TRACKING SURVEILLANCE

Surveillance creep has made the leap front and centre as the world responds to COVID-19. EWAN SUTHERLAND charts the shifts in technology, practice and norms.

The practice of surveillance began with the covert interception of mail, with telegram and telephone interception being added centuries later. These activities were undertaken by the police and secret police, later intelligence services, together with the post office, often without an explicit legal framework or checks and balances, but constrained by limited resources.

Over time these practices had to be reconciled with the growing recognition of privacy as a human right under national constitutions and international treaties, with the creating a right to data protection. Liberalisation of markets demanded the clarification of authorisation for wiretapping, and the payment of costs and legal liabilities through legislation and licensing.

The scope of surveillance was expanded with the profusion of new services, enabled by advances in technology, the increasing use of over the top applications, often without providers having a legal or physical presence in the particular jurisdiction.

Perceptions of the threats, especially of the rise of terrorism, changed views of the scale and scope of the data and metadata that should be collected, often under pressure for immediate action and fear of criticism for the failure to have intercepted or passed information between agencies. The result has been varied national regimes, offering different levels of protection for individuals, with governments using tools purchased, sometimes covertly, from a complex surveillance industry ecosystem.

Surveillance has moved into the internet of things, with the plethora of internet-enabled devices, some wearable, and the complications of often unencrypted transmission of data to service providers. Increasingly, citizens and consumers transmit and share their data in the name of security and health, or for convenience, lifestyle and entertainment. For example, local police forces in the have partnered with home security company Ring to offer free or discounted smart camera systems to local residents. In addition to features such as video-enabled doorbell ringing on homeowner smartphones, Ring facilitates police access to images taken from doorbell cameras.1 There are concerns these can be intercepted directly or images obtained from the service provider without a court order or the consent of the customer.

At the time of writing, governments of all persuasions are moving to utilise surveillance technologies to address the profound health and economic challenges wrought by the COVID-19 pandemic.

SURVEILLING THE SURVEILLERS

Although the public was rarely told directly about surveillance techniques or the scale of their use, some information found its way into newspaper reports of trials and into crime and spy fiction and, later, the cinema. Nowadays, universal and regional treaties exist to protect human rights, including privacy, in countries with significant observance of the rule of law. But surveillance technologies are also embedded in network equipment as “lawful interception” and available to countries with little, if any, regard for human rights.

While there are formalised mechanisms in some jurisdictions, such as complaints bodies, and annual reporting, the level of privacy protection is inconsistent overall and transparency and oversight around surveillance remain patchy, with governments often closely guarding and actively concealing information.

Countries treat matters of national security very differently, with too many parliaments entirely excluded from such topics and power reserved to the head of state and security agencies. While parliaments should be overseeing police and intelligence services and scrutinising budgets and practices, the use of technologies such as international mobile subscriber identity-catchers (IMSI-catchers) and surveillance malware has almost never been discussed. By contrast, the collection of metadata has been debated in some parliaments, being an obligation imposed on commercial operators.

Reports on the use of interception and surveillance are presented to a small number of more powerful parliaments, but the vast majority of countries do not publish policies, list equipment available to their police and intelligence services or indicate the scale of their surveillance activities. The United Nations frequently reports violations of human rights, but is unable to enforce them. There is commendable work by groups such as the Citizen Lab and Privacy International, but these are too few in number for the task they face.

8 InterMEDIA | April 2020 Vol 48 Issue 1 www.iicom.org IIC EVENTS

The growth of corporate social responsibility has seen some multinational corporations adopt policies and report on the surveillance activities they conduct in response to judicial and police orders. As Vodafone noted, it was forbidden by the governments of Egypt and South Africa to disclose anything more than the legal provisions, despite concerns about both regimes.2 While the MTN Group has published its human rights strategy, it manages to reconcile this with the surveillance and wiretapping obligations of the repressive governments of Iran, Syria and Yemen, apparently to the satisfaction of its investors.3

LITIGATION AND LOCATION

Litigation has been a source of insight into the workings of lawful intercept regimes, which often have a cross-border dimension, and has shaped approaches to surveillance.

