This post is the second in a series about our new State of Communications Privacy Laws report, a set of questions and answers about privacy and data protection in eight Latin American countries and Spain. The series’ first post was “A Look-Back and Ahead on Data Protection in Latin America and Spain.” The reports cover Argentina, Brazil, Chile, Colombia, Mexico, Paraguay, Panama, Peru, and Spain.
Although the full extent of government surveillance technology in Latin America remains mostly unknown, media reports have revealed multiple scandals. Intelligence and law enforcement agencies have deployed powerful spying tools in Latin American presidential politics and used them against political adversaries, opposition journalists, lawmakers, dissident groups, judges, activists, and unions. These tools have also been used to glean embarrassing or compromising information on political targets. All too often, Latin America’s weak democratic institutions have failed to prevent such government abuse of power.
High Tech Spying in Latam, Past and Present
Examples abound in Latin America of documented government abuses of surveillance technologies. Surveillance rose to public prominence in Peru in the 1990s with a scandal involving the former director of the Intelligence Agency and former President Fujimori. Fujimori's conviction marked the first time in history that a democratically elected president had been tried and found guilty in his own country for human rights abuses, including illegal wiretapping of opposition figures’ phones. In the 2000s, the Colombian intelligence agency (DAS) was caught wiretapping political opponents. Ricardo A. Martinelli, Panama’s President from 2009 to 2014, was accused of using the spyware “Pegasus” to snoop on political opponents, union leaders, and journalists. (A court last year rejected illegal wiretapping charges against him because of “reasonable doubts”.)
In Chile in 2017, civil society worked to grasp how the Intelligence Directorate of Chile's Carabiniers (Dipolcar and its special intelligence unit) had "intercepted'' eight of the Mapuche indigenous community leaders’ encrypted WhatsApp and Telegram messages. These leaders had been detained as part of the Huracán Operation. Carabineros shifted its explanation of how it had procured the messages: it had simply claimed generic "interception of messages," but later claimed to have used a keylogger and other malicious software. Expert examinations within a Prosecutor’s Office investigation and the report of a Congressional investigative committee concluded that evidence was fabricated. The Huracán Operation also engaged in fraudulent manipulation of seized devices and obtained communications without proper judicial authorization. This is but one abuse among many involving Mapuches by Chilean authorities.
Leaked U.S. diplomatic cables showed collaboration in communications surveillance between the U.S. Drug Enforcement Administrations and Latin American governments such as Paraguay and Panama. This included "cooperation" between the U.S. government and Paraguayan telecom companies.
History repeats itself. Just a few weeks ago, a report revealed that between 2012 and 2018, the government of Mexico City operated an intelligence center that targeted political adversaries including the current Mexican President and the current mayor of Mexico City. Likewise, Brazilians learned just a few weeks ago about Cortex—the Ministry of Justice’s Integrated Operations Secretariat (SEOPI) surveillance program created to fight “organized crime.” Intercept Brazil revealed that Cortex integrates automated-license plate readers (ALPRs) with other databases such as Rais, the Ministry of Economy's labor database. Indeed, Cortext reportedly cross-references Rais records about employee “address, dependents, salary, and position” with location data obtained from 6,000 ALPRs in at least 12 Brazilian states. According to the Intercept's anonymous source, around 10,000 intelligence and law enforcement agents have access to the system. The context of this new revelation recalls a previous scandal involving the same Ministry of Justice's Secretariat. In July of this year, Brazil’s Supreme Court ordered the Ministry of Justice to halt SEOPI’s intelligence-gathering against political opponents. SEOPI had compiled an intelligence dossier about police officers and teachers linked to the opposition movement. The Ministry of Justice dismissed SEOPI’s intelligence director.
Sunlight is the Best Disinfectant
The European Court of Human Rights has held that “a system of secret surveillance set up to protect national security may undermine or even destroy democracy under the cloak of defending it.” In a recent report, the Inter-American Commission’s Free Expression Rapporteur reinforced the call for transparency. The report stresses that people should, at least, have information on the legal framework for surveillance and its purpose; the procedures for the authorization, selection of targets, and handling of data in surveillance programs; the protocols adopted for the exchange, storage, and destruction of the intercepted material; and which government agencies are in charge of implementing and supervising those programs.
Transparency is vital for accountability and democracy. Without it, civil society cannot even begin to check government overreach. Surveillance powers and the interpretation of such laws must always be on the public record. The law must compel the State to provide rigorous reporting and individual notification. The absence of such transparency violates human rights standards and the rule of law. Transparency is all the more critical where, for operational reasons, certain aspects of the system remain secret.
