This post is the third in a series about our new State of Communications Privacy Laws report, a set of questions and answers about privacy and data protection in Argentina, Brazil, Chile, Colombia, Mexico, Paraguay, Panama, Peru, and Spain. The research builds upon work from the Necessary and Proportionate Principles—guidelines for evaluating whether digital surveillance laws are consistent with human rights safeguards. The series’ first two posts were “A Look-Back and Ahead on Data Protection,” and “Latin American Governments Must Commit to Surveillance Transparency.” This third post provides an overview of the applicable standards and safeguards for criminal investigations in eight Latin American countries and Spain.
In December 1992, a Paraguayan lawyer discovered the so-called “Terror Archive,” an almost complete record of the interrogations, torture, and surveillance conducted during the 35-year military dictatorship of Alfredo Stroessner. The files reported details of “Operation Condor,” a clandestine program between the military dictatorships in Argentina, Chile, Paraguay, Bolivia, Uruguay, and Brazil between the 1970s and 1980s. The military governments of those nations agreed to cooperate in sending their teams into other countries to track, monitor, and kill their political opponents. The Terror files listed more than 50,000 deaths and 400,000 political prisoners throughout Argentina, Bolivia, Brazil, Chile, Paraguay, Uruguay, Colombia, Peru, and Venezuela. Stroessner’s secret police used informants, cameras with telephoto lenses, and wiretaps to build a paper database of everyone who was viewed as a threat, plus their friends and associates. The Terror Archive shows how far a government can sink when unchecked by judicial authorities, public oversight bodies, and an informed public. As we have written, Latin America abounds with recent abuses of surveillance powers, and many countries are still struggling with a culture of secrecy.
Civil society around the world has been fighting to ensure strong legal safeguards are established and enforced, including those described in the Necessary and Proportionate Principles. Our State of Communications Privacy Laws report builds upon this work to provide an overview of the legal standards and safeguards that apply today for criminal investigations in eight Latin American countries and Spain.
Significant Protections Exist Against Intercepting and Listening In On Conversations
The most common method of communications surveillance is wiretapping or similar forms of intercepting communications. Most countries’ laws and legal systems explicitly address this intrusion and place limits on how and when it can occur. In Brazil, Colombia, Mexico, Panama, Paraguay, Peru, and Spain, the constitution directly states that private communications may not be breached without a court order. Mexico’s and Panama’s constitutions also protect the secrecy of private communications, establishing that its violation is subject to criminal penalties. Beyond constitutional protections, there are usually criminal statutes against unauthorized interception, such as in Brazil, Peru, and Spain. In a few countries, there is a separate emergency track where judicial review can come after the interception; Peru, Spain, and Mexico allow this emergency scenario.
Even though judicial orders are usually needed to intercept (or “intervene in”) private communications, the rules criminal courts are expected to apply when granting these orders can vary hugely from country to country. If you’ve followed EFF’s privacy litigation, you’ve seen how big a deal these variations in rules can be and how much controversy there is about how they apply to particular technologies, from geofence warrants to warrants targeting identifiers like addresses rather than people.
Fans of U.S. privacy law may recall the notion of “specificity” that grew out of the desire to prevent “general warrants” that allow authorities to access private information untethered to the specific target or purpose of an investigation. In Brazil, Chile, Mexico, Spain, and Peru, an interception must target specific persons, lines, or devices. For Spain, this identification is required, provided the data is known; Brazil’s law waives the identification when it’s shown to be “manifestly impossible” to obtain. Both Chile’s and Brazil’s laws also add a reasonable suspicion requirement.
Criminal procedural laws also establish that intercepting communications is an exceptional measure to be used in limited circumstances and not in every investigation. Chile, Brazil, Spain, and Peru limit interception to investigations of serious crimes, punishable with higher penalties. Constitutional protections in Brazil, Peru, Mexico, Paraguay, and Spain require that any intervention measure be necessary or indispensable. The Chilean Constitution requires that the law establish the “cases and forms” in which private communications may be intercepted.
Argentina’s and Panama’s laws specify that interception is an exceptional measure, but they are somewhat unclear about what is meant by “exceptional.” The Argentinian Supreme Court has helped to clarify that existing case law prohibiting the opening of letters or other correspondence needs to be applied to communications interception: interception should be authorized by law, adequate, and strictly necessary to achieve a legitimate aim.
In Spain, “communications investigative measures” must comply with principles of relevance, adequacy, exceptionality, necessity, and proportionality. Such standards are key to setting boundaries and providing guidance on how judges assess data requests. Requests tend to come in urgent situations; applying the principles helps avoid responding in disproportionate or unaccountable ways. International human rights law and the Inter-American standards, binding for several countries in the region, also reinforce the principles that guide judges’ scrutiny of interception orders.