United States. The Electronic Frontier Foundation (EFF) sued the US National Security Agency, challenging its right to operate the Orwellian-sounding “Room 641A”, an interception facility at AT&T. The case was dismissed by the Court of Appeals, because of retroactive immunity granted by the US Congress,4 which the US Supreme Court consequently declined to hear.5 A further case by the EFF was dismissed by the District Court, then reinstated by the Court of Appeals, but has yet to reach judgement.6

United Kingdom. Public interest litigation is underway in the United Kingdom, following freedom of information requests, to determine how many IMSI-catchers have been purchased by the police and what the policy is for their use, since there had been no public disclosure.7

Africa. There have been occasional cases about human rights, but there is no right to privacy in the African Union treaty. In Malawi, attempts to block the use of the Consolidated ICT Regulatory Management System were rejected on appeal, despite lower courts accepting arguments that the collection of call data records violated the right to privacy.8 A case that the mandatory registration of SIM cards in South Africa violated the right to privacy was launched a decade ago, but has yet to conclude.9

Cross-border. The issue of court-ordered access to servers came to prominence with BlackBerry, which encrypted its BlackBerry Messenger service on servers in Canada. Governments in, for example, India and the United Arab Emirates worked to persuade BlackBerry to place servers in their jurisdictions so that they might have access to the contents.10 A different approach has been taken in Russia where, following the “colour” revolutions and the Arab Spring, systematic monitoring that had been reduced in post-Soviet times was reinstated with expanded capacity, notably of social networks.11 The Putin administration has attempted to force social network providers to locate servers in Russia and to store user data for one year, in order to bring them within its control, reinforced by blocking non-compliant services at the international gateway.12

A SURVEILLANCE ECOSYSTEM

Governments have imposed obligations on operators and service providers to collect and store data and metadata about their customers. Standards have evolved under the term “lawful interception” used in what is now a complex global market for hardware and software, that includes well-known and specialist firms, including some venture capital-funded start-ups.13 Police and intelligence services purchase equipment to undertake surveillance, at best with limited reporting to parliaments and the public. Access to surveillance, encryption and decryption tools is no longer the exclusive domain of governments and security or law enforcement agencies.

Supposedly, the export of surveillance technologies from Western countries is controlled by the Wassenaar Arrangement, to ensure they are not available to autocratic or authoritarian governments. However, some exports appear to avoid the controls and some vendors are in countries that are not signatories. It seems likely that just as demand is met for encryption technologies, demand will also be met for interception and decryption technologies, regardless of concerns for human rights. Indeed, some countries may see the supply of surveillance technologies to authoritarian regimes as politically beneficial.

IMSI-catchers. One device that has received little publicity is the IMSI-catcher or “stingray”, the latter being a brand name assigned by the Harris Corporation. These devices are designed to perform some of the functions of a mobile telephone base station, interrogating mobile phones over short distances to obtain their international mobile subscriber identity (IMSI) and international mobile equipment identity (IMEI), the serial numbers of the SIM card and handset respectively.

An IMSI-catcher at an airport could monitor arriving customers, capturing IMEI numbers before customers switch to local SIM cards, and potentially link them to passenger and passport records. Similarly, at a protest or political demonstration, IMSI-catchers might capture details of those marching past an office or van. IMSI-catchers have also been used in drones and light aircraft to scan wider areas.

[Photo caption: Thermal temperature measuring drone used as part of COVID-19 interventions in Istanbul]

A number of firms supply IMSI-catchers, purportedly only to law enforcement authorities, but devices are available for sale on Alibaba,14 while GitHub has instructions for a do-it-yourself device. Last year, Bangladesh tendered for a backpack IMSI-catcher for its notorious Rapid Action Battalion,15 building on prior equipment and training procurements by the same unit.