Secrecy prevents meaningful public policy debates on these matters of extreme importance: the public can’t respond to abuses of power if it can’t see them. There are many methods states and communication companies can implement to increase transparency about privacy, government data access requests, and legal surveillance authorities.
Policy Recommendations
States should publish transparency reports of law enforcement demands to access customers’ information.
The UN Special Rapporteur on free expression has called upon States to disclose general information about the number of requests for interception and surveillance that have been approved and rejected. Such disclosure should include a breakdown of demands by service providers, type of investigation, number of affected persons, and period covered, among other factors. Unfortunately, the culture of secrecy on states’ transparency reporting is a real problem in Latin America.
Brazil and Mexico have regulations that compel agencies to publish transparency reports, and they do disclose statistical information. However, Argentina, Colombia, Chile, Paraguay, Peru, and Spain do not have a concrete law that requires them to do so, and in practice, they do not post such reports. Of course, the lack of a specific obligation to publish public interest data, as pointed out by the IACHR’s Freedom of Expression Rapporteur, should not prevent States from publishing this type of data. The IACHR Rapporteur states that the public has the right to access a surveillance agency’s functions, activities, and public resources management.
Mexico's Transparency Law requires governmental agencies to regularly disclose statistical information about data demands made to telecom providers for interceptions, access to communications records, and access to location data in real time. Agencies also must keep the data updated.
Brazil’s decree 8.771/2016 obliges each federal agency to publish, on its website, yearly statistical reports about their requests for access to Internet users' subscriber data. The statistical reports should include the number of demands, the list of ISPs and Internet applications from which data has been requested, the number of requests granted and rejected, and the number of users affected. Moreover, Brazil's National Council of Justice created a public database with statistics on communications interceptions authorized by courts. The system breaks the data down per month and court in the following categories: number of started and ongoing requests, number of new and ongoing criminal procedures, number of monitored phones, number of monitored VOIP communications, and number of monitored electronic addresses.
Companies should publish detailed statistical transparency reports regarding all government access to their customers’ data.
The legal frameworks in Argentina, Brazil, Colombia, Chile, Mexico, Peru, Panama, Paraguay, and Spain do not prohibit companies from publishing statistical data on government requests for user data and other investigative techniques authorities. But of the countries we studied, the only one where ISPs publish this information is Chile. Large and small Chilean ISPs have published their transparency reports, including Telefonica, WOM!, VTR, Entel, and most recently GTD Manquehue. We haven’t seen similar developments in other countries. While America Móvil (Claro) operates in all the Latam countries covered in our reports, only in Chile and Peru does it publish one with statistical figures for government data requests.
Telefónica-Movistar is among the few companies to fully embrace transparency reports throughout all the Latam countries where it operates. Others should follow. In Central America, Millicom-Tigo has generally issued consolidated data for Costa Rica, El Salvador, Guatemala, Honduras, and, more recently, Panama. This is less helpful and deviates from the general standard to publish aggregate data per country and not per multi-country region. The company does the same for South America, where it publishes consolidated statistical data for Bolivia, Colombia, and Paraguay. In 2018, Millicom-Tigo first followed the industry-standard by posting aggregate data just for Colombia.
AT&T publishes detailed data for the United States, but very little information for Latam countries, except for Mexico, where more data is available. The type of data requested by governments depends on the services AT&T provides in each country (whether it is broadband, mobile, or only TV and entertainment). AT&T should provide information like the number of rejected requests or the applicable legal framework for all the countries where it operates.
In Spain, Orange published its latest report in 2018, while Ono Vodafone’s last report refers to 2016-2017 requests.
Many local Latam telcos have failed to publish transparency reports.
- In Argentina: Cablevision, Claro, Telecom, Telecentro, and IPLAN.
- In Brazil: Claro, Oi, Algar, and Nextel.
- In Colombia: Claro and EMCALI.
- In Panama: Cable & Wireless Panamá (Más Móvil), Claro, and Digicel
- In Perú: Entel, Olo, Bitel, and Inkacel
- In Paraguay: Claro, Personal, Copaco, Vox, and Chaco Comunicaciones.
- In México: Telmex/Telcel (América Móvil), Axtel, Megacable, Izzi, and Totalplay.
