Going into 2014, there were high hopes for advancing privacy protections and for finally having the debate around surveillance we've been clamoring for. In 2013, the right to privacy was “the right whose time has come”. Privacy was even Dictionary.com's word of the year. Europe was on the edge of passing new strong privacy laws, despite protests from industry and governments. Parliaments in Canada and the United Kingdom had pushed back against expanding surveillance laws. Transparency reports were beginning to give a more comprehensive picture of internet surveillance around the world. Then the Snowden revelations, amid a growing awareness of how our lives are being spied on by both industry and governments, shot privacy to the forefront of the public's consciousness.
If 2013 was the year that the world woke up to the dangerous reach of surveillance into our daily lives, what happened in 2014?
Governments struck back. Though Snowden's actions spurred many national conversations, governments maintained a willful ignorance of these concerns and passed new and expansive surveillance laws.
In 2014, surveillance powers of the state actually reached worrying new heights. There may not have been a “Snowden” moment, but troubling news came out showing how powerful the State's reach is, from state-sponsored hacking to the ability to monitor an entire country's communications.
But we remain hopeful. Public awareness of the right to privacy continued to grow in 2014. Civil society organisations around the world joined together for “The Day We Fight Back”, privacy was at the forefront at the United Nations, and a number of court rulings, particularly in Europe, strengthened the right. And for the first time ever, governments in Europe began taking action to prevent the sale of dangerous surveillance technologies around the world.
It was a busy and hard year, for sure. Below, we take a detailed look at seven critical events this year for privacy.
1. We are closer than ever to preventing the export of surveillance technologies to repressive governments
In late 2013, there was finally some governmental action on constraining the surveillance industry. The forty-one governments that compose the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies took the first steps to begin addressing the completely unchecked surveillance industry by developing new regulations.
In 2014 we fought hard to actually implement these regulations. We are now closer than ever before to keeping mass and intrusive spying technologies out of the hands of repressive governments.
Privacy International, along with Amnesty International, Human Rights Watch, Reporters Without Borders, FIDH, Digitale Gesellschaft, and the Open Technology Institute, joined together to form the Coalition Against Unlawful Surveillance Exports (CAUSE). This campaign put the issue of export controls high on the agenda in Europe and the United States.
The European Commission announced in November that it would move ahead and add specific forms of surveillance technology to the EU control list on dual-use items, taking steps to finally hold to account companies that sell spy equipment and enable human rights abuses. The European Parliament has also become much more vocal on this issue, calling for a ban on the export of intrusion and surveillance technologies which could be used to spy on and repress citizens in Egypt.
The technologies taken up by the European Commission include IP monitoring and intrusion software. Adding intrusion software and IP monitoring to the control list places exporters of surveillance technology such as FinFisher, Hacking Team and Amesys under more scrutiny, as they will now be obligated to apply for licences for their technologies when exporting out of the EU.
This could not have come at a more critical time. Spyware sold by the leading producers, Hacking Team and Gamma, continues to be found around the world, and the companies' products have been connected to the surveillance of activists from Bahrain and Ethiopia. And PI's report on surveillance in Central Asia details the human rights concerns that arise when these types of technologies wind up in the hands of authoritarian governments.
However, there are concerns, in particular from the security community, about how these controls may negatively impact legitimate research, or ensnare legitimate technologies. It is important to reiterate that the new language doesn’t control “intrusion software” per se, but rather the software and technology used on servers to disseminate it. In other words, the controls are not aimed at the malware and rootkits that actually infect a device, but at the software used to create, deliver and instruct them.
While having these controls in place will not completely stop the export of these technologies, these changes make this multi-billion dollar industry more transparent and more accountable to lawmakers and the public.
2. Privacy has its time at the United Nations
After remaining in the shadows for decades, the right to privacy finally had its day in the sun at the United Nations. The right to privacy in the digital age became a focal point of discussion, receiving unprecedented attention from the Human Rights Council and the UN General Assembly.
The UN General Assembly passed a resolution recognising that any digital surveillance programme must be compliant with the right to privacy, and that any interference with the right to privacy must not be arbitrary and must be conducted on the basis of a legal framework, which is publicly accessible, clear, precise, comprehensive and non-discriminatory.
This resolution built upon a report by the UN High Commissioner for Human Rights, which served as a game changer for the right to privacy. After consultation with stakeholders, including Privacy International, the High Commissioner’s report lends substantial support to the propositions Privacy International has long advocated: that mass surveillance inherently interferes with human rights, mandatory communications data retention is neither necessary nor proportionate, there is no persuasive difference between communications content and communications data when it comes to privacy, and States must extend human rights obligations to individuals whose communications pass through their jurisdictions.
More limited progress was made in the context of the Universal Periodic Review. Government representatives still did not systematically raise concerns regarding the right to privacy, even when reviewing countries where serious concerns have emerged about unlawful intrusion into the privacy of their citizens, including for the purposes of stifling legitimate dissent.