Stored Communications Are Protected
The vast majority of legal systems featured in the reports require a judicial order for law enforcement access to stored communications—whether following interception procedures, “search and seizure”-like rules, or other constitutional provisions. Unfortunately, this can be contentious for stored data not regarded as “correspondence” or for communications content contained on devices accessed by law enforcement authorities in situations where a search warrant is usually waived.
In Brazil, the Marco Civil legislation approved in 2014 requires a judicial order to access both stored and ongoing Internet communications, establishing a path to override the legal interpretation that the constitutional protection afforded to communications secrecy (art. 5, XII) covered the "communication" of data but not the data itself. In 2012, Brazil's Supreme Court (STF) had followed this interpretation, setting a distinction between telephone conversations and stored call records, to consider lawful the identification of another suspect by police officers checking the records on devices found on an arrested person without a previous warrant. However, in 2016, the country’s Superior Court of Justice (STJ) relied on the constitution’s privacy protection clause (art. 5, X) and the Marco Civil to rule that judicial orders are required before accessing WhatsApp messages stored on a device obtained by police when its owner is caught in the act of committing a criminal offense. Late last year, it was the turn of the Supreme Court (STF) to overrule its 2012 precedent. As stressed by the presiding Justice,
[n]owadays, these devices are able to record the most varied information about their users. Mobile phones are the main form of access for Brazilians … to the internet. This reason alone would be enough to conclude that the rules on data protection, data flows, and other information contained in these devices are relevant.
In the U.S., EFF worked to help the courts correctly apply the “search incident to arrest” doctrine to new technologies. This doctrine sometimes allows police to search an object, like a bag, simply because the person carrying it was arrested, even if there was no cause to believe it contained something suspicious. In Riley v. California (2014), the U.S. Supreme Court held that this doctrine does not justify the search of an arrestee’s phone. EFF filed an amicus brief in support of this holding.
In Panama, both the Criminal Procedure Code and the law on organized crime investigations require a judicial order before seizing correspondence or private documents, including electronic communications. Data stored in seized electronic devices, however, are only subject to subsequent judicial review. While the deadline for this review in the Criminal Procedure Code is ten days, it may take up to 60 days for organized crime investigations. The accused and their attorneys will be invited to take part in the analysis of the data contained in the devices, but the examination can proceed without their participation.
Drawing the line between “correspondence” and other kinds of electronic data to determine whether stronger or weaker protections apply is challenging in the digital context. Moreover, the attempt to draw this distinction commonly overlooks the ways that “non-content” information, such as messaging history or location data, can also reveal intimate and sensitive details deserving similar protection. Here we go deeper into this issue. Yet, even when focusing on communications content, there are serious concerns about the level of privacy protections in the region.
Colombia’s Concerning Post-Interception Judicial Review Standard
We might imagine that all countries now follow this established pattern: a law enforcement officer seeks permission from a judge to perform some kind of otherwise-prohibited investigative action; the judge considers the request, and issues an order, and then the officer proceeds according to the parameters approved by the judge.
But Colombia, surprisingly, sometimes does things backward, with a judge retroactively approving investigatory measures that have already been taken. The Colombian Constitutional Court has stated that, as a general rule, a judge’s prior authorization is necessary if an investigation will interfere with the fundamental rights of the person targeted. There is an exception to this rule: when the law gives the Office of the Attorney General power to interfere with an individual’s rights for the purpose of collecting information relevant to a criminal investigation, actions taken are subject to after-the-fact judicial review. This exception must be strictly limited to searches, house visits, seizures, and interceptions of communications. Yet the definition of interception in an administrative regulation includes both content and related metadata, leveling down, rather than up, the protection granted to communications data.
On the other hand, the Colombian Constitutional Court has also held that law enforcement practices, like selectively searching a database for an accused person’s confidential information, require prior judicial authorization. In the U.S., law enforcement cannot search a database without a prior warrant, subject to specific exceptions like consent and emergency. EFF’s work in the U.S. focuses on ensuring warrants are necessary and proportionate in scope. For example, if the only thing relevant to an investigation is the emails to person X during week Y, the warrant should limit the search of the database to just that scope.
Government Authorities' Direct Access To Intercepted Communications
Direct access mechanisms are situations when law enforcement or intelligence authorities have a “direct connection to telecommunications networks in order to obtain digital communications content and data (both mobile and internet), often without prior notice or judicial authorization and without the involvement and knowledge of the Telco or ISP that owns or runs the network.” The European Court of Human Rights ruled that direct access is “particularly prone to abuse.” The Industry Telecom Dialogue has explained that some governments require such access as a condition for operating in their country:
“some governments may require direct access into companies’ infrastructure for the purpose of intercepting communications and/or accessing communications-related data. This can leave the company without any operational or technical control of its technology. While in countries with independent judicial systems actual interception using such direct access may require a court order, in most cases independent oversight of proportionate and necessary use of such access is missing.”
