Boundaries of Law Exploring Transparency, Accountability, and Oversight of Government Surveillance Regimes

Global Report – January 2017 Boundaries of Law Exploring Transparency, Accountability, and Oversight of Government Surveillance Regimes

Electronic copy available at: https://ssrn.com/abstract=2894490 Electronic copy available at: https://ssrn.com/abstract=2894490 Authors: Prof. Douwe Korff Dr. Ben Wagner Dr. Julia Powles Renata Avila, LL.M. Dr. Ulf Buermeyer, LL.M.

This work is licensed under the Creative Commons Attribution 4.0 Interna- tional License. To view a copy of this license, visit: http://creativecommons. org/licenses/by/4.0/.

This research project was conducted with support from the World Wide Web Foundation. The opinions expressed in this report do not necessarily reflect the views of the World Wide Web Foundation.

The report is based on data collected until December 2015. There have been changes in some of the countries surveyed during 2016, in particular in the UK and Germany. Which could not be reflected within this report. I boundaRIeS of LaW

Table of Contents

Executive Summary 07 Key Findings 08 Proposed Standards 12

1. Introduction, Concepts, Methodology & Case Selection 1.1 Introduction 13 1.2 Terminology 14 1.3 Methodology 15 1.3.1 Country Selection 15 1.3.2 Methodology and Sources 16 1.3.3 Rankings of Selected Countries with Their Legal Systems 17

2. Surveillance and Accountability Frameworks 2.1 Introduction 18 2.2. International human rights law: Judicial and political demands for compliance 19 2.2.1 Basic human rights principles 19 2.2.2 The Basic Principles Applied to Surveillance 20 2.3 National legal and practical arrangements – A comparative analysis 26 2.3.1 What is being compared 26 2.3.2 Constitutional Protections and Exceptions 27 2.3.3 Targeted lawful intercepts by law enforcement agencies 28 2.3.4 Untargeted Generic Access (“Mass Surveillance”) 31 2.3.5 Special Powers in Official Emergencies 51 2.3.6 Secret “Extralegal” Operations 52

4. Overview of the Cases 4.1 Colombia 55 4.2 DR Congo 55 4.3 Egypt 56 4.4 France 57 4.5 Germany 58 4.6 India 59 4.7 Kenya 60

4.8 Myanmar 61 I BOUNDARIES OF LAW 5 4.9 Pakistan 62 4.10 Russia 62 4.11 South Africa 64 4.12 Turkey 65 4.13 United Kingdom 66 4.14 United States 67

5. Conclusion and Recommendations 68

Endnotes 70

Executive Summary

Modern information technologies have given governments an unprecedented ability to monitor our communications. This capability can be used to fight terrorism and serious crime through targeted surveillance that is proportionate and subject to judicial control. What we have witnessed, however—as evidenced by the revelations of whistleblower Edward Snowden—is exponential growth in indiscriminate, generalised access to bulk communications and Internet data (often referred to as “mass surveillance”).

Why does this matter? Our entire lives are online. We generate and share more information than ever before; information that could be abused in the wrong hands. If not tackled, this untargeted, suspicionless mass surveillance will create a chilling effect on speech, trade, and creativity online, and people will refrain from utilizing the Internet to realise its full potential for economic, social, and democratic progress.

In addition, companies are increasingly called upon by law enforcement and national security agencies to cooperate in investigations, resulting in a loss in consumer confidence and damage to a company’s bottom line.

Public opinion has shifted since the Snowden revelations. Now more than ever, we need an informed debate on the role of government surveillance in national security and law enforcement. We need to ensure that such surveillance is accountable and transparent.

Experts surveyed in the 2014 Web Index1 concluded that 84% of the 86 countries covered lacked even moderately effective oversight and accountability mechanisms to protect Internet users from indiscriminate surveillance. A finding as worrying as this needs to be tested, so we carried out a deeper comparative analysis of a smaller sample of countries: Kenya, DR Congo, South Africa, Colombia, Germany, Myanmar, India, Pakistan, France, Turkey, Egypt, Russia, the United Kingdom and the United States. We conducted interviews and desk research on each jurisdiction to get a better idea of the current state of affairs. We have also tried to analyse intra-country intelligence sharing networks and “clubs”, but since much of this occurs without accountability, transparency, or meaningful oversight, there are limits to that analysis. I BOUNDARIES OF LAW

7 8 I BOUNDARIES OF LAW 2 1 Key findings and Turkey, ajudicial warrantisnotrequired, butin In theDRCongo, India,Kenya,Myanmar, Pakistan, subject tootherwisesimilarconstraints. ordered byaprosecutor ratherthanajudge, butisstill USA. InColombia,interception incriminalcasescan be the lawsofFrance,Russia,South Africa,theUKand meaningful statistics.Similarconstraintsare laiddownin use ofsuchwarrants,withthepublicationdetailed, with furthersafeguards including transparency aboutthe the targetofsurveillance,validforalimitedperiod, the basisofajudicialauthorisationclearlyspecifying for targetedinterception incriminalinvestigationson equivalent laws.TheGermanCPC,forexample,allows contained inthedomesticCriminalProcedure Codeor tions, thesecircumstances andformalitiesare typically In relation tospecific,targetedcriminalinvestiga- in certaincircumstances. dentiality ofcommunicationscanbeinterfered with), countries, therightcanberestricted (i.e.,theconfi- there isreluctant tobeactiveinthatrespect). Inall life andpersonalliberty”(India—althoughthejudiciary “privacy ofthehome”(Pakistan)oreven“rightto it canberead intowiderconstitutionalrightssuchas dards intothedomesticlegalsystem(UK,France),or humanrightsstan- the incorporationofinternational nications. Intheotherfour, thatrightisprotected by pressly protects therighttoconfidentialityofcommu - Africa, Turkey, USA)haveaconstitutionwhichex- go, Egypt,Germany, Kenya,Myanmar, Russia,South Ten ofthe14countriessurveyed(Colombia,DRCon- principle, butnotrespected inpractice. without proven causeforsuspicion. millions ofpeopleworldwidebycollectingdatainbulk to confidentialityofcommunicationshundreds of tointerfereallow governments arbitrarilywiththeright worse. Theseframeworksare sofeeblethatthey other countriesare justasbad,andinsomecases, US andtheUK,butlawspracticesinmany communications”veryweakintheon “international powers. Notonlyare legalsurveillanceframeworks effective checksandbalancesonmasssurveillance Index thattheoverwhelmingmajorityofcountrieslack one, confirmingtheglobalfindingsof2014Web The picture thatemergesfrom ourstudyisableak are ineffectual. Therighttoprivacyisguaranteedin Globally, legalsurveillanceframeworks

3 these safeguards inpractice. telecommunications serviceproviders soastoweaken ceedings andinterference withnetworkoperatorsand undermined byloopholes,secret laws,extralegalpro- communications, andasdetailedbelow, theyare often to onlyapplytheinterception ofthecontents interception incriminalcase,theseconstraintstend impose serioussubstantiveandformalconstraintson Nevertheless, eveninthecountrieslistedabovethat use ofinterception powers. meaningful substantiveorformalconstraintsonthe addition, inthesecountries,thelawsdonotcontain 4 “mine” forrelevant information) thancontentdata. than content,metadataare mucheasiertoanalyse(i.e. tions. Whatismore, by being muchmore structured even more revealing than—thecontentofcommunica- location data,canbeasrevealing as—andsometimes of mobilecommunications,suchmetadata,particularly devices (andthusthelocationofparties).Inera linked tospecificindividuals),andthelocationof of thedevicesused(whichare ofcourseoftenclosely a call,theidentityofpartiesinvolvedincallor munications”, suchasthetime,date,anddurationof to as“communicationsdata”)are “dataaboutcom- largely uncontrolled). “Metadata”(intheUKreferred and Turkey, accesstometadatais,ofcourse,also such asDRCongo,India,Kenya,Myanmar, Pakistan seriously limitinterception ofcommunicationscontent, ject tomuchlessconstraint.(Incountriesthatdonot restrictions, accesstoso-called“metadata”issub- principle subjecttoimportantsubstantiveandformal which interception ofcommunicationscontentisin many, Russia,SouthAfrica,theUKandUSA, in Even incountriessuchasColombia,France,Ger metadata thanoncontentdata. —a Freedom of Expression andAccess toInformation—a The Johannesburg PrinciplesonNationalSecurity, tions inthenameof“national security”. outside ofthenormalframework forcriminalinvestiga- law enforcement and/ornationalsecurityagencies, metadata andthecontentof user communicationsby allow unlimitedorbarely limitedaccesstoboth Our mostworryingfindingisthatvaguelawsoften it ismeaningless.

There isevenlessconstraintonaccessto “National security”issobroadly defined, - document which was drafted by civil society and en- allow the agencies to collect data in bulk, untargeted dorsed by UN Special Rapporteurs and other interna- and without identifying any specific suspects or even tional—stresses that the notion of “national security” people associated with suspects; the Court of Justice should be limited to real, immediate threats to the very of the EU calls this “generic access” to communi- existence of the state or the democratic order. How- cations data. The power to demand such “generic ever, we found that in many countries the concept is access” (or carry it out directly), at least to “external” stretched to include, for example, the fight against communications, is either expressly allowed or can be organised crime and the protection of the economic read into the law in 13 out of the 14 countries studied. interests of the state (France, Germany), the preven- In South Africa, it is not clear from the law whether tion of incitement to commit [apparently any] offences this is allowed, but the authorities there have nonethe- (India), anything relevant to the country’s “international less indiscriminately accessed Internet communica- affairs” (USA), or any “national interest” (Kenya). In tions in secret, irrespective of the law. other cases it is deliberately undefined (UK), or left to the discretion of the authorities (Egypt). 5 Mass surveillance rarely requires In other countries, without necessarily formally stretch- judicial authorisation. ing the concept of “national security”, these kinds of In many countries, mass surveillance does not require broad targets are still added to the tasks of the national judicial authorisation. It can be authorised by the gov- security (or “intelligence”) agencies. This is the case in ernment (Myanmar and Pakistan), a minister (the UK), Myanmar, Pakistan, South Africa and Turkey. or the prime minister (France), or the president (USA), senior officials (India), the police, the military and the The special laws covering state activities in relation to intelligence services (Colombia, DR Congo, Egypt), or such “national security” issues and/or the activities of indeed “any authorised agency” (Turkey, in undefined the relevant national security or intelligence agencies “non-delayable” cases). typically grant the relevant agencies special powers of interception of communications data (both meta- In Kenya, Russia, and South Africa a judicial authori- data and content), in particular in relation to “external sation is required. In all three countries, however, communications” (i.e., to communications travelling no evidence of any actual crime or plot is required, over Internet or other digital communication networks, and “national security” is defined so broadly that the including mobile networks, that are physically out- threshold for granting authorisation is very low. As a side the country, or that involve at least one “foreign” result, the relevant judges are given such little leeway party). Not only are such practices discriminatory and to reject requests that it cannot be considered effec- contrary to the concept of universal human rights, the tive judicial control in practice. distinction between “internal” and “external” communications is also largely meaningless in the digital Governments can demand direct access to world. For example, most Internet communications 6 telecommunications infrastructure through I BOUNDARIES OF LAW between two parties even in the same country will in- 9 “back doors”. volve sending data over global (“external”) pathways. We also concluded that the authorities in almost all The “internal”/“external” distinction also loses much countries surveyed can, under their laws, demand of its meaning in light of the existence of intelligence that Telecommunications Service Providers (TSPs) and sharing practices among countries. One participating (Mobile or other) Network Operators ([M]NOs) install country’s “internal” communications are other coun- devices to facilitate interception, and that in essen- tries’ “external” communications. When these commu- tially all cases this could be interpreted as including nications are shared and combined, their provenance “back doors”, which grant those authorities direct becomes irrelevant. access to the systems of these providers and operators that can be not be monitored by the companies At the same time, the relevant special laws impose themselves. fewer procedural safeguards or restrictions on the scope, targets, or duration of the surveillance than are Apart from gaining entry to systems through officially typically imposed on law enforcement agencies acting mandated “back doors” under the above laws, intel- in “normal” criminal cases. In particular, they often ligence agencies are also increasingly “hacking” into 10 I BOUNDARIES OF LAW surveillance (“genericaccess”) odd “historical” datum,itwouldappearthat either As forMyanmar, onwhichTelenor provides onlyone and Turkey, onwhichstatisticsare alsonotprovided. TSPs involved.Thismayalso bethecaseinIndia to betheresult ofthishavingbeenmadecleartothe mation onDRCongo,Egypt and Kenyaisalsolikely The absenceofthesefigures intheoperators’infor powers havebeenusedtoprevent suchpublication. available through theTID websitesuggeststhatthose tistics onthesecountriesfrom theoperators’reports interpreted inthatway) and theabsenceofsuchsta- allows theauthoritiestoprohibit it(orthelawcanbe releasing statisticalinformation oninterception, or either expressly prohibits theTSPsand(M)NOsfrom es. InColombia,Pakistan,RussiaandtheUK,law There isevenlesstransparency aboutactualpractic - breaches thelaw. carry outsurveillancewhichconstitutionalexpertssay relied onsecret, “creative” interpretations ofthelawto in Germany, themainintelligenceagency, theBND, regulate thedetailsofrelevant surveillance.And that allowsforsecret decrees bytheConseild’État to law, adopted on1October2015,containsaprovision the openinlitigation.Therecent French surveillance kept secret untilexposedbySnowdenorforced into interpretations underpinningsurveillancehavebeen UK, themostimportantrulesandguidelineslegal South AfricaandTurkey. EvenintheUSAand secret rulesorguidelinesinterpretations inIndia, and italsoquiteprobably thecasethatthere are such the caseinDRCongo,Egypt,KenyaandMyanmar; research andinterviews,webelievethisislikelytobe ance onorinterpretations ofthelaw. Basedonour be thecasewithregard tosubsidiaryrulesorguid - kept secret. Inmanyothercountries,thisappearsto appear thatevensomelawsorotherprimaryrulesare However, inColombia,RussiaandPakistan,itwould with fundamentalrights—mustbepubliclyaccessible. and certainlyalllegalrulesthatallowforinterferences The ruleoflawimplicitlyrequires thatalllegalrules— are secret oropaque. 7 such reports are difficult toverify). and there are somereports tothateffect (although and China,are likelytotrydoatleastthesame, technologically advancedcountries,suchasRussia done thisinrelation “giants”.Other toseveralInternet revealed thattheNSA(US)andGCHQ(UK)have the providers oroperatorsinquestion.Snowdenhas systems theywanttomonitor, behindthebacksof Laws underwhichuntargeted mass 2 takesplace - law inthesurveillanceprocess. challenges toaccountability, transparency, andruleof intelligence-sharing agreements posesconsiderable available tothepublic.Theinformalityandopacityof ing mechanismswhere precious littleinformation is This lackofdataalsoextendstointelligence-shar millions ofcommunicationsbyindividuals. relating toanunderseacablecouldrelate todataon warrantcan bemisleading.IntheUK,oneexternal in itsreports). Figures aboutnumbersofwarrants reallynies (TID)orthosegovernments are stresses released bytheTelecom IndustryDialoguecompa- There are alsocaveatsabouthowmeaningfulthedata extralegal operations,notedbelowinFinding9). or limitedanddisputed(inparticularinrelation to partially omittedandblackedout(intheUK), our studyshowsthattheofficial statisticsare either tion ontheuseoftheirsurveillancepowers.However, the authoritiesthemselvesdoprovide someinforma- regardWith toFrance,Germany, RussiaandtheUK, data, eventhoughthere isnolawprohibiting it. it iseffectively prevented from publishingtherelevant through “backdoors”thatitcannotmonitor),or relevant powers(becauseinterception isdonedirectly, the companydoesnotknowwhatuseismadeof 8 gency was,infact, declared inresponse tothe“9/11” otherwise reserved fortimesofwar. Suchanemer emergency” andthenclaimcertain exceptionalpowers Thus, intheUSA,President candeclare a“national seen asemergencylaw. accordance withthenormalrulesbutalsonotformally nent quasi-emergency”legalframework,notfullyin countries surveyed.Theyare creating a“semi-perma - an ingrainedpartofthepermanentlegalfabric not normallybedeemedacceptableare becoming challenge theseframeworks.Thus,lawsthatwould constitutional frameworks–yetatthesametime,they laws thatare supposed toapplywithinthenormal Rather, themasssurveillancepowersare grantedin limited totimesofwarorsuchnationalemergencies. special lawswehaveexamineddonotpurporttobe of onlylimitedrelevance toourtopicasmostofthe human rightstreaties). However, wefoundthatthisis of thenation”(tousewords oftheinternational of warandnationalemergencies“threatening thelife ities are givenextremely wide-rangingpowersattimes We alsonotedthatinalmostallcountries,theauthor states ofquasi-emergency. conducting surveillanceundersemi-permanent There isatrend toward countries - - - attacks—and this declared state of emergency formally In countries with generally weak legal systems, such remains in effect. However, the President did not need as Colombia and Kenya, oversight regimes are also to rely on a the declared state of emergency to issue limited in their real effectiveness. In South Africa, the Executive Order 12333, which is the main basis for the low threshold for authorisations of surveillance un- bulk interception of “international communications”, dermines the supervisory function of the “designated” because he had the power to issue that order under judges that must issue them. the President’s “inherent authority” under Article II of In other countries studied, oversight systems are in the Constitution to conduct foreign intelligence. place but they have proved to be ineffective. This is in By contrast, following the recent massacre in Par- particular the case in the two countries to which the is by Belgian and French jihadists, the President of Snowden revelations related most directly—the USA France has declared the country to be “at war” with and the UK—but it also applies to Germany, where the “Islamic State”, and is seeking to change the large surveillance operations, including some carried constitution to give the authorities wider, less judicially out with or at the behest of the USA’s NSA, were not constrained powers. Changing the constitution rather known to the oversight body, the G10 Commission. than relying on a temporary derogation for a defined war or emergency underlines the insidious effects of permanent “special” anti-terrorist laws. What can be done to improve the current state of affairs? The discrepancy between continuing government 9 An alarming amount of mass surveillance surveillance practices and the relevant interna- happens illegally anyway. tional human rights and rule of law standards is In many countries mass surveillance was conducted breath-taking. The resulting concentration of secret outside of the official, known legal framework alto- power in the hands of intelligence agencies may gether. Extralegal operations have been revealed in prove deeply corrosive to democracy, commerce, France, Germany and South Africa – and in many and the rule of law. However, in most of the coun- other countries: Colombia, Egypt, Kenya, and Paki- tries studied, citizens and their elected representa- stan. In Myanmar, Russia, and Turkey the law itself tives still have the ability to call the State to order is so unclear as to make it impossible to distinguish and establish appropriate checks and balances on between legal and extralegal activities. Up to a point, its surveillance powers. Guided by the Necessary the programmes of the USA and the UK are also of and Proportionate Principles, this report propos- dubious legality, since they rely so much on secret es a set of standards for minimum transparency, rules and secret interpretations of the law. accountability and oversight of government surveillance practices.

10 Oversight systems are often non-existent or ineffective because they are not independent. In six of the countries studied there is effectively no I BOUNDARIES OF LAW independent oversight over the use of the above-men- 11 tioned powers of “generic access”, not even on paper. This is the case in DR Congo, Egypt, Myanmar, Pa- kistan, Russia and Turkey. At most, in some of these countries (like Myanmar and Russia), there are internal oversight systems by officials or bodies that are part of the executive branch, but these are, by their very nature, not independent or detached from the system.

In France, the use of the “generic access” powers provided for in the recent law is only subject to “advice” from various bodies rather than real oversight. In India, there is oversight only by a “review committee” made up of high officials, but by law the committee must maintain “utmost secrecy” and destroy its own files after six months. 12 I BOUNDARIES OF LAW Standards Proposed allow forindiscriminate,“generic” Surveillance shouldnotallowfor allow foractivitiesonthepartof responsibilities basedonclear, published law, withforeseeable intelligence orlawenforcement international humanrightslaw.international types ofdata,andshouldnot enforcement agenciesshould collection orretention ofany Surveillance lawsshouldnot agencies thatwouldviolate suspicionless mass(bulk) have roles, powers,and application andeffects. All intelligenceandlaw Ru access todata. le

o f L a w

ciencies intheuseofsuchpowers. post factooversightbyatrulyin- ternational -shouldbefullypublic. ternational and fully-empowered supervisory necessary, proportionate, effective There shouldbeappropriate public powers, andofanyabusesordefi- cial control overintelligenceand agencies -bothdomesticandin dependent, technicallycapable, and fairintheirownterms in intelligence andlawenforcement internal administrativeandjudi- internal body whichavoidscapture and publish areport atleast annually reports mentionedabove should There shouldbeclosepolitical, reporting ontheexercise ofsuch There shouldbefull,regular ex should publiclyreport on anyad independent expertiseandac- All intelligenceandlawenforce- Information andstatisticsinthe ensure technicalcompetence, critically review whetherallthe ment oversightbodiesshould All intelligence-sharingagree- actions oftheagencieswere be meaningfulandallowreal law enforcement agencies. insights. Thereports should hoc inquiryorinvestigation. ments betweenandamong cess torelevant systems. on itsregular reviews, and a T terms oftheiroutcomes. ra nd Ov n spare ers i n g c h y t

Whistleblowers shouldbestrong- dent supervisorybody. Thepress Intelligence andlawenforcement and theirsources shouldbepro- found tohavetakenplace,there ularly beauditedandtheresults protection law. Compliancewith ly protected andwhistleblowing mechanisms shouldbestrongly activities oftheintelligenceand data protection lawshouldreg- nal and external whistleblowingnal andexternal published aspartoftheannual should befullcivilandcriminal tected intheirreporting onthe encouraged. Reportsoninter should besenttoanindepen- liability, intheordinary courts, without undueprotections for intelligence sharingpractices When seriouswrongdoing is the agenciesortheirstaff or law enforcement agencies. should becovered bydata A reporting requirements of cco their information. the agencies. un tab i l i t y

1 I2ntroduction, Concepts, MethodologIntroducing:y This and that &in Casetwo lines Selection

1.1 Introduction

In 2013, Edward Snowden exposed massive global surveillance programmes by the USA and the UK. Since then, his further revelations as well as information obtained in official inquiries or unearthed by other whistleblowers, journalists, academics, civil society, and the private sector have provided more details about government surveillance, and the exposures are continuing. Despite these efforts, government surveillance practices and the legal frameworks that surround them are not often subject to public scrutiny, and indeed, often deliberately obscured. Most public attention in the past two years has focussed on the revelations about domestic and global surveillance by the USA and the UK, with little focus on the laws and practices of other countries. In this study we have decided to explicitly broaden the focus to include Russia and the Global South in order to help redress this imbalance and to motivate a wider international debate about surveillance regimes.

In order to ensure transparency and accountability of surveillance practices, meaningful information must be made available and subject to rigor- ous analysis. This report is an attempt to shed some light on surveillance practices by both intelligence services and law enforcement in a range I BOUNDARIES OF LAW 13 of countries. By taking a more global and comparative view than many existing studies, we hope to provide a broader perspective on whether state practices in this field are, in fact, transparent, accountable, overseen properly, and grounded in law.

We also provide a basic overview of multilateral intelligence sharing agreements insofar as information about these agreements can be gleaned from public materials. While these multilateral agreements are complemented by extensive sets of bilateral arrangements between states, bilateral agreements are beyond the scope of this study. Nevertheless, both types of agreements represent important components of international intelligence sharing which deserve greater awareness and analysis.

Our ambition is to assist in the task of understanding, characterising, and improving laws governing surveillance through analysing and comparing a selective sample of 14 countries through the framework of international law and 14 I BOUNDARIES OF LAW TID PI LI NSA LEA (M)NO TSP Acronyms

Dialogue (TID) T Privacy Inter Lawful Inter National SecurityAgency Law Enfor as “operator” Operator; alsor (Mobile orother)Network as “pr Pr T elecommunications Industry elecommunications elecommunication Service ovider; alsoreferred to ovider” cement Agency cept national eferred to we note“extralegal”practicesthathavebeenexposedinseveralcountries. andaboutthetransparencycerned aboutthosepractices(orlackofit);and make generalremarks onimplementationofthoselawsinthecountriescon- human rights.We focusonlawsastheyappear“onthebooks”,butwealso collection ofthe latter. Here, wemayalready note (as wealsoagainstress gime forcollection oftheformertendstobe more laxthantheregime for hand, and“content”ofcommunicationsontheother, andthatthere- guish betweencommunications “traffic data“or“metadata ” ontheone Also insub-section2.3.4,we notethatthelawsinmanycountriesdistin- access” powers. oversight over, andtransparency inrelation to,theuseofsuch“generic formalities are imposed onsuchaccess,andwhetherthere ismeaningful tion 2.3.4,weassesswhetherthelawsauthorisesuchaccess, what access” todata,ofthekinddefinedbyCJEU.Inparticular, insub-sec- laws inthecountriesstudied(section2.3),wehavefocussed on“generic In thisreport, andinparticular inourcomparativeanalysesofthevarious Charter ofFundamentalRights. the rightstoprivacyanddataprotection, whichare guaranteedintheEU and theindiscriminateaccesstheyhavetoit,asseriousinterferences with regards boththeobtainingbyauthoritiesof relevant datainbulk, by Snowdenamountto“masssurveillance”.However, theCJEUclearly national securityagencies(inparticular, the NSA andGCHQ)revealed The USAandtheUKbothstrenuously denythattheactionsoftheir basis tothecontentofelectronic communications”. mitting thepublicauthorities[inUSA]tohaveaccessonageneralised European UniontotheUnitedStates...”andreferred to“legislationper personal dataofallthepersonswhosehasbeentransferred from the “legislation ...[that]authorises,onageneralisedbasis,storageofallthe not usetheterms“bulkdata”or“masssurveillance”.Rather, itreferred to In itsSafeHarborjudgment(discussedinsection2.2.2),theCJEUdid the groups towhichtheymaybelong—under“closeobservation”. over thosetowhomthedatarelate, i.e.,tokeepthepeopleconcerned—and very largedatasets,andthe“datamining”ofthem,tocarryout“surveillance” The term“masssurveillance”isusedtodenotetheuseofsuchaccess Google, Microsoft, Facebook,etc. Giants”,suchasthe similarlylargedatabasesmaintainedby“Internet on theactivitiesoftheirend-users,ortoall“metadata”theyhold, Service Providers (ISPs)or(Mobileother)NetworkOperators([M]NOs) full accesstosuchlargecollections,i.e.,allthedataheldbyInternet large amounts;theterm“bulkdatacollection”tendstorefer toobtaining Strictly speaking,“bulkdata”simplyrefers totheexistenceofdatain European Union(CJEU)hascoinedtheterm“genericaccess”todata. collection” fora,referencecountries andininternational isoftenmadeto“bulkdata In thediscussionsthathavefollowedSnowdenrevelations inmany 1.2 Terminology and “masssurveillance”,whiletheCourtofJustice - in that sub-section) that such a distinction is difficult to make in practice. Metadata can be as revealing as—and sometimes more revealing than—the contents of communications (and therefore should not be subject to lesser protection); and that automatic analysis and aggregation of metadata is often significantly easier to accomplish than content parsing.

1.3 Methodology 1.3.1 Country Selection Our comparative analysis is based on a diverse selection of 14 country cases from five different continents: Colombia, DR Congo, Egypt, France, Germany, India, Kenya, Myanmar, Pakistan, Russia, South Africa, Tur- key, United Kingdom, and the United States of America. The intention is to provide a globally inclusive, albeit selective, comparative perspective on surveillance regimes, in order to ensure that any conclusions drawn are not limited to any one region, legal system, political or economic system, or historical context.

Although a primary objective of the study was to be globally inclusive, and in particular to include the global South, the analysis also necessarily included three Western European countries (the United Kingdom, France, and Ger- many), Russia and the United States, as these countries provide essential context, both historical and contemporary. The United Kingdom, on the one hand, and France and Germany, on the other, have heavily influenced the two main legal systems of the world— common and civil law, respectively. All three are former colonial powers and have deeply influenced the laws in the neigh- bouring countries and in their former colonies. Russia, as the central country in the former Soviet Union, has similarly influenced the law in many current and former socialist countries, and continues to maintain close links with them.