At a minimum, companies' transparency reports should disclose the number of government data requests per country, and split by key types of data, applicable legal authorities, and the number of claims challenged or denied. The reports we reviewed usually provide different numbers for content and metadata, which is important. AT&T also includes real-time access to location data for Mexico. Telefonica and AT&T Mexico's section release the number of rejected requests; Millicom doesn't provide this information. None of the reports distinguish criminal orders from national security requests; AT&T does so only for the United States. Reports should also allow readers to learn the number of affected users or devices; disclosing only the number of requests isn’t enough, since one legal demand may refer to more than one customer or device. Telefónica indicates figures of accesses affected for both interception and metadata in Argentina, Brazil, Chile, Mexico, and Peru. In Spain, the system used by security forces for sending judicial orders to obtain metadata still doesn't allow this breakdown. And in Colombia, it's not even possible to count the number of interception requests in mobile lines.
Of course, companies' transparency reports depend on their knowledge of when surveillance takes place through their systems. Such knowledge is missing--and so transparency reporting is not possible--when police and other government agencies compel providers to give law enforcement direct access to their servers. The 2018 UN High Commissioner on Human Rights report recognized that such direct access systems are a serious concern; they are particularly prone to abuse and tend to circumvent critical procedural safeguards. According to Millicom's report, direct access requirements to telecom companies' mobile networks in Honduras, El Salvador, and Colombia prevent the ISPs from knowing how often or for what periods interception occurs. Millicom points out that a similar practice exists in Paraguay. Yet, in this case, Millicom states the procedures allow them to view the judicial order required for authorities to initiate the interception.
Companies should publish guidelines for government agencies seeking users’ data.
It is important for the public to know how police and other government agencies obtain customer data from service providers. To ensure public access to this information, providers should transparently publish the request guidelines they provide to government agencies.
In Peru, Claro has published detailed guidelines, including an explanatory chart for the procedures the company adopts before law enforcement requests for communications data. Chilean telecom companies also publish their law enforcement guidelines. WOM and VTR detail the integrated systems and contact channels they use to receive government requests, and the information that requests and judicial orders should contain, such as the investigative targets and procedures. They break details down by type of interception (like emergency cases and deadline extension) and users' information (such as traffic data). GTD Manquehue has a similar model but doesn't specify information related to urgent interceptions and extension requests. Claro also includes contact channels and some important requisites, particularly for traffic and other associated data. Entel doesn't indicate contact channels for data requests but goes beyond others in explaining the applicable legal framework and requirements orders must fulfill. In turn, Telefónica - Movistar's guidelines are vague when setting legal requirements, but provide great detail about the kind of metadata and subscriber information authorities can access.
Telefónica and Millicom have global guidelines for all law enforcement requests. They apply to their subsidiaries, which usually don't publish local specifications. While Telefonica guidelines commit to relevant principles and display a chart flow for assessing government requests, Millicom outlines five steps of their process for law enforcement assistance. Both give valuable insight into the companies' procedures. But they shouldn't supplant the release of more specific guidelines at the domestic level, showing how their global policies apply regarding local contexts and rules.
Secret laws—about government access to data or anything else—are unacceptable.
Law is only legitimate if people know it exists and can act based on that knowledge. It allows people the fundamental fairness of understanding when they can expect privacy from the government and when they cannot. As we’ve noted before, it avoids the Kafkaesque situations in which people, like Joseph K in The Trial, cannot figure out what they did that resulted in the government accessing their data. The UN Report on the Right to Privacy in the Digital Age states that “Secret rules ... do not have the necessary qualities of ‘law’ … [a] law that is accessible, but that does not have foreseeable effects, will not be adequate.” The Council of Europe’s Parliamentary Assembly likewise has condemned the “extensive use of secret laws and regulations.”
Yet the Peruvian guidelines on data sharing by ISPs with police has been declared “reserved information.” In striking contrast, Peruvian wiretapping protocols are deemed public.
Service providers should notify all their customers, wherever they live when the government seeks their data. Such notice should be immediate, unless doing so would endanger the investigation.
The notification principle is essential to restrict improper data requests from the government to service providers. Before the revolution in electronic communication, the police had to knock on a suspect’s door and show their warrant. The person searched could observe whether the police searched or seized their written correspondence, and if they felt the intrusion was improper, ask a court to intervene.
Electronic surveillance, however, is much more surreptitious. Data can be intercepted or acquired directly from telecom or Internet Providers without the individual knowing. It is often impossible to know that their data has been accessed unless the evidence leads to criminal charges. As a result, the innocent are least likely to discover the violation of their privacy rights. Indeed, new technologies have enabled covert remote searches of personal computers. Any delay in the notification has to be justified to a court and tied to an actual danger to the investigation or harm to a person. The UN High Commissioner for Human Rights recognized that users who have been subject to surveillance should be notified, at least ex post facto.
Peru and Chile provide the two best standards in the region to notify the persons affected. Unfortunately, notification is often delayed. Peru's Criminal Procedure Code allows informing the surveilled person once the access procedures are completed. The affected person may ask for judicial re-examination within three days of receiving notice. Such post-access notification is permitted only if the investigation scope allows it and does not endanger another person.