As we’ve written before, EFF and our partners have urged private companies to issue transparency reports, explaining how and on what scale they turn users’ private information over to government entities. This practice is growing all around the world. We found one surprise in the Millicom and Telefónica Transparency Reports. Both global telecom companies are currently operating in Colombia, and both disclose that they don't report the number of times someone’s communications on their mobile lines were intercepted because government authorities directly perform the procedure in their systems without their help or knowledge.
According to Millicom's report, direct access requirements for telecom companies' mobile networks in Honduras, El Salvador, and Colombia prevent the ISPs from knowing how often or for what periods interception occurs. Millicom reports that in Colombia the company is subject to strong sanctions, including fines, if authorities find it gained information about the interception taking place in its system. This is why Millicom does not possess information regarding how often and for what periods of time communications are intercepted. Millicom states that a direct access requirement also exists in Paraguay, but the procedures there allow the company to view the judicial orders required for government authorities to start the interception. To the best of our knowledge, nothing in Paraguay's legislation explicitly and publicly compels telecom providers to provide direct access.
Modern Surveillance Techniques
The European Court of Human Rights, in Marper v. UK, has observed that the right to privacy would be unacceptably weakened if the use of “modern scientific techniques in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private-life interests.” We couldn’t agree more.
Unfortunately, the region is plagued by improper access to people’s communications data and a culture of secrecy that persists even when authoritarian regimes are no longer in place. From recurrent unlawful wiretaps to the unfettered use of malware, the extensive evidence of improper surveillance tactics used by governments in the region is likely the tip of the iceberg.
In our research, we haven’t seen any specific legislation authorizing law enforcement use of cell-site simulators (CSSs). CSSs, often called IMSI catchers or Stingrays, masquerade as cell phone towers and trick our phones into connecting to them so police can track down a target. In the United States, EFF has long opposed the government use of CSSs. They are a form of mass surveillance, forcing the phones of countless innocent people to disclose information to the police in violation of the U.S. Constitution. They disrupt cellular communications, including 911 calls. They are deployed disproportionately within communities of color and poorer neighborhoods. They exploit vulnerabilities in the cellular communication system that the government should fix instead of exploit. In the US, EFF argues that the government should not acquire IMSI catchers, but if the government does so, they should not be used for anything other than locating a particular phone. They should require a warrant, be used only for violent felonies, and require the immediate deletion of data not related to the target. There also must be oversight mechanisms to ensure the tool is used in compliance with the proportionality principle.
Regarding law enforcement use of malware, Spain is the only country in our research that clearly authorizes malware as an investigative tool in criminal investigations, despite governments' widespread use of such technology. Malware, or malicious software, seeks to gain access to or damage a computer without the owner’s consent. Malware includes spyware, keyloggers, viruses, worms, or any type of malicious code that infiltrates a computer. Malware, for example, is known to be used in Mexico, Panama, Venezuela, Colombia, Brazil, Chile, Ecuador, Honduras, and Paraguay with insufficient legal authorization. In certain countries, the law accounts for the possibility that some authorities may require judicial authorization for the intervention of private communications for specific purposes, and that might be the legal authority employed by some governments to use malware.
For example, in Paraguay, Article 200 of the Criminal Procedure Code states a judge may authorize the intervention of the communication "irrespective of the technical means used to intervene it." However, constitutional protections and international human rights law balance such interference with the right to privacy. Any intervention request must comply with a three-step test: be prescribed by law; have a legitimate aim; and be necessary and proportionate. Limitations must also be interpreted and applied narrowly. In Guatemala, the Control and Prevention of Money Laundering Law authorizes the use of any technological means available for the investigation of any offense to facilitate the clarification of a crime.
In the United States, EFF’s work on malware has focused on the deployment of government hacking tools in violation of the Fourth Amendment. The use of remote hacking tools by the FBI against all visitors to a website containing child exploitation materials, in particular, points to the need for limits on hacking authority to ensure they meet the probable cause and particularity requirements of the Fourth Amendment.
Police and intelligence agencies should never have direct and unrestricted access to communications data. Any access to communications data should be prescribed by law through clear and precise mandates and subject to specific conditions, such as: access is necessary to prevent a serious crime; independent judicial authorization is obtained; a factual basis for accessing data is provided; access is subject to independent and effective oversight; and users are notified, especially in cases of secret surveillance (even if after the fact). We also believe that any legal framework to access communications data should include special protections for the communications data of civil society organizations similar to those enjoyed by lawyers and the press. Otherwise, rule of law and human rights protections will continue to fail. Unrestricted access to communications data or any personal data via direct access to networks, malware, or IMSI catchers is a serious human rights violation. In Schrems I, the European Court of Human Rights made clear that legal frameworks that grant public authorities access to data on a generalized basis compromise "the essence of the fundamental right to private life." In other words, any law that compromises the “essence of the right to private life” cannot ever be proportionate or necessary.