Uncovering government surveillance and fighting for robust and effective legal safeguards and oversight is a continuous battle in Latin American countries. Surveillance capabilities and technologies are becoming more intrusive and prevalent, surrounded by a culture of secrecy and entrenched views that pit security against privacy. There are several challenges to face. Alongside growing resistance against government biometric surveillance, the long-standing problem of unfettered communications surveillance persists and presents new troublesome trends.
Both appear tied together, for example, in renewed attempts to compel individuals to give their biometric data in order to access mobile phone services, as we saw in México and Paraguay in 2021, with fierce opposition from civil society. The Supreme Court in Mexico indefinitely suspended the creation of the Padrón Nacional de Usuarios de Telefonía Móvil (PANAUT), a national registry of mobile users associated with their biometric data, after the federal agency assigned to implement the registry filed a constitutional complaint affirming its budgetary autonomy and its duty to ensure users' rights to privacy, data protection, and access to information. In Paraguay, the bill forcing users to register their biometrics to enable a mobile telephone service was rejected by a parliamentary commission and has been halted in Congress since then.
This post highlights a few relevant developments this year regarding communications privacy in Latin America in its relation with other rights, such as freedom of expression and assembly.
#ParoNacional in Colombia: Patrolling Phones and the Web
In the wake of Colombia’s tax reform proposal, demonstrations spread over the country in late April, reviving the social unrest and socio-economic demands that led people to the streets in 2019. Media has reported on government crackdowns against the protestors, including physical violence, missing persons, and deaths. Fundación Karisma has also stressed implications for the right to protest online and the violation of rights due to internet shutdowns and online censorship and surveillance. Amid the turmoil, EFF has put together a set of resources to help people navigate digital security in protest settings.
As seen in the 2019 protests, Colombian security forces once again abused their powers searching people’s phones at their discretion in 2021. Relying on controversial regulation that allows law enforcement agents to check the IMEI of mobile devices to curb cell phone thefts, police officers compelled protesters to hand over their passwords or unlock their phones, even though neither of these are needed to verify the IMEI of a device. As Fundación Karisma pointed out, like the search of a house, police can only seize a cell phone with a court order. Otherwise, it will interfere with peoples’ fundamental rights to privacy, right to a fair trial, and the presumption of innocence. Over the years, the IMEI regulation has led to cases where the police reviewed people's social networks or deleted potential evidence of police brutality and abuses.
Colombian police "patrolling" on the web has also reinforced concerns over its invasive nature. Karisma points out that a 2015 Colombian police resolution authorizing law enforcement "cyber patrolling" is unclear about its specific scope, procedures, tools, and limits. Yet, a June 2021 Ministry of Defense report of their activities during the national strike indicates that digital patrolling served to detect cyberthreats, profile suspicious people and activities related to “vandalism” acts, and combat what the government deemed online disinformation. In the latter case, cyber patrolling was combined with a narrative dispute over the truth about reports, images, and videos on the excessive use of police force that have gained national and international attention. Karisma’s report shed light on government campaigns framing critical publications to the army or the police as fake news or digital terrorism. The report concludes that such prejudicial framing served as the first step in a government strategy to stigmatize protests online and offline and to encourage censorship of critical content.
Following the Inter-American Commission on Human Rights (IACHR) mission to Colombia in June, the IACHR expressed concern about Colombian security forces taking on a fact-checking role, especially on information related to their own actions. The IACHR has also highlighted the importance of the internet as a space for protest during the national strike, taking into account evidence of restrictions presented by Colombian groups, like Fundación Karisma, Linterna Verde, and FLIP.
Threats and Good News for Encryption
In Brazil, legislative discussions on the draft bill 2630/2020, the so-called “Fake News” bill, continued throughout 2021. Concerns around disinformation gained new strength with the propagation of a narrative in favor of ineffective methods to tackle the COVID pandemic promoted by President Jair Bolsonaro and his supporters. Despite its legitimate concerns with the disproportionate effects of disinformation campaigns, the text approved in the Senate still in 2020 contained serious threats for privacy, data protection, and free expression. Among them, the traceability mandate for instant messaging applications stood out.
EFF along with civil society groups and activists on the ground stayed firm on opposing the traceability rule. This rule compelled instant messaging applications to massively retain the chain of forwarded communications, undermining users’ expectation of privacy and strong end-to-end encryption safeguards and principles. In August, we testified in Brazil’s Congress stressing how massive data retention obligations and pushes to move away from robust end-to-end encryption implementations not only erode rights of privacy and free expression, but also impair freedom of assembly and association. As a piece of good news, the traceability mandate was dropped in the latest version of the bill, though perils to privacy remain in other provisions.
Also in the Brazilian Congress, a still-pending threat to encryption lies in a proposed obligation for internet applications to assist law enforcement in telematic interception of communications. The overbroad language of such assistance obligation endangers the rights and security of users of end-to-end encrypted services. Coalizão Direitos na Rede, a prominent digital rights coalition in Brazil, underlined this and other dangerous provisions in this bill that changes the country’s Criminal Procedure Code. The coalition pointed out serious concerns and even setbacks in regard to legal safeguards for law enforcement access to communications data.
Gathering forces to coordinate efforts in advancing a proactive agenda to promote and defend encryption, another piece of great news took place regionally, with the launch of the Alliance for Encryption in Latin America and the Caribbean (AC-LAC). EFF is a member of the Alliance, which, so far, comprises over 20 organizations throughout the region.
Pegasus Project: New Revelations, Persistent Rights