Chilean law has a similar provision. The interception procedure is secret by default. However, the state must notify the affected person after the interception has ended, if the investigative scope allows it and notice won’t jeopardize another person. If the data demand is secret, then the prosecutor must set a term of no more than 40 days, which may be extended one more time.
Argentinian criminal law does not include any obligation or prohibition to inform the individual, not even when the access is over. The subject of the investigation may learn about the evidence used in a criminal proceeding. However, an individual may never know that the government accessed their data if it was not used by the prosecutor.
There is no legal obligation in Brazil that compels either the State or companies to provide notice a priori. The Telephone Interception Law imposes a general secrecy requirement. Another statute authorizes the judge to determine secrecy issues. Companies could voluntarily notify the user if a gag order is not legally or judicially set, or subsequently after secrecy is lifted.
In Spain, secrecy is the norm. This includes for interception of communication, malware, location tracking, or communication data access. The obliged company carrying out the investigative measures is sworn to secrecy on pain of criminal penalty.
Freedom of Information Laws and investigative reporting are needed to shine a light on governmental data requests and secret surveillance. Whistleblowers’ legal protection is required, too.
States in the region are required to respond to public record requests and must provide information ex officio. The Inter-American Court recognizes that it is “essential that State authorities are governed by the principle of maximum disclosure, which establishes the presumption that all information is accessible, subject to a limited system of exceptions.” The Court also echoed the 2004 joint declaration by the rapporteurs on freedom of expression of the UN, the OAS, and the OSCE, in which it stipulated that “[p]ublic authorities should be required to publish proactively, even in the absence of a request, a range of information of public interest. Systems should be put in place to increase, over time, the amount of data subject to such routine disclosure."
The Mexican Transparency Law obliges governmental agencies to automatically disclose and update information about government access to company data. In contrast, the Peruvian Transparency Law only compels the State to disclose on request the information it creates or is in its possession, with certain exceptions. So if aggregate information on the details of the requests existed, it could be accessible through FOIA requests. But if it's not, the law does not require the agency to create a new record.
In Latin America, NGOs have used these public access laws to learn more about high tech surveillance in their countries. In Argentina, ADC filed a FOIA request after the City of Buenos Aires announced it would deploy facial recognition software over its CCTV cameras' infrastructure. Buenos Aires' administration disclosed responsive information about the legal basis and purposes for implementing the technology, the government body responsible for its operation, and the software purchase. ODIA made further requests about the system’s technical aspects, and Access Now followed suit in Córdoba.
In the wake of revelations on the use of "Pegasus" malware to spy on journalists, activists, lawyers, and politicians in Mexico, digital rights NGO R3D filed a FOIA request in 2017 seeking documents about the purchase of "Pegasus". After receiving part of the agreement, R3D challenged the country's Transparency and Data Protection Authority (INAI) decision to classify Pegasus’ technical specifications and operation methods. In 2018, the judge overruled INAI's resolution, holding that serious human rights violations and acts of corruption must never be confidential information.
In other countries, digital media have shed light on the number of government data access demands. For example, INFOBAE in Argentina published a story reporting the leaked number of interceptions and other statistical information. Another outlet in Chile revealed the number of telephone interception requests based on the public records law.
The UN High Commission for Human Rights urged to protect individuals who reveal human rights violations:
“The right to privacy, the right to access to information and freedom of expression are closely linked. The public has the democratic right to take part in the public affairs and this right cannot be effectively exercised by solely relying on authorized information.”
The IACHR Rapporteur stresses the important role of investigative journalists and whistleblowers in its new Freedom of Expression report. The rapporteur’s recommendations underscore the need to ensure legislation to protect the right of journalists and others. The law should also protect their sources against direct and indirect exposure, including intrusion through surveillance. Whistleblowers who expose human rights violations or other wrongdoings should also receive legal protection against retaliation.
Conclusions
Governments often confuse a need for secrecy in a specific investigation with an overarching reticence to describe a surveillance technology’s technical capabilities, legal authorities, and aggregate uses. But civil society’s knowledge of these technologies is crucial to public oversight and government accountability. Democracy cannot flourish and persist without the capacity to learn about and provide effective remedies to abuses and violations of privacy and other rights.
Secrecy must be the exception, not the norm. It must be limited in time and strictly necessary and proportionate to protect specific legitimate aims. We still have a long way ahead in making transparency the norm. Government practices, state regulations, and companies’ actions must build upon the transparency principles set forth in our recommendations.