3. State-sponsored hacking comes into the light
When it comes to hacking, the most talked-about security news this year may have been the infiltration of Sony Pictures, the subsequent release of a bunch of embarrassing emails from studio execs, and the eventual cancellation of the widespread release of “The Interview”.
The Sony hack may have received the most attention, but it was hardly the only, or the most important, news about state-sponsored hacking that came out this year.
Early this year, it was revealed through a series of Snowden documents that GCHQ and NSA are infecting potentially millions of computer and mobile devices around the world with malicious software that gives them the ability to sweep up reams of content, switch on users' microphones or cameras, listen to their phone calls and track their locations.
GCHQ was also linked to the hacking of Belgium's largest telecommunications provider, Belgacom, using the sophisticated malware known as “Regin”. While the Belgacom hack was first reported in September 2013, the full extent of the attack was not fully known until this year.
In the wake of these revelations, Privacy International took two cases against the British government for their hacking activities, one for the targeting of personal devices and another in conjunction with seven internet service and communications providers challenging the deliberate targeting and undermining of the world's communications infrastructure.
4. Government surveillance on trial
Privacy International, Bytes for All, Amnesty International, Liberty, and others met with GCHQ at the Investigatory Powers Tribunal over the UK Government's policies around intelligence sharing (PRISM) and mass interception, storage, and processing of data flowing over undersea fibre optic cables that carry the world's communications (TEMPORA). While ultimately the Tribunal ruled that the Government's policies were legal in principle (which PI plans on appealing to the European Court of Human Rights), several key items came out of the case, namely the disclosure of two (previously) secret Government policies.
First, the UK Government considers it justifiable to engage in mass surveillance of every Facebook, Twitter, YouTube and Google user in the UK, even if there is no suspicion that the user has committed any offence, by secretly redefining Britons’ use of them as “external communications”. Second, the UK intelligence services can request or receive access to bulk data from foreign agencies like the National Security Agency without a warrant whenever it would “not be technically feasible” for the government to obtain it themselves.
These revelations were the first time that the policies used to justify GCHQ's surveillance activities were made public, and were only disclosed due to the legal challenge brought forth by PI and others.
5. The lack of response from the Five Eyes to the Snowden revelations
The year started off with a bang – off the back of the Snowden revelations, the “Day We Fight Back” saw hundreds of civil society organisations around the world stand together to call for an end to mass and indiscriminate surveillance. Hundreds of thousands of people from around the world joined in to call for action and many policymakers called for reform.
But the reform never came. In fact, things may have gotten worse.
The Obama Administration proposed some NSA reforms, but also firmly disagreed with the Privacy and Civil Liberties Oversight Board’s (PCLOB) conclusions that current programs have undermined US law. The Senate also failed to pass the USA FREEDOM Act, even though the law would have done nothing to protect non-Americans' data. In keeping with its track record of limited transparency, the NSA on Christmas Eve released 12 years' worth of heavily redacted intelligence oversight reports, which detailed a shocking number of abuses and legally questionable activities by agency officials.
In the UK, Parliament rammed through emergency legislation allowing for mass communications data retention (which we'll get to later) and extended the reach of UK warrants and orders to anywhere in the world. Instead of reining in the surveillance state, the Data Retention and Investigatory Powers Act 2014 actually expanded it. The new Director of GCHQ, Robert Hannigan, in what were GCHQ's first public words since the Snowden revelations, wrote an op-ed in the Financial Times attacking tech companies, calling social networks “command-and-control networks of choice for terrorists and criminals”.
A new batch of Snowden documents was released showing the deep involvement of New Zealand in the Five Eyes surveillance alliance, which removed the perception that the country was a passive participant in the club.
In Canada, a number of bills were proposed that would give the government greater surveillance powers. This October, the Canadian government tabled the Protection of Canada from Terrorists Act, which aims to clarify the legal status of extraterritorial Canadian surveillance by mandating a court to authorize surveillance on foreign territories. Bill S-4, the Digital Privacy Act, was also proposed in Canada during 2014, which would facilitate IT service providers' exchange of information with third parties. The Canadian intelligence agency, CSEC, had its budget doubled in 2014 for facility maintenance, collection of foreign intelligence and to improve security.
And Australia took the disturbing move to broaden its mass surveillance powers, even in the face of public outrage at the country's role in the Five Eyes. The Bill, which amended the Australian Security Intelligence Organisation (ASIO) Act 1979, included such privacy-threatening provisions as allowing ASIO to use any computer, network or Internet communication to remotely gain access to a targeted computer.
But Australia also took another step to strengthen its surveillance powers, going against international trends on communications data retention.