Intriguingly, when former colonies gained independence, they often still retained the (repressive) emergency and anti-terrorist laws of their former colonisers. In relation to more recent surveillance laws, the Snowden materials show that there is significant “technical-legal assistance” provided by US and UK security agencies’ lawyers to governments drafting such laws in countries with which they are allied (not just in the “Five Eyes” arrange-

ment, but also in other NATO countries). It is reasonable to assume that I BOUNDARIES OF LAW similar cooperation is in place in other intelligence “clubs”. One can there- 15 fore discern “families” of such laws with similar features.

The resulting comparative overview provides a broad globally inclusive picture of surveillance practices as well as commonalities and differences between these laws. However, specific findings should not be interpreted as necessarily proportionate to what we might find on a global level. We cannot claim that our selection is representative in that sense.

In the chart on page 17, we indicate (in green) the ranking of the selected countries on the World Wide Web Foundation’s Web Index; the countries’ per capita GDP (in blue); and the character of their legal systems: civil law, common law, and Islamic law (indicated by lines; when there are lines linked to more than one such system, this means the legal system in the country concerned is hybrid, showing elements of two, and in one case three, of these main systems). 16 I BOUNDARIES OF LAW Frameworks” publishedbytheTelecommunications IndustryDialogue(TID). still limited)publisheddatawedrew onwascontainedinthe“CountryLegal regimes across theworld.Themostreliable andconsistentlycomparable(though readily available,reliable comparativedatasources surveillance ofgovernment sive primaryresearch intothelawsofselectedcountries.Norare there any It wasnotpossiblewithinthescopeofthisshortstudytocarryoutcomprehen- • • • • • • better understand: framework, focussingonthefollowingresearch objectivesinorder to W Comparativelegalanalysis a. 1.3.2 MethodologyandSources that bodyintothestatusofhumanrightsinUNMemberStates. Council inconnectionwithUniversalPeriodicReviews(UPRs)carriedoutby ety analysissubmitted(likeseveralofPI’s reports) totheUNHumanRights where suchexisted,andinrelation totheUSA,from anextensivecivilsoci- ed countrieswasgleanedfrom countryreports(PI) by PrivacyInternational Broader informationandcontextonthesurveillancesituationinselect- tion tothefight againstterrorism. between lawenforcement andnational securityagencies,particularly inrela- which furtherresearch isurgentlyneeded,giventheever-closer cooperation enforcement datasharing“umbrella” agreement. Butthis,too,isanarea into note thecriticalcommentson that aspectofaproposed newEU-USAlaw cies bothwithinasinglecountry andacross borders. Inthisreport, wemerely data sharingbetweenlawenforcement agenciesand national securityagen- In future, thisopenness andresearch shouldalsoextendtothequestionof issues, andcallformore research andmore opennessinthisregard. the relevant datasharing“clubs”.Allwecandointhisreport ishighlightthe was severely limitedbythe extreme secrecy surrounding theseagreements and data, butalsohowitcanbeshared anddistributed.Thisresearch, however, them toensure thatcitizensacross theworldknow notjustwhocancollecttheir tain someinsightintothesearrangements,andtoincrease publicdebateabout law enforcement andintelligence services.We believethatitisimportanttoob- sharing agreements between countriesthatare believedtobeinplaceforboth Separately wehaveattemptedtoprovide anoverviewofmultilateralintelligence Datasharingarrangements b. surveillance fromperspective ongovernment agloballyinclusiveperspective. surveillance ontheground. Thustheoriginalresearch here provides anovel and technologiststobetterascertaintheactualimplementationofgovernment we conducted29interviewswithindustryrepresentatives, civilsocietyactors, rise thecurrent policylandscapeintherespective Internet countries.Finally, used datafrom theWeb Web IndexoftheWorld Foundationtocatego- Wide e assessedtheselectedcountriesaccording toacomparativelegal publication oflawsandaggr oversight overtheuseofpowers;and special powersincasesofnationalemergency; in r data bylawenfor powers ofuntargeted“genericaccess”tocommunications by lawenfor powers oftargetedlawfulinter as afundamentalrightinthedomesticlegalsystem; whether communicationsprivacyisr elation toterrorism and/ornationalsecurity; cement agenciesinordinary criminalcases; cement and/ornationalsecurityagencies cepts (LI)ofcommunications egate dataontheuseofpowers. ecognised 4 We also 3 1.3.3 Rankings of Selected Countries with Their Legal Systems

Web Index 2014, Subindex Freedom and Openness GDP per capita in US$ Germany Germany Legal Power USA Former Colonial Power France France Former Colonial Power UK Former Colonial Power India Former British colony South Africa Former colony Colombia developing country Turkey Ottoman Empire Russian Russian Federation former Communist country Kenya Kenya former British c olony Pakistan Pakistan former British colony Myanmar Myanmar former British colony Egypt former quasi British colony DR Congo former Belgian colony

85,84 81,04 78,72 76,25 57.42 56.89 55.46 41.72 39.60 38.62 27.46 13.84 12.08 n.a. 46.268 53.041 42.503 41.787 1.498 6.617 7.831 10.971 14.611 1.245 1.275 1.200 3314 485 I BOUNDARIES OF LAW

LAW civil islamic common Legal System 18 I BOUNDARIES OF LAW colonies, which willbediscussedinsection 3 ingreater detail. services andthe secret servicesofthe newlyindependentformerBritish creation of“intelligenceclubs”andthecloselinksbetween theBritishsecret USA, Australia,Canada,and New Zealand.Collaborationcontinuedwiththe 1946 anditsgradualexpansion tothecurrent FiveEyes states:theUK, counterparts duringthewar, leadingtothemore formalUKUSATreaty of ing ofintelligenceliaisonofficers bytheUKandUSA withtheirrespective tical frameworksthatpersisttoday. FortheWest, thisstartedwiththepost - During World War II,statesalsobegantocreate legalandprac- international dards ofconduct. national law. Theyare therefore anathematoallacceptedstan- generally are regarded asoutsidethescopeofnationaland inter theoperationsofspies,saboteursandsecretgovernment, agents In allsecret serviceactivities, whichare handledbythecentral Cold War. Thisledtotheexistence ofsecrecy beyondthelaw: during World War II,andremained activebehindthescenesduring traced backtoWorld War I,buttheygainedmuchoftheircurrent form The originsofintelligenceagenciesinWesterndemocraciescanbe terrorist and“asymmetricwarfare” contexts. from non-stateactors(oratleastnotofficially state-backedactors)in quasi-war, totryingdealwithmuchmore diffuse andinsidiousthreats tioned from counteringknownforeign stateenemies intimesofwaror in thefocusofnationalsecurityagencies.Theseagencieshavetransi- es inrecent decades,andespeciallysinceSeptember11,2001,isashift One reason forthemassive,globalincrease in broad surveillancepractic- agencies relating totheseareaslevels. atbothnationaland international national securityandlawenforcement, andblursdistinctionsbetweenthe selves partofawidertrend. Thistrend increasingly blursthelinesbetween increased scrutinyfollowingtherevelations ofEdward Snowdenare them- textualisation. Theglobalsurveillanceprogrammes thathavecomeunder and practicesrelating tosurveillance.Thisanalysisrequires proper con- In thissectionofthereport,andnationallaws weanalyseinternational 2.1 Accountability and Surveillance 2

I ntroduction 5 F

rameworks 6 - Accountability F and Surveillance 2 rameworks compliance withtheAfrican Charter onHumanandPeoples’Rights. the • cial andquasi-judicialtreaty bodies,require thefollowing: Essentially, allthese treaties, asinterpreted andappliedbyallthese judi- mentation oftheAmericanConventiononHumanRights (ACHR) can CommissionandCourtofHumanRightsoverseeingtheimple - But thesameapproach isalsoessentiallyadoptedbytheInter-Ameri- mental Rights(EUCFR),theCourtofJusticeEU (CJEU). Human Rights(ECtHR),andthecourtapplyingEUCharterofFunda - European Conventionon HumanRights(ECHR),theEuropean Courtof Rights Committee(hereafter: theCommittee), thecourtupholding CovenantonCivilandPoliticalRights(ICCPR),theHumanInternational approach ofthebodyguarding themainglobal humanrightstreaty, the rights. Inparticular, there iscloseconvergenceinthisregard betweenthe with fundamentalrightsare compatiblewiththetreaties thatprotect those proach tobetakeninanyassessmentofwhethercertaininterferences humanrightsbodies andforaagreeAll international onthebasicap- 2.2.1 Basichumanrightsprinciples and politicaldemandsforcompliance humanrightslaw:Judicial2.2. International 2.2 Republic ofGermany. tained fullandclosecooperationfrom theintelligenceservicesofFederal pendence, France,UK,andUSAeffectively retained theserightsand/orob- surveillance rightsovertheFederalRepublicofGermany. AfterGermaninde- After World War II,thethree Westernoccupationpowersgrantedthemselves collection, storage,andanalysis. veillance anddataanalysis,alongsideadramaticfallinthecostof surveillance hasbeenthevastlyincreased technicalcapabilitiesforsur of targetsandactivities. terrorism orextremism, andinthecollectionofintelligenceonawiderarray law enforcement agenciesare increasingly taskedwiththeprevention of and otherevenless-definedthreats againstnationalsecurity. Inparticular, reserved forintelligenceagencies,especiallyinthefightagainstterrorism agencies are increasingly givenpowersandroles thatwere previously practical arrangements enforcement agenciesintheirhomecountry. clubs. Increasingly, intelligenceagenciesare workingcloselywiththelaw have changedtherole oftheagencies,aswellrole ofintelligence The conclusionoftheColdWar andthe riseofnon-stateglobalterrorism an satellites,butrelated documentationhasbeenscarcer. Europeprivileges intheGermanDemocraticRepublicanditsotherEastern - African CourtonHumanandPeoples’Rights,whichassesses “quality” r r on pr Any interfer estrictions or penalties) must bebased on a“law” that meets certain

I nternational legaland otected rights, includinganyformalities,conditions, equirements. Therelevant legal rulesmustbeclear, specific ence (atermthatincludesanything thathasanimpact 7 TheSovietUnionislikelytohavegranteditselfsimilar 9 Atthesametime,lawenforcement 8 Afurtherdriverforincreased 11 and 10 12 - 19 I BOUNDARIES OF LAW 20 I BOUNDARIES OF LAW • • • • • • • • ments ofEuropean human rightslawrelating tosurveillance: The caselawoftheECtHRshowsfollowingconsiderations andrequire- ECtHR caselaw the USA. data and“genericaccess”toonEUpersonsbystate authoritiesin issues suchascompulsorysuspicionlessretention ofcommunication cently alsobytheCourtofJusticeEU,inrelation tomore specific Human Rightsinaseriesofcasesgoingbackmanyyears;andmore re- been appliedmostspecificallytosurveillancebytheEuropean Courtof The globallyacceptedbasichumanrightsprinciplesoutlinedabovehave 2.2.2 TheBasicPrinciplesAppliedtoSurveillance relation tosurveillance. “Necessary andProportionate Principles”)developedbycivilsocietyin cation ofHumanRightstoCommunicationsSurveillance(alsocalledthe This approachPrinciplesontheAppli- alsounderpinstheInternational • • Ther the allegedviolation. violates theabovemustbepr Anyone whoserightshavebeeninterfer r the leastintrusivemeansthatar if astateinterfer “least intrusivemeans”oroner The pr to usetheterm“adequate”,buttestsr “pr corr a measur “necessary” topr Interfer shall seeisr tr No interfer constitute suchlegitimateaims. security society”). Thehumanrightstr in astateundertheruleoflaw(theECHRsays“indemocratic Interfer those authorisingorexer excessively vagueand/orplacesexcessivediscr use ofinterfer application. Mor and, aboveall,accessible(published)andfor E guarantees against abuseofsurveillancepowers. In viewoftheserisks,ther of communicationsentailsa thr The mer defending it. may undermineorevendestr A systemofsecr elevant legitimateobjective. ffective guarantees include that surveillance powers must be set out eaties ifitcompromises theveryessenceofright–whichaswe oportionate” tothatneed.(TheInter-American jurisprudencetends espond toa“pressing socialneed”,anditmustbe e mustbenodiscriminationintheenjoymentofright. oportionality principlecanbeunderstoodascomprisinga ences thatrespect theessenceofarightmuststillbe ences withfundamentalrightsmustservealegitimateaim , publicsafety, andtheprevention ofdisorder orcrime e existenceoflegislationsupporting thesecret monitoring e thatinterferes witharighttobe“necessary”,ithas ence withafundamentalrightispermissibleunderthe 14 elevant inthepresent context. ence powers,suchasmayoccurifthelawis e specifically, thelawmustprotect againstarbitrary es withafundamentalhumanright,itmustchoose et surveillancefortheprotection ofnationalsecurity otect thelegitimateinterest inquestion;andfor cising therelevant power. e mustbeadequateandeffective 13 oy democracyunderthecloak of eaties allrecognise thatnational ovided withaneffective remedy against eat ofmasssurveillance. e stillcapableofachievingthe ous means”test–meaningthat ed withinawaythatallegedly emain essentiallythesame.) eseeable intheir etion inthehandsof

in statute, or primary law, rather than in subsidiary rules, orders or manuals. The rules must be in a form open to public scrutiny and knowledge. Secret, unpublished rules are fundamentally contrary to the rule of law and the European Convention on Human Rights.

Furthermore, the ECtHR requires the following “minimum safeguards” to be provided for in published laws on surveillance: • offences and activities warranting surveillance should be clearly and precisely stated; • categories of people that may be subjected to surveillance should be stated; • strict limits on the duration of any ordered surveillance must be set; • strict procedures for ordering the examination, use, and storage of data obtained through surveillance must be followed; • strong safeguards against abuse of surveillance powers, including strict purpose and use limitations (e.g., preventing easy disclosure of intelligence data for criminal law purposes) and strict limitations and rules on when data can be disclosed by national security agencies (NSAs) to law enforcement agencies (LEAs), etc., must be provided; • strict rules on the destruction/erasure of surveillance data must be established to prevent surveillance from remaining hidden after the fact; • persons who have been subjected to surveillance should be informed of this as soon as it is possible without endangering national security or criminal investigations, so that they can exercise their right to an effective remedy, at least after the fact; and • bodies charged with supervising the use of surveillance powers should be independent and responsible to, and be appointed by, Parliament rather than the executive branch.

Under the ECHR, these principles must be applied to anyone who is affected by surveillance measures taken by any Council of Europe member state. In addition, European states have a “positive obligation” to protect their citizens from surveillance contrary to the above, perpetrated by any other State. They are under a legal obligation not to actively support, participate, or collude in such surveillance by a non-European state.

The above principles were clearly and strongly re-affirmed in the very recent ECtHR judgment, Roman Zakharov v. Russia.15 Further clarification of the law is expected in the pending case Big Brother Watch, Open Rights Group, English PEN and Kurz v. the United Kingdom which specifically deals with the surveillance revealed by Snowden, insofar as carried out by I BOUNDARIES OF LAW 21 the UK (i.e., by GCHQ).16

Case Law of the CJEU There have been two important recent judgments of the Court of Justice of the EU that have a bearing on the issues addressed in the present report.

The data retention judgment:17 Under Directive 2006/24/EC, EU Member States were required to impose on telecommunication service providers in their jurisdiction a duty to retain considerable amounts of so-called “traffic data” (or “metadata”) on the communications of the end-users of their services (i.e., on the calling number, the called number, the length of the call, the location from which the call was made, details of the devices used, etc., but not the content of the communications). The directive was challenged, and the High Court of Ireland referred the case to the Court in Luxembourg for a preliminary 22 I BOUNDARIES OF LAW invalid principles oflawfulness, proportionality, andnecessity, andwastherefore relation to datasecurity, theCJEUheld thatitfailedtocomplywiththe After assessingtheDataRetention Directive inthese regards, andin cedural safeguards, andthenature andeffectiveness ofthosesafeguards. the restrictions andlimitationsonaccessuseof thedata;andatpro- lawyers, etc.;atto seriouscrime,andatany exceptions forjournalists, may beaffected byitand whethertheyare reasonably linkedinsome way ity—of thelawinquestion;atscopeoflaw, inparticularatwho dards, oneshouldlook at theclarityandprecision—i.e., theforeseeabil - the compatibilityofsurveillancelawswithEuropean humanrightsstan- let-points above.ThetwoEuropean courtsclearlyagree thatinassessing way, theyare thenegativeexpression ofthesamepointsnotedinbul- tially thesameissuesasthosehighlightedinECtHR case law. Ina It isnotablethatthepointsofcriticisminthisjudgmentrelate toessen- that itisactuallylimitedtowhatstrictlynecessary. (para.65) interference beingprecisely circumscribed byprovisions toensure fundamental rightsinthelegalorder oftheEU,withoutsuchan a wide-rangingandparticularlyseriousinterference withthose spectively]. Itmusttherefore beheldthatDirective 2006/24entails Charter [guaranteeingtherightstoprivacyanddataprotection, re- with thefundamentalrightsenshrinedinArticles7and8of clear andprecisetheextentofinterference rulesgoverning It followsfrom theabovethatDirective 2006/24 doesnotlaydown concluded that: body”. Taking allthesemattersintoaccount,theCourt “prior review carriedoutbyacourtoranindependentadministrative access toorsubsequentuseofthedata;failure toprovide forany prosecution ofseriousoffences; theabsence ofanyprescribed limitson contribute, bytheretention oftheirdata,totheprevention, detectionor serious crime,orinrelation to(ii)personswhocould,forotherreasons, of particularpersonslikelytobeinvolved,inonewayoranother, ina lar timeperiodand/oraparticulargeographicalzonetocircle compulsory dataretention inrelation to(i)data pertainingtoaparticu- priests ormembersofparliament);theabsenceanyrestrictions on protect professional doctors,lawyers, confidentiality(e.g.,ofjournalists, the lackofdefinitionsuchcrimes;absenceanyexceptionsto might havealink,evenanindirect orremote one,withseriouscrime”; whom there isnoevidencecapableofsuggestingthattheirconduct of fightingagainstseriouscrime”;itsapplication“eventopersonsfor entiation, limitationorexceptionbeingmadeinthelightofobjective electronic communication“inageneralisedmanner...without anydiffer entire European population”;thecoveringofallpersonsandmeans “entail[ing] aninterference withthefundamentalrightsofpractically application ofthedataretention dutytoallmannersofcommunications, In thelatterrespect, theCourttookintoaccountarangeofissues: tive were disproportionate tothelegitimateaimofpreventing crime. cessed byofficials); and(ii)thattherequirements imposedbythedirec- there wasonlyaninterference ifandwhenthedatawere actuallyac- tiality ofcommunicationstheend-users(somestateshadarguedthat in itselfconstitutedaninterference withtherighttoprivacyandconfiden- ruling. TheCJEUheld:(i)thatthemere compulsoryretention ofthedata in totoandabinitio.

- ance withrespect forumtodate. tosurveillancein anyinternational security. Thisconstitutesthemost precise andspecificlegal guid- proportionate tothelegitimateaimsofcrimeprevention ornational provide for“effective judicialprotection”, cannotbenecessaryor accesseventometadata,andlegislationthat does notgoverning tions; andlegislationthat“does notlaydownclearandprecise rules” “essence” oftherighttoprivacy andconfidentialityofcommunica- access tothecontentofcommunications“compromises” thevery legislation allowingstateauthorities“generic”andindiscriminate In otherwords, interms oftheEUCharterFundamentalRights, of law. (paras.93–95,references omitted) compliance withprovisions ofEUlawisinherent intheexistenceofrule article. Theveryexistenceofeffective judicialreview designedtoensure remedy before atribunalincompliancewiththeconditionslaiddownthat the lawofEuropean Unionare violatedtohave therighttoaneffective the Charterrequires everyonewhoserightsandfreedoms guaranteedby enshrined inArticle47oftheCharter. Thefirst paragraphofArticle47 the essenceoffundamentalrighttoeffective judicialprotection, as him, ortoobtaintherectification orerasure ofsuch data,doesnotrespect pursue legalremedies inorder tohaveaccess personaldatarelating to Likewise, legislationnotproviding foranypossibilityanindividualto for privatelife,asguaranteedbyArticle7oftheCharter. regarded ascompromising theessenceoffundamentalrighttorespect a generalisedbasistothecontentofelectronic communicationsmustbe In particular, legislationpermittingthepublicauthorities tohaveaccesson access tothatdataanditsuseentail. restricted andcapableofjustifyingtheinterference whichboth and ofitssubsequentuse,forpurposeswhichare specific,strictly mine thelimitsofaccesspublicauthoritiestodata, without anobjectivecriterionbeinglaiddownbywhichtodeter or exceptionbeingmadeinthelightofobjectivepursuedand Union totheUnitedStateswithoutanydifferentiation, limitation all thepersonswhosedatahasbeentransferred from theEuropean thorises, onageneralisedbasis,storageofallthepersonaldata Legislation isnotlimitedtowhatstrictlynecessarywhere itau- was thattheCourtreiterated itsrulingintheDataRetentioncase: For thepresent purposes,themostimportantaspectofjudgment “adequate” protection fordatatransferstotheUSAwasinvalid. Commission decisionholdingthatthe“SafeHarbor”Agreement ensured to theCJEUforapreliminary ruling.TheLuxembourgCourtruledthatthe Just asinthedataretention case,theIrishHighCourtreferred thecase mission haddeclared toprovide “adequatesafeguards” forsuchtransfers. Agreement concludedbetweentheEUandUSA,whichCom- the transfersofdatahadtakenplaceunderso-called“SafeHarbor” Agency (NSA).TheIrishDPChadrefused toinvestigate,ongrounds that indiscriminately accessedbyUSauthoritiesincludingtheNationalSecurity pany FacebooktoaserverintheUSAwhere, heargued,thedatacouldbe com- complaint hehadlodgedaboutthetransferofhisdatabyInternet the IrishDataProtection Commissioner(DPC)hadrefused toinvestigatea An EUcitizen,MaximilianSchrems, complainedtotheIrishHighCourtthat The “SafeHarbor”Judgment 18 - 23 I BOUNDARIES OF LAW 24 I BOUNDARIES OF LAW in thewiderdigitalworld. andCommissioner forHumanRights onTheruleoflawtheInternet The samegoesforanissuepaperreleased bytheCouncil ofEurope (para. 51). guards, aswellon their role inproviding effective remedies. human rights,includingduediligenceandriskmanagement safe- would assistbusinessentitiesinmeetingtheirresponsibility torespect impartial oversight;andonremedial measures. Furtheranalysisalso to surveillancepractices;onmeasures foreffective, independentand on theprinciplesofnecessity, proportionality andlegitimacyinrelation further practicalguidance,groundedhumanrightslaw, ininternational missioner forHumanRightsalsoechoedtheabove,bycallingfor: specific astheEuropean ones. or takenituponthemselves,toadoptrulingsviewsonsurveillanceas humanrightsbodieshavenotyetbeencalledupon,Other international humanrightsbodies ofotherinternational Views rule onwhetherthissameapproach isalsofollowedbythatcourt. As already noted,theEuropean CourtofHumanRightswillsoonhaveto In herreport onTheRighttoPrivacyintheDigitalAge, in casesofabuse. Ensure thataffected personshaveaccesstoeffective remedies (e) parties; and Refrainfrom imposingmandatoryretention ofdatabythird (d) sight mandateswithaviewtopreventing abuses; and consideringtheestablishmentofstrong andindependentover ment intheauthorizationormonitoringofsurveillancemeasures, ensure itseffectiveness, includingbyproviding forjudicialinvolve- Reformthecurrent oversightsystemofsurveillanceactivitiesto (c) and (iv)provide foreffective safeguards againstabuse; surveillance; procedures fortheuseand storageofdatacollected; who maybeplacedundersurveillance,thelimitondurationof mitted, theprocedures forauthorization, thecategoriesofpersons precise circumstances inwhichanysuchinterference maybe per legitimate aims;(iii)are sufficiently precise andspecifyindetailthe access toanduseofcommunicationsdataare tailored tospecific ly accessible;(ii)containprovisions thatensure thatcollectionof, home, orcorrespondence isauthorizedbylawsthat:(i)are public- Ensure thatanyinterference withtherighttoprivacy, family, (b) communications are underdirect surveillance; regardless ofthenationalityorlocationindividualswhose plies withtheprinciplesoflegality Ensure thatanyinterference withtherighttoprivacycom- (a) [States] should bringtheactivitiesofnational securityandintelligence compulsory retention ofdatabythird parties. principles andineffective. [States]shouldnotresort toitorimpose ly contrarytotheruleoflaw, incompatible withcore data-protection Suspicionless massretention ofcommunications dataisfundamental- USA—and byimplicationanyotherStatePartytotheICCPR—should: aboutthesurveillancerevealedits concern bySnowden,itheldthatthe States ofAmericaclearlyechotheabove.Specifically, havingexpressed Concluding ObservationsontheFourthPeriodicReportofUnited 22 Itconcludes,interalia,that: 19 However, theHumanRightsCommittee’s , proportionality, andnecessity, 21 theUNHighCom- 20 - - inquiry byitsLIBE(CivilLiberties)Committee. the electronic masssurveillance ofEUcitizens”onthebasisanextensive On 29October2015,theEuropean Parliament adoptedaresolution “on shortcomings intheiroversightfunctions. independent andimpartialoversightmechanisms”toinvestigateany tionals”; and“strongly urge[d]parliaments toreview andestablisheffective, tive andinformaldata-sharingagreements withforeign Statesormultina- “[by-passing of]privacyprotections innationallaw...by reliance onsecre- the datacollected,andsafeguards againstabuse”,andactiontoprevent procedures, limitsonthedurationofsurveillance,security andstorageof of communicationssurveillanceandtomonitortheimplementationthose data collection;demanded“strictjudicialprocedures fortheauthorization to ensure this;calledforaprohibition ofextraterritorial oruntargetedbulk portionality, necessityandtheruleoflaw”;urgedreviews ofexistinglaw must bebasedontheprinciplesoflegitimacy, legality, transparency, pro- that the Threat toPrivacyandIndividualFreedoms, which inter aliastressed countries, ofastrongly worded resolution, DemocracyintheDigitalEraand liamentary Union(IPU),whichrepresents parliamentariansfrom 160 This wasfollowed,on21October2015,bytheadoptionInter-Par “intelligence codex”fortheintelligenceservices. lance technologytoauthoritarianregimes; andtheadoptionofamultilateral economic andpoliticalespionage;abanontheexportofadvancedsurveil- regard tothe‘originatorcontrol’ principle,onamutualbasis”;ban services, including“thepowertoreviewco-operationwithout international judicial and/orparliamentarycontrol mechanisms”overtheintelligence cumvent security measures or exploit their existing weaknesses”; “adequate on “thecreation of‘backdoors’oranyothertechniquestoweakencir called forabanonuntargetedsurveillance,calling“strictprohibition” Omtzigt, theParliamentaryAssemblyofCouncilEurope also In April2015,followinganinquiryandreport byitsrapporteur, Pieter Parliamentary Bodies ofInternational Views sions &Recommendations6,20and21) be promoted, inparticularamongsecurityserviceofficers. (Conclu- sight, aculture ofrespect forhumanrightsandtheruleoflawshould national securityservicesisinplace.Foreffective democraticover [States] shouldalsoensure thateffective democraticoversightover of law. theiractivitiescannot beassumedtoinaccordance withtherule – domestically, extraterritoriallyand/orinco-operationwitheachother – creased transparency ontherulesunderwhichtheseservicesoperate agencies withinanoverarching legalframework.Untilthere isin- ECtHR caselaw on“generalprogrammes ofsurveillance”;stressed that to theCJEU’s Data RetentionDirective judgment anditsconcurrence with EU citizens’trustandtheirfundamental rights”.Itdrew specialattention of “thereported actionsbyintelligenceservicesthat haveseverely affected ities andbulkprocessing ofpersonaldatacitizens”, anditsdenunciation ties andtheEUmemberstates “toprohibit blanketmasssurveillanceactiv- treaty (MLAT), theresolution reiterated Parliament’s callto theUSauthori- Tracking Programme andareview of theEU-USMutualLegalAssistance suspension oftheEU-US“SafeHarbor”Agreement andTerrorist Finance “all legislationinthefieldofsurveillance,privacyandpersonaldata 25 23 26 Inadditiontocallingfor 24 - - -