In many African countries there are requirements that SIM cards be registered in a database, which when linked to an IMSI-catcher would generate names and addresses, even biometric data. However, there are many problems with inaccuracies in such databases, potentially leading to serious difficulties for wrongly identified individuals. Unusually, one IMSI-catcher turned up in the South African parliament where it had been used to jam mobile phone signals, purportedly to stop the detonation of any bombs. In the absence of permission from the parliament, this was held to be unlawful.16

Backdoors. One of the more controversial demands of government has been for “backdoors” in devices and services. There was a long debate in the United States about this for the Clipper chip in the early 1990s. With the growth of relatively secure mobile apps, the Five Eyes alliance of interception agencies has again called for backdoors so they can more easily decipher communications.17

Given widespread uptake of encrypted communications, venture capital-based firms have emerged that offer to intercept and decipher communications, or get around encryption. A number have appeared in Israel, notably the NSO Group, owned by London-based private equity fund Novalpina Capital, which has controversially denied supplying surveillance technologies to authoritarian governments that use them to spy on human rights campaigners and journalists. In the US, as part of a high-profile stand-off between the Federal Bureau of Investigation (FBI) and Apple in 2015-16 over access to an iPhone during a criminal investigation, the FBI successfully turned to a third party to build a tool to break into the iPhone and retrieve files from it. In Uganda the intelligence service deployed surveillance malware from fake Wi-Fi hotspots.18 This enables it to bypass any encryption by seizing control of the smartphone or tablet computer, capturing keystrokes and copying files.

[Photo caption: Personal tracking app with QR code showing whether a person is infected with COVID-19]

THE PANDEMIC PANOPTICON

At an early stage the distinction was drawn between “Before COVID-19 (BC)” and “After COVID-19 (AC)” in the expectation of significant cultural, economic, political and social changes. Dr Anthony Fauci, the leading US epidemiologist, forecast the permanent demise of handshaking. Such changes are not unexpected, with 9/11 having brought increasingly sophisticated detectors to airports and AIDS having changed sexual practices. Inevitably, there has been fraud, price gouging and quackery by opportunists exploiting human weaknesses.

The explosive growth of Zoom by people suddenly switching away from in-person meetings revealed that security had not been included in its basic design, causing many prohibitions of its use and a scramble by the company behind the service to catch up.

To flatten the peaks of those being infected, ventilated and dying, governments and medical authorities turned to a traditional practice of tracking and tracing those who had had contact with persons infected with the SARS-Coronavirus-2 that causes the COVID-19 disease.

Outbreaks of SARS in 2003, MERS in 2015, and novel influenzas had mostly been confined to East Asia, where governments had transformed these processes by adopting digital methods. For example, South Korea had both legal and technical frameworks for testing and tracking, which were deployed rapidly in its successful suppression of COVID-19. China has its routine mass-surveillance system including CCTV cameras with facial recognition and was able to insist on the downloading of software for smartphones that gave individuals colour-coded quick response (QR) codes to signal whether they could pass freely or must remain quarantined.

The unusually fast spread of the coronavirus means that manual tracing would have been overwhelmed, requiring the speed and efficiency of a contact-tracing mobile app that has a memory of proximity contacts over recent days that can be notified if and when a contact is found to be positive.19 Thus digital controls are available for epidemics, provided they are used by enough people, allowing for those without a smartphone.

With governments adopting lockdown policies they sought data about the movement of people through the proxy of the location of their mobile phones, already widely used by many apps (e.g. Fitbit, Google Maps and Instagram) and more narrowly by law enforcement. In some countries mobile operators provided heat maps to show movements of their customers, arguing that the data were sufficiently aggregated to prevent the identification of individuals and thus complied with data protection legislation. In some countries the police used drones with cameras and even facial recognition and automatic number plate recognition to identify citizens who might be violating lockdown rules.