6. Courts push back against surveillance and strengthen privacy
The European Court of Justice, in two rulings this year, took important steps to reinforce the right to privacy: by striking down the Data Retention Directive and by upholding existing privacy principles in the “right to be forgotten” ruling.
In strong and unequivocal language, the Court in April invalidated the European Union’s 2006 Data Retention Directive. The court very clearly stated that the right to privacy provides a fundamental barrier between the individual and powerful institutions, and that the widespread and indiscriminate collection of information is inconsistent with human rights and democratic values.
In the wake of the decision, countries across Europe began to either abolish or recalibrate their data retention laws. Companies, some immediately, began deleting customer data they were forced to retain. The decision was a validation of what we had been saying for years: the mass storage and retention of metadata is an interference with the right to privacy, and access to this data cannot be justified under vague references to combating serious crimes or terrorism.
Yet some countries did not take heed. Despite having months to adapt to the Court's ruling, the UK Parliament in July passed an 'emergency' surveillance bill, which rammed through data retention powers. In Australia, data retention laws were proposed which completely conflicted with the Court's ruling. While not subject to the ruling, the new laws in Australia flew in the face of the international trend to scale back this form of mandated mass surveillance.
In what proved to be a controversial ruling, the European Court of Justice also issued judgement in what was commonly called the “right to be forgotten” case, upholding existing privacy principles under the Data Protection Directive 1995 against Google's search results. American industry and free expression advocates loudly spun the ruling as threatening free speech, but the ruling itself was a rather straightforward legal judgement: the Court took the view that search engines allow for a detailed profile of an individual, and as such, should follow the law to protect the privacy rights of individuals.
However, the ruling has incredibly complex implications, and much more needs to be figured out, including the discretion of search engines that receive claims from individuals requesting deletion and that act as arbiter of what is in the public interest.
The Supreme Court of Canada upheld the right to privacy of IP addresses held by internet service providers, but made a worrying decision on searching a mobile phone pursuant to arrest. Meanwhile, the U.S. Supreme Court ruled in favour of privacy of mobile phones in Riley v California.
7. The expanding awareness of risks to privacy from surveillance in the Global South
While much of the world's focus remains on the Five Eyes countries and their surveillance activities, the right to privacy is at risk in the Global South.
In fact, in many countries, especially where it is difficult to expect accountability from governments and where the rule of law is not respected, the situation was more grim. Here's a snapshot of what happened around the world, with an eye on surveillance in countries where Privacy International works with partners.
The Kenyan government introduced the Security Laws (Amendments) Bill 2014 (SLAB), a worrying bill which expands the powers of the National Intelligence Service. Furthermore, SLAB amends the Prevention of Terrorism Act 2012 (PTA) to weaken the legal safeguards pertaining to the interception of communications by police, increases the purposes for which surveillance may be undertaken, and provides for broad powers for the otherwise undefined “National Security Organs” to intercept communications.
The PUMA surveillance program, long acknowledged as one of the most dangerous spying programs in South America, was put on hold because of concerns around the abuse of technology. In what should be seen as a temporary victory for common sense, the Attorney General in Colombia put the programme on hold because of the risks to the right to privacy. The Attorney General said, "It can lead to indiscriminate use of interception as a research tool in cases where the invasion of fundamental rights is not even necessary in the fight against crime."
In June 2014, leaked documents from the Ministry of Interior revealed that the Egyptian government was trying to acquire mass surveillance equipment capable of monitoring social networks such as Facebook, Twitter, and YouTube. In response to this, civil society filed a legal case against the Minister of the Interior challenging the purchase and deployment of the surveillance programme.
In late 2013 the Tunisian Technical Agency (ATT) was established by presidential decree with no democratic debate "to provide technical support to judicial investigations into the crimes of information systems and communication". In 2014 civil society organisations began to push back against its formation and to challenge its existence. Civil society organisations in Tunisia, such as Nawaat, and around the world have claimed that the ATT is illegal under Tunisia's new constitutional guarantees and lacks a clear legal framework to be considered in accordance with the law.
Our partners in Argentina, Asociación por los Derechos Civiles, filed a Freedom of Information request to the Parliamentary Commission to obtain information on the intelligence agency oversight mechanisms but the request went unanswered. In response, ADC filed a claim at the Supreme Court seeking a declaration that this complete silence is unconstitutional.
A Draft Data Protection and Privacy Bill was introduced, as a way to apply the constitutional right to privacy to modern technologies. But it had a number of significant shortcomings. Along with our Ugandan partner Unwanted Witness, PI submitted comments on the draft law, seeking stronger comprehensive protections.
While many of these fights are ongoing, this year privacy and surveillance rose on the agendas of many human rights organisations around the world. See also reports from PI's partners in Colombia, Argentina, and two from Pakistan.
With a strong push from civil society organisations around the world, and a more informed public, 2015 may well be brighter than this bleak 2014.