25 I BOUNDARIES OF LAW 26 I BOUNDARIES OF LAW welcomed bytheabovekindsoffora,includingIPU. organizationsandtheGlobalNetworkInitiative,alsonon-governmental as of HumanRightstoCommunicationsSurveillance(commonlyreferred to lectively expressedPrinciplesontheApplication themintheInternational by The standards setoutontheprevious pagesare alsostrongly supported Organisations Non-governmental ofInternational Views can a‘surveillancearmsrace’beavoided”. that“onlyifcredibleand warned normsare establishedatthegloballevel specific limitationswithregard tocollectionfornationalsecuritypurposes”; Rights, inorder tocreate aglobalframeworkfordataprotection, including CovenantonCivilandPoliticalUN level,inlinewiththeInternational standards/principles“contribute tothedevelopmentofinternational at ough assessmentofnecessityandproportionality”; calledfortheEUto “any decisiontousesurveillancetechnologyshouldbebasedonathor “normal” powers oftheordinary lawenforcement agencies(LEAs) usedin eations here, andinparticularthatone canclearlydistinguishbetween It wouldbewrong toassume,however, thatonecandrawcleardelin- being carriedoutbytheUSA andUKnationalsecurityagencies. surveillance inthekindsofprogrammes exposedby Edward Snowdenas do wecometothemaintopic ofthisreport: broader, “mass” or “bulk” reference totheGermansystembywayofillustration.Onlythen,in2.3.4, to “ordinary” criminalinvestigations bylawenforcement agencies,with describe the“typical”ornormallegalframeworkforinterception inrelation corded totherightconfidentiality ofcommunications.We then,at2.3.3, studied. We first,at2.3.2, brieflylookattheconstitutionalprotections ac- surveillance overdigitalcommunicationsare regulated inthecountries In thissection,welookathowinterception ofcommunicationsandwider 2.3.1 Whatisbeingcompared ments –Acomparativeanalysis 2.3. Nationallegalandpracticalarrange- these increasingly establishedprinciples. fora. Inthenextsection,wewillexaminenationallawsinlightof courts, butwithguidanceandrecommendations from additionalglobal for thisisbecomingclear, inparticularthe case lawoftheEuropean secret) transnationalcooperationarrangements.Thebasiclegalframework tivities ofnationalsecurityagencies,andonovertheir(todate,largely favour oftightrestrictions on,andeffective oversightover, surveillanceac- In sum,there isacleargroundswell ofopinion—judicialand political—in Conclusions separate document. with more technical/legalanalysesunderpinningeachofthemprovided ina fective remedy. Theprinciplesthemselvesbrieflyexpandoneachofthese, cooperation; safeguards againstillegitimateaccess;andarighttoanef- sight; integrityofcommunicationsandsystems;safeguards forinternational independent”; dueprocess; usernotification;transparency; publicover tions tobemadeby“acompetentjudicialauthoritythatisimpartialand necessity; adequacy;proportionality; theneedforsurveillanceauthorisa- ontheconceptsdiscussedearlier:legality;legitimateaim;specifically turn “Necessary andProportionate Principles”),endorsedbymore than400 non-governmental organisationsnon-governmental allovertheworld,whohavecol- 27 Theprinciples - - and/or privatelife. usually inthesamearticleas theonethatguaranteesrespect forthehome protect therighttoconfidentiality ofcommunicationsintheirconstitutions, many, Kenya,Myanmar, Russia,SouthAfrica,Turkey, USA)expressly Ten ofthe14countriessurveyed(Colombia,DRCongo,Egypt, Ger 2.3.2 ConstitutionalProtections andExceptions secret “extralegal”operations. granted intimesofwarorofficial (declared) “national emergencies”and 2.3.6, wewillbrieflylookattheevenwiderpowersthat authoritiesare “terrorism” or“seriousorganisedcrime”.Finallyinsub-sections2.3.5and involved instipulatedmatters(oftenrathervaguely),e.g.,thefightagainst and technologiesare made availabletoanyagency—LEAorNSA—thatis without discriminationbetweenthedifferent agencies.Rather, thepowers other countries,new, specialpowersandtechnologiesare granted be madebetweentheroles andpowersofLEAsthoseNSAs.In tries: insome(likeGermany),arelatively cleardistinctioncontinuesto increased bythefactthattheseoverlapsare different indifferent coun- increasingly overlappingmandatesandshared powers. Thecomplexityis powers byagencies(lawenforcement andnationalsecurityagencies)with As aresult, sub-section2.3.4iscomplex,inthatitcoversoverlapping but inthe security agencies,andindeedbetweentheagenciesthemselves. between themandatesgiventolawenforcement agenciesandnational ly inrelation toterrorism, andbecause,withthat,soare thedistinctions law and“threats tonationalsecurity”are increasingly blurred, particular This ambiguityisbecausethedistinctionsbetween“ordinary” criminal gence” onthreats tonationalsecurity, outsidetimesofwar. to nationalsecurityagencies(NSAs),foruseinthegatheringof“intelli- “normal” criminalinvestigationsandseparate,specialpowers,grantedonly forcement agencies. security. TheUSFederalBureau ofInvestigation (FBI)isaprimeexample ing hybrids,withthedualroles offightingcrimeandprotecting national property). Indeed,insomecountries,theagenciesthemselvesare becom- online childabuse(andthisisevenslippingintoprotection ofintellectual tackling relevant “special”crimes:from terrorism andseriouscybercrime to “intelligence”/national securityagenciesare increasingly assignedarole in of perpetratorscrimesthathavebeencommitted.Atthesametime, threats ratherthanongatheringevidenceforapprehension andprosecution i.e., theyare increasingly focussingonobtaining“intelligence”future focussed onprevention ratherthanexpostfactoapprehension ofcriminals, the lawenforcement agenciesare becomingincreasingly pro-active and in relation tocriticalnationalinfrastructure). Inrelation tosuchmatters, ty” are increasingly regarded asmattersofnationalsecurity(inparticular criminal activitiesandmoneylaundering.“Cybercrime” and“cybersecuri- other formsofserious,organised,transnationalcrime,includingonline rorism”, whichisitselfanill-definedterm,ininseparablyentangledwith case intheother countries. not “non-derogable” intimesofemergency, butthatis generallyalsothe One (SouthAfrica)specificallyclarifiesinitsconstitution thattherightis legal limitationsisinherent intheconstitutionallegal systemofthecountry. right canbelimitedbylawor bycourtorder; orthis possibilityofimposing UK, too,GCHQisworkingincreasingly closelywiththelawen- 32 Butallcountriesalsoeither expressly clarifythatthe 31 28 29 “Ter - - 30 - 27 I BOUNDARIES OF LAW 28 I BOUNDARIES OF LAW extend to“non-USpersons”. nationals andlawfulUSresidents (so-called“USpersons”)anddoesnot tection alsoofcommunications.However, thisprotection islimitedtoUS “unreasonable search” butisquiteextensivelyinterpreted asproviding pro- The FourthAmendmenttotheConstitutionofUSAprotects against the judiciarythere isreluctant tobetooactiveinthatrespect). (Pakistan) oreventhe“righttolifeandpersonalliberty”(India–although stan, therightcanberead intootherrightssuchas“privacyofthehome” similarly givesdomesticlegaleffect totheECHR.AndinIndiaandPaki- constitution, theserightsare protected undertheHumanRightsAct,which on HumanRightsindomesticlaw. IntheUK,where there isnowritten Communications, andthrough theapplicationofEuropean Convention other rightsthrough theCivilCodeandonMailElectronic communications—but therightisgivenessentiallyequalprotection with which doesnotcontainarighttoprivacyorprivatelifeconfidentialityof the Constitutioncross-refers tothe1789DeclarationofHumanRights not necessarilyrequire anexpress constitutionalguarantee.InFrance, Strong legalprotection ofconfidentialitycommunications,however, does investigations andpre-trial criminalinvestigations terrorism ornationalsecurity)isprovided forunderthenormallawonpolice agencies inthecourseofordinary criminalinvestigations(i.e.,notrelated to nication interception (“lawfulintercept”) bythenormal lawenforcement In mostdevelopedlegalsystemsundertheruleoflaw Thenormalcriminalprocedure system a. 2.3.3 Targeted lawfulintercepts bylawenforcement agencies lated quitestrictly. • The StPOfurthermor • • if thefollowingconditionsare met: “monitored andrecorded” withouttheknowledgeofpersonconcerned tration, theGermanStPOstipulatesthattelecommunicationsmayonlybe Pénal, CPP, andtheStrafprozeßordnung orStPO).To usethelatterasillus- German CriminalProcedure Codes(respectively, theCodedeProcedure This normallystrictregulation iswellreflected in thetypicalFrench and Illustration b. normal rules. where weshallseethattheyoftendepartmuchmore seriouslyfrom the We willlookatthelawsapplyingtonon-“normal”cases2.3.4,below, approaches totheserules,alsoinGermany. that eveninnormalcases,there are certainexceptions andcontradictory “normal” ruleswithreference toGermany.However, wealsonote,atc), whom itmaybe assumed,onthebasisofspecific facts,thattheyac- be issuedagainst thesuspectoragainstother persons“withregard to unachievable. (§100a(1)StPO) by othermeanswouldbeconsiderably mor the establishingoffactsor ofthelocationsuspect the specificactisalsoseriousincase;and pr serious criminalof specific factsjustifythesuspicionthatsomeoneisinvolved i eparation ofsuchanoffence bycriminalmeans; 35 Below, wewillprovide anillustrationofsuch“typical”, e stipulatesthattheLawfulIntercept Order mayonly fence (aslistedin§100a(2)StPO)orthe 33 e difficult or 34 ; andintercepts regu- , “normal”commu- n a also intheformer French andGerman colonies. directly inspired codesandlawsnot onlyinmostofContinentalEurope but ples containedintheGerman CriminalProcedure Code—andthesecodes The tutes “bestpractice”inthisfield. rights andremedies, and transparency andaccountability. Itclearlyconsti- gality, necessityandproportionality, aswellthoserequiring dueprocess, This ”typical”or“normal”systemreflects thefundamentalprinciplesofle- transparency (intheformofabove-mentionedstatistics). monitoring orrecording ofparticularlyintimateinformation);andgeneral ex ante,andpostfactoonlywhenclearlynecessary); limitations(no “specific” facts);intermsofprocess (judicialauthorisation,inprinciple directly linked to a case under investigation, as demonstrated by objective ing interception andmonitoring tospecifiedseriouscasesandpersons humanrightsrequirementsand international intermsofsubstance(limit- is agoodexampleoflegalarrangementsclearlymeetingtheconstitutional The Germanframeworkforordinary, non-terrorist/national securitycases includes bothformalillegalityanddisproportionality). as erasure ofrecorded information)ifthemeasures were unlawful(which challenge thelegalityofmeasures andobtaincompensation(aswell ing whenithasended(unlessthisendangersoverridinginterest), andcan Individuals mustfurthermore beinformedoftheinterception andmonitor • • • prosecutor, exceptinurgentcaseswhentheprosecutor tercept Order mayonlybeissuedbyacourtattherequest ofthepublic In addition,there are crucialprocedural safeguards. Thus,aLawfulIn- obtaining anddeletionofthedata(§100a(4)StPO). must beimmediatelyerased,withaformalnotemadeinthefileabout private life”.Ifsuchhighlyintimateinformationisaccidentallycollected,it the collectionof“informationaboutessence[thesurveilledperson’s] Moreover, anintercept isnotallowedifitlikelythatwillonlyresult in the suspect,orthatsuspectusestheirconnection.”(§100a(3)StPO). cept orpassonmessagesbehalfofthesuspectwhichcomefrom annually, whichtheMinistrymustpublishonits website: ties responsible mustprovide thefollowingdetails totheMinistryofJustice interception (§100b(4) StPO).Finally, thestate(Land-)andfederalauthori- longer met;andthecourtmustthenbeinformedaboutresults ofthe interception mustcease assoononeoftheconditionslistedaboveisno nications LawandtheTelecommunications Interception Regulation.The for thiscooperationare determinedinaccordance withtheTelecommu- the implementationoforder (§100b(3)StPO).Thetechnicaldetails Telecommunication serviceproviders (TSPs)are required tocooperatewith on thesameconditionsasbefore (§100b(1)and(2)StPO). monitored. Itcanbevalidfornomore thanthree months,butisrenewable days. Theorder mustbeinwriting,withdetailsaboutthedevicesto der, butinthatcasetheorder mustbeconfirmedbythecourtwithinthree the crimeunderinvestigation,inr to landline,mobile,orInter original or the numberofsuchor the numberofcriminalcasesinwhichLawfulInter French CriminalProcedure Code(Art.100)reflects- thesameprinci ders orcontinuationorders; andastowhethertheyrelated ders issued,withdetailastowhethertheywere net communications;and elation towhichtheorders were issued. cept Orders were issued; 36 37 mayissuetheor - - 29 I BOUNDARIES OF LAW 30 I BOUNDARIES OF LAW metadata canoftenbea“proxy forcontent”. the firstChiefTechnologist attheUSFederalTrade Commission,putit, more revealing than—thecontentsofcommunications. AsEdward Felten, interception in“normal”criminalinvestigation. Many commonlawcountriesnowalsorequire judicialwarrantsforlawful in practice. tent” asanother, inspiteofthefactthatthisdistinctionisdifficult tomake primarily between“traffic data“or“metadata”asonecategory, and “con- Many othercountriescreate lessgradedlevelsofaccess,distinguishing range ofauthorities(§111TKG). can beobtainedondemandinrelation toevenminoroffences byawide identification” dataandotherlimited(notamountingtofull“metadata”) munications. Thus,eveninGermanywithitsstrong basicstructure, “line their application.Inparticular, theyrelate toaccessthecontentsofcom- these regards, thestrong principlesillustratedaboveare oftenlimitedin Secondly, eveninthecountriesthatwere originallystandard-setting in by apolitician,theHomeSecretary. apparently beingdrafted. Finally, intheUKintercept warrantsare issued work isuncleartosaytheleast,althoughregulations onlawfulintercept are require judicialauthorityforinterception. InMyanmar,thecurrent frame- go, India,KenyaandTurkey aswellthelawissweepinganddoesnot authorities, withouttheneedforjudicialwarrantsororders. IntheDRCon- (PTRA) whichgivessweepingpowersofinterception toawiderangeof Order, butinthePakistanTelecommunication (Re-Organisation)Act1996 tions isregulated, notintheCriminalProcedure Codeorthe2002Police ordered bytheprocurator (fiscal).InPakistan,interception- ofcommunica in thisreport. Thus,theColombianCPCallowsforinterception tobe First ofall,ajudicialorder isnotrequired inallthecountriessurveyed ExceptionsandContraryApproaches c. practice aswellapproaches thatunderminetheaboveprinciple. However, there are anumberofimportantexceptionstosuchlegislative countries asRussiaandSouthAfrica. and subjecttoacourtorder, iscontainedalsointhelawsofsuchdiverse communication) shouldbeallowedonlyincertainrelatively seriouscases, The principlethat“normal”lawfulintercepts (atleastofthecontent bility oftheFourthAmendmentto“non-USpersons”). Fourth AmendmenttotheConstitution(ifoneleavesasidenon-applica- the strong protection ofcommunicationsnowadaysprovided underthe procurator orajudge.IntheUK,eveninterception ofcontentcommu - Egypt, accesstoboth metadataandcontentcan be ordered byeither a a courtorder, whileinterception ofthecontentcommunicationdoes. In be ordered byajudge. InRussiatoo,accesstometadatadoes notrequire in acriminalinvestigation),while accesstocommunicationcontentmust a judge(more specifically, theinvestigative judge[juged’instruction]acting In than contentparsing. ysis andaggregation of metadataisoftensignificantlyeasiertoaccomplish as theend-result maybequitedifferent. sioner”, butonlyinamarginalway. Itistooearly toassessthisproposal, report wasbeingwritten,suggeststheinvolvementofa“judicialcommis- France, accesstometadatacanbe authorised byeitheraprocurator or 41 Andthat“metadata”canbeasrevealing as—andsometimes 39 Anewdraftlaw, introduced whilethis 40 42 38 Inaddition,automaticanal- IntheUSA,thisflowsfrom as well),onessentially thesamebasis. national security byeitherLEAsorNSAs(and sometimesotherauthorities access” (astheCJEUcalled it) canbeexercised inrelation toterrorism or disentangled. Inalmostallthe countriessurveyed,thepowersof“generic ment agenciesandthoseofthe nationalsecurityagenciescannolongerbe and theprotection of“nationalsecurity”,thepowers ofthelawenforce- One ofourmainfindingsisthat, inrelation tothefight against“terrorism” Which agenciesare granted genericaccesspowers? what conditions. outside timesofwarandemergency, inthecountriessurveyed,andunder This sub-sectionlooksatwhethersuch“genericaccess” is legallyallowed, probably ofsimilarprotections inotherhumanrightstreaties. tion, inviolationoftheEUCharterFundamentalRightand hencealso communications, it“compromises theessence”ofrighttodataprotec- no longeranydoubtthatwhenthisgenericaccessrelates tothecontentof amount towhatitcalls“genericaccess”(asdefinedabove).There isalso Snowden amountto“masssurveillance”.ButtheCourtruledthattheydo national securityagencies(inparticular, the NSA andGCHQ)revealed by The access tothatdataanditsuseentail. restricted andcapableofjustifyingtheinterference whichboth and ofitssubsequentuse,forpurposeswhichare specific,strictly mine thelimitsofaccesspublicauthoritiestodata, without anobjectivecriterionbeinglaiddownbywhichtodeter or exceptionbeingmadeinthelightofobjectivepursuedand [Access authorisedbyalaw]withoutanydifferentiation, limitation the CJEUdefineditinSchrems case: nication data–bethatmetadataorcontentona“generic”basis,or, as In thissub-section,wewillanalysethelawsallowingforaccesstocommu- What isgenericaccess? 2.3.4 Untargeted GenericAccess(“MassSurveillance”) discuss theseemergencypowersand“extralegal”practices. and disturbingdepartures from thetraditionallystrictrules.We willbriefly interception ofcommunicationsapparently outsideofthelaw–inclear strictions. Andfinally, there havebeenrevelations aboutextensivemass Moreover, inofficial (declared) emergencies,there are evenfewerre- national securityagenciesbutalsotolawenforcement agencies. “national security”matters,butthespecialpowersare extendednotonlyto ing legalrules.Typically, thesespecialcasesrelate toterrorism orother now oftengrantedin“special”casesunderseparate,new, lessdemand- broad, “genericaccess”tocommunicationdata(metadataandcontent)is having compliant,ruleoflawframeworksfor“normal”lawfulinterception) Furthermore, inmanycountries(includingtheonesmentionedaboveas scribers automaticallyprovide toaTSPor(M)NOeverytimetheyplacecall. longer qualityforprivacyprotection—such asthephonenumbersthatsub- doctrine: thedatahavebeen“voluntarily”disclosedtothird partiesandno metadata isgenerallyunregulated asaresult oftheso-called“third party” by awiderangeofpublicbodies.IntheUS,accessauthoritiesto does notrequire one.Infact,accesstometadatacanbe“self-authorised” nication doesnotrequire ajudicialwarrant,interception ofmetadataalso USA andtheUKbothstrenuously denythattheactionsoftheir 43 - 31 I BOUNDARIES OF LAW 32 I BOUNDARIES OF LAW nomic information“ofinterest” tothestate. on [apparently anykind of]foreign-based political organisations,andeco- threats tothestatebut also gatheringinformationonorganisedcrime,or very widelydefinedtoincludenotjustcounteringterrorism andothermajor national securityagenciesserve“foreign intelligence”purposeswhichare Federal IntelligenceandSurveillanceAct[FISA]Amendment Act),the Thus, underUSlaw(inparticular, 50U.S.C.§1881a,introduced bythe carry themout. cies, whichare thengranted“special”powersofgenericinterception to these lattertargetsare addedtothetasksoflawenforcement agen- of thestate;orislefttodiscretion oftheauthorities(Egypt).Inothers, fight againstorganisedcrime,ortheprotection oftheeconomicinterests many countriestheconceptof“nationalsecurity”includes,forexample, from theincreasingly broad mandatesoftherelevant agencies.Thus,in conventional lawenforcement are increasingly blurred. Inpart,thisstems The linesbetween“nationalsecurity”and“anti-terrorism” activitiesand National SecurityandTerrorism not inrelation communications. to“domestic”or“internal” communications,butit isallowedinrelationor“international” to“external” security” and“terrorism” threats. Andsecondly, atleastinsomecountries, access”. Firstofall,ittendstobeallowedforinvestigation“national Our studyindicatesthattwomattersare crucialinrelation to“generic cess canbeauthorised The purposesandtypesofcommunicationforwhichgenericac- transparency, orlackofit,inrelation totheuseofpowers. individuals affected bytheexercise ofthepowers.Finally, wediscussthe ers, andtheexistence(ifany)effectiveness ofavailableremedies for We discusstheoversightregimes (ifany)overtheuseofrelevant pow - the useoffacility. or the(M)NOs,indeedwiththempossiblybeingunaware oftheextent cies candirectly accessthedata,withoutfurtherinvolvementofTSPs in of“backdoors”intotheirsystems,through whichthesurveillanceagen- In particular, weexaminewhetherthisincludesadutytoallowthebuilding NOs]) complywithcertain“technicalrequirements” tofacilitatetheaccess. vice Providers [TSPs]and/orthe[Mobileorother]NetworkProviders [(M) assist intheobtainingofinformation(i.e.,Telecommunication Ser low, aswelltherelated powertodemandthattheentityisasked authorisations are theysubject.We willlookattherelevant conditionsbe- powers of“genericaccess”;howare thosepurposesdefined;andtowhat ers, butrather, forwhatpurposescananagency(anLEAorNSA)use The mainissueisnotsomuchaboutwhichagenciescanusethesepow- retain “flexibility”.Inthewords oftheCourtAppeal,itisa“protean concept”, In theUK,authoritiesactuallyrefuse todefine“nationalsecurity”soas in similarlysweeping termsinPresidential Decree No.24of10January 2000. President has setoutthe“NationalSecurity ConceptoftheRussianFederation” “national security”coverstheprotection ofany“national interest”. TheRussian discretion oftheauthorities;andinKenya,Constitutionitselfstipulates that In ways inwhichthesecurityof thenationmaybestbepromoted’. “designed toencompassthemany, variedand(itmaybe)unpredictable Egypt, notdissimilarlybutmore bluntly, national securityisdefinedatthe 44

- 45

human rights, the 1789French Itisreflectedconcerned. inthenameof “grandmother”documentof a country’s domesticconstitution are grantedtothecitizens ofthestate fundamental rightsare “citizens’rights”–i.e.,thatthe rightslaiddownin The constitutionaljustification forthedistinctionliesinideathat as animportantdistinction,for constitutionalandhistoricalreasons. communications.However,(“international”) inothercountriesthisisseen (i.e.,national domestic)communicationsortoexternalaccess istointernal the abovekindsofwidelydefinedpurposes,irrespective ofwhetherthe powers toauthorisegenericaccesscommunicationsdata inrelation to In mostofthecountriessurveyed,relevant authoritiesare givenwide Communications (or“International”) and“External” “Internal” law byexecutivesandintelligencecommunitiesintheEU. allows forarbitrarinessandabusesoffundamentalrights andtheruleof Member Statestoensure legalcertainty;...thelackofacleardefinition a commondefinitionof‘nationalsecurity’isneededfortheEUandits Understandably, theEuropean Parliamenthastakentheviewthat: security” intermsoftheJohannesburgPrinciples. are grantedinrelation tomatterswellbeyondwhat iscovered by“national etc. InSouthAfricaandTurkey, aswell,widepowersofgenericaccess state and“majoreconomic,industrial,scientificinterests” ofthestate, ism butalso,interalia,insupportof“majorforeign policyinterests” ofthe the purposesnotjustofdefendingnationorprevention ofterror communicationsdatafor i.e., “external”) generic accessto(“international”, CommunicationssimilarlyallowsforLaw onSurveillanceoverInternational to broadly definedpurposesandoffences. And the recent, specialFrench cess undertheTelecom Re-organisationAct(PTRA)canbeusedinrelation it issimply“inthepublicinterest”. InPakistan,too,powersofgenericac- security oftheStateorrulelawisadverselyaffected, butalsowhen For example,Myanmarlawallowsgenericinterception notonlywhenthe relation tosuchbroadly definedmatters. many other“special”powers)tolawenforcement andsecurityagenciesin their scope,andgrantgenericaccesstocommunicationsdata(aswellas “anti-terrorist” lawsthattendtoincludemanysuchbroader activitieswithin for whichthepowerscanbeused.Thisiscaseinparticularspecial rather thanbeingbrought withintheconcept,are addedtothepurposes butthegenericaccesslawsare stillsweeping,becausetheotheraims, – In othercountries,theconceptofnationalsecuritymaybemore limited violent overthrow ofthegovernment. as amilitarythreat,source, oraninternal suchasincitementto the useorthreat offorce, whetherfrom source, anexternal such against theuseorthreat offorce, or[of]itscapacitytorespond to [The protection of]acountry’s existenceoritsterritorialintegrity that theconceptshouldbelimitedto: Special Rapporteursandotherglobalregional fora,whichstipulates burg Principles,developedbytheNGO“Article19”andendorsedUN Such sweepingdefinitionsofnationalsecuritycontravenetheJohannes- prevention ofincitementtocommit[apparently any]offences”. (older) IndianTelegraph ActandIndianTelegraph Rulessoastoinclude“the In India, “nationalsecurity”isdefinedintheInformation Technology Actandthe Declaration of the RightsofManand 46 47 -

