Privacy-invasive police requests for IP addresses successfully challenged
ONG Derechos Digitales
(Published December 2012) In 2008, a Chilean website called Huelga.cl (“strike” in English) was approached by the Cyber Crime Section of the Chilean Police. The law enforcement agency demanded that the webmaster hand over data related to pseudonymous user accounts, such as IP addresses, records of previous connections, names, and physical addresses. The targeted pseudonymous users had left comments on the website about an ongoing strike. Meanwhile, police accessed the whois database to determine which ISP hosts the Huelga.cl site and then pressured the ISP for information too.
Huelga.cl is an online space for coordinating union actions. Because police did not have a court order to back up this request for information, Huelga.cl took a stand by resisting police pressure and refusing to hand over the data without a fight. For assistance, they turned to Derechos Digitales, a Chilean nonprofit that promotes human rights online, including free speech and privacy.
Chile has a mandatory data retention regime that compels Internet service providers (ISPs) and telcos to continuously collect and store records documenting the online activities of millions of users who access the Internet within national boundaries. Most ISPs and telcos give subscribers IP addresses that change periodically. Because the Chilean mandatory data retention regime forces ISPs and telecom providers to keep records of IP address allocations for a given time, police can demand information from these providers in order to identify individuals based on who had a given IP address at a particular date and time and only for serious crimes.
To fight the police request, Huelga.cl teamed up with the local ISP that hosted its content because police were attempting to get information from both of them simultaneously. Derechos Digitales assisted both with legal support, because they realized it was not enough to protect the website but not the ISP.
“In our legal analysis, we noticed that the data retention law, which has been in force since 2003, requires ISPs to collect and store personal data of their users for given term, in order to use it for purpose of law enforcement – but only in cases of serious crimes,” explains Alberto Cerda, who was then studies director of Derechos Digitales. “However, in this case police officers lacked a specific court order requiring Huelga.cl to provide that data. Plus, the ongoing investigation was not related to any felony, but a mere misdemeanor.”
After Derechos Digitales helped Huelga.cl and the ISP push back, the police stopped calling and never asked for a court order to be issued against the people from Huelga.cl.
“Our first approach was contacting the police officers, because we thought they ignored the scope of their duties in this case,” notes Cerda. “Unfortunately, that was not enough. The police continued calling the website administrator and asking for the information. This forced us to challenge the measure before the competent authorities.” In July 2008, Huelga.cl submitted presentations before the criminal court, the local prosecutors, and the police authorities simultaneously. Since website operators keep private information about users, Derechos Digitales asserted, webmasters have a responsibility to safeguard the privacy of their users. The Chilean constitution guarantees the right to privacy that cannot be arbitrarily affected either by the government nor a non-state actor. Additionally, the Chilean data protection law and criminal code provide protection against outrageous violations of the right to privacy.
In addition to their legal work, Derechos Digitales also got the word out with a public information campaign. This included preparing blog posts, making appearances on radio programs, and reaching out to media outlets to raise awareness about how it was possible to challenge police if they solicited information about Internet users without court orders.
Finally, the police backed off for good, and Huelga.cl issued a public statement. "[The] consistency and conviction with which we have protected the privacy of our user community has helped the police to respect the legal process, called into question the real justification for the requested information, and reaffirmed our commitment to people who rely on our site," The website operators wrote. "We thank Derechos Digitales for the support and legal assistance it has provided to get full safeguards for the fundamental rights of our users.”
Through assisting Huelga.cl, Derechos Digitales realized that the arguments, materials and responses they produced for one campaign could be used again if a similar case arose. Sure enough, similar cybercrime requests surfaced further down the line. But once they had created informational materials for the Huelga.cl case, a ready-made response was in place to challenge new requests. “You can link to previous posts, and give a history on what’s happening,” says Francisco Vera of Derechos Digitales.
Cerda notes that the case also illustrated the need to educate webmasters and ISPs on the importance of privacy vis-à-vis the government. “The case became relevant only because the administrator realized the implication of the police request,” he said. “We need to work harder to make sure any person in that position, and any Internet service provider, understands that he/she can refuse to hand over information about their clients/users upon simple request by the police.” For that matter, law enforcement agencies should also be educated to be sure that they understand the law and are using legal practices.
The Huelga.cl case also illustrates how several other fundamental rights can be impacted by surveillance practices. This police request threatened to impact not only on privacy, but also free speech, the right to information, due process, and workers’ rights.
- Establish clear barriers when challenging overbroad surveillance.
- Use public education as a response to privacy-invasive practices.
- Formulating a response for one case can provide guidance in the future
Derechos Digitales [ES]
Chile’s data retention law (See article 222 of the criminal procedure code)