derechos Fundamentales en Colombia,” EFF (May 2015). See https://www.eff.org/files/2015/05/19/colombia-principios-may-14.pdf.
(27.) The Telecommunications Law, Law 1341, art. 4, § 10. (July 30, 2009). See http://www.mintic.gov.co/portal/604/articles-3707_documento.pdf. Citizen Security Law, Law 1453, arts. 52 and 53. (June 24, 2011). See http://www.mintic.gov.co/portal/604/articles-3709_documento.pdf.
(28.) Decree 1704, art. 4. (August 15, 2012). See http://www.mintic.gov.co/portal/604/articles-3559_documento.pdf.
(30.) Data Protection Law, Law 1581. (October 17, 2012). See http://www.sic.gov.co/drupal/sites/default/files/normatividad/Ley_1581_2012.pdf.
(31.) As specified in the Habeas Data and Database Management Law, Law 1266. (December 31, 2008). See https://www.bancoldex.com/documentos/1291_Ley_1266_de_2008_(Habeas_Data).pdf.
(32.) Data Protection Law, art. 14.
(33.) Intelligence and Counterintelligence Law, Law 1621, arts. 19–26. (April 17, 2013). See http://wsp.presidencia.gov.co/Normativa/Leyes/Documents/2013/LEY%201621%20DEL%2017%20DE%20ABRIL%20DE%202013.pdf.
(35.) Constitution of the Mexican States of American. (1917; last revision December 20, 2010). Art. 16. See http://www.te.gob.mx/gobernadores/edomex/data/legisloc/constitucion.pdf.
(36.) Federal Law Against Organized Crime, arts. 15–28. (November 7, 1996). See http://www.diputados.gob.mx/LeyesBiblio/pdf/101_070417.pdf.
(37.) See E. Gallegos, “Con la Reforma Anticrimen, el Espionaje Entrará a la Constitución,” La Jornada (April 28, 1996). http://www.jornada.unam.mx/1996/04/28/LEY00-2704.html.
(38.) Federal Law Against Organized Crime, art. 16.
(39.) Suprema Corte de Justicia de la Nación. Primera Sala. Amparo en Revisión 1621/2010 y Contradicción de Tesis 194/2012.
(40.) Mexican Penal Procedural Code, art. 211, § 1. (August 30, 1934). See http://www.diputados.gob.mx/LeyesBiblio/pdf/9_120315.pdf. Code updated and applied nationwide via DOF Decree, (March 5, 2014). See www.dof.gob.mx/nota_detalle.php?codigo=5334903&fecha=05/03/2014.
(43.) “To the natural person or, where applicable, the representative of the legal person who is required by the Public Prosecutor’s Office or by the competent authority to collaborate or provide information for the real-time geographic location of communication devices under the terms of the Federal Telecommunications and Broadcasting Law …” Ibid., art. 178 bis.
(46.) National Digital Strategy del Gobierno de la República. (November 2013), p. 7. See http://cdn.mexicodigital.gob.mx/EstrategiaDigital.pdf.
(48.) Ibid., art. 10: “To the secrecy and inviolability of their communications and private documents. / Communications, telecommunications or their instruments may only be opened, seized, intercepted or tapped by reasoned order of a judge, with the guarantees provided by law. Matters unrelated to the fact that motivates their examination are kept secret. / Private documents obtained in violation of this precept have no legal effect. …”
(55.) Projected Law of Coordination for Use of Derived Data. (Rec. September 10, 2015). See http://www2.congreso.gob.pe/Sicr/TraDocEstProc/Contdoc03_2011.nsf/0/210d4d53cb946e2b05257ebc0082aaa9/$FILE/PL0480920150910.pdf.
(57.) International Principles on the Application of Human Rights to Communications Surveillance. “Necessary and Proportionate Principles.” (2014). See https://necessaryandproportionate.org/principles.
(58.) In total: 9 organizations from Argentina, 9 from Colombia, 17 from Mexico, and 6 from Peru. See https://en.necessaryandproportionate.org/signatories.
(59.) The Global Principles on National Security and the Right to Information (Tshwane Principles), New York: Open Society Foundations (June 12, 2013) p. 9. See https://www.opensocietyfoundations.org/sites/default/files/global-principles-national-security-10232013.pdf.
(66.) Inter-American Juridical Committee. (March 9, 2012). Statement of Principles for Privacy and Personal Data Protection in the Americas. 80th Regular Session. Mexico City: Organization of American States. See https://www.oas.org/en/sla/iajc/docs/ijc_current_agenda_privacy_personal_data_protection.pdf.
(67.) Inter-American Juridical Committee. (2015). Legislative Guide on Privacy and the Protection of Personal Data. 86th Regular Session. Rio de Janeiro: Organization of American States. See https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf.
(70.) The Constitution of Colombia. (1991). Art. 15: “All individuals have the right to personal and family privacy and to their good reputation, and the State has to respect them and to make others respect them. Similarly, individuals have the right to know, update, and rectify information collected about them in data banks and in the records of public and private entities.” See https://www.constituteproject.org/constitution/Colombia_2005.pdf.
(71.) D. Crowe, “Colombia Admits Wiretapping Operation,” The Washington Post (May 15, 2007). See http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051501696.html.
(72.) “Chuzadas: Así fue la Historia,” Semana (August 2, 2014). See http://www.semana.com/nacion/articulo/chuzadas-asi-fue-la-historia/376548-3.
(73.) The Attorney General’s office runs Esperanza, the DIJIN has PUMA, and the DIPOL manages IRS.
(74.) D.M. Vega, “Colombia’s Digital Agenda: Successes and Challenges Ahead,” in The Global Information Technology Report, Beñat Bilbao-Osorio et al., eds. (New York: World Economic Forum, 2013). See http://www3.weforum.org/docs/GITR/2013/GITR_Chapter2.1_2013.pdf.
(75.) M. Moore, “Spy Network Stuns Mexicans,” The Washington Post (April 13, 1998). See http://www.washingtonpost.com/archive/politics/1998/04/13/spy-network-stuns-mexicans/a0314a5a-c22a-4802-a23a-c93fabbd64bc/.
(79.) “La Gendarmería en el Banquillo,” Página 12 (February 7, 2012). See http://www.pagina12.com.ar/diario/elpais/1-187784-2012-02-17.html.
(80.) “AFIP Refuerza el Control ‘en Línea’ de las Operaciones Económicas,” AFIP Gacetilla de Prensa (August 15, 2012). See http://www.afip.gob.ar/novedades/docsComunicados/com3369.htm.