33 I BOUNDARIES OF LAW 34 I BOUNDARIES OF LAW provenance becomesirrelevant. The differential legaltreatment of“exter communications. Whentheseare“external” shared andcombined, their One participatingcountry’s communicationsare “internal” othercountries’ light oftheexistenceintelligence sharingpracticesamongcountries. distinctionalsoloses muchofitsmeaningintheThe “internal”/“external” are,be “international” infact, betweenpeopleintheirowncountry. makes nosense,andmanycommunicationsthatare technicallydeemedto cations are therefore essentiallydisingenuous:inpractice,thedistinction by restricting communi- theiragencies tothemonitoringof“international” are Statesthatpretend “international”. tolimittheirsurveillanceoperations global digitalcommunicationsenvironment, effectively allcommunications structure, includingterrestrial andunderseahigh-speedcables.Inthewider ple inonecountryare still likelytotravelthroughinfra- theglobalInternet communications (e.g.,textsor“chats”VoIP calls,etc.)between twopeo- Thus,Internetglobalised communications,inparticularovertheInternet. distinctionmakeslittlesenseintheeraofIn fact,the“internal”/“external” than ashavingapurely geographicalmeaning). are affected (rather bytheactions(orinactions)ofstateconcerned “jurisdiction”—which mustberead asmeaning,toeveryonewhoserights shrined initmustbegrantedbyeachstateto“everyone”withinthestate’s Universal DeclarationofHumanRightsin1946,thebasichumanrightsen- an oddity. Rather, sincetheendofWorld War IIandtheadoptionofUN sons. However, intherest oftheworldthisisnowadaysanexception,even the FirstandFourthAmendmentrights–are notextendedtonon-USper is theUSA:underUSlaw, manyofthecore constitutionalrights–including The countryinrelation towhichthisismostpertinentinthepresent context rights setoutintheDeclarationare nowextendedto“everyone”. thinking,inFrancetodaythemainCitizen, althoughinlinewithmodern re-unification—do stilloftenappeartoretain suchdistinctions. occupying powers—bothbefore anduponregaining fullsovereignty after ent contradictiontothis,thetreaties Germanyconcludedwiththeformer basic righttoprivacyoftelecommunicationsanyone.However, inappar law. Most constitutionallawscholarsagree thattheconstitutiongrants ligence Servicesmakesuchadistinction,withlittlebasisforitindomestic (UK-domestic)communications. AndinGermany,too,theIntel- “internal” tions, where itwouldnotbelegaltoauthorisesuchaccessinrelation to communica- can equallybeauthorisedtosuch“external”/“international” an authorisationissuedbythePrimeMinister. IntheUK,genericaccess communications” (metadataandcontent)onthebasisofto “international tional CommunicationSurveillanceMeasures thatallowsforgenericaccess - For instance,France,on1October2015,adoptedanewLawInterna communications. a muchlessstrictbasisthanappliestoaccessdomesticorinternal munications, andindeedforgenericaccesstosuchcommunications,on com- laws thatallowfortheinterception or“international” of“external” than theUSA(includingtraditionallystandard-setting ones)there are This historicalcontexthelpstoexplainwhyinanumberofcountriesother war, itisaslegitimatetospyontheenemyshootathim. activities ofthesecret intelligenceagenciesrelated totimesofwar;andin There isalsoafurtherhistoricalexplanation,whichthattraditionallythe 48 49 - - - access to the Internet andglobalcommunications infrastructure).access totheInternet cies, especiallyinrecent years(eveniftheyperhapsdonothaveasmuch But othercountrieshavegivensimilarlysweepingpowertotheiragen- to thosecommunications. andothercommunicationsdata,i.e.,for“genericaccess”of globalInternet the underseacablesenteringthesecountries,whichcarrylargeproportions used bytheUSA now know, thankstoSnowden,thatthesepowerswere—and stillare— or content),whereas warrantsissuedunders.8(1)donot.We “internal” under RIPA s.8(4)(a)allowforinterception ofbulk ormassdata(metadata Regulation ofInvestigatoryPowersACT(RIPA), warrantsissued “external” This appliestobothmetadataandcontent.Similarly, intheUK,under nationals andlawfulresidents (“USpersons”)are notspecificallytargeted. tions from ortoanothercountry, provided thatthecommunicationsofUS targeted judicialwarrant,any“foreign” communications,i.e.,communica- are giveneffectively unlimitedpowertointercept inbulk,withoutaproper FISA AmendmentAct,thenationalsecurityagencies(includingNSA) In theUSA,underForeign IntelligenceSurveillanceAct[FISA]andthe schemes ofauthorisationforgenericaccesstocommunicationdata. Taking theaboveintoaccount,wemaydistinguishfollowingbroad Formal Requirements place ofresidence. of theprohibition ofdiscrimination,interaliaonthebasisnationalityor in fundamentalbreach oftheprincipleuniversalityhumanrightsand persons” and“foreigners” –whichiseffectively whatthisamountsto–is But mostimportantly, thedistinctioninprotection between“national ers’” communications. that theircommunicationsenjoyhigherprotection compared to“foreign- assurance toonecountry’s citizensandotherpersonswithinitsterritory communicationsthusservesaslittlemorenal” and“internal” thanafalse more traffic thanwhatamountsto20% oftheircapacity, so“hooveringup”up cablesonlyrarelycable-based telephone communications.But Internet carry rule” mayhave amounted toaneffective wiretapping restriction foranalogue rules, ineffect allowingunrestricted genericaccess.Forexample,the“20% agency, theBND, hadgivenexcessivelybroad, “creative” interpretations tothe into theSnowdenrevelations, itwasrevealed thatthemainnationalsecurity special “G10”Commission.However, intheparliamentarycommitteeofinquiry “key words” usedinthe filteringofthebulkdatamustbeapproved bya interception” mustbeaimed atterrorism andotherseriouscrimes,that restrictions notfoundin othernationallaws,inparticularthatthe“strategic communications”—albeit subjecttosomeof similarlydefined“international capacity), bytheintelligenceservicesinso-called“strategic interception” bulk (aslongasthisdoesnotamounttomore than20%ofthecables’total broader communication surveillance,includingthe“hooveringup”ofdatain In from abroad”, inrelation tocounter-terrorism andotherseriouscrime. al communication”,definedas“communicationsthatare senttoorreceived involvement, theinterception- ofbothmetadataandcontents“internation Prime Minister(orsomeonedelegatedbyhim)toauthorise,withoutjudicial national CommunicationSurveillanceMeasures thatexpressly allowsthe noted earlier, France,on1October2015,adoptedanewLawInter Germany, thewell-known“Article10Law”allowslawfulinterception and and UKto“hooverup”essentiallyalldataflowingthrough 50 51 52 Thus,as - 35 I BOUNDARIES OF LAW 36 I BOUNDARIES OF LAW to contentdata, butincasesrelating to nationalsecuritynosuspicion or police norbythe intelligenceservices.Such anorder isrequired foraccess In adversely affected. “public interest”, andwhenthesecurityofState ortheruleoflawis ception onanumberofvaguely statedgrounds, including whenitisinthe broadcommunications Law2013givesthegovernment powers ofinter warrant cannotberegarded aseffective. InMyanmar,s.77oftheTele- substantive limitations,theprocedural safeguard ofaHighCourtjudge’s tion. Giventhissweepingdefinitionof“nationalsecurity”and absenceof Furthermore, thelawdoes notrequire anykindoftargetingtheintercep - in Article238(1)oftheConstitutionasincluding[any]“national interest”. monitoring toprotect “national security”—but“nationalsecurity”isdefined In es ofactualemergency, butmore broadly inrelation to“nationalsecurity”. tercept ortracecommunications(through thePT Authority),notjustincas- toauthorise “anyperson”toin- 54ofthePTRAallowsGovernment s. arbitrary, “generic”interception ofcommunications.Similarly, inPakistan, would seem,any)[specified]subject.Ineffect, theserulesalsoallowfor relating towholeclassesofmessages;persons;and(it offences”. Theseprovisions grantsweepingpowers toorder interception relations withforeign states”and“toprevent incitementtocommit[any] just whenthere isanactualemergency, butalso“intheinterests offriendly out intheseactsandtheIndianTelegraph Rulesthatcanbeinvoked,not any computer. Furthermore, there are exceptionalemergencypowersset cept ormonitorinformationtransmitted,generated,received, orstored in officialswider powerstoawiderangeofauthorisedgovernment inter the InformationTechnology ActandtheIndianTelegraph Actgranteven powers ofinterception for“ordinary” criminalcases undertheCPC;and In this tothediscretion oftheauthorities. defining“nationalsecurity”; andthuseffectively leavingcerns—without data, bothmetadataandcontent)inrelation to“nationalsecurity”con- to obtaininformation(whichmustbeassumedincludecommunications security agencies(includingboththepoliceandintelligenceservices) Law givesbroad andill-definedpowerstothearmedforces andthe without judicialinvolvement.AndinEgypt,the2003Communications interceptions ofbothmetadataandcontentbytheMinisterInterior, the policeandintelligenceagenciescanbeauthorisedtocarryout potential ofthecountry, ortheprevention ofcrimeandorganisedcrime”, tection oftheessentialelementsscientific,economicandcultural technical means.IntheDRCongo,inrelation to“nationalsecurity, pro- a judicialorder. However, itseemsthatthissafeguard canbeevadedby investigating aspecificcrime.Thisis,unusuallyinthiscontext,subjectto cations forthepurposesofnationalsecurity, evenwhere theyare not under Article17ofLaw16212013,intercept privatetelecommuni- In were notsubjecttotheconstitutionalprotection oftheircommunications. the consensusamongstexpertsinGermanconstitutionallaw)thatforeigners traffic. Intheinquiry, theformerBNDin-houselawyeralsoargued(contraryto to 20%oftheircapacityeffectively results ina“fulltake”ofanygivencable’s Russia, nocourtorder isrequired foraccesstometadata, neitherbythe Kenya, theNationalIntelligenceServicesActallowsinterception and India, asfurtheroutlinedinsection4.6,below, there are already broad Colombia, themilitary, thepoliceandintelligenceservicesmay, 53 - - the law-enforcement authorities’technical ability...to intercept directly tions carriedout withoutproper judicial authorisation.Combined with makes itimpossibleforthe supervising authoritytodiscoverintercep- [Moreover, a]prohibition onloggingorrecording [of] interceptions... vice provider, ortoanyoneelse,isparticularly prone toabuse. them toshowaninterception authorisationtothecommunications ser directly thecommunicationsofeachandeverycitizen withoutrequiring a system...whichenablesthesecret servicesandthepolicetointercept Zakharov judgment: ity systems.AstheEuropean CourtofHumanRightsputitinitsrecent to theirsystems,thisseriouslyunderminesanyoversight and accountabil- TSPs and(M)NOscannotseewhataccesstheauthorities inpracticehave The inclusionofa“handoverinterface”iscoursecrucial, becauseifthe a whole. do nothavedirect oruncontrolled accesstothe operators’networksas be] aformalhandoverinterfacetoensure thatagenciesandauthorities mobile, broadcasttechnologies[stipulatethatthere andinternet should operator’s network[andwhich]are globally applicableacross fixed-line, tion required betweentheagencyorauthoritymonitoring centre andthe Telecommunications Standards Institute(ETSI),whichdefinethesepara- the lawfulinterception technicalstandards set downbytheEuropean mented onthis,pointingoutthat: Vodafone is,asfarwecansee,theonlyprovider thathasfurthercom- specific “lawfulintercepts” andthe“genericaccess”discussedinthissection. TSPs and(M)NOs,whichrequire themtoinstallequipment to“facilitate”both that most,indeedprobably all,countriesimpose“technicalrequirements” on It isclearfrom theoperators’informationprovided through theTIDwebsite Legally imposed“backdoors” cooperation ofproviders door”); andthe“hacking”ofsystemswithoutknowledgeor Technical requirements (includingarequirement toinstalla“back Transport andCommunications. interests”, afterobtaining a(positive)“opinion”onthisfrom theMinistryof data andcontents)forthepurposesofprotecting publicsafetyand“public can alsoorder theinterception ofcommunicationdata(again,bothmeta- Moreover, theInformationandCommunicationTechnology Authority, BTK, security services.Thelawdoesnotdefinewhat“non-delayable”casesare. has beenissuedbyany“agencyauthorisedlaw”,whichincludesthe a courtorder butin“non-delayable”cases,itsuffices ifawrittenorder tion oftherightsandfreedoms ofothers”.In“normal”cases,thisrequires prevention ofcrime,protection ofpublichealthandmorals,protec- contents) canbeordered ongrounds of“nationalsecurity, publicorder, And finally, inTurkey, interception ofcommunications(bothmetadataand content. Whetherthispowerisusedinway, wedonotknow. demand unrestricted accesstocommunicationsdata,bothmetadataand outside ofadeclared emergency. Presumably, thisincludesthepowerto FSB, canalsomore broadly takecontrol ofprivatecommunications,also try’s Counter-Terrorism Law, moreover, thenationalsecurityagency, the leeway todenytheorder (evenifitwere tobesoinclined).Underthecoun- authorities claimanationalsecurityissueisatstake,thecourtgivenlittle evidence ofanyspecificcriminaloffence needstobeshown.Thus,ifthe 56 55 54 - 37 I BOUNDARIES OF LAW 38 I BOUNDARIES OF LAW ance. Theemployees inquestion,moreover, whoare allextensivelyvetted access demands ongrounds otherthan suchobviousformalnon-compli - how anytelecommunications serviceprovider could effectively challenge and Vodafone couldrefuse tocomplywiththeorder. Butwecannot see on arequest form),sheorhecouldreport thistoherorhislinemanager, formal requirements (e.g.,theabsenceofarequired [electronic] signature vetted andselectedemployeeswere tonoteaclearbreach ofrelevant proportionality. Presumably, allthismeansisthatifanyofthespecially purpose ofanaccessrequest, itisdifficult toseehowitcanassessits given that(asitacknowledgesinthesamesentence)cannot knowthe not compliantwithlegaldueprocess orseemdisproportionate”. However, Vodafone claimsthatit“can–anddo[es]challengedemands thatare within theircompanies. law enforcement assistance technicalcapabilitieshavebeenestablished reveal [NB:eventotheir ownlinemanagersoremployer]thatspecific national security. Additionally, insome countries,theycannoteven mise anactivecriminalinvestigationorunderminemeasures toprotect demand hasbeenreceived atall,asdoingsocouldpotentiallycompro- line managementoranyothercolleagues,norcantheyreveal thata are notpermittedtodiscussanyaspectofademandreceived withtheir ty-cleared toahighlevelandare boundbylaw toabsolutesecrecy. They to process demandsreceived. Thoseemployeesare usuallysecuri- employees are taskedwithliaisingagenciesandauthoritiesinorder In eachofouroperatingcompaniesaround theworld,asmallnumberof said toberetained byVodafone (oranyTSP).AsVodafone explains: We alsohavedoubtsastothesupposedly“fulloperationalcontrol” thatis provider’s systemsbythesecurityagencies. are installedthatallowunmonitored—and unmonitorable—access tothe standards are clearlynotcompliedwith,anddirect-access “backdoors” thorities toconformETSItechnicalstandards”, insomecountriesthose Thus, althoughVodafone “continuouslyencourage[s]agenciesandau- own direct link. already havepermanentaccesstocustomercommunicationsviatheir for lawfulinterception accessastherelevant agenciesandauthorities tor. Inthosecountries,Vodafone willnotreceive anyformofdemand operational control overlawfulinterception onthepartofopera- have direct accesstoanoperator’s network,bypassinganyformof countries thelawdictatesthatspecificagenciesandauthoritiesmust ceipt ofanagencyorauthoritydemand.However, inasmallnumberof technical infrastructure usedtoenablelawfulinterception uponre- In mostcountries,Vodafone maintainsfulloperationalcontrol overthe In anycase,Vodafone addsthatinpractice: ous) search commands,there isnocheckonthis. stipulates thatonlytheserviceproviders shouldusethespecified(numer enforcement andnationalsecurityagencies,becausealthoughtheprotocol for effectively allowingindiscriminate(“comprehensive”) surveillancebylaw However, asfarback2001,theETSIstandards were severely criticised ineffective. rangements incapableofdetectingunlawfulinterceptions andtherefore all communications,[suchaprohibition] renders anysupervisionar - - Google, FacebookandApple operating direct (generic)accesstothesystemsofUSTSPsand(M)NOsglobally We knowthat,underitsPRISMprogramme, theUSNSAhasdemanded the Vodafone LawEnforcement Disclosure Report2014suggests. would appearthattheimpositionof“backdoors”ismore widespread than what exactuseismadeofthe“backdoors”.However, from oursample, it or allthecontentsdatawithoutTSPsand(M)NOsbeingabletosee to gaindirect accesstoallthedatainthesesystems,ormetadata systems, andifsowhetherthe“backdoor”canbeusedbyauthorities include arequirement tobuildina“backdoor”intotheTSPs’and(M)NOs’ it isnotalwaysclearwhetherthe“technicalrequirements” inacountrycan From theinformationavailableon14countriesincludedinoursurvey, employer, theTSP. intheirloyaltiesbetweenthesecurityagenciesandformalto betorn by thesecurityagenciesandoftenhadearlierlinkswiththem,are likely of 2012);and certain officials, rather confusinglyreferred toas“judicial equipment tofacilitate interception and monitoring(underDecree 1704 In the But itwouldappearthatthese practicesare farfrom limitedtotheUKand ways similartotheUS’s NSA. surprising ifinthisregard theUK’s GCHQwasnotusingsuchdevicesin oversee this.InthelightofSnowdenrevelations, wefeelitwouldbe doors” intometadatacanbelimitedtosuchdata–orwho canreally difficult toseehowthe reported restriction ofthenow-revealed “back communications, evenifthishasnotbeen“avowed”.Itis, inanycase, to order evenwider“back doors”,providing direct accesstocontent of utterly unfettered power toorder anything,s.94canclearlyalsobeused power, buthadbeenbarred from revealing itintheirreports. Giventhe sight bodyovertheintelligenceservices)hadbeentoldof thisuseofthe and Parliament’s IntelligenceandSecurityCommittee(theofficial over of thelegislation,DavidAndersonQC. bulk accesstocommunications(i.e.,metadata),bytheofficial reviewer urged to“avow”(i.e.,ownupto)theuseofpowergaindirect, recently afterithadbeen beenconfirmedformallybythegovernment, veillance programmes revealed byEdward Snowden,butthishasonly It waslongsuspectedthatthispowerusedinrelation tothesur public electronic communicationsnetworkstodo,ornotanything. thepowertoissue“directions”This givesthegovernment toproviders of broadest ofallprovisions iss.94oftheTelecommunications Act1984. unknown whetherthisisdoneundertheseinstruments.However, the Act, canallberead asallowingtheimpositionof“backdoors”,butitis Powers Act(RIPA), andindeedRIPA Part IIIandtheIntelligenceServices In theUK,a2002Order issuedundertheRegulationofInvestigatory cessible toandaccessedbytheUSNSA. States, ofthefactthattheirdataare thusdirectly andindiscriminatelyac- protection authoritiesintherelevant countries,including theEUMember their customers(thedatasubjects)anywhere intheworld,orevendata placed undera“gaggingorder”, legallypreventing themfrom informing Colombia, too,TSPsand(M)NOsmay berequired toinstalltechnical USA. Internet ServiceProvidersUS Internet andsocialnetworks,including 58 —withthecompaniesinquestionbeing 59 Andersonrevealed thatbothhe 57 - - 39 I BOUNDARIES OF LAW 40 I BOUNDARIES OF LAW police” provide reliable statisticsonsuchsecret practices. doors” are imposedandsubjecttosecrecy, but by definitionwecannot In ourview, itislikelythatinmanyof thecountriessurveyed,such“back all ofthesesituations,theTSPs canbeprevented from reporting onthis. mand thatTSPsinstall“back doors”intotheirsystems.Andinmost,ifnot there are lawsorrules thatcanberead asallowing theauthoritiestode- In sum:itwouldappearthatinthevastmajorityofcountries surveyed, which, again,amountstomandatory“backdoors”. on TSPsand(M)NOsthatincludetechnicalrequirements forinterception doors”. AndinTurkey, theICTAuthority, BTK,canimposeconditions ment ontheserviceproviders, includingallowingtheinstallationof“back In can beusedforsurveillance. will havededicatedserversandextensivedata-miningcapabilities that data-service networks.According totheHindunewspaper, thesystem rectly, usingexistinginterception systemsthatare builtintotelecomand tion from [telecommunicationscompanies].They’llbeabletogetitdi- with theCMS,securityagencieswon’t needtorequest users’informa- the reports: users.”Accordingmillion telecomsubscribersand120internet to ambitious program thatwilllet[theauthorities]monitoranyoneofits900 System” (CMS)wouldbeestablishedbytheendofthatyear, aspartof“an In 2013,itwasreported intheIndianpress that a“CentralisedMonitoring of theISPmustbeavailableinreal timetothegovernment. the packetsoriginatingfrom theCustomerPremises Equipment(“CPE”) required tomaintaineveryoutward login.Thelogsandthecopiesofall all connectedusersandtheservicethattheyare using.TheISPisalso Clause 34.8oftheISPLicense,requires eachISPtomaintainalogof India, according totheTIDinformation: and withwhichtheymustcomplyonpenaltyoflosingthelicense.Thus,in es thatTSPsand(M)NOsmustobtaininorder toprovide theirservices, Elsewhere, mandatoryaccessarrangementsare imposedunderthelicens- citizens whoare speakingoutagainstthegovernment. aswell accounts andidentifypotentialdissidents,activists,journalists capacity tocarryoutsurveillanceofsocialmediausers,accesstheir reportedhasthetechnologicalInternational thattheEgyptiangovernment or (M)NOsbeingabletocheckhowthisaccessisused.Moreover, Privacy demand accesstotheTSPs’and(M)NOs’infrastructure, withouttheTSPs installation of“backdoors”.Similarly, inEgypt,themilitaryauthoritiescan ship betweentheTSPsand(M)NOsIntelligenceServicesrequire the In “back doors”. the lawiscomplexbutsaidtonotallowformandatoryinstallationof must beassumedtheauthoritiescanalsodemandthis.InSouthAfrica, allowing direct access.IntheDRCongo,lawissosweepingthatit In likely thatthese“connectionandaccesspoints”amounttoa“backdoor”. a judicialintercept order (ConstitutionalCourtDecisionC-594).Itseems dated “connectionandaccesspoints”forthepurposeofgivingeffect to Russia, the“RulesonCooperation”thatsetouttermsofrelation- Myanmar too,therelevant licenses mayimposeeffectively anyrequire- Kenya andPakistan,thelawalsorequires theinstallationofdevices 60 mayaccesstheTSPs’and(M)NOs’networksviaofficially man- 62 61 and there are somereports thatmaysuggestthis. it wouldbesurprisingiftheyhavenotatleastbeentryingtoacquire them, Russia andChina,havedevelopedsimilartechnologiesisunknown,but law isonlysubject to“advice”from various bodies,ratherthanreal over In nature notindependentordetachedfrom thesystem. or bodiesthatare partoftheexecutivebranch,but theseare bytheirvery Myanmar neric access”,notevenonpaper. Atmost,insomeofthesecountries(like independent oversightovertheuseofabove-mentioned powersof“ge- Egypt, Myanmar, Pakistan,RussiaandTurkey), there iseffectively no The TIDinformationshowsthatinsixofthecountriesstudied (DRCongo, Oversight to report suchdatabreaches. come intoforce in2017), companiesoperatingintheEUwouldberequired Data Protection Regulation(duetobeadoptedbytheendof2015and incentive todisclosure. However, inthefuture, underthenewEUGeneral dermine thetrustthattheircustomershaveinthem,which isaseriousdis- revelation ofsuchsecuritybreaches (ifdiscovered expostfacto)wouldun- and (M)NOsotherstodetect,thusreport on.Moreover, any Such “hacked”accessis,byitsverynature, almostimpossibleforTSPs and Facebook. communicationservices, includingHotmail,Google,Yahoo,of Internet nologies havealsobeenusedtotryandaccessencrypteddatastreams involvement ofthe“hacked”companies.Thesehighlyadvancedtech- have developed“hacking”techniquestocreate “backdoors”withoutany UK. AsSnowdenrevealed in2013,theUK’sUS’s GCHQandthe NSA surveillance programmes exposedbyEdward Snowden, theUSA,and moot whenitcomestothecountriesmostdeeplyinvolvedinglobal such deviceshaveinfactbeenimposedonthem,hasbecomesomewhat TSPs and(M)NOstoinstall“backdoors”,and/orwhethertheinstallationof In away, thequestionofwhetherabovelaws canberead asrequiring The “hacking”ofsystems overseas territories). to orfrom orthrough theirterritories(including,inthecaseofFrance,its directly andelectronic intothemainInternet communicationcablesrunning been exposedthatsuggesttheIntelligenceServicesinanycasedotap NOs. Inanycase,intheselasttwocountriessurveillanceprogrammes have direct accesswithouttheknowledgeorinvolvementofTSPsand(M) ETSI standards thatinspired them.Ifso,thiswouldinpracticeleadto cations intheserulessuffer from thesameallegeddefectas“mother” Directive issuedunderit.We cannotjudgewhetherthetechnicalspecifi- tions, theTelecommunications Interception Ordinance, andtheTechnical technical andorganizationalstandards are containedinpublishedregula- terception. Thedetailedrequirements andspecifications,includingrequired many, theTSPsand(M)NOsmustalso“assist”inimplementationof- over theresponses tothose“requests” from theauthorities.AndinGer data, whichsuggeststhatthere issomecontrol bytheTSPsand(M)NOs plement relevantprocesses” internal to“respond torequests foraccess”to on MailandElectronic Communicationsrequires TSPsand(M)NOsto“im- The lawsandrulesinothercountriesare lessclear. InFrance,theCode France, theuseof genericaccesspowersprovided forintherecent and Russia),there are oversightsystemsbyofficials internal 63 Whetherothertechnologicallyadvancedstates,suchas 64 - - 41 I BOUNDARIES OF LAW 42 I BOUNDARIES OF LAW under theagreement. non-EU citizenswhosedatamightbetransferred from theEUtoUSA imum requirements. Italsofallsshortintermsofremedies, especiallyfor the parties), whichwashailedasleadingtojudicialredress forEUpersonsin changes betweentheEUandUSA(initialledbutnotyetsignedby Agreement” fordataprotection inrelation tolawenforcement dataex- system ledtomajortensionsbetweentheUSAandEU.An“Umbrella Indeed, theabsenceofanyreal remedies for“non-US persons”intheUS more illusory”. persons”) are weakandineffective, for“non-USpersons” theyare “even Moreover, ifremedies forUSnationalsandforeigners livingin the USA(“US never functionedeffectively. fairly besaidthatthiscriticalelementoftheoverallregime has [had] beensofrequently andsystematicallyviolatedthatitcan always obtained, andifitisvalid(e.g., sufficiently precise) isunder of contents communications, oversightover whethersuchanorder is although inColombiathelawrequires a judicialorder forinterception of oversight,theseare stilloftenunderminedorbypassed. Forinstance, Even incountriesthatappear onpapertohavehalfwaydecentsystems to “external” communications. to “external” stem ortemperindiscriminatesurveillanceand“genericaccess”inrelation because ofinherent defects,inneithercountrydidthesystemsserveto andnationalNGOshaveshown,UK. Asdetailedanalysesbyinternational to whichtheSnowdenrevelations related mostdirectly: theUSAand proved tobeineffective. Thisis,inparticular, thecaseintwocountries In othercountriesstudied,oversightsystemsare inplacebuttheyhave and destroy itsownfilesaftersixmonths. of highofficials, butbylawthecommitteemustmaintain“utmostsecrecy” sight. InIndia,there isoversightonlybya“review committee”madeup it imposedonthegovernment’s telephonemetadataprogramme: non-compliance withthelaw. FISCitselffoundthattheprivacysafeguards has torely ontheintelligenceagenciesthemselvestoreport andcorrect transparency aboutitsproceedings anddecisions.” Moreover, iteffectively oversight theFISCexercises isseverely hampered byaneartotallackof As theleadingUSNGOsthatanalysedsystemputit: lance activities,includingthoseauthorisedunderExecutiveOrder 12333. Court, orFISC,hasnojurisdictionovermanyofthemostimportantsurveil- The situationintheUSAisnobetter. TheForeign IntelligenceSurveillance none soughttorestrain them. flagged themasssurveillanceprogrammes untilSnowdenrevealed them; ited powersanditsprocesses are nontransparent. Noneoftheaboveeven deletions bythePrimeMinister. TheInvestigatoryPowersTribunal haslim- the PrimeMinister, anditsreports are moreover subjecttoredactions and of theparliamentaryoversightcommittee,ISC,are alsoappointedby ers are notindependentandreport tothePrimeMinister. Themembers under thelawofUSA,as itquitegenerallyis. agencies. There are noremedies againstthisdatasharingifthatisallowed enforcement agenciesfrom beingshared withtotheUSnationalsecurity prevent datatransferred byEU-basedlawenforcement agenciestoUSlaw , in fact falls far short of international andEU-constitutionalmin- USA, infactfallsfarshortofinternational 68 69 Specifically, theUmbrella Agreement wouldnot 65 IntheUK,variousoversightcommission- 70 66 “Whatlittle 67 - particular subsidiary rules or internal guidanceand interpretationsparticular subsidiary rulesorinternal ofthose tional security”. Thissuggeststhatcertainrules relating tosurveillance, in in theOrdinance, inparticularrelation towidelydefinedmattersof“na- makes suchaccesssubjectto thebroad exceptions toaccess,contained constitute informationinthe hands ofpublicauthorities).However, this follows thatinprinciplealllegal rulesshouldbeaccessible(becausethey information refers totheFreedom ofInformationOrdinance, from which it if so,whatthose“otherlaws”mightbe.Inrelation toPakistan,theTID to whetherthisexceptionactuallyappliesinrelation tosurveillance,and the case“unlessanotherlawstatesotherwise”.There isnoinformationas In surveillance apparently being allowedtobekeptsecret inthree countries. draw forouranalysishasspecificinformationonlegalrules relating to appear tobeaswidespread inreality. TheTIDinformationonwhichwe rules relating tosurveillance wouldbepubliclyaccessible,thisdoesnot Although onewouldtherefore assumethatinallcountriesthelawsand required “foreseeability”. cret andinwaysthatare notobviousfrom thetextitself,lawlacks what theymeanandhowwillbeapplied.Ifare interpreted inse- fora. Thisalsoappliestointerpretations ofthoserules,sincetheyclarify as interpretedandregional bytheinternational humanrightscourtsand publicly accessible.Thisrequirement flowsfrom theveryconceptof“law” rules thatinanywayinterfere withorlimitfundamentalrights—shouldbe The ruleoflawimplicitlyrequires thatalllegalrules—and certainlyalllegal Transparency aboutthelaw and second,transparency abouttheuseofthosepowersinpractice. surveillance, inparticular“genericaccess”;ency abouttherulesthatgovern In thissub-section,wediscusstwoaspectsoftransparency: first,transpar Transparency gence agencies,ofwhichtheG10Commissionwasapparently unaware. place, onthebasisof“creative” interpretations of thelawbyintelli- prevented secret andapparently indiscriminateinterception from taking obtained through “strategicinterception”. However, thisoversighthasnot in thechoiceof“keywords” or“selectors”usedinthefilteringofdata Commission”, thatinvolvesmembersofParliamentandhasadirect say In lected, “designated”(e.g.,retired) judges, - is underminedbythefactthatitcanbegivenspecial,government-se cumvented. InSouthAfrica,too,therequirement ofjudicialauthorisation system isweakanditsuspectedthatthesesafeguards are widelycir nominally haspowersofoversightoversurveillance.However, thelegal authorisations forinterception andthere isaparliamentarycommitteethat surveillance outsideofthelaw. Similarly, inKenya,thelawrequires judicial cions inthisregard are heightenedbyreports ofapparently widespread such “backdoors”isbytheirnature oftenimpossibletomonitor. Suspi- installation of“backdoors”intotheTSPs’and(M)NOs’systems:use tem, butalso,bythefactthatauthoritiescanapparently demandthe mined notonlybythewell-knowngeneraldeficienciesinjudicialsys- which were notprevented bytheserequirements. required forauthorisations.There havealsobeenreports ofseriousabuses, Colombia, alllawsmustbepublished,butthereport addsthatthisis Germany there is,inprinciple,someseriousoversightbythe“G10 74 71 andbythelowthreshold 72 - 73 - 43 I BOUNDARIES OF LAW 44 I BOUNDARIES OF LAW mass surveillanceprogrammes. And wenowknowthatthishasalsohappenedinrelation totheNSA’s on thestrength ofitsConstitution, thoseprinciplesare ignored attimes. than 10outofthe14countriesconcerned: laws andinterpretations are publiclyaccessibleinrelation tonofewer The TIDinformationdoesnotprovide anyinformationastowhetherthe if theydidpublishthem. they are required tooperate,inpracticetheyfeelmightbevulnerable nothing inlawtoprevent operatorsfrom publishingtherulesunderwhich these laws.Itseemstobeimpliedthatalthoughonthefaceofitthere is regulation toprohibit theoperatorsfrom publishinginformationrelating to not legallyregarded asconfidentialandeventhoughthere isnospecific laws andregulations towhichtheyare subject,eventhoughtheselawsare be construedsowidelyastoprevent theagenciesfrom evenpublishingthe network operator’s network,anditissuggestedthatthisprohibition could secret intelligenceagenciestoconductinvestigationsbyusingdatafrom a tactical ororganisationalactionstakenmethodsusedbythecountry’s information prohibit TSPsand(M)NOsfrom revealing informationaboutany rules, canbekeptsecret. InRussia,thelawsoncommunicationsand ruled thatthis was contrarytotheHuman Rights Act,followingwhich pletely secret untilFebruary2015,when theInvestigatoryPowers Tribunal its datasharingarrangements, inparticularwiththeUSA)were keptcom- activities underbroadly phrasedstatutoryprovisions (andthosegoverning Similarly, thecountry’s inthe UK,thedetailedrulesgoverning surveillance treatment, cogens norm(peremptorylaw)prohibiting principleofinternational such “torture memos”onwhichtheUSArelied tosystematicallyviolatetheius publicly accessibleandforeseeable. Sincetherevelations aboutthesecret partures from theprinciplethatalllegalrulesandinterpretations shouldbe models fortheruleoflaw, suchastheUSA,there- havebeenworryingde Furthermore, eveninthecountriesthatpubliclyholdthemselvesoutas rules fromlegaldatabase). anInternet of theECHRinthisregard sincetheapplicanthad beenabletounearththe detailed rulesoninterception inRussia(althoughitdidnotfindaviolation that there wasa“lackofgenerallyaccessibleofficial publication”ofthe In Zakharov, theEuropean CourtofHumanRightsfoundit“regrettable” cret rulesorguidelinesinterpretations inIndia, SouthAfricaandTurkey. and Myanmar;italsoquiteprobably thecasethatthere are suchse- and interviews,thisislikelytobethecaseinDRCongo,Egypt,Kenya kept secret, and/orsubjecttoarbitraryapplication.Basedonourresearch guidanceonandinterpretationsments andinternal oftheprimaryrulesare perhaps notwholeprimarylaws,thenatleastsubsidiaryrulesandinstru- the ruleoflawingeneral.Insuchcases,itmaybeassumedthat,although In someofthosecountriesthere areaboutadherence seriousconcerns to Germany, India,Kenya,Myanmar, SouthAfrica,Turkey andtheUK. lawful untilthesecret rulingswere revealed afterlitigation. (and eventheoriginalsponsorsofPATRIOT act)hadassumedtobe on “USpersons”,contrarytowhatmostexpertsUSconstitutional law which allowtheNSAtocollectmassiveamountsofcommunications data and “tangiblethings”intheinfamoussection215ofUSA PATRIOT Act, expansive, secret interpretations oftheterms“relevant”, “businessrecords” 77 we have learned thatevenincountry, wehavelearned whichpridesitself 78 Themostnotoriousexampleofthisisthe 76 75