An economic argument is made that as lockdowns are being lifted an app might signal a clean bill of health for some short period of time, thus aiding our increasingly service-based economies, so much of which is delivered in person (e.g. coffee shops, gyms and restaurants). Wearing masks and gloves, washing hands and socially distancing, and wiping down surfaces could be supplemented by controlling those entering a bus or a building by requiring a clean app and a temperature check.

In China, some home delivery services provide the body temperatures of the cook and of the person delivering the food in efforts to reassure customers. A number of governments are developing their own apps, some more rapidly than others, in parallel with the expansion of testing. The app released in Moscow was said to be able to access data stored on the smartphone, including calls made and received, location data, stored files, network information and other data, all to ensure an individual does not leave home while contagious. A QR code was to be issued to prove the individual was permitted to go shopping or do some other activity and could be demanded by the police.

In an extraordinary move, Apple and Google offered to make concerted modifications to their operating systems to enable smartphones to identify other phones that had been within Bluetooth range, potentially creating for users of almost every smartphone a list of the other phones whose owners had been close enough to transmit or to receive the coronavirus. While they promise this will be secure, it offers a potential mechanism for governments to use for repressive purposes, with obvious concern that the supposed controls over the anonymity of the owners of phones might prove illusory. It offers yet another route for attacks using a variant of the IMSI-catcher.

The European Data Protection Supervisor has called for a pan-European model, applying data protection by design principles, for the COVID-19 mobile app, with an initiative already begun called the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) to allow people to receive or to trigger an alert when moving between countries.20 Additionally, where the data are held in a central database there is a significant risk of hacking leading to data breaches.

The pursuit of the pandemic panopticon began in China and in South Korea, presenting significant challenges to privacy. Its wider adoption risks offering tacit support for authoritarian governments that might extend such measures and technologies long after the risk of infection has been eliminated by a vaccine. One way to consider the correct response would be whether the use of such apps would be thought appropriate in a virus that spread less easily or in more limited ways, such as HIV.

A central concern where privacy is involved is whether the supposed anonymity of the data is effective or whether it can be de-anonymised, whether by criminals or by corporations. Linking such data to medical records raises obvious and very serious concerns, especially when names such as NSO Group and Palantir (surveillance technology providers) are mentioned.

CONCLUSION

Citizens living under authoritarian regimes have learned to be circumspect in their communications, whether conversations in cafés or use of the Internet, knowing that efforts are made to intercept and to report them. Meanwhile citizens of more democratic countries may be relaxed about sharing data, even when it is used to customise adverts for individuals in particular locations and states of mind, nudging them to spend and boost corporate profits. Much more dangerously, this marketing model is used to manipulate political actions, which can be combined with surveillance to control or repress dissent or protest.

A major constraint on surveillance in most countries is the lack of technical skills, with advanced economies taking action to boost their supplies of data scientists. Even a single smartphone may yield many Gigabytes of data that require processing, while some undersea cables carry tens of Terabits per second. It is little consolation that few governments are able to cope with such volumes and individuals may escape surveillance by being lost in the crowd. Given ubiquitous CCTV cameras with facial recognition, IMSI-catchers, social media and services like Clearview AI, it is becoming increasingly difficult to be lost in the crowd.

Since it is possible to track down and arrest individuals from their faces, gaits, and mobile telephones, increasingly individuals may be discouraged or afraid to dissent or protest against governments. Would the Christopher Street riot at the Stonewall Inn of just over half a century ago have happened today? Anti-government protestors in Hong Kong last year employed a range of measures to hide their identities, from wearing face coverings and holding umbrellas, to destroying “smart” lamp posts, and arrests of pro-democracy campaigners are still occurring months later.

The significant health and economic impacts of COVID-19 mean that surveillance-based tracking and tracing tools are being taken up worldwide. There is a need for enhanced parliamentary oversight to ensure policies and practices comply with human rights from the outset. Given the rapid advances in surveillance and interception technology, much greater attention to transparency and reporting is required if governments are to be held to account. The courts will also be called upon to test practice against human rights.

Warhol claimed that in the future we would be famous for fifteen minutes, now we might wish for fifteen minutes of anonymity.

EWAN SUTHERLAND is an independent telecommunications policy analyst, a research associate at the LINK Centre, University of the Witwatersrand, Johannesburg, South Africa and a trustee of the International Institute of Communications (IIC).

REFERENCES

1 Fund J (2019). How much do we trust Alexa, Siri, Nest, and Ring - and their makers? National Review. 14 July. bit.ly/2TrBdbp
2 Vodafone Group (2014). Law enforcement disclosure report. bit.ly/2VD9Pqs
3 MTN (2019). MTN position on online freedom of expression, privacy and security (digital human rights). bit.ly/36YyDgV
4 Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008. bit.ly/2QVUss6
5 Hepting v AT&T, 11-1200 (Supreme Court of the United States October 9, 2012).
6 Jewel v NSA, 4:08-cv-04373-JSW (Northern District of California May 19, 2017).
7 Privacy International (2018). Privacy International v Information Commissioner’s Office (IMSI Catcher FOIA). bit.ly/30uM4mG
8 Malawi Communications Regulatory Authority v Hophmally Makande and Eric Sabwera, 2013.
9 amaBhungane (2017). Advocacy: AmaB challenges snooping law. The amaBhungane Centre for Investigative Journalism. 20 April. bit.ly/2ToGxwm
10 Brady S (2012). Keeping secrets: A constitutional examination of encryption regulation in the United States and India. Indiana International & Comparative Law Review 22(2): 317-346. bit.ly/34LQgAk; Abraham S & Hickok E (2012). Government access to private-sector data in India. International Data Privacy Law 2(4): 302-315. bit.ly/2z5eJF1
11 Soldatov A (2015). The taming of the internet. Russian Politics & Law 53(5-6): 63-83. bit.ly/2xJ0TYB. On 12 November 2012 the Russian Supreme Court upheld the right of the authorities to wiretap opposition politicians.
12 Solon O (2015). Russia’s fist just clenched around the internet a little tighter. 31 August. bloom.bg/2TqkpSh
13 For example, European Union (1996). Council Resolution of 17 January 1995 on the lawful interception of telecommunications. Official Journal 39(C 329): 1-4. bit.ly/34RHG35 and European Telecommunications Standards Institute (2019). Technical Committee Lawful Interception. bit.ly/2uLJOLN and 3GPP (2019). 3G security: Lawful interception architecture and functions. 3rd generation partnership project. bit.ly/2NuREA8 and the United States equivalent is section 103 of the Communications Assistance for Law Enforcement Act (CALEA) of 1994 (47 USC 1001-1010), which resulted in standards and Telephone Industry Association (TIA) specification J-STD-025 and Packet Cable Electronic Surveillance Specification (PKT-SP-ESP-101-991229). Russia has its own standard, the System of Operational-Investigatory Measures (SORM).
14 Alibaba (2019). IMSI catcher gateway. bit.ly/35Ri5X2
15 CPTU (2019). RAB Forces HQ/CPS/2018-2019/4112316/190. 11 February. Government of the People’s Republic of Bangladesh. bit.ly/2TsnTUn
16 Primedia Broadcasting and others v Speaker of the National Assembly and others, 2016.
17 Barnes T (2019). Tory home secretary says government should be allowed to read people’s WhatsApp messages. Independent. 30 July. bit.ly/3arqh2F
18 Privacy International (2015). For God and my President: State surveillance in Uganda. bit.ly/2RSJy6C
19 Ferretti L et al. (2020). Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing. Science. 31 March. bit.ly/3cylBJM
20 PEPP-PT (2020). Pan-European privacy-preserving proximity tracing. bit.ly/2zb5KCh
