Mapping Laws on Government Access to Citizens' Data: Colombia
Constitution of 1991
The Constitution of 1991 provides that communications are inviolable and may be intercepted or recorded only by court order (article 15). The Constitution was nevertheless amended with respect to the functions of the Attorney General (Constitutional Amendment Nº 3 of 2002), allowing him to intercept and record communications without a prior court warrant, but subject to judicial review by the judge of guarantees (article 250).
Article 15. (…) The correspondence and other forms of private communication are inviolable. They can only be intercepted or recorded by means of a court warrant, in the cases and with the formalities that the law establishes.
Article 250. (…) The Attorney General has the following functions:
2. To carry out records, searches, seizures and interceptions of communications. In these events the judge who exercises the functions of control of guarantees will be in charge of a subsequent judicial review, within the following thirty-six (36) hours.
Code of Criminal Procedure
The Code of Criminal Procedure (amended by Law 1453 of 2011 – articles 52 and 53) sets out the legal requirements that the Attorney General must follow to issue a warrant to intercept and record private communications and to retain any kind of information transmitted through any communications network, for the purposes of gathering evidence for a criminal prosecution or of apprehending a person who is convicted or under investigation. It also sets out the formal requirements to be met by the Attorney's warrant on communications interception and retention.
Article 235. Interception of private communications.
The prosecutor will be able to order, for the purposes of gathering material and physical evidence or of searching for and locating an accused or convicted person, the interception of private communications transmitted by any network, by magnetophonic recording or similar means. In this respect, the competent authorities will be in charge of the technical operation of the respective interception and its processing. They have the obligation to do it immediately after the notification of the warrant, and all the costs will be at the expense of the authority that executes the interception.
In any case, the interception order shall be a written warrant. The persons who take part in these operations shall guarantee the confidentiality of the information and communications. The communications of the defender will never be intercepted. The order will be valid for no more than six (6) months, but it could be extended if the prosecutor considers that the probable causes that originated the first warrant continue.
This extension of the warrant is subject to a prior judicial review.
Article 236. Recovery of information produced by data transmission through communications networks. When the prosecutor has reasonable justification, according to the cognitive means provided in this code, to infer that the accused in a criminal procedure is transmitting or manipulating data via telecommunications networks, the prosecutor will issue an order to the police with judicial functions to seize or recover such information, terminal equipment, devices or servers, so that forensic computer experts can discover, collect, analyze and guard the information retrieved, in order to obtain material and physical evidence or to allow the arrest of the crime suspect, the accused or a convicted felon.
In these cases the criteria for communications interception and retention will be applied analogously, according to the nature of this act. The apprehension referred to in this article will be limited solely to the time required to capture the information contained therein. If applicable, the seized equipment will be immediately returned.
Decree 1704 of 2012
Recently, on 15 August 2012, the Ministries of Justice and ICTs issued Decree 1704 on Communications interception and data retention. Its legal framework is the Criminal Procedure Code of 2004 (particularly articles 235 and 236 mentioned above) and its purpose is to optimize the investigation, detection and prosecution of serious crime.
According to this decree, all telecommunications service providers (including ISPs) must implement the technological means and infrastructure required to guarantee the judicial police access to their networks in order to carry out lawful interception activities, subject to a prior warrant issued by the Attorney General.
Article 4 states that communications providers must retain and store for a period of 5 years subscribers' personal information (identity, address, location), which must be available to the Attorney General or any competent authority at any time and in real time (i.e. location and geographic coordinates).
Finally, service providers must guarantee the confidentiality of the information retained.
Article 1. Definition of lawful interception of communications: The interception of communications, regardless of the origin or underlying technology, is a public security mechanism that seeks to optimize the investigation of crimes that is conducted by competent authorities and agencies, within the framework of the Constitution and the Law.
Article 2. Duty of telecommunications network and service providers: Telecommunications network and service providers carrying out business within the national territory must implement and ensure at all times the availability of the necessary technology infrastructure that provides connection and access points for the capturing of communications traffic in their networks, so that the agencies having permanent Judicial Police functions may perform all activities required for the interception of communications, subject to prior authorization by the National Attorney General or his/her designee.
Telecommunications network and service providers must respond in a timely manner to the requests for interception of communications made by the National Attorney General, in conformity with this decree and the legal framework currently in force, to facilitate interception activities by permanent judicial police agencies.
Paragraph. The Ministry of Information and Communications Technologies may, as deemed necessary, define the technical specifications of connection points and type of traffic to be intercepted, and impose on telecommunications network and service providers, through general resolutions, technical conditions and models as well as systematic protocols to be followed, to respond to requests for interception made by the National Attorney General.
Article 4. Subscriber information: Once the relevant legal requirements have been met, telecommunications network and service providers must deliver to the National Attorney General’s Office or other competent authorities, through the Judicial Police group designated to investigate the case, the subscriber’s data such as identity, invoicing address and type of connection. This information must be delivered forthwith.
Telecommunications network and service providers must keep subscriber information up-to-date, and retain such information for a period of five years.
Article 5. Location information: If specifically required for purposes of the interception of communications, telecommunications network and service providers must deliver to the Attorney General’s Office, through the permanent judicial police agencies, the specific information contained in their databases, such as sectors, geographic coordinates and power, among others, that may contribute to determining the geographic location of terminals or devices involved in the communication. This information must be delivered on-line or on a real time basis whenever required.
Article 6. Confidentiality: Telecommunications network and service providers, officers from the Attorney General’s Office, and those carrying out Judicial Police functions who have access to any kind of information or data in the course of, or in connection with, the exercise of their duties, or who take part in activities related to the interception of communications, shall guarantee data privacy and confidentiality of information, subject to all criminal and disciplinary investigations that may be applicable.
Article 7. Sanctions: The telecommunications network and service providers which breach the provisions set forth in this Decree shall be subject to the sanctions provided for in Law 1341 of 2009 and other regulations and related legislation, without prejudice to administrative and criminal actions and liability.
Within the powers conferred under the Law, the Ministry of Information and Communications Technologies shall carry out inspection, oversight and control activities in relation to the fulfilment of the obligations hereunder.
In 2009, the Criminal Code of 1999 was amended by adding a new section on Cybercrimes (Law 1273 of 2009, Cybercrimes Act), including crimes such as phishing, hacking and stealing personal data.
Article 269A: Abusive access to a computer system. Whoever, without consent or outside the agreement, accesses all or part of a computer system, whether or not protected by a security measure, or remains within it against the will of those who have a legitimate right to exclude that person, shall be liable to imprisonment of forty-eight (48) to ninety-six (96) months and a fine of 100 to 1,000 monthly legal minimum wages.
Article 269B: Illegitimate obstruction of computer or telecommunications network. Whoever, without being authorized to do so, prevents or obstructs the functioning of or normal access to a computer system, computer data contained therein, or a telecommunications network, is punishable by imprisonment of forty-eight (48) to ninety-six (96) months and a fine of 100 to 1,000 monthly legal minimum wages, provided that the conduct does not constitute an offense punishable by a greater penalty.
Article 269C: Interception of data. A person who, without a warrant, intercepts data at its origin, at its destination or within a computer system, or electromagnetic emissions from a computer system that transports them, is punishable by imprisonment of thirty-six (36) to seventy-two (72) months.
Article 269F: Violation of personal data. The person who, without being authorized to do so, for his own benefit or that of a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies or uses personal codes, personal data contained in files, databases or similar, is punishable by imprisonment of forty-eight (48) to ninety-six (96) months and a fine of 100 to 1,000 monthly legal minimum wages.
Article 269G: Spoofing websites to capture personal information. The person who illegally and without being entitled to do so, designs, develops, traffics, sells, carries out, programs or sends electronic pages, links or pop-up windows, is punishable by imprisonment of forty-eight (48) to ninety-six (96) months and a fine of 100 to 1,000 monthly legal minimum wages, provided that the conduct is not punishable with a more severe penalty.
The same penalty shall apply to any person who modifies the domain name system in order to mislead a user into believing that he is entering his bank's website or another personal or trusted website, provided that the conduct does not constitute an offense punishable with a more severe penalty.
Law 1341 of 2009 – Information and communications technologies act
Article 4. State intervention in the ICT Sector. Pursuant to the intervention principles provided in the Constitution, the State shall intervene in the ICT sector:
10. To impose obligations of service provision and use of infrastructure on telecommunications services providers for the purposes of public security, national defence and prevention of emergency situations.