DR Congo,Egypt,France, 79 operators involved inTIDhavenotreleased statisticsonRussia.However, lawful intercepts and“genericaccess”. Itmaybebecauseofthisthat the or methodsusedby, theintelligenceservices,includingbothtargeted disclose anyinformationabout anytacticalororganisationalactionstaken, Network Operatorsandso-called “Pure”ServiceProviders Internet maynot Communications andArticle 10.1 oftheLawonInformationstipulatethat In regarding interception ofbothcommunicationscontentsandmetadata. are barred from publishinginformation,includingaggregated statistics, alsoconfirmsthattelecommunicationscompaniesinPakistanInternational of courseoccasionallysomeinformationmaycomeoutin court).Privacy including thepublishingofaggregate data,issimplyforbidden(although more straightforward: disclosure ofallinformationaboutinterceptions, powers havebeensoused.InPakistan,thesituationisifanythingeven from theabsenceofsuch aggregate dataintheTIDinformationthat say whethertheservicesactuallyusedthispower, butitcouldbeassumed gence Servicestoprevent thepublicationofaggregate data.”Itdoesnot Article 33ofLaw1621-2013“allowstheIntelligenceandCounter-Intelli- regardincluding aggregate information.With toColombia,TIDnotesthat use oflawfulintercept andbroader “genericaccess” surveillancepowers, expressly forbidstherelease, byTSPsand(M)NOs, ofinformationonthe In fourcountries,Colombia,Pakistan,SouthAfricaandtheUK,law Transparency AboutPractice mechanisms. practice underminespublicconfidenceinthejudicialoversight courts usingsecret interpretations ofthe applicablerules,asthis the extensiveuseofsecret lawsandregulations, appliedbysecret uncertain terms: dressing itsownmemberstateswhenitunambiguouslycondemned,inno The ParliamentaryAssemblyoftheCouncilEurope wasclearlyad- Germany –andtheBNDappearstohavebeenactingonthatbasis. of confidentialitycommunicationsdidnotapplytoforeign peopleoutside amongst constitutionallawyers,hearguedthattheprotection had untilthenbeassumedtounlawful.Indeed,contraryaconsensus ing tappingintotheglobalcommunicationsystems,inwaysthatlawyers ative” interpretations ofthelawtocarryoutsurveillanceoperations,includ- intelligence service,theBND,hasrevealed thattheagencyrelied on“cre- As already noted,inGermany,too,theformerin-houselawyerformain late thedetailofrelevant surveillance(ArticleL.854-1). a provision whichallowsforsecret decrees bytheConseild’Étattoregu- The recent French surveillancelaw, adoptedon1October2015,contains of HumanRights. national andnineotherhumanrightsorganisationsintheEuropean Court remain secret. Thissecrecy iscurrently beingchallengedbyPrivacyInter most ofthedetailedrulesissuedunder, andinterpretations of,thelaw some small,selectiveportionsofthepolicieswere madepublic.However, that subject tosuchsecret interpretations, andthusstretched inthesameways communications”couldbeout that,forinstance,theterm“international criticised byhumanrightsgroups, lawyersandmagistrates,whopointed Russia, asfurtherdiscussedinsection 4.10,Article64oftheLawon UK lawhadsecretly beenstretched. 83 80 82 81 Thishasbeen 84 - 45 I BOUNDARIES OF LAW 46 I BOUNDARIES OF LAW regard intheothernineoutof14countriesincluded inthesurvey: The TIDinformationdoesnotincludeonthesituationinthis ulation ofInvestigatoryPowersAct. In theUK,release ofsuchinformationisprohibited under s. 19oftheReg- ble toverifywhethersuchaccesshadoccurred withoutwarrants. cations (contentandmetadata)bymeansof“backdoors”,itwasimpossi- ly prohibited thekeepingoflogsorrecords on“direct access”tocommuni- As already noted,however, theCourtalsoheldthat,sincelawexpress- doubled between2009and2013.85 the factthatnumberofinterception authorisationshadalmost under theOSAA(99%).Theapplicantdrew theCourt’s attentionto CCrP (93%)and416,045outof420,242interception requests lodged lowed 178,149outof189,741interception requests lodgedunderthe out of376,368requests undertheOSAA(99%).In2013courtsal- of 163,469interception requests undertheCCrP(95%)and372,744 329,415 requests undertheOSAA.In2012theygranted156,751out of 144,762interception requests undertheCCrPand326,105outof requests undertheOSAA.In2011courtsallowed140,047out interception requests undertheCCrPand276,682outof284,137 tivities Act](99%).In2010thecourtsallowed136,953outof140,372 out of246,228requests undertheOSAA[theOperational-Search Ac- requests undertheCCrP[CodeofCriminalProcedure] and245,645 tistics thatin2009Russiancourtsgranted130,083outof132,821 for theperiodfrom 2009to2013.Itcouldbeseenfrom thosesta- The applicantalsoproduced official statisticsbytheSupreme Court European CourtofHumanRightsasfollows: of warrantsissued.Theseare quotedintheZakharov judgmentofthe the ConstitutionalCourtapparently doesrelease statisticsonthenumber data”; there isnoexplanation ofthis). in theothercountrysectionsisheaded“communicationdata”, not“historical nication systemsofdevices,i.e.,certainmetadata(thecorresponding entries “historical data”,whichmaymeandataonthehistoryofuses oftelecommu- instances ofsomerelevant useofinterception powers, butthisisreferred toas country informationthatduringOctober-December 2014there hadbeennine regardWith toMyanmar , there istheratherodddatuminaTelenor report with in TID.ThismayalsobethecaseIndiaandTurkey . is likelytobetheresult ofthishavingbeenmadecleartotheTSPsinvolved the UK.We mayagainassumethatinDRCongo,EgyptandKenyathis Congo, Egypt,France,Germany, India,Kenya,Myanmar, Turkey and on theonesreleased bytheauthorities. in TIDdonotprovide theirownstatistics onthesecountries,orcomment on theuseoftheirsurveillance powers.Regrettably, theoperatorsinvolved do provide some(albeitratherlimited,censored, anddisputed)information regardWith toFrance,GermanyandtheUK , theauthoritiesthemselves the relevant data,eventhoughthere isnolawprohibiting it. the relevant powers,orthat thecompanyiseffectivelyprevented from publishing that inpractice,eithertheTSPsand(M)NOsdonotknowwhat useismadeof relating totheuseofpowers describedabove”, that “There isnolawinMyanmar preventing thepublicationofaggregate data “Lawful interception”. Although arelated Telenor report onthelegalissuessays 87 There isnoentryunderthe heading 89 88 itwouldtherefore appear 86

DR DR examined, including 10,208,525emails.The report saysthatthisdid not previous year (2010),some10,213,329 communicationshadbeen further context. Ofthesecommunications, 327,557were emails. However, inthe year. In2011,329,628 communicationswere furtherexaminedinthis gen nach§5G10);and1660 suchkeywords inthe secondhalfofthat the righttoconfidentialityof communications, StrategischeBeschränkun- lance” ormore precisely “strategiclimitations”on[read: interferences with] of informationaccessedunderwhattheGermanscall“strategic surveil- “key search words” forthefilteringofgenericallyaccessedinformation(i.e., first halfyearof2011,theG10Commissionauthorised useof1450 According tothesame report, inrelation terrorism”, to“international inthe individuals ineachperiod(includingbothprimaryandsecondary targets). tion islessthan100ineachhalfyear, andaffected between800and 900 authorisations issuedtotheintelligenceservicesfortargeted intercep- G10 CommissionReport,from March 2013,indicatesthatthenumberof of theusethesepowersbyintelligenceservices.The mostrecent Commission” thatsupervisestheintelligenceservicespublishesdetails of lawfulintercept powersinrelation tocriminalinvestigations. The“G10 In volumes ofmetadatathuscollectedare deletedfrom thepublishedreport. ceive suchdatafrom their“overseaspartners”,includingtheUS’s NSA.The tercept inbulk(withoutinvolvingtheserviceproviders); andthattheycanre- extract “communicationsdata”(metadata)from thecommunicationstheyin- metadata collectedbytheagencies,becauseitmakesclearthattheyalso But thereport showsthatthisprobably constitutes onlyafractionofthe GCHQ submitted1,406andSIS672). to CSPs[CommunicationsServiceProviders] (MI5submitted56,918, notices orauthorisationsforCD[CommunicationsData=metadata] …during 2013,the[Intelligence]Agenciessubmittedatotalof58,996 does provide thissnippetofinformation: services ofthewider(“genericaccess”)s.8(4)authorisations–althoughit The report issimilarlyobscure inrelation totheuse,byintelligence providers). these numbers(orrather, thecorresponding numbersforeachofthese As already noted,theUKTSPsand(M)NOsare alsobarred from revealing investigatory capacity. these figures sincetheywouldprovide anindicationoftheAgencies’ GCHQ (***,***andrespectively). However, wecannotpublish We havebeengiventhenumberof8(1)warrantsforMI5,SISand offers anexplanationfortheretraction inthetext: However, thereport refrains from revealing more specificstatisticsand conduct interception underRIPA. ber 2013was1,649.)Theseincludeallninebodiesauthorisedto 2,757. (ThenumberofextantSection8(1)warrantsasat31Decem- The totalnumberofnewSection8(1)warrantsissuedin2013was cording tothemostrecent report bytheIntelligenceServicesCommittee: er thantheintelligenceagencies,includinglawenforcement agencies.Ac- 8(1)ofRIPA, butitislimitedtotheissuingofsuchwarrantsbybodiesoth- s. ber ofwarrantsusedfortargetedinterception warrantsissuedunder Thus, intheUK,informationismadeavailablebyauthoritiesonnum- Germany, theMinistryofJusticeannuallypublishesdetailsuse 91

90 92 93

47 I BOUNDARIES OF LAW 48 I BOUNDARIES OF LAW 2011 or2010. surveillance” to“specificforeign publicbodies”,thisdidnothappenin gence servicestodisclosepersonaldataobtainedasaresult of“strategic The report alsosaysthat althoughtheG10LawallowsGermanintelli- than 2milliondatasets. indefinitely 220 milliontelecommunicationdatasetseachday, andretains about1% However, mediahavereported thatinfacttheBNDalonecollectssome tions were markedasrelevant forintelligencepurposesinthiscontext. communications hadbeenfurtherexamined.In2011,98communica- leading tofurtherexaminationof436communications.In2010,45,655 were authorisedinthefirsthalfof2011,and294secondhalf, traffickingto international (presumably, ofhumanbeings),348keywords and containednorelated statistics. include anydetailsoftheactualprogrammes laterrevealed bySnowden, in theUNHRC’s UniversalPeriodicReviewoftheUSAin2011,didnot CovenantonCivilandPoliticalRights,forreview theInternational cerning States ofAmericatotheUnitedNationsCommitteeonHumanRightsCon- actual programmes andstatistics.TheFourthPeriodicReportoftheUnited ment isextremely reticent aboutwhatitisreally doing,andaboutthe as isavailablehascomefrom theSnowdenrevelations;- theUSGovern the firstandmainpointthatshouldbemadeissuchofficial information Finally, regarding theUSA(whichisnotcovered bytheTIDinformation), sive surveillanceevenbefore thelawwasadopted,clearlyoutsidelaw. use. However, aswithGermany,there havebeenrevelations aboutexten - tions hasonlyjustcomeintoforce, statisticsare notyetavailableonits Given thattheFrench communica- lawonsurveillanceoverinternational today, wedoknowthattheyare there, andifwearchive thedata in thebillions oftelephonecallsflowing through theUnitedStates not knowexactly where theterrorists’ communicationsare hiding ing thefollowingfundamental problem: although investigatorsdo Collecting andarchiving metadataisthusthebest avenueforsolv- bers dialledonatelephone”. “there isnoconstitutionallyprotected interest inmetadata,suchasnum- ACLU inseparatelitigation,expressly confirmedthatinUSlegalthinking, NOFORN” (“NOFORN”indicating“noforeigners”) butlaterobtainedbythe Intelligence SurveillanceCourt,originallymarked“TOPSECRET/NCS/SI/ A classifieddocumentproduced insecret litigationbefore theForeign marked as“relevant forintelligencepurposes”;in2010,ithadbeen29. communications thatwere furtherexaminedin2011,136were ultimately BND practicesresulted inthelargereduction innumbers.Ofthe329,628 claimed thiswasaspikeresulting from “aspamwave”.Anofficial review of communicationswithinGermany,include anyinternal andthattheBND gence purposesin2011;thefigure for2010hadbeen180. to 27,079,533in2010.Ofthese,56were markedasrelevant forintelli- to furtherexaminationof2,544,936communicationsin2011,compared ation were 13,521and13,786for20112010respectively, leading The comparativenumbersof“keyterms”inrelation toweaponsprolifer tions towhichithasaccess: NSA copiesandstores effectively allthemetadataoncommunica- 96 which suggests that its data mountain is growing daily by more 97 This claimalsoappearstobeuntrue. 100 99 Italsoconfirmed,indirectly, thattheUS’s 98 95 Inrelation 94 - more countries(if,asUSNGOsnoted,ifithasnotalready doneso). intendsto expandtheprogram,and thatthegovernment calledMYSTIC,to call madeinoroutofatleasttwoentire countries,includingtheBahamas; collectsandstoresgovernment forthirtydaysarecording ofeverysingle the rest oftheworld;that pursuanttoExecutiveOrder (EO)12333,theUS cations anddatapassingthrough networksthatconnectNorthAmericato inter alia,thatunderitsUPSTREAMprogramme, theNSAcopiescommuni- This isconfirmedbytheinformation“leaked”Snowdenwhichshows, technical limitationsonly, forlatersearching andanalysis. many ofthese“non-US”communicationsasitcanandstores them,within again quotetheNGOs: and atleasttemporarily archived inmassive NSAdatabases. literally and oflitigationbyUSNGOs, it hasbeenconfirmedthatthedataamountsto limitations onthosenumbers. Moreover, asaresult oftheSnowden revelations the statementsbyauthorities, however, thatthere are essentially nolegal numbers ofglobalcommunications thatare affected bythem.Itisimplicitin regarding eitherthe detailsoftheNSAsurveillanceprogrammes, oronthe In conclusion,there islittle official transparency onthepartofUSAofficials cial confirmthis. the world’s population. Recentstatementsfrom aformerU.S.offi - impact thecommunicationsandprivacyofalarge proportion of intelligence purposes.”There islittledoubtthatsuchactivities tion ofsignalstocollectinformationforabroad rangeof“foreign also operatepursuanttoEO12333,whichauthorizes theintercep- new records ofcommunicationsdata.Programs likeMUSCULAR the NSA“selected”andsentbacktoitsheadquarters 181,280,466 tion theNSAwants.BetweenDecember2012andJanuary2013, “buffer,” andsentthrough aseries offiltersto“select”informa- millions ofuseraccounts.Thisdataistemporarilyheldinadigital nal Yahoo andGooglenetworkstocollect data from hundreds of and theUKintelligenceagencyGCHQreportedly tapintointer For example,underaprogram code-namedMUSCULAR,theNSA companiesaroundthe datacentersofmajorInternet world. methods suchastappingintofiberopticcablesthatconnect dress booksandcontactlists)outsidetheUnitedStatesthrough The NSAalsosweepsupcommunicationsdata(e.g.,e-mailad- sons” and“non-USpersons”. indiscriminately collectedasmetadataonthecommunicationsof“USper words, thecontentsofcommunications“non-USpersons”maybeas of informationonthecommunicationsinvolving“non-USpersons”.Inother meaningful restrictions onthecollectionand“archiving” or“settingaside” Neither thePatriotAct,norFISA,FISAAmendmentActplacesany data relating to“billions”ofcommunications. searches andanalysesofthe“archived”/“set aside”fullcopiesofthemeta- The “carefully controlled searches andanalysis”referred toare clearly identify membersofalQaedaanditsaffiliates.” and analysiswillsubstantiallyincrease NSA’s abilitytodetectand metadata archive andsetitasideforcarefully controlled searches tomorrow...As theNSAhasexplained,“[t]heabilitytoaccumulatea now, wewillbeabletouseitinatargeted waytofindtheterrorists trillions ofdatasets billions ofindividualcommunications, collected 103 101 Theinference isthattheNSAcollectsas 104 102 - To To -

49 I BOUNDARIES OF LAW 50 I BOUNDARIES OF LAW statistics, forseveralreasons: practice verydifficult, especiallyforTSPsand(M)NOs,toissuemeaningful Secondly, asVodafone haspointedoutinitstransparency reports, itisin behind theirbacks. ency systems.Thisappliesevenmore clearlyiftheirsystemsare “hacked” course seriouslyunderminesanyoversightandaccountabilityortranspar itored –andunmonitorablebythoseproviders andoperators,thisof obtain direct accesstotheirsystems,andifthisdirect accessisunmon- to installbackdoorsintotheirsystemthrough whichvariousagenciescan with reference totheZakharov judgment,ifTSPsand(M)NOsare forced To theabovecomparativeoverview, wemustaddthree caveats.Firstofall, Three Caveats is currently theleastambiguousandmost meaningfulstatisticwhen seeking It feltthat“disclosure ofthenumber individualwarrantsservedin ayear warrants issued. statistics alsocollateand disclose thisinformationonthebasisof out ofthe29countriescovered inthisreport) thatpublishaggregate ty currently available.Therelatively (9 smallnumberofgovernments most reliable andconsistent measure ofagencyandauthorityactivi- mechanism) issuedtoourlocalbusinessesaswebelieve thisisthe focused onthenumberofwarrants(orbroadly equivalentlegal In its2014report, Vodafone explained thatit: two verydifferent datasetsinthepublicdomain. risk, whereas anotheroperator maytakeadifferent approach, leadingto ries ofdemandinformationonthebasisthatoperator’s appetiteforlegal sure isunclear, someoperatorsmaychoosenottopublishcertaincatego- demand from oneagency. Moreover, incountrieswhere thelawondisclo- operators’ disclosures wouldbearlittleresemblance tothefactofasingle tions ininterpretation explained[later]);andthecumulativenumberofall and disclosethedemanditreceived initsownway(withallofthevaria- the samedemandtofivedifferent operators;each operatorwouldrecord To addtothepotentialforconfusion,anagencyorauthoritymightissue or one. gitimately berecorded anddisclosedaseithermultiple separatedemands, to gainaccessasinglecustomer’s communicationsdata:thiscouldle- own operations....Similarly, multipledifferent legalpowersmaybeinvoked services, devicesorsubscribers(oravaryingmixture ofallfour)fortheir may report thecumulativenumberoftargetedaccounts,communications may report thenumberofindividualdemandsreceived, whereas others to recording andreporting thesamestatisticalinformation.Someoperators Second, different operatorsare likelytohavewidelydiffering approaches Vodafone inthisreport. be unwillingorunabletocommitthekindofdisclosures madeby other localoperatorsinsomeofourcountriesoperationwould ence incompilingthisreport, webelieveitislikelythatanumberof demands issuedtoalloperators:however, basedonourexperi- generating thosedemands.Itisimportanttocapture anddisclose nor willanoperatorunderstandthecontextofinvestigations of agencyandauthoritydemandsacross thecountryasawhole, First, noindividualoperatorcanprovide afullpicture oftheextent 105 106 - and (M)NOs,orindeedtotakeovertheiroperations. extremely broad specialpowerstoimposedutiesor restrictions onTSPs of thecountriessurveyed,insuchexceptionaltimesauthoritieshave powers insuch timesare thesameas underthelawintimesofpeace; In contrast,according totheTIDinformation, inColombia,interception can besuspendedintimesof “nationalemergency”. fundamental rights,including therighttoconfidentialityofcommunications, of communications,couldbe temporarilysuspended.InIndia,too,many wise constitutionallyguaranteed rights,includingtherighttoconfidentiality so-called “EmergencyLaws”(Notstandsgesetze)underwhichsomeother in 1968,againstmuchpopularprotest, theGermanlegislatoradopted powers reserved forthemselves therighttointerveneinsuchcases.But the countryregaining full sovereignty afteritsreunification, theoccupying gesetz) originallydidnotrefer expressly tostatesofemergency. Priorto In (états deguerre etdesiège). to theexecutivebranchormilitaryinformalstatesofwar andsiege their legalsystemfrom theFrench model),extremely broad powersaccrue law isdeclared) andtheUK.InFrance(andinothercountriesthatderive Myanmar, Pakistan,Russia,SouthAfrica,Turkey (especiallyifmartial These powersare essentiallydiscretionary inDRCongo,Egypt,Kenya, war orformalemergency. special powers,andlargelysuspendmanyfundamentalrights,intimesof we maynotebrieflythatinmanycountriestheexecutivepowerscanassert humanrightstreaties).the nation”,asitisputininternational However, officially declared nationalemergency(an“emergency threatening thelifeof anti-terrorism and“nationalsecurity”purposesoutsidetimesofwaror The focusofthisreport isontheuseofbroad surveillance powersfor 2.3.5 SpecialPowersinOfficialEmergencies RIPA couldconceivably different warrant”issuedunders.8(4) devices.IntheUK,asingle“external cations ofseveral,sometimesagreat many, individuals,andtonumerous could coverinterception ofmetadataorcontentsrelating tothecommuni- to ensure publictransparency.” However, itacknowledgedthateachwarrant by theirverynature, completelynontransparent. outside ofanyformaloversightortransparency framework.Theyare thus, law—as manydo—thenthose“extralegal”programmes are ofcoursealso tion isthat,iftheintelligenceagenciesoperateprogrammes outsidethe Our third andfinalcaveattothediscussionontransparency inthissubsec- • • • tics shouldalsocover: statistics ontheuseoftheirinterception powers.We feelthatsuchstatis- We agree shouldalsocompileandrelease thatgovernments meaningful precisely whatisrequired inorder tocarryoutkeyword analysis. warrants, coveringthecommunicationsofmillionsindividuals,maywellbe and (astheexpertJemimaStratford QCadded)suchextremely broad single the BritishIsles’,orallsuchcommunicationscarriedonaparticularcable” Germany, theConstitutionasadoptedin1949(theBasicLawor Grund- the numberofindividualsaf the numberofcommunicationoutletsorcablesaf the numberofwarrantsorauthorisationsissued; 107 “specify‘allcommunicationsenteringandleaving 108 Itisclearfrom theTIDinformationthatinmany 110 fected bythem. 109 fected; and - 51 I BOUNDARIES OF LAW 52 I BOUNDARIES OF LAW tion oradequateoversight. cations, andcommunicationsinfrastructure, withoutjudicialauthorisa- access” nowincreasingly grantedtothesecurityservicescommuni- forcement agencies,onthebasisofajudicialwarrant,and“generic powers oftargetedlawfulinterception ofcommunicationsbylawen- is wellillustratedinthisreport bythecontrastbetween“normal” crime” andactsthreatening “cybersecurity”,and“extremism”. This suchasorganisedcrime to“economicthreats”,of concern, “cyber terrorists, andthenremain there, andare slowlyextendedtootherareas on thestatutebooktocounter“special”threats posedbyserious powers, whichwould“normally”beregarded asunacceptable,are put manent quasi-emergencies”. ofthecreationtional warned byanti-terrorism legislationof“semi-per - legal systems.Thisisnotnew;Asfarbackas1980,AmnestyInterna from the“normal”ruleoflawhaveincreasingly crept intothe“normal” matter isthatinthefightagainstterrorism, specialpowersdeparting focus onspecialpowersinformalemergencies.Rather, theworrying Thus, neitherintheUSAnorothercountriessurveyedshouldwe under ArticleIIoftheConstitutiontoconductforeign intelligence. the powertoissuethatorder underthePresident’s “inherent authority” the bulkinterceptioncommunications”,becausehehad of“international issue ExecutiveOrder 12333which,aswehaveseen,isthemainbasisfor effect. attacks; andthatthisdeclared stateofemergencyformallyremains in war. Suchanemergencywas,infact,declared inresponse tothe“9/11” claim certainexceptionalpowers,otherwiselargelylimitedtotimesof In theUSA,President candeclare a“nationalemergency”andthen access tocommunicationservicesinemergencies. the onlyspecialpowerisofauthoritiestodemandpriority provide information onsomesuchcases. been revealed tryingtobecomprehensive, elsewhere. belowwe Without But unlawfulorquasi-lawful(“extralegal”) surveillanceoperationshavealso law studentandactivistMax Schrems. even more explicitlybytheIrishHighCourt,incase brought byAustrian already beeneffectively confirmedbytheCourtofJusticeEU,and Political RightsandtheEuropean ConventiononHumanRights.Thishas therefore ipsofactoinbreachCovenantonCiviland oftheInternational humanrightslaw.as “law”intermsofinternational Theseprogrammes are sures) inlegalframeworks thatare soopaquethattheycannotberegarded secret (orassecret astheauthoritiescanmanage inthelightofexpo- it isclearthatmuchstillbeingdonebytheNSAandGCHQ thatiskept and thatthesameappliestomuchofUK’s GCHQ’s activities.Indeed, that wouldneverhavebeenrevealed haditnotbeenforhisrevelations; exposed byEdward Snowden,relied onsecret interpretations ofthelaw We havealready notedthatsomeofthecore programmes oftheUSA, that noordinary personcouldhaveforeseen. the absenceoflegalauthority, orundersecret interpretations ofthelaw cannot ignore thefactthatsurveillancealsoappearstobecarriedoutin Although thisreport must focusontheuseoflawfullygrantedpowers,we 2.3.6 Secret “Extralegal”Operations 111

However, thePresident didnotneedtorely onthisdeclarationto 112 Thisremains thedanger:thatspecial - - Pakistani networksispervasive; someofitisalsounlawful.” nications and Provision ofCommunications RelatedInformation Act] Despite theaim ofRICA[theRegulation ofInterception ofCommu - reportedOn SouthAfrica,PrivacyInternational that: and freedom ofexpression.” humanrightsobligationstoprotectto international therightstoprivacy with whatremit andpowers, andhowtheirpoliciespracticesadhere under whatlegalregime [thevariousintelligenceagencies]are operating, On go tothecompanyseekdataoftheircustomers. tomonitorcommunications directlygovernment withouthavingto ities havedirect access toVodafone’s network,whichallowsthe Kenya. Theinference from thisdisclosure isthattheKenyanauthor agency orauthoritydemandsforlawfulinterception assistance”in port, publishedinJune2014,revealed thatithad“notreceived any Vodafone’s transparency report, LawEnforcement Disclosure Re- citizens violated.” thatjudicialprocessesconcerns are beingcircumvented andtheprivacyof requires judicialapproval fortheinterception ofcommunications,“there are regard notedthatalthoughthelawWith toKenya , PrivacyInternational NSA. “Monkeyshoulder” and“Wharpdrive”,inveryclosecooperationwiththeUS’s into” oftheglobalfibre-optic communicationcables,undersuchheadingsas give informationonbroader programmes involving theextensive“tapping thought waslawful,evenwithinthecountry, butalsothatithadrefused to interpretations ofthelawtocarryoutsurveillancebeyondwhatmostlawyers In legalised intherecentSurveillanceLaw. (1October2015)International cooperation. Afterthiswasrevealed, thepractice,insteadofbeinghalted,was annexe tothe2010French/British LancasterHouseAgreement ondefence lance wasbasedonasecret decree of2008,later linkedtoanalsosecret sea globalcommunicationcablesthatlandinFrance.Apparently, thesurveil- the current president hadauthorisedthe“topsecret” tappingintotheunder In practically enforced. for somesurveillanceactivities;however, thisrequirement isnot lance, theTelecommunications Actnonethelessrequires awarrant Whilst theagenciesare givenbroad powers tocarryoutsurveil- which isstillinplacethepost-Mubarak-era”,andreported that: PI commentedaboutEgypt’s “culture ofimpunityforunlawfulsurveillance, is proscribed byColombia’s flawedintelligencelaws. agenciesoutsidetherealmsystems byseveralgovernment ofwhat tious deploymentofmass,automatedcommunicationssurveillance show that[these]recent reforms havebeenunderminedbysurrepti- of surveillancesystems...confidentialdocumentsandtestimonies one ofitssecurityagenciesinlightrevelations abouttheabuse laws, interrogated itstechnicalcapabilities,andevendisbanded hasreformed[Although] theColombiangovernment itssurveillance reportsPrivacy International withregard toColombia that: each day, ofwhichsometwomillionwere retained indefinitely. l’ObsreportedFrance, thejournal inJuly2015thatbothprevious and Germany, itwasreported notonlythattheBNDhadrelied on“creative” , Privacy International notedthatitwasaltogether“unclearMyanmar, PrivacyInternational 116 Thistappingresulted inthecollectionofsome220milliondatasets 118 Italsonotedthat: 120 OfPakistanitsaidthat“Interception across 119 122 113 121 117 114 115 - - 53 I BOUNDARIES OF LAW 54 I BOUNDARIES OF LAW surveillance, blurringthelinesbetweenlegalandextralegalactivities: In have, byandlarge, notyetbeenacteduponbythegovernment. of theSouthAfricanintelligenceagencies.Theserecommendations of recommendations toaddress thelackofcontrol andregulations The MatthewsCommissionreport, released in2008,madeaseries requirements ofRICA. unlawful andunconstitutional,becauseitfailstocomplywiththe lance (includingmassinterception ofcommunications)thatis gathering inSouthAfricafoundthattheNCCcarriesoutsurveil- (known as“MatthewsCommission”)setuptoreview intelligence A MinisterialReviewCommissiononIntelligenceinSouthAfrica without judicialauthorisationsorothersafeguards. nications, includingconversations,emails,textmessagesanddata, how theagencyisabletoconductmassmonitoringoftelecommu- was highlightedbytheMail&Guardian in2013.Thereport noted The capacityoftheNCCtoconductunregulated masssurveillance ders ofSouthAfricaorpassesthrough orendsinSouthAfrica). foreign signals(communicationthatemanatesfrom outsidethebor services inSouthAfrica.Itincludesthecollectionandanalysisof collecting electronic signalsonbehalfofintelligenceandsecurity Centre (NCC),thegovernment’s nationalfacilityforintercepting and This isparticularlysowithregards totheNationalCommunications RICA legalframework,inmannersthatviolatetherighttoprivacy. consistent reports ofstatesurveillancebeingcarriedoutoutsidethe to regulate theinterception ofcommunications,there havebeen lance, regardless ofthelaw. surveillance, orthesecurityagenciesstillcarryoutindiscriminate surveil- countries surveyed,eitherthelaweffectively provided noreal limitationson Overall, therefore, thesadconclusionmustbethatinvastmajorityof In practice,muchthesamecanbesaidofRussia(seesection4.10). phones, andanalyzestore thedata. the authoritytointercept callsoverseas,andbyforeigners andpay the headofagencyordeputyheads,lawgivesintelligence agency the needforacourtorder. Beyondthismeasure, withtheauthorizationof cyber securitypassingviatelecommunicationchannels”withoutspecifying intelligence,nationaldefense,terrorism,crimesandexternal international Furthermore, thenewlawpermitsagencyto“collectdatarelating to unfettered accesstodatawithoutjudicialoversightorreview. damentally underminestherighttoprivacybypermittingagency scope ofretention andaccesstoprivatedata.ThenewMİTlawfun- Turkey’s lawsingeneralfailtoenshrineanyclearlimitationsonthe Turkey, thelawitselfissolaxastoeffectively allowforunrestrained 123 - could havebeenused. can beprohibited –and theabsenceofanysuchdatasuggeststhispower the useofinterception powers (inrelation tobothmetadataandcontent) adequate safeguards.” legal frameworkenablesinterception ofcommunicationstooccurwithout putit,inColombia,“Anoverlybroad,International technically unsound actors.AsPrivacy activistsandgovernment surveillance ofjournalists, lice IntelligenceDirectorate havebeenimplicatedintheunlawfultargeted from theAdministrative Department ofSecuritytotheArmyPo- has notedthatlawenforcementscandals. PrivacyInternational agencies always observedandthere havebeennumerous documentedsurveillance Even thesebroad legalsurveillancepowersdonotmeanthatthelawis lance studiesasa“backdoor”. these connectionandaccesspointsamounttowhatisknowninsurveil- points” (ConstitutionalCourtDecisionC-594of2014).Itseemslikelythat (M)NOs networksviatheseofficially mandated“connectionandaccess tion andmonitoring;variousagenciesmayaccesstheTSPs (M)NOs mayberequired toinstalltechnicalequipment tofacilitateintercep- undermined bythefactthat,underDecree 1704of2012,TSPsand crime. However, thesafeguard ofjudicialauthorisationinthiscontextis poses ofnationalsecurity, evenwhere theyare notinvestigatingaspecific with judicialauthorisation,intercept privatetelecommunicationsforthepur other countries).Themilitary, thepolice,and theintelligenceservicesmay, General(theequivalent ofprocuratorsthe Attorney orpublicprosecutors in judicial authorisation,ontheorder ofofficials from theFiscalia,headedby Code allowsfortargetedlawfulinterception ofcommunicationswithout fidentiality ofcommunications.However, the ColombianCriminalProcedure The 1991ColombianConstitutionguaranteestherighttoprivacyandcon- 4.1 the Cases of Overview 4 Colombia 127 Thepublication,byTSPs,ofaggregate dataon

- 55 I BOUNDARIES OF LAW 56 I BOUNDARIES OF LAW direct accesshastakenplaceunderthevaguepowersthatpresently exist. provisions are notalwaysaconstraintonsurveillance.Itisunclearwhether Due toweakruleoflawandadherence todueprocess intheDRCongo,legal independent oversightovertheuseofabove-mentionedpowers. installation of“backdoors”underitsvagueprovisions. There iseffectively no so sweepingthatitshouldbeassumedtheauthoritiescanalsodemand the MinisterofInterior, withoutjudicialauthorisation.Infact,thelawis of thecountry, ortheprevention ofcrimeandorganisedcrime”,onorder of of theessentialelementsscientific,economicandculturalpotential interceptions ofbothmetadataandcontentfor“nationalsecurity, protection the samelaw, thepoliceandintelligenceagenciescancarryoutuntargeted General.Underauthorisations forsuchLIcanbegrantedbytheAttorney sweeping anddonotrequire judicialauthorisationfortargetedinterception; investigations underthe2002Telecommunications FrameworkLaware confidentiality ofcommunications.However, powersforlawenforcement The 2005ConstitutionoftheDRCongoguaranteesrighttoprivacyand 4.2 and overallthere isstill“aculture of impunityforunlawfulsurveillance.” is obtainedforat leastsomesurveillanceactivities isnotpracticallyenforced; Egypt duringtheArabUprisings in2011.Therequirement thatajudicialwarrant powers were usedtofacilitatetheinfamousdisconnection ofcommunicationsin direct accesstotelecommunicationsprovider infrastructure. Theseemergency are usingtheir“emergency”powerstotakecontrol ofinfrastructure tofacilitate are likelytolookintonationalsecuritycases.Itisunclearwhether governments Moreover, militarytribunals,appointedandoverruledbythedefenceminister, cannot beseentoimpartialandisheavilyinfluencedbypoli tical decisions. previous regimes, hasdeterioratedevenfurther. Theexistingjusticesystem Importantly, adherence toruleoflawinEgypt,whichwasalready poorunder routine withinthecurrent government.” of thesurveillanceandInternet-related‘security’practicesthat havebecome ing executiveapproval. Reports suggesttheunpublishedlawwill“codifymany disclosed inApril2015,wasreported ashavingbeenadoptedbutstillrequir A newCybercrime Law, draftedinsecrecy buttheexistenceofwhichwas are theoretically required butare almostnevermadepublic. sight overtheuseofabove-mentionedpowers,saveforcourtorders that security, thatcanalsobeusedforsurveillance. There isnoindependentover allows fortheprotection ofcyberassets,asparttheeconomyandnational tion of“backdoors”.Additionally, provision 31ofthe2014EgyptianConstitution being abletocheckhowthisaccessisused,thusineffectallowingtheinstalla- the powertoassumeaccessTSPsandMNOsinfrastructure, withouteither “National security”isundefinedinthiscontext.Thesamelawgrantsauthorities in relationunderthe2003CommunicationsLaw. tonationalsecurityconcerns, trol authorityhavebroad andill-definedpowerstoobtain metadataandcontent ther, thearmedforces, police,intelligenceservices,andtheadministrativecon- criminal investigations,witheitheraprosecutor’s orajudge’s authorisation.Fur Code, accesstobothmetadataandcontentcanbeordered aspartofordinary ality, includingthatofcommunications.However, undertheCriminalProcedure The 2014EgyptianConstitutionguaranteestherighttoprivacyandconfidenti- 4.3 Egypt DR Congo 128 129 - - - was legalisedintheOctober2015law. After thiswasrevealed, asjustnoted,thepractice,insteadofbeinghalted, 2010 French-British Lancaster HouseAgreement ondefencecooperation. was basedonasecret decree of2008,laterlinked toasecret annextothe global communicationcablesenteringFrance.Apparently, thesurveillance the current president hadauthorisedthetopsecret tappingofundersea l’ObsreportedThus, thejournal inJuly2015thatboththeprevious and unlawful before itsadoption. adopted specificallytolegalisepracticesretrospectively thatwere clearly lance before thelawwasadopted.Indeed,appearstohavebeen powers, butthere havebeenrevelations aboutextensive illegalsurveil- tations ofthelaw. There are nostatisticsavailableyetontheuseofthese aboutsecret,(Article L.854-1),raisingconcern excessivelybroad interpre- by theConseild’Étattoregulate thedetailofrelevant surveillance 2015 lawfurthermore contains aprovision whichallowsforsecret decrees subject to“advice”from variousbodies,notreal oversight.TheOctober The useofthegenericaccesspowersprovided forintherecent lawisonly means of“backdoors”. data withouttheknowledgeorinvolvementofTSPsand(M)N,i.e.,by practice, thismandatory“assistance”maywellleadtodirect accesstothe (M)NOs overtheresponses tothose“requests” from theauthorities.Butin cess” todata–whichsuggeststhatthere issomecontrol bytheTSPsand “implement relevant processes” internal to“respond torequests forac- Article L.34-1-IIoftheCMECfurthermore requires TSPsand(M)NOsto economic, industrialandscientificinterests” ofthestate. the prevention ofterrorism butalsoinsupportof“majorforeign policyand judicial involvement)forthepurposesnotjustofdefendingnationor communicationsdataontheorder“external”) ofthePrimeMinister(without (i.e.,opted on1October2015,allowsforgenericaccessto“international” The recentCommunications,ad- LawonSurveillanceoverInternational be ordered byajudge. investigation. UnderCMEC,too,accesstocommunicationscontentmust specifically, theinvestigativejudge(juged’instruction)actinginacriminal der theCriminalProcedure Codebyeitheraprosecutor orajudge—more Metadata accessintargetedcriminalinvestigationscanbeauthorisedun- application oftheEuropean ConventiononHumanRightsindomesticlaw. Communications, CMEC),andthrough the(somewhatcomplex)domestic laws (inparticulartheCivilCodeandonMailElectronic dentiality ofcommunications.However, thisrightisprovided forinother In France,there isnospecificconstitutionalrighttoprivacyorconfi- 4.4 F rance 57 I BOUNDARIES OF LAW 58 I BOUNDARIES OF LAW against muchpopular protest, thelegislator adopted“Emergency Laws” reserved for themselvestherighttointervene insuchcases.But 1968, did notrefer expressly tostatesofemergency, astheoccupyingpowers The originalGermanBasicLaw, as adoptedaftertheSecondWorld War, to theparliamentarycommittee ofinquiryintosurveillance. involving extensive“tappinginto” oftheglobalfibre-optic communicationcables revealed thattheagencyrefused togiveinformationonbroader programmes authorities onbothtargetedanduntargeted(“strategic”)surveillance. Itwasalso assumed tobeunlawful.Apparently detailedstatisticaldataare publishedbythe into theglobalcommunicationsystems,inwaysthatlawyers had untilthenbe pretations ofthelawtocarry outsurveillanceoperations,includingthetapping gence service,theBND,hasrevealed thattheagencyrelied on“creative” inter intercept devicesare published,theformerin-house lawyerforthemainintelli- Although allthelawsandeventechnicalregulations ontheinstallationof by parliamentarycommittees,whichare understaffed fortheirtasks. judicial review. Consequentlytheonlyindependentoversightisundertaken communications surveillancebyintelligenceservicesisalsoexemptfrom communication cablesrunningtoorfrom andthrough Germany. Tele- Services inanycasedotapdirectly andelectronic intothemainInternet tion of“backdoors”.Inaddition,ithasbeenrevealed thattheIntelligence the knowledgeorinvolvementofTSPsand(M)NOs,i.e.,toinstalla- of interception, whichinpracticemaywellleadtodirect accesswithout sion. Underthelaw, TSPsand(M)NOsmust“assist”intheimplementation the filteringofbulkdatamustbeapproved byaspecial“G10”Commis- limited toterrorism andotherseriouscrimes,that“keywords” usedin other nationallaws,inparticularthatthe“strategicinterception” mustbe al communications”.Thislawissubjecttosomerestrictions notfoundin - services inso-called“strategicinterception”or“internation of“external” surveillance, includingthe“hooveringup”ofdatainbulk,byintelligence communications) allowsforlawfulinterception andbroader communication named afterthearticleofBasicLawthatguaranteesprivacy by intelligenceagencies.Thewell-known“Article10Law”(so-calledG10, There are alsoissuesinrelation togenericaccesscommunicationsdata judicial oversighteveninrelation tominoroffences. can beobtainedondemand,byawiderangeofauthorities,andwithout assigned aspecificIPaddress orphonenumberatacertainpointintime) practice”. Nevertheless,limited“lineidentification”data(whowasformally targeted lawenforcement interception andcanberegarded as“best (StPO) isagoodexampleofrule-of-law-compliantsystemfor“normal” French counterpart,thesysteminGermanCriminalProcedure Code subject toaseriesofothersafeguards andconditions.Together withits confirmed bythecourtwithinthree days.Theissuingoftheorders isalso prosecutor mayissuetheorder, butinsuchinstancestheorders mustbe court attherequest oftheprosecutor, exceptinurgentcaseswhenthe In criminalmatters,aLawfulIntercept Order mayonlybeissuedbya enforcement asopposedtointelligenceservices. protection. Quitedifferent legalregimes apply, however, forsurveillancebylaw tection totherightprivacyandconfidentialityofcommunicationsdata The GermanConstitution,the“BasicLaw”(Grundgesetz),grantsstrong pro- 4.5 Germany - security” isdefined inArticle238(1)oftheConstitution toincludeany“na - itoring, without targetingofanykind,toprotect nationalsecurity. “National National IntelligenceServices Actfurthermore allows interception andmon- communications (bothmetadata andcontents)withoutjudicialorder. The formation andCommunications Actprovide forsweeping powerstointercept Intelligence ServiceAct,thePrevention ofTerrorism Act,andtheKenyanIn- Kenyan Constitution.However, arangeofKenyanlawsincludingtheNational privacy andconfidentialityofcommunicationsisguaranteed inthe2010 Subject toArticle24onthelimitationsfundamentalrights, therightto 4.7 difference inthatregard. only verylittle,ifany, protection undertheConstitution,thismakeslittle cy”. However, giventhatconfidentialityofcommunicationsalready attracts Many constitutionalrightscanbesuspendedintimesof“national emergen- rules, buttheseare keptsecret, and/orappliedarbitrarily. guidanceon,andinterpretationsinstruments andinternal of,theprimary stroy itsownfilesaftersixmonths.There are evidentlysubsidiaryrulesand officials, butbylawthecommitteemustmaintainutmostsecrecy andde- Surveillance oversightisonlybya“review committee”madeupofhigh again, thecompulsoryinstallationof“backdoors”. metadata andcontent)availabletotheauthoritiesinreal time—suggesting, require theseproviders tomakedetailedcommunicationsinformation(both cations. ThelicensesunderwhichTSPsand(M)NOsoperatefurthermore In effect, theserulesallow forarbitrary, “generic”interception ofcommuni- classes ofpersons;anditwouldseeminrelation toany[specified]subject. powers toorder interception ofwholeclassesmessages; onwhole incitement tocommit[any]offences”. Theseprovisions grantsweeping “in theinterests offriendlyrelations withforeign states”and“toprevent that canbeinvoked,notjustwhenthere isanactualemergency, butalso set outintheInformationTechnology ActandtheIndianTelegraph Rules in anycomputer. Beyondthat,there are exceptionalemergencypowers intercept ormonitorinformationtransmitted,generated,received, orstored officialsgrants evenwiderpowerstoavarietyofauthorisedgovernment Information Technology Act,read togetherwiththeIndianTelegraph Rules, intercepts are sweepinganddonotrequire judicialauthorisation.The Provisions intheIndianCriminalProcedure Codeontargetedlawful is therefore addressed, ifatall,onacase-by-casebasis. feels theconceptistoobroad andmoral-based(ratherthanlaw-based).It al liberty. However, thejudiciaryisreluctant todosoexplicitlybecauseit Article 21oftheConstitutionwhichguaranteesrighttolifeandperson- discussion injudicialandlegislativecircles onwhetheritcanberead into ly guaranteedintheIndianConstitution.There hasbeenconsiderable The righttoprivacyandconfidentialityofcommunicationsisnotexpress- 4.6 been used. be temporarilysuspended.To thisdaythesebroad authoritieshavenever teed rights—includingtherighttoconfidentialityofcommunications—can (Notstandsgesetze) underwhichsomeotherwiseconstitutionallyguaran- India Kenya 59 I BOUNDARIES OF LAW 60 I BOUNDARIES OF LAW Moreover, asreported byPrivacyInternational, widely circumvented. Kenyan legalsystemisweakanditsuspectedthatthesesafeguards are tary committeethatnominallyhaspowersofoversightoversurveillance,the Although there issomeprovision forjudicialauthorisationsandaparliamen- installation ofdevicesallowingdirect access,i.e.,of“backdoors”. as effective. Moreover, theNationalIntelligenceServiceActalsorequires the of anysubstantivelimitations,theprocedural safeguard cannotberegarded ing, butgiventhissweepingdefinitionof“nationalsecurity”andtheabsence tional interest”. Ajudicialwarrantisrequired forsuchintercepts andmonitor individual privacy, Myanmar lawgenerally)doesnotcontainanyrulesontheprotection of being drafted.Inanycase,the2013Telecommunications Law(andindeed, tigations, isuncleartosaytheleast,althoughregulations are apparently The legalframeworkforlawfulintercepts, eveninordinary criminalinves- guarantee istherefore minimal. the limitationsthatcanbeimposedonthem,sopracticalmeaningof highly ambiguousaboutthetruescopeandeffect oftherightsitgrantsand Article 357ofthe2008MyanmarConstitution.Thatconstitution,however, is The righttoprivacyandconfidentialityofcommunicationsisguaranteedin 4.8 cy andfreedom ofexpression.” adhere human rightsobligationstoprotect tointernational therightstopriva- operating, withwhatremit andpowers,howtheir policiesandpractices er “unclearunderwhatlegalregime [thevariousintelligence agencies]are hasobservedthatit isaltogeth- In linewiththeabove,Privacy International of warorofficial national emergenciesare essentiallydiscretionary). access” powers,eveninnormaltimes(thepowersoftheauthorities intimes There iseffectively noindependentoversightovertheuseofthese“generic “back doors”. any conditionontheserviceproviders, includingallowingtheinstallationof ception demandsthatcanberead asallowingtheimpositionofeffectively operate containbroad requirements oftechnicalcooperationwithinter public interest”. Furthermore, thelicensesunderwhichTSPsand(M)NOs a numberofbroadly stated grounds, includingwhenitissimply“inthe security oftheStateorrulelawisadverselyaffected, butalsoon Security Organs”tointercept communications. taken, andprovides forbroad powersfortheotherwise undefined“National tions bypolice,increases thepurposesforwhichsurveillancemaybeunder it weakensthelegalsafeguards pertainingtotheinterception ofcommunica- eliminate securitythreats,” inPresident UhuruKenyatta’s words. Specifically, ment agencies’powerstoenhanceKenya’s “abilitytodetect,monitorand spate ofconstitutionallyprotected rightswhileconsolidatinglawenforce- into lawdespitestreet protests andskirmishesinsideParliament,curtailsa Security Laws(Amendment)Bill2014.Thebill,whichwashastilyenacted the rulingJubileeCoalitionmovedswiftlytointroduce anomnibusbill,the were killedintwoattacksbyAlShabaabmilitantslate2014,membersof likely tobehappening. Myanmar 131 and allowsgenericinterception notonlywhenthe 132 Thismeansthat arbitrarysurveillanceis 130 afteratleast64people - - - other lawsrelating tolawfulintercept, thecontentsofcommunications in and othermessages. UndertheRussianCriminal Procedure Codeand privacy ofcorrespondence, oftelephoneconversations, postal,telegraph, The 1993Constitutionofthe RussianFederationguaranteestherightto 4.10 occasionally someinformationmaycomeoutincourt). expressly forbiddenunder theOfficial Secrets Act1923(although,ofcourse, information aboutinterceptions, includingtherelease ofaggregate data,is interpretations ofthose rules, canbekeptsecret. Moreover, therelease ofall relating guidanceand tosurveillance, in particularsubsidiaryrulesorinternal relation tobroadly definednationalsecurity. Thissuggeststhatcertainrules ever, there are broad exceptionscontainedintheOrdinance, inparticular accessible (becausetheyare informationheldbypublicauthorities).How- dom ofInformationOrdinance 2002thatinprinciplealllegalrulesshouldbe In accordance withArticle19-AoftheConstitution,itfollowsfrom theFree- of genericaccess. There iseffectively noindependentoversightoverthe useofthesepowers without applyingforauthorisation. authoritiesjustusedirectnational securityissues,thegovernment access system, thisissimplynotadhered toinactualsurveillancepractices.On requires orothercomputer awarrantforanysurveillanceoftheinternet access, i.e.,“backdoors”.WhiletheInvestigationforFairTrial Act2013 The lawalsorequires theinstallationofdevicesallowingagenciesdirect the notoriousInter-Services IntelligenceAgency, ISI. all surveillanceagenciesincludingFederalInvestigationAuthority(FIA)and agency requires authorisation,currently ageneralgovernment provided to offence”. Inorder toconductsurveillanceunderthe PTRAtherespective broadly defined“nationalsecurity”issuesorforthe“apprehension ofany tions, notjustincasesofactualemergencybutmore broadly inrelation to toauthorise“anyperson”interceptGovernment ortracecommunica- defined purposesandoffences. Specifically, s.54ofthePTRAallows communications data(bothmetadataandcontents)inrelation tobroadly authorisation. ThePTRApowerscanbeusedtogaingenericaccess of interception toawiderangeofauthorities,withouttheneedforjudicial (Re-Organisation) Act1996(PTRA)whichgivesextremely sweepingpowers Police Order (asonewouldexpect),butinthePakistanTelecommunication vestigation, isregulated, notintheCriminalProcedure Codeorthe2002 Interception ofcommunications,eveninrelation toordinary criminalin- laws, etc.)isguaranteedunderArticle19-AoftheConstitution. on amatterofpublicimportance(whichisrelevant inrelation toaccess stan Constitution(lastmodifiedin2012).Therightofaccesstoinformation The rightto“privacyofthehome”isguaranteedinArticle14(1)Paki- 4.9 has notyetbeenreleased. rent stateofaffairs, andprovide anewdraftInterception Law–butthetext reform. There issomepotentialthatelectionsin2015willimprove thecur It shouldbeadded,however, thatMyanmarisinaprocess offundamental Pakistan Russia 133 - 61 I BOUNDARIES OF LAW 62 I BOUNDARIES OF LAW be aretired judge.Manywould regard- theinvolvement ofgovernment-se content, authorisation mustbegivenbya “designated” judge,whichcan data, authorisationcanbegiven byamagistrate,butforcommunication veillance, blurringthelinesbetweenlegalandillegalsurveillanceactivities. Overall, inRussia,thelawitselfissolaxastoallowforunrestrained sur use ofinterception warrants. undoubtedly barred from releasing detailssuchasaggregate dataonthe publishing thelawsandregulations towhichtheyare subject.Theyare so widelyastoprevent theprovidersevenfrom andoperatorsconcerned operator’s network,anditwouldappearthatthisprohibition isconstrued Agencies toconductinvestigationsbyusingdatafrom aprovider or sational actionstakenormethodsusedbytheIntelligenceandSecurity and (M)NOsfrom revealing anyinformationabouttacticalororgani- Communications andArticle10.1oftheLawonInformationprohibit TSPs above-mentioned powersofgenericaccess.Article64theLawon There iseffectively noindependentoversightovertheuseof “back doors”. the otherhand,canclearlyallowlattertorequire theinstallationof the TSPsand(M)NOsononehand,IntelligenceServices “Rules onCooperation”thatsetoutthetermsofrelationship between to communicationsdata,bothmetadataandcontent.Furthermore, the “take control ofprivatecommunications”,andgainunrestricted access try’s Counter-Terrorism Law, thenationalsecurityagency, theFSB,can stake, thecourtisgivenlittleleewaytodenyorder. Underthe coun- shown, meaningthatiftheauthoritiesclaimanationalsecurityissueisat ty, nosuspicionorevidenceofanyspecificcriminaloffence needstobe Decree No.242000.Consequently, incasesrelating tonationalsecuri- of theRussianFederation”issetoutinsweepingtermsPresidential does notrequire acourtorder. Moreover, the“NationalSecurityConcept intercepts shouldbeoflimitedduration.However, accesstometadata of apublicprosecutor orothercriminalinvestigationbody;suchlawful tively seriouscases,andsubjecttoajudicialorder issuedattherequest ordinary criminalinvestigationsshouldbeallowedonlyincertainrela- broadly definedmattersof“nationalsecurity”. (both metadataandcontent) are grantedinrelation toexcessively (RICA), muchwiderpowers of genericaccesstocommunicationsdata Provision ofCommunication-RelatedInformationAct no.70of2002 However, undertheRegulationofInterception ofCommunicationsand to archived metadatacan beordered byanyjudgeormagistrate. the SouthAfricanPoliceServiceandStateSecurity Agency. Access South AfricanNationalDefenceForce, theCrimeIntelligenceDivisionof a publicprosecutor orat therequest ofthe intelligence servicesofthe and subjecttoacourtorder, oflimitedduration,issuedattherequest of quires thatthisshouldbe allowedonlyincertainrelatively seriouscases, and metadataofcommunicationsinordinary criminalinvestigationsre- South Africanlawrelating toreal-time lawfulintercept ofthecontents confidentiality ofcommunications. The 1996SouthAfricanConstitutionguaranteestherighttoprivacyand 4.11 South Africa 134 UnderRICA,formeta- - constitutional, becauseitfailstocomplywiththerequirements.” Africa foundthattheNCCcarriesoutsurveillanceisunlawfulandun- ‘Matthews Commission’)setuptoreview intelligencegatheringinSouth Ministerial ReviewCommissiononIntelligenceinSouthAfrica(knownas the RICAlegalframework,inmannersthatviolaterighttoprivacy…A been consistentreports ofstatesurveillancebeingcarriedoutoutside by blurringthe linesbetweenlegalandillegal surveillance. itself issolaxas thatitseemstoallowforunrestrained surveillance, there- that inTurkey, asinseveralothercountriesincludedoursurvey, thelaw by stateagenciesonalarge scale. Inviewoftheabove,itwouldappear widespread perception inTurkey thatmobilecommunicationsare monitored powers ofgenericaccess.According there toPrivacyInternational, isa There isnoindependentoversightovertheuseof above-mentioned mandatory installationof“backdoors”. requirements forinterception, meaningthatitcanorder themtoallowthe thority canalsoimposeconditionsonTSPsand(M)NOs,including technical on AuthorisationwithintheElectronic CommunicationSector, theICT Au- from theMinistryofTransport andCommunications.UndertheRegulation public safetyand“publicinterests”, afterobtaininga(positive)“opinion” data (again,ofbothmetadataandcontents)forthepurposes ofprotecting nology Authority, BTK,canalsoorder theinterception ofcommunications rights andfreedoms of others”. TheInformationandCommunicationTech- of crime,protection ofpublichealthandmorals,protection ofthe out acourtorder ongrounds of“nationalsecurity, publicorder, prevention data andcontents)canbeordered, alsobytheintelligenceagencies,with- set of“non-delayable”cases,interception ofcommunications(bothmeta- broadly definedmattersof“nationalsecurity”.Inparticular, inanundefined to bothmetadataandcontentsofcommunicationsinrelation toexcessively ment andintelligenceagenciesare grantedwidepowersofgenericaccess and combatingcrimesbymeansofsuchpublications”),thelawenforce- amendment toa2007Law“onregulation ofpublicationsontheinternet Criminal Procedure Code,underamore recent 2014law(technicallyan required forlawfulinterception ofthecontentcommunicationsunder dentiality ofcommunications.Althoughacourtorder hastraditionallybeen The 2002Turkish Constitutionguaranteestherighttoprivacyandconfi- 4.12 vented bytheaboverequirements. hasreportedPrivacy International seriousabuses,whichwere notpre- cess” surveillancepowers,includingaggregate information. of informationontheuselawfulintercept andbroader “genericac- The lawmoreover expressly prohibits therelease, byTSPsand(M)NOs, the TSPstoobtainaccesscommunicationscontent. tored. Underthelaw, theyshouldapparently alwayshavetogothrough allow direct accesstocommunicationscontentthatwouldnotbemoni- allow theauthoritiestoorder theinstallationof“backdoors”thatwould The textofRICAishighlycomplex,butwewere toldthatitdoesnot undermined bythelowthreshold required forauthorisations. nications. Whateverthatbe,therequirement ofajudicialauthorisationis important expertiseinrelation tosurveillanceandinterception ofcommu- lected judgesasworrisome,butothersfeelthatsuchcandevelop Turkey 135 Specifically, itnotedthat:“there have 136 63 I BOUNDARIES OF LAW 64 I BOUNDARIES OF LAW such information. official reports. Moreover, s.19RIPA prohibits TSPsand(M)NOs from releasing Information ontheactualuse of theabovepowersisredacted from published nine otherhumanrightsorganisations. challenged intheEuropean and CourtofHumanRightsby PrivacyInternational under, andinterpretations of,thelawremain secret. Thissecrecy iscurrently being tions ofthepolicieswere madepublic.However, mostofthedetailed rulesissued was contrarytotheHumanRightsAct,followingwhichsome small,selectivepor secret untilFebruary2015, whentheInvestigatoryPowerTribunal ruled thatthis itsdatasharingarrangements,inparticularwiththeUSA—wereerning completely surveillance activitiesunderbroadly phrasedstatutoryprovisions—and thosegov- the IntelligenceServicesAct)are theUK’s published,thedetailedrulesgoverning Although theprimarystatutes(inparticularRIPA, theTelecommunications Actand and itsprocesses are nontransparent. letions bythePrimeMinister. TheInvestigatory PowersTribunal haslimitedpowers appointed bythePrimeMinister, anditsreports are subjecttoredactions andde- Minister. Themembersoftheparliamentaryoversight committee,theISC,are also The variousoversightcommissionersare notindependent,andreport tothePrime been barred from revealing itintheirreports. over theintelligenceservices)hadbeeninformedofthisusepower, buthad and Parliament’s IntelligenceandSecurityCommittee(theofficial oversightbody reviewer ofthelegislation,DavidAndersonQC. gain direct, bulkaccesstocommunicationsdata(i.e.,metadata),bytheofficial ment, afterithadbeenurgedto“avow”(i.e.,ownupto)theuseofpower Edward Snowden,butthishasonlyrecently- been formallyconfirmedbythegovern ed thatthispowerwasusedinrelation tothesurveillanceprogrammes revealed by tronic communicationsnetworkstodo,ornotanything.Itwaslongsuspect- thepowertoissue“directions”gives thegovernment toproviders ofpublicelec- The broadest ofallprovisions iss.94oftheTelecommunications Act1984.This keyword analysisofbulkdatathatwenowknowGCHQengagesin. individuals—may wellbeprecisely whatisrequired inorder tocarryoutthekindof cable—and associatedbroad warrants,coveringthecommunicationsofmillions entering andleavingtheBritishIsles”.Suchcommunicationscarriedonaparticular Moreover, asinglesuchwarrantcanconceivablyspecify“allcommunications in theUK. UK, evenifaUKpersonvisitswebsite,ormakesVoIP calltoanotherperson communications, thosealmostinvariablyinvolvethesendingofdataoutside traffic,the UK,butwhenitcomestoInternet orvoice-over-Internet-protocol (VoIP) UK. Thisdoesnotcovercommunicationsthattakeplaceentirely andsolelywithin cations”, i.e.,communicationsthatinvolvethetransmissionofdatatoorfrom the interception ofbulkormassdata(metadatacontent)fromcommuni- “external Under s.8(4)RIPA, ministershavesweepingpowerstoauthorisethe Government Further, accesstometadatacanbeself-authorisedbyawiderangeofpublicbodies. Powers Act,RIPA) byapolitician(i.e.,theHomeSecretary), ratherthanbyajudge. of thecontentscommunicationsare issued(undertheRegulationofInvestigatory ordinary criminalinvestigations,warrantsauthorisinglawful(targeted)interception dentiality ofcommunicationsare protected undertheHumanRightsAct.Evenin There isnowrittenconstitutionintheUK.Instead,rightsofprivacyandconfi- 4.13 UnitedKingdom 137 Andersonrevealed thatbothhe - remains in effect. emergency was infactdeclared inresponse tothe“9/11”attacks, andformally exceptional powers,otherwise largelylimitedtotimesofwar–andsuchan The President candeclare a“nationalemergency”andthenclaimcertain tions, collectedandatleasttemporarily archived inmassive NSAdatabases. lance dataamountstotrillions ofdatasetsbillionsindividualcommunica- Snowden revelations andNGOlitigationdiscloseisthatthecollectedsurveil- grammes andstatisticsonitsmassiveglobalsurveillanceoperations. Whatthe isextremelyThe USGovernment reticent toreveal actualpractices,pro- litigation). law, whichcannotlawfullybereported (thoughsomewere revealed inNGO The NSA’s programmes rely onsecret rulesandsecret interpretations ofthe for USpersonsare weak, thosefornon-USpersonsare essentiallyillusory. gence agenciesthemselvestoreport non-compliance.Asaresult, whileremedies parency aboutitsproceedings anddecisions,withextensive reliance onintelli- thority” underArticleIIoftheConstitution);andthere isaneartotallackoftrans- intercept communications(enactedunderthePresident’s ofexternal “inherent au- including thoseauthorisedunderExecutiveOrder 12333,themainbasisforbulk lance Court(FISC),hasnojurisdictionovermanysignificantsurveillanceactivities, communications.Specifically,access to“external” theForeign IntelligenceSurveil- US oversightsystemsdonotextendtoindiscriminatesurveillanceandgeneric discussed inconjunctionwithUK’s GCHQ. NSA. Thissweepingaccessisfurthercomplementedbythehackingpractices their dataare directly andindiscriminatelyaccessible to—andaccessedby—the ing (thedatasubjects(theircustomersanywhere intheworld),offactthat being placedundera“gaggingorder” whichlegallyprevents themfrom inform- works, includingGoogle,FacebookandApple–withthecompaniesinquestion ServiceProvidersand (M)NOsgloballyoperatingUSInternet socialnet- The US’s NSAhasdemandeddirect genericaccesstothesystemsofUSTSPs data, i.e.,forgenericaccesstothosecommunications. which carryalargeproportionandothercommunications ofglobalInternet essentially alldataflowingthrough theunderseacablesenteringcountry, revelations disclosedthatthesepowersare usedbytheUSto“hooverup” specifically targeted.Thisappliestobothmetadataandcontent.TheSnowden to anothercountry),provided thatthecommunicationsofUSpersonsare not judicial warrant,any“foreign” communications(i.e.,from or NSA) are givenunlimitedpowertointercept inbulk,withoutaproper targeted Under FISAandtheAmendmentAct,intelligenceagencies(including provides toaTSPor(M)NO)nolongerqualifyforprivacyprotection. disclosed tothird parties(suchasacallednumberthatpersonmakingcall the so-calledthird partydoctrine,underwhichdatathathasbeen“voluntarily” Access bypublicauthoritiestometadataisgenerallyunregulated asaresult of criminal investigationsagainstUSpersonsrequires ajudicialwarrant. Amendment, lawfulinterception ofthecontentscommunicationsinordinary er, “USpersons”)anddoesnotextendto“non-USpersons”.UndertheFourth munications. However, itislimitedtoUSnationalsandlawfulresidents (togeth- search” butisquiteextensivelyinterpreted asproviding protection alsoofcom- The FourthAmendmentoftheUSConstitutionprotects against“unreasonable 4.14 United States 65 I BOUNDARIES OF LAW 66 I BOUNDARIES OF LAW Necessary and Proportionate Principles . Work on theaboveshouldbeinspired bytheexcellentdocument, ments oftherulelaw. (at leastingeneralterms)for generalawareness. Theseare allele- corrections mustthemselvesbeknownaspotentialities anddisclosed to legalfoundationandtransparency, inthatredress orpunishment practices. Allthree forms ofconsequenceshouldagainbelinkedback on wrongdoers within orbytheagencies;and(3)changestobad plinary, administrativeand,ifappropriate, criminalsanctionsimposed individualredress andremedies forwronged individuals;(2)disci- (1) relevant standards. Theseconsequencesshouldtaketheformof: must beaccompaniedbyconsequencesforanyfailures tomeetthe ful, andreported inrelevant ways.Finally, accountabilityandoversight processes andinstitutions withaccesstoinformationthatismeaning- In order forthere tobeaccountabilityandtransparency, there mustbe conform tothestandards setforthem. also existtoshowwhethertheactionsofagencies,inpractice, tional, towhichactorsare tobeheldaccountable.Transparency must - ability withoutfirstclarifyingthelegalframeworks,domesticorinterna gorised undertheseheadings.Forexample,there canbenoaccount- inter-related, andstandards are therefore noteasilyandnarrowly cate- intelligence agenciesandlawenforcement. Thesemattersare closely parency, accountability, andoversightofsurveillancepowers erated asetofproposed standards forthe Drawing onlessonsinthecasestudiespresented above,wehavegen- peratives forthegreater good. with lawenforcement; there isawayforward thatbalancestheseim- But ourfundamentalfreedoms andhumanrightsneednotbeatodds different are partsofgovernments temptedtomisusethesepowers. extended beyondtheiroriginalintentthrough “purposecreep”138 as essary andproportionate. There isadanger thatthesepowerswillbe legislated inthe14countriessurveyedgowellbeyondwhatisnec- our societythatweseektoprotect. Surveillancepowersascurrently these advancesmustnotcomeattheexpenseofcore valuesof to enhancecounter-terrorism andlawenforcement efforts. However, Information technologyhasgivenusanunprecedented opportunity Recommendations Conclusion and 5 139 Theprocess todeveloping legal foundation,trans- these principles was led by Privacy International, Access and the Elec- tronic Frontier Foundation and provides an excellent basis for addition- al conversations on how to govern government surveillance.

