One Small Step for Privacy, One Giant Leap Against Surveillance
Today, the 193 members of the United Nations General Assembly unanimously approved a UN privacy resolution entitled "The right to privacy in the digital age." The resolution, which was introduced by Brazil and Germany and sponsored by more than 50 member states, is aimed at upholding the right to privacy for everyone at a time when the United States and the United Kingdom have been conducting sweeping mass surveillance on billions of innocent individuals around the world from domestic soil.
The resolution reaffirms a core principle of international human rights law: Individuals should not be denied human rights simply because they live in another country from the one that is surveilling them. We hope the resolution will make it harder for the US and its Five Eyes allies to justify their mass surveillance activities by claiming that their human rights obligations stop at their own borders.
Requests the United Nations High Commissioner for Human Rights to submit a report to the General Assembly on the protection of the right to privacy, including in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.
In short, this request opens the opportunity for further work on the issue by the United Nations on the protection of privacy across borders. Fortunately, EFF and several other NGOs and legal scholars around the world have already developed a set of robust principles, called the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the “Necessary and Proportionate Principles.”
The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistently with human rights and the rule of law. The Principles can be used by states around the world to push for stronger legal protections at the United Nations and other international bodies as well as at home.
The Principles make clear that:
Critical Internet infrastructure must be protected: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of good guys and bad guys alike. It must be rejected.
Monitoring equals surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual "surveillance" has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not "surveillance" for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications. Definitions matter. States should not be able to bypass privacy protections on the basis of arbitrary definitions.
We must protect metadata: It’s time to move beyond the fallacy that information about communications is not as privacy invasive as communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls—if not more so. What is important is not the kind of data is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access. Our metadata needs to be treated with the same level of privacy as our content.
Privacy must be protected across borders: Privacy protections must be consistent across borders at home and abroad. Governments should not bypass national privacy protections by relying on secretive informal data sharing agreements with foreign states or private international companies. Individuals should not be denied privacy rights simply because they live in another country from the one that is surveilling them. Where data is flowing across borders, the law of the jurisdiction with the greatest privacy protections should apply.
- We must restore proportionality: Authorities must have prior authorization by an independent and impartial judicial entity in order to determine that a certain act of surveillance has a sufficiently high likelihood to provide evidence that will address a serious harm. Any decisions about surveillance must weigh the benefits against the costs of violating an individual's privacy and freedom of expression. Respect for due process also requires that any interference with fundamental rights must be properly enumerated in law that is consistently practiced and available to the public. A judge must ensure that freedoms are respected and limitations are appropriately applied.
You can read more about the crucial issues we are fighting for behind the Principles here. They have so far been endorsed by:
Thousands of concerned citizens worldwide.
More than 330 organizations supporting human rights, access to knowledge, the environment, women rights, free expression, and a free press. Sign the Principles on behalf of your organization here.
More than 46 experts, academics, security researchers, political parties and elected officials from more than 17 countries. Sign the Principles as an expert or elected official by sending an email to rights (at) eff (dot) org.