The standards set out at the end of our executive summary are informed by comparative constitutional and international legal requirements (particularly in terms of human rights law), and are intended to be practical to implement. It should be noted that the proposed standards are not good practices, let alone best practices, as that would require going beyond the scope of existing legal obligations within International Human Rights Law. Instead, these proposed standards are an attempt to ensure greater compliance with existing international legal obligations and can thus be regarded, at best, as attempts to achieve a bare minimum of transparency, accountability, oversight and governance over government surveillance practices.

Space for notes: I BOUNDARIES OF LAW

67 68 I BOUNDARIES OF LAW The CJEUfollowsthesamereasoning (leavingasideasomewhatacademicdifference therelation asconcerns http://www.bundestag.de/blob/282874/8f5bae2c8f01cdabd37c746f98509253/mat_a_sv-4-3_korff-pdf-data.pdf under theheading“Basichumanrightsprinciplesandcase-law”,p.10ff, availableat: Expert Opinionprovided totheCommitteeofInquiryintosurveillanceGermanBundestag,sectionC.2.a, For more detailandfullreferences totheECtHRcaselawunderpinningthatsummary, seethesameauthor’s http://ec.europa.eu/justice/news/events/conference_dp_2009/presentations_speeches/KORFF_Douwe_a.pdf Approach underArticles8–11ECHRandArticle2ECHR”,availableat: and witnessstatements) isavailableat:https://www.privacynotprism.org.uk/news/2013/10/03/legal-chal and Weber andSaraviav. Germany)canbefoundonthepreceeding pages(pp. 14-17). with fullreferences (in particulartothecasesKlassv. Germany, Liberty&Othersv. the UK,Malonev. theUK, German Bundestag(endnote1),atp.18.The analysisofthecaselawECtHRunderpinningsummary, CovenantonCivilAndPoliticalRights,CCPR/C/21/Rev.1/Add.9,International November2,1999. See alsoGeneralCommentNo.27,adoptedbytheHumanRightsCommitteeunderArticle 40,para.4,ofthe http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf. rights andfundamentalfreedoms whilecounteringterrorism, p.11,available at: http://www.african-court.org/en/images/documents/Judgment/Konate%20Judgment%20Engl.pdf attain theobjectivebeingsought.”Thejudgmentisavailableat: provided standards, by‘law’,withininternational pursuealegitimateobjective andare aproportionate meansto next hadtoconsider:“whetherrestrictions onthefreedom ofexpression imposedbytheRespondentStateare of 5December2014,para.125,where theCourtsaidthat,oncecasehad beendeclared admissible,it The Courthasfast-tracked thecaseandajudgmentmay, unusually, behandedoutstillthisyear. lenge-to-uk-internet-surveillance/ 16 15 14 13 12 https://www.oas.org/dil/access_to_information_IACHR_guidelines.pdf cally toprivacy):seesection7,para.27ff, availableat: the I-ACommHRinparticular(evenifthatreport relates totheright ofaccesstoinformationratherthanspecifi sion onHumanRightscontainsagoodsummaryoftheapplicationsameprinciples undertheACHR,by 11 http://www.europarl.europa.eu/document/activities/cont/201310/20131017ATT72929/20131017ATT72929EN.pdf Surveillance ofEUCitizens,atitshearingon14October2013,inparticularpoints(a)–(g)p.3,availableat: human rightsandcounter-terrorism, on totheEuropean Parliament’s LIBECommitteeInquiryonElectronic Mass Article 17ICCPR(therighttoprivacy),seethestatementbyMartinScheinin,formerUNSpecialRapporteur On theapplicationofessentiallysametestsbyHumanRightsCommittee,withparticularreference to mentation/opinion-recommendation/files/2014/wp211_en.pdf WP211, adoptedon27February2014,availableat:http://ec.europa.eu/justice/data-protection/article-29/docu necessity andproportionality conceptsanddataprotection withinthelawenforcement sector, Opinion01/2014, Party” (thebodyrepresenting thedataprotection authoritiesintheEUMemberStates)onapplicationof analysis ofboththeECtHRandCJEUcaselawinthisregard, seetheopinionofEU“Article29Working to mattersofdirect relevance tothepresent report, includingcompulsorydataretention. Foraparticularlyuseful ship betweennecessityandproportionality), especiallyinitsmore recent caselaw, more specificallyinrelation 10 jsp?Ref=CommDH/IssuePaper(2008)3 sioner forHumanRightsoftheCouncilEurope. December2008.Available at:https://wcd.coe.int/ViewDoc. 9 8 7 6 5 4 3 2 1 Endnotes articles/147 Domestic IntelligenceAgenciesandTheirImplicationsforHomelandSecurity. June2007.https://www.hsaj.org/ communications https://www.telecomindustrydialogue.org/resources/country-legal-frameworks See:Foschepoth,J.ÜberwachtesDeutschland:Post-undTelefonüberwachung inderaltenBundesrepublik, 2013. SeeKorff, D.“Protecting therighttoprivacyinfightagainstterrorism”, IssuePaperwrittenfortheCommis Forexample,seeBurch, J.ADomesticIntelligenceAgencyfortheUnitedStates?ComparativeAnalysisof See:Walton, C.Empire ofSecrets: BritishIntelligence,theColdWar andtheTwilight ofEmpire. 2013. FieldMarshalMontgomeryofAlamein,AHistoryWarfare, neweditionbyJane’s, 1982,p.17 Seethereferences innotestosection2.3ofthisreport. See:InformationOnCountryLegalFrameworksPertainingTo Freedom OfExpression AndPrivacyInTele Seesection1.3ontheterminologyanddefinitionsusedinthisreport. http://thewebindex.org The2009AnnualReportoftheSpecialRapporteurforFreedom ofExpression oftheInter-American Commis Ontheapproach oftheECtHR(whichismostdevelopedinthisregard), see:Korff, D.,“TheStandard Application58170/13, 30September2013.Thefulltextoftheapplication (andofsupportingdocuments RomanZakharov v. Russia,ApplicationNumber47143/06,GrandChamberjudgmentof4 December 2015. Thesummaryistakenfrom theExpert Opinionprepared byDouweKorff fortheCommittee ofInquirythe Forexample,seeScheinin,M.,ReportoftheSpecialRapporteuronpromotion andprotection ofhuman Cf.theoutlineofCourt’s approach inthefreedom ofexpression caseofKonatév. BurkinaFaso,judgment ------rules onsuchinterception –whichwasfoundtobein breach oftheEuropean ConventiononHumanRightsin 1979). ThiswasalsoconfirmedtotheAd-hoc EU-USWorking Group onDataProtection, establishedto investi or intercept) doesnothavea“significant voluntaryconnectionwiththeUnitedStates”(USv. Verdugo-Urquidez, The FBIhasrecently changedanFBIFactSheettodescribeits“primaryfunction” asnolonger“lawen blurred.” See:www.fbi.gov/about-us/investigate/cyber/addressing-threats-to-the-nations-cybersecurity. nation-states, terrorist organizations,andtransnationalcriminalenterprises; withthelinesbetweensometimes agency, addingthat“[t]heseroles are complementary, asthreats tothenation’s cybersecuritycanemanatefrom is chargedbothwithprotecting theUSA’s nationalsecurityandwithbeingthenation’s principallawenforcement at: https://wcd.coe.int/ViewDoc.jsp?Ref=CommDH/IssuePaper(2008)3 terrorism, IssuePaperwrittenfortheCommissionerHumanRightsof CouncilofEurope, 2008,available activities relating tonationalsecurity, are notedinDouweKorff, Protecting therighttoprivacy inthefightagainst The more recent developments,inparticularalsorelation totheblurringoflinesbetweenpolicingand framework, section3.1. Privacy &LawEnforcement, FIPRstudyfortheUKInformationCommissioner, 2005,PaperNo.4,Thelegal the lawofarmedconflict(seesection2.3.5). we foundthatthekindsofprogrammes wearewithdonotgenerallyrely concerned onlegalprovisions covering https://en.necessaryandproportionate.org/LegalAnalysis For theBackground LegalAnalysistothePrinciples,see: andSupportingInternational A listofsignatoriesisavailablehere: https://en.necessaryandproportionate.org/signatories http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2015-0388+0+DOC+XM resolution of12March 2014ontheelectronic masssurveillanceofEUcitizens,availableat: www.ipu.org/conf-e/133/Res-1.htm Freedoms, adoptedunanimouslybythe133rd IPUAssembly, Geneva,21October2015,availableat:http:// adopted on21April2015,availableat:http://assembly.coe.int/nw/xml/XRef/Xref-XML2HTML-EN.asp?file report toalsocoverthose. including theUSA,Brazil,GermanyandNetherlands.However, itgoesbeyondthescopeofpresent security services,prepared May2015,availableat:https://wcd.coe.int/com.instranet.InstraServ byAidanWills, The Commissionerhassincereleased anotherIssuePaper, onDemocraticandeffective oversightofnational ViewDoc.jsp?Ref=CommDH/IssuePaper(2014)1&Language=lanAll for HumanRightsoftheCouncilEurope byDouweKorff, December2014,availableat:https://wcd.coe.int/ adduced inthepresent sectionofthisreport (becauseoneofuswasaco-authortheUNUstudy). study hasnotbeenpublished,wecanconfirmthatithighlightedtheverysamebasicandspecificprinciplesalso by aresearch project carriedoutundertheauspicesofUnitedNationsUniversity(seepara.8).Althoughthis The report acknowledgedthe“majorsubstantivecontribution”topreparation oftheHCHR’s report provided http://www.ohchr.org/Documents/Issues/DigitalAge/A-HRC-27-37_en.doc Rights, UNGeneralAssembly, A/HRC/27/37,30June2014,availableat: Rights CommitteetoissueanewGeneralCommentonArticle17ICCPRinthelightofSnowdenrevelations. http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&doclang=EN 6 October2015,availableat:para.94. available at:http://curia.europa.eu/juris/document/document.jsf?text=&docid=153045&doclang=EN 35 tigative Measures (whichare sometimesinserted inthecriminalprocedure codes[CPCs]asamendments). 34 the adhocEU-USWorking Group onDataProtection, 27November2013,section2,para.2. gate theUSsurveillanceactivitiesexposed by Snowden:seetheReportonFindingsEUCo-chairsof 33 32 weekly.com/news/4500257028/GCHQ-and-NCA-join-forces-to-police-dark-web 31 scure_fbi_team_that_does_the_nsa_dirty_work For thedangersinherent insuchblurringofthelines,see:www.foreignpolicy.com/articles/2013/11/21/the_ob posts/2014/01/05/fbi_drops_law_enforcement_as_primary_mission#sthash.4DrWhlRV.dpbs forcement”, butnow“nationalsecurity”.SeeTheCable,5January2014:http://thecable.foreignpolicy.com/ 30 29 28 27 https://www.accessnow.org/policy/libe-inquiry ing thetextsofworkingdocumentsproduced bythecommittee,see: For fulldocumentationontheEP’s LIBECommittee’s inquiryleadingupthe29October2015resolution, includ L+V0//EN 26 25 section 5.2oftheExplanatoryMemorandum. national securityagencytheBundesnachrichtendienst(BND)andStateSecretary attheMinistryofJustice:see hearing oftherapporteurinStrasbourgon4April2014byMrHansjörgGeiger, formerheadoftheGerman The ideaofan“intelligencecodex”tocovertheactivitiesnationalsecurityagencieswasfirstmootedata (scroll downandexpandtheExplanatoryMemorandumbyMrOmtzigt,rapporteur). http://assembly.coe.int/nw/xml/XRef/Xref-XML2HTML-en.asp?fileid=21583&lang=en The rapporteur’s report –presented asanexplanatorymemorandumtothedraftresolution –isavailableat: The recommendations paraphrasedinthetextare from para.19. id=21692&lang=en 24 23 the ruleoflaw. (Recommendation6). thorised “hacking”intoITsystemsanddevices),ratherthanregarding suchmeasures asinherently contraryto directly” (i.e.,through so-called“backdoors”),and“undertakingcomputernetworkexploitation”(i.e.,state-au mends strong authorisationsystemsfor“untargetedbulksurveillance”,“collectingcommunications/metadata This focusesmore onthequalityofoversightmechanismsthansubstantivelimitations.Thus,itrecom let?command=com.instranet.CmdBlobGet&InstranetImage=2796355&SecMode=1&DocId=2286978&Usage=2 22 21 ternal/Download.aspx?symbolno=CCPR%2fC%2fUSA%2fCO%2f4&Lang=en ica, CCPR/C/USA/CO/4,23April2014,para.22,availableat:http://tbinternet.ohchr.org/_layouts/treatybodyex 20 19 18 17 AnexceptionwasEnglish lawpriorto1975,underwhichthere were effectively nocommonlaw-orstatutory Typically inaCodeofCriminalProcedure, butsometimesalsoinPoliceLawsorspecialonSpecialInves TheFourthAmendmentdoesnotapplyifthe personaffected bya“search” (whichincludesanonlinesearch Seesection1.3. SeeComputerWeekly, “GCHQandNCAjoinforces topolicedarkweb”,9Nov2015.http://www.computer ApageontheFBIwebsite“Addressing threats tothenation’s cybersecurity”expressly notesthattheFBI Theexpandingoftherole ofthepoliceinto“preventive” actionisnotnew. SeeIanBrown &DouweKorff, We willnotlookattheuseof“signalsintelligence”[SIGINT]bymilitaryagenciesintimeswar, ifonlybecause Forthefulltextofprinciples,see:https://en.necessaryandproportionate.org/text Fulltitle:European Parliamentresolution of29October2015onthefollow-uptoEuropean Parliament Inter-Parliamentary Union,ResolutiononDemocracyintheDigitalEraandThreat toPrivacyandIndividual ParliamentaryAssemblyoftheCouncilEurope (PACE), Resolution2045(2015)onMasssurveillance, Anumberofinquirieshavealsobeencarriedout,orare beingcarriedout,atnationallevelsinvariousstates andinthewiderdigitalworld,“IssuePaper”prepared TheruleoflawontheInternet fortheCommissioner Therighttoprivacyinthedigitalage,ReportofOffice oftheUnitedNationsHighCommissionerforHuman HumanRightsCommittee,Concludingobservationsonthefourthperiodicreport oftheUnitedStatesAmer NotethatProf. Scheinin,inhisStatementtotheEPLIBECommittee(endnote1),calleduponHuman GrandChamberJudgmentCaseC-362/14,MaximillianSchrems v. [Irish]DataProtection Commissioner, CJEUGrandChamberJudgmentinJoinedCasesC-293/12andC-594/12,DigitalRightsIreland, 8April2014, ------69 I BOUNDARIES OF LAW 70 I BOUNDARIES OF LAW http://searchsecurity.techtarget.com/definition/back-door security mechanisms.See: the “5EYES”globalsurveillancesystemsrevealed byEdward Snowden(o.c.,endnote10),sectionsB.2(b)&(c). “5EYES” globalsurveillancesystemsrevealed byEdward Snowden(o.c.,endnote10),sectionsB.2(b),Theprin http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2015-0388+0+DOC+XM 12 March 2014ontheelectronic masssurveillanceofEUcitizens(2015/2635(RSP)),para.24,availableat: http://ssrn.com/abstract=2283175 http://www.europarl.europa.eu/committees/en/studiesdownload.html?languageDocument=EN&file=79050 Fundamental rightsimplicationsforEUdatasovereignty inthecloud,2013,availableat,respectively: Privacy intheCloud,2012,andsubsequentarticlebyBowdenJudithRauhofer, Protecting theirown: -%20Declaration%20-%20Felten.pdf (ACLU), availableat:https://www.aclu.org/files/pdfs/natsec/clapper/2013.08.26%20ACLU%20PI%20Brief%20 formally opened. the French “policejudiciaire” whoactinrelation tocriminalinvestigations,oncesuchinvestigationshave been https://terrorismlegislationreviewer.independent.gov.uk/the-big-reveal/ with references tothe originaldocuments“leaked”byEdward Snowden. law_enforcement.html#aaap https://vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/ interception capabilities”,availableat: paras. 270and272. law_enforcement.html#aaap https://vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/ interception capabilities”,availableat: Uebersicht_TKUE_2014.pdf?__blob=publicationFile&v=2 recent ones)canbefoundhere: https://www.bundesjustizamt.de/DE/SharedDocs/Publikationen/Justizstatistik/ tizstatistik/Telekommunikation/Telekommunikationsueberwachung_node.html Thestatisticsfor2014(themost 37 France, sheorheiscalledtheprocureur del’etat;inGermanytheStaatsanwalt;Italyprocurore. the mixedcivillaw/commonlawsysteminScotland,there isthe“procurator fiscal”;cf.thefiscalinColombia.In tions. Inmanyways(especiallyinformersocialistcountries)theprocurator isthegeneralguardian oflegality. In tries. However, inmanynon-common-lawcountries,theoffice hasamandatethatgoeswellbeyondprosecu 36 66-85, availableat:http://www.surveillance-and-society.org/articles1/statesurv the Malonecase.SeeNickTaylor, StateSurveillanceandtheRighttoPrivacy, Surveillance&Society1(1)(2002): 62 61 60 59 58 57 56 55 54 For furtherdetails,seetheheading“transparency aboutthelaw”. befugnisse-deutlich-aus-2467779.html 53 52 51 50 49 humanrightslaw.ciple ofnon-discrimination,and(c),Theextra-territorialapplicationinternational 48 against terrorism, etc. security”,thefightsecurity” –althoughitdoeshavecompetencesinrelationsecurity”,“international to“internal The issueisofparticularrelevance intheEUbecauseUnionhasnocompetencerelation to“national L+V0//EN&language=EN 47 46 45 44 43 42 41 ry-powers-bill/ http://ukhumanrightsblog.com/2015/11/05/interception-authorisation-and-redress-in-the-draft-investigato For earlycriticism,inparticularalsoofthemarginalrole oftheproposed judicialcommissioner’s role, see: tem/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf 40 cian, i.e.,inthatcase,theMinisterforJustice. 39 Hong Kong,NewZealandandSouthAfrica. text, thetableindicatesthatjudicialintercept warrantsare alsorequired in“normal”casesAustralia,Canada, wp-content/uploads/2015/07/Intercept-Evidence-1-October-2006.pdf Apartfrom in theUSA,notednextin dence -Liftingtheban,2006,p.75,availableat:http://2bquk8cdew6192tsu41lay8t.wpengine.netdna-cdn.com/ 38 stretched alsotothoseprogrammes iftheywere tobecomeknown. Butthatisofcoursespeculation. treaties; andthattheSnowdenrevelations abouttheUSAandUKgeneratedpublicoutcriesthatwouldhave countries havebeenwidelyengagedin“extralegal”activitiesofthesekinds,oftenonthebasissecret lawsor presentation attheFIPRevent“ScramblingforSafety”(2012).https://www.cl.cam.ac.uk/~rja14/sfs-2012.html SeeFoschepoth,J.ÜberwachtesDeutschland:Post-undTelefonüberwachung inderaltenBundesrepublik, 2013. Itisnotimpossiblethatthesenewlegalpowersare beingintroduced toaddress theproblem thatmanyofthese SeePeterSommer, Canweseparate“comm[unication]sdata”and“content”–whatwillitcost?,Powerpoint Abackdoor(alsoreferred toasa“trapdoor”)ismeansofaccess toacomputerprogram thatbypasses See:http://www.heise.de/newsticker/meldung/NSA-Ausschuss-BND-dehnt-strategische-Aufklaerungs Seesub-section2.1. SeeagainDouweKorff, ExpertOpinionprepared fortheCommitteeofInquiryGermanBundestaginto SeeDouweKorff, ExpertOpinionprepared fortheCommitteeofInquiryGermanBundestaginto European Parliamentresolution of29October2015onthefollow-uptoEuropean Parliamentresolution of See:https://www.article19.org/data/files/pdfs/standards/joburgprinciples.pdf Secretary ofStatefortheHomeDepartmentvRehman[2003]1AC153. Seethereport byCasparBowdenetal.totheEuropean Parliament,FightingCybercrime andProtection Schrems v. DPC(endnote14),para.93. Edward Felton,Declarationinongoinglitigationbrought intheUSbyAmericanCivilLibertiesUnion Fortheproposal andthegovernment’s ownoutline,seehere: https://www.gov.uk/government/uploads/sys Idem.According tothetablementionedinendnote25,Ireland intercept warrantsare alsoissuedbyapoliti SeethetableinreportCommissionofJurists),Intercept byJustice(theUKbranchoftheInternational Evi Therelevant statisticscanbefoundhere: https://www.bundesjustizamt.de/DE/Themen/Buergerdienste/Jus “Publicprosecutor” istheclosestequivalenttoterm“procurator” inEnglish-speakingcommonlawcoun Quartz,You thoughtPRISM wasbad?India’s newsurveillance networkwillmaketheNSAgreen withenvy, TheRight toPrivacyinEgypt,2014,p.7. PrivacyInternational, Apparently, thetermrefers totechnicallytrainedLEAorNSAofficials. Theyshouldnotbeconfusedwith IndependentReviewerofTerrorism Legislation,Thebigreveal, 7November2015,availableat: See:http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data - Vodafone, LawEnforcement Disclosure Report2014,undertheheading“Technical implementationoflawful RomanZakharov v. Russia,ApplicationNumber47143/06,GrandChamberjudgmentof4December2015, Vodafone, LawEnforcement Disclosure Report2014,undertheheading“Technical implementationoflawful ------Telenor Group andOrange,thelaweitherprohibited disclosure ofthenumber ofdemandsforlawfulinterception para. 194 adopted on21April2015,availableat:http://assembly.coe.int/nw/xml/XRef/Xref-XML2HTML-EN.asp?file http://www.ldh-france.org/wp-content/uploads/2015/07/Observations-sur-la-loi-relative-au-renseignement.pdf la Magistrature, andtwoothers, Observations SurLaLoiRelativeAuRenseignement,July2015,availableat: mise enœuvre] ofthesurveillance[authorisedbyLaw].” the ParliamentaryIntelligenceCommittee,clarifies[F:précise]mannerofimplementation [F:lesmodalitésde obtained theopinionofNationalCommissionSupervisionoverIntelligenceTechniques andsubmittedto https://www.privacyinternational.org/sites/default/files/HR%20Orgs%20v%20UK.pdf Call Data,at:https://www.techdirt.com/articles/20130917/13395324556/court-reveals-secret-interpretation-pa https://www.eff.org/deeplinks/2014/08/what-you-need-know-about-fisa-court-and-how-it-needs-change Ius cogens,alsoreferred toasaperemptory law, normofinternational isthehighest legalrequirement inpublicinter this regard, see:http://nsarchive.gwu.edu/NSAEBB/NSAEBB127/02.08.01.pdf http://www.nytimes.com/ref/international/24MEMO-GUIDE.html Fortheactualtextofmainmemorandumin para. 242. the USA. aspect ofthesystem. Order%20from%20FISC.pdf 13, at11(FISACt.Mar. 2,2009),availableat https://www.aclu.org/files/assets/pub_March%202%202009%20 available at:https://www.hrw.org/news/2014/05/01/joint-submission-re-national-security-surveillance-and-hu Privacy InformationCenter(EPIC),HumanRightsWatch andPENAmericanCenter, (previous note),para.22, American CivilLibertiesUnion,CenterforDemocracyandTechnology, Electronic Frontier Foundation,Electronic Council, April-May2015,submittedbyBrennan CenterforJusticeatNewYork UniversitySchoolofLaw, Access, to theUnitedNationsTwenty SecondSessionoftheUniversalPeriodicReviewWorking Group, HumanRights University SchoolofLaw, Access,AmericanCivilLibertiesUnion,CenterforDemocracyandTechnology, Elec Working Group, HumanRightsCouncil,April-May2015,submittedbyBrennan CenterforJusticeatNewYork of America,JointSubmissiontotheUnitedNationsTwenty SecondSessionoftheUniversalPeriodicReview given thegenerallyrepressive approaches todissentinRussiaandChina. wouldnotusethosesametoolstocarryoutsurveillanceovertheirownpopulations,that thosegovernments the behestofrelevantforpoliticalandeconomicespionagepurposes,itisdifficult government, tobelieve While thesereports tendtofocusonhackingbyRussianandChinesehackersofWesterntargets,allegedlyat CNET, ThewideworldofhackinginChina,at:http://www.cnet.com/news/the-wide-world-of-hacking-in-china/ http://www.rferl.org/content/russia-hacking-network-spying-us-europe-dukes-fsecure/27254920.html see: Russian hackersknownas“theDukes”was“spyingforthegovernment”, http://www.alternet.org/civil-liberties/snowdens-latest-major-leak-nsas-secret-campaign-crack-undermine-inter impossible toread intercepted communications”,availableat: NSA hassecretly andsuccessfullyworkedtobreak thewidelyusedtechnologythatissupposedtomakeit Also: Snowden’s LatestMajorLeak:TheNSA’s Secret Security:“The CampaigntoCrack,UndermineInternet available at:http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security 86 85 84 id=21692 83 82 81 80 triot-act-allowing-nsa-to-collect-all-phone-call-data.shtml 79 78 national law. Itcannot besetasideoroverriddenbytreaty orotherlawbutisbindingonallstatesinitsownright. 77 76 75 74 befugnisse-deutlich-aus-2467779.html 73 72 71 70 tailed-analysis-by-douwe-korff/ sis byDouweKorff, availableat:http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-de 69 68 67 man-rights-digital-age-2015. 66 For theUK,see,e.g.,witnessstatementsincaseofORGetal.vUK(endnote8). veillance-and-human-rights-digital-age-2015 Center, para.22,availableat:https://www.hrw.org/news/2014/05/01/joint-submission-re-national-security-sur tronic Frontier Foundation,Electronic PrivacyInformationCenter(EPIC),HumanRightsWatch andPENAmerican 65 64 https://www.youtube.com/watch?v=oqy11TE6p7o net-security. Foradetailedexplanationofthetechnologies,seethispaneldiscussion: 63 article4834619.ece http://www.thehindu.com/news/national/indias-surveillance-project-may-be-as-lethal-as-prism/ The articleintheHinduPaperreferred tointhequoteishere: agencies-telecom-service-providers-direct-electronic-provisioning See also:http://articles.economictimes.indiatimes.com/2013-06-28/news/40256071_1_security- available at:http://qz.com/99019/no-call-email-or-text-will-be-safe-from-indias-surveillance-network/ We were informedthatin26ofthe47countries includedinthe2015transparency reports ofVodafone Group, RomanZakharov v. Russia, ApplicationNumber47143/06,GrandChamber judgmentof4December2015. thescales: Security&surveillanceinPakistan,2015. Tipping PrivacyInternational, ParliamentaryAssemblyoftheCouncilEurope, ResolutiononMassSurveillance(Resolution2045(2015)), (France),LiguedesDroits AmnestyInternational del’Homme,SyndicatdesAvocats deFrance,Syndicat Thearticlestipulates,interalia,that“anot-publisheddecree oftheCouncil ofState,adoptedafterhaving 10HumanRightsOrganisationsv. theUK.Thetextofapplicationisavailablehere: Idem.Seealso:CourtReveals‘Secret Interpretation’ OfThePatriot Act,AllowingNSATo CollectAllPhone See:EFF, WhatYou NeedtoKnowAbouttheFISACourt—andHowitNeedsChange,at: See,e.g.:http://www.theatlantic.com/national/archive/2012/02/the-torture-memos-10-years-later/252439/ RomanZakharov v. Russia,ApplicationNumber 47143/06,GrandChamberjudgmentof4December2015, Asexplainedinsub-section1.3,theTIDinformationdoesnotinclude14thcountryincludedoursurvey, Idem. Seeagain:http://www.heise.de/newsticker/meldung/NSA-Ausschuss-BND-dehnt-strategische-Aufklaerungs TheRighttoPrivacyinSouthAfrica,2015,p.5. PrivacyInternational, Asnotedinsection4.11,noteveryonefeelsthattheuseof“designated”judgesisnecessarilyanegative Idem. SeeFundamentalRightsEurope Experts(FREE),EU-USUmbrella DataProtection Agreement: Detailedanaly Idem,para.28. Idem,quotedinpara.24withreference to:Inre Production ofTangible ThingsFrom [REDACTED],No.BR08- NationalSecuritySurveillanceandHumanRightsinaDigitalAge–UnitedStatesofAmerica,JointSubmission FortheUSA,see,e.g.,NationalSecuritySurveillanceandHumanRightsinaDigitalAge–UnitedStates Cf.,e.g.:RFE/RL,RussianHackingNetworkFoundSpyingOnU.S.,Europe ForYears, claimingagroup of privacyandsecurity, Revealed:howUSandUKspyagenciesdefeatinternet Guardian, 5September2013, ------71 I BOUNDARIES OF LAW 72 I BOUNDARIES OF LAW https://www.aclu.org/files/assets/Production%20to%20Congress%20of%20a%20May%2023,%202006%20Gov 3, obtainedinotherlitigationbytheACLU,availablehere: support ofApplicationforcertainTangible ThingsforInvestigationstoProtectTerrorism, againstInternational p. CovenantonCivilandPoliticalRights,30December2011,paras.321-335,avail theInternational Concerning http://www.zeit.de/digital/datenschutz/2015-01/bnd-nsa-metadaten-ueberwachung (Berichtszeitraum 1.Januarbis31.Dezember2011),Bundestagdocument17/12773of14March 2013,avail über dieDurchführung sowieArtundUmfangderMaßnahmennachden§§3,5,7a8diesesGesetzes (Artikel10-Gesetz –G10)2 desGesetzeszurBeschränkungBrief-,Post-undFernmeldegeheimnisses at: http://fas.org/irp/world/uk/isc-privacy.pdf framework, HC1075,12March 2015,para.41,p.20,footnoteomitted;emphasisadded.Thereport isavailable under thelaw)stillcommentonthemandaddtheirownperspective,e.g.,astoscopeofwarrants. on Myanmar(p.31),availableat:http://www.telenor.com/wp-content/uploads/2015/05/GOVERNMENT-AC Telenor Myanmar(p.7),availableat:http://www.telenor.com/wp-content/uploads/2015/05/Authority-re 89 CESS-REPORT_05.pdf 88 quests-for-access-to-electronic-communication_04.pdf 87 from theauthorities. and/or communicationsdataorthelawwasunclearandcompanyawaitingunabletoobtainguidance 113 112 111 110 109 108 107 106 105 http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html On themeaningofotherterms,see: storage-capacity-is-less-impressive-than-thought/ See: http://www.forbes.com/sites/kashmirhill/2013/07/24/blueprints-of-nsa-data-center-in-utah-suggest-its- datasets istherefore extremely low, probably byafactorofthousands. capacity forthefacility”,withoneexabytebeing1000Bytes.Ourreference to“trillions”of to “5zettabytes”(onNPR).Thelowestquotedcapacitythatwehavefoundisstill“lessthan3exabytesofdata Estimates haveincludedsomeextremely highfigures ofastoragecapacityrangingfrom “yottabytes”(inWired) You Say)”,availableat:http://www.wired.com/2012/03/ff_nsadatacenter/ tence ofwhichwasrevealed in2012.See:“TheNSAIsBuildingtheCountry’s BiggestSpyCenter(Watch What 104 103 102 munications of“USpersons”.Nosuchweedingoutisevensuggestedinrelation to“non-USpersons”. 101 100 ernment%20Memorandum%20of%20Law.pdf 99 able at:http://www.state.gov/j/drl/rls/179781.htm 98 97 96 95 94 on pp.4-5. able at:http://dip21.bundestag.de/dip21/btd/17/127/1712773.pdfThestatisticscanbefoundinsectionIII.2, 93 92 91 90 Executive Summary, p. 7. Head ofEurope RegionofAI,12-14November1980, Council ofEurope DocumentAS/Pol/Coll/Terr(32)26. on “DefenceofDemocracyagainstTerrorism inEurope: Tasks andProblems”, presented by DouweKorff as http://www.usatoday.com/story/news/politics/2014/10/22/president-obama-states-of-emergency/16851775/ to workers’uprisings.See:https://fr.wikipedia.org/wiki/%C3%89tat_de_si%C3%A8ge_(France) practice tookroot underwhichsuch transferswere alsoordered inrelation to otherdisturbances,e.g.,inrelation those circumstances thecivilpowers were transferred tothemilitaryauthorities.However, aftertheRevolution,a was inastateofsiegewhenitcutoff from therest ofthecountrybysurrounding enemytroops; andin report: Egypt,France,Germany, India,Pakistan,SouthAfrica,Turkey, theUKandUSA. https://en.wikipedia.org/wiki/State_of_emergency. Theseinclude,ofthe14countriesincludedinpresent https://www1.umn.edu/humanrts/instree/siracusaprinciples.html United NationsEconomicandSocialCouncil(UNDocumentE/CN.4/1985/4,Annex(1985), availableat: CommissionofJurists,butendorsed bytheCovenant onCivilandPoliticalRights,draftedbytheInternational under principle42oftheSiracusaPrinciplesonLimitationandDerogation Provisions intheInternational is formallydeclared before astate-partycanrely onthe “derogation clause”(Article4(1)).Thisisalsorequired http://www.brickcourt.co.uk/news-attachments/APPG_Final_(2).pdf privacy_and_security/law_enforcement.html#aaap operators?”, availableat:https://vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/ Procedures (U)”,onp.3ofthatdocument.Allthelimitationslistedare aimedatweedingoutmost(notall)com persons” intheattachmentcontainingadocumententitled“USSID18–LegalComplianceandMinimization UnitedStatesForeign IntelligenceSurveillanceCourt,Washington D.C.,ExhibitC,MemorandumofLawin FourthPeriodicReportoftheUnitedStatesAmericatoNationsCommitteeonHumanRights Idem,p.8. BNDspeichert220MillionenTelefondaten –jedenTag, dieZeit,30January2015,availableat: Idem,p.7. Idem,sectionIV.2, onpp.6-7. Unterrichtungdurch dasParlamentarischeKontrollgremium (PKGr)–Berichtgemäß§14Absatz1Satz Idem,atiii),iv)andv),onpp.4950,footnotesomitted. Idem,para.134,ati),onp.49,footnotesomitted. andtransparent UKIntelligenceandSecurityCommitteeofParliament,PrivacySecurity:Amodern legal Vodafone saysthatitdoesnotpublishstatisticswheredoso.However, governments theycould(ifallowed Telenor, AuthorityRequestsForAccessTo Electronic Communication–LegalOverview, May2015,entry Telenor, AuthorityRequestsforAccesstoElectronic Communication-CountryData,May2015,entryon Privacy International SpecialReport, ShadowState:Surveillance,Lawand Order PrivacyInternational inColombia,August2015, toaconference SubmissionbyAmnestyInternational oftheParliamentaryAssemblyCouncilEurope See:SpecialReport:America’s perpetual stateofemergency, availableat: Notethathistorically, before theFrench Revolutionof1789,the“statesiege”wasamatterfact:town Forveryusefulcountrysummariesofemergencylawsandpowers,see: CovenantonCivilandPoliticalRightsexpressly NotethattheInternational requires thatastateofemergency JemimaStratford QC,AdviceIntheMatterofStateSurveillance,22January 2014,paras.13-15,availableat: Idem,undertheheading“Whatstatisticsshouldbereported: warrantsortargets?” Vodafone, LawEnforcement Disclosureor Report2014,undertheheading“Whoshouldpublish:governments ThediscussionsoftheNSA’s storagecapacityhavefocussedonitsspecial,largefacilityinUtah,theexis Idem,para.16,footnotereferences omitted. NationalSecuritySurveillanceandHumanRightsinaDigitalAge–UnitedStatesofAmerica,endnote53. Cf.thereferences totheneedforauthorisationofaccesscontentrelating tocommunicationsof“US Idem,p.8,atD.Originalitalics;emphasesinboldadded. ------139 138 137 136 135 134 133 132 131 130 129 128 127 Security?: FrameworksforEuropean-Mediterranean IntelligenceSharing.” Texas 46(151):151–207andShpiro, Shlomo.2001.“TheCommunicationof Mutual LawJournal International 211. ForfurtherinformationseeSEPPER,ELIZABETH.2010.“Democracy, HumanRights,andIntelligenceSharing.” ofIntelligenceandCounterIntelligence17(2):193–230.doi:10.1080/08850600490274890,pagenational Journal 126 dance?” CooperationandConflict47(4):495–518.doi:10.1177/0010836712462774. 125 124 123 122 121 120 119 118 117 schweigen-zehn-weitere-internet-abschnorchel-aktionen/ 116 lobs.com/societe/20150625.OBS1569/exclusif-comment-la-france-ecoute-aussi-le-monde.html 115 114 http://mg.co.za/article/2011-10-14-secret-state/ And also,“Secretspiesonyou”,14Oct2011.availableat: state:Howthegovernment http://mg.co.za/article/2013-06-21-00-spy-wars-south-africa-is-not-innocent South Africaisnotinnocent”,21June2013,availableat: circumstances PrivacyInternational’s inference remains reasonable. not besuch“backdoor”access.However, itdidnotsaythatthiswasthecaseinKenya,andwefeel technical equipmentthatthelawallowsthemtoinstal–andinthosecircumstances there mighttherefore org/news/2014/05/01/joint-submission-re-national-security-surveillance-and-human-rights-digital-age-2015. Privacy InformationCenter(EPIC),HumanRightsWatch andPENAmericanCenter, availableat:https://www.hrw. American CivilLibertiesUnion,CenterforDemocracyandTechnology, Electronic Frontier Foundation,Electronic Council, April-May2015,submittedbyBrennan CenterforJusticeatNewYork UniversitySchoolofLaw, Access, to theUnitedNationsTwenty SecondSessionoftheUniversalPeriodicReviewWorking Group, HumanRights Netzpolitik, 5June2015,availableat:https://netzpolitik.org/2015/angezapfte-glasfasern-bnd-und-kanzleramt-ver https://en.necessaryandproportionate.org/ https://terrorismlegislationreviewer.independent.gov.uk/the-big-reveal/ and HumanRightsinMyanmar. dx.doi.org/10.2139/ssrn.2686095 and HumanRightsinMyanmar(May1,2015).Available orhttp:// atSSRN:http://ssrn.com/abstract=2686095 tense/2015/04/22/netizen_report_egypt_tanzania_and_pakistan_consider_new_cybercrime_laws.html Norwegian Parliament,2015,p.1. Privacy International SpecialReport,ShadowState:Surveillance,LawandOrder PrivacyInternational inColombia,August2015,p.16. TherighttoprivacyinKenya,23June2014.https://www.privacyinternational.org/node/386 PrivacyInternational, Privacy International, TherighttoprivacyinSouthAfrica,2015,withreference PrivacyInternational, toMail&Guardian, “Spywars: thescales:Security&surveillanceinPakistan,2015. Tipping PrivacyInternational, TherighttoprivacyinMyanmar, PrivacyInternational, 2015. Idem.Inacommentonthisquote,Vodafone toldusthat“anumberofcountries”hadnotactuallyinstalled the NationalSecuritySurveillanceandHumanRightsinaDigitalAge–UnitedStatesofAmerica,JointSubmission BNDundKanzleramtverschweigenzehnweitere AngezapfteGlasfasern: OperationenzurInternet-Überwachung, l’Obs,Exclusif:CommentlaFrance(aussi)écoutemonde,1July2015,availableat:http://tempsreel.nouve andothers,TheRighttoPrivacyinEgypt,2014.,pp.710. PrivacyInternational See International PrinciplesontheApplicationofHumanRightstoCommunicationsSurveillance, May2014. SeeInternational http://s3.documentcloud.org/documents/1312939/un-report-on-human-rights-and-terrorism.pdf IndependentReviewerofTerrorism Legislation,Thebigreveal, 7November2015,availableat: Ibid,p.5. TheRighttoPrivacyinSouthAfrica,2015,p.3. PrivacyInternational, Seethediscussionof“nationalsecurity”andJohannesburgPrinciplesinsection2.3. SeeAndreaCapacityBuildinginPost-AuthoritarianContexts.Telecom Calderaro,Governance Internet Reform TheRighttoPrivacyinMyanmar, PrivacyInternational, 2015,para.30. SeeAndreaCapacityBuildinginPost-AuthoritarianContexts.Telecom Calderaro,Governance Internet Reform See:https://www.privacyinternational.org/node/99 TheRighttoPrivacyinEgypt,2014,p.7. PrivacyInternational, TheSpringofCybercrime Laws,NetizenReport,22April2015,availableat:http://www.slate.com/blogs/future_ SeeRudner, Martin.2004.“HuntersandGatherers: TheIntelligenceCoalitionAgainstIslamicTerrorism.” Inter SeeBures, O.2012.“InformalCounterterrorism ArrangementsinEurope: BeautybyVariety orDuplicitybyAbun IntelligenceCooperationAccountable,studyforthe MakingInternational IanLeigh,AidanWills, HansBorn, TherighttoprivacyinTurkey, PrivacyInternational, 2015. - - - - 73 I BOUNDARIES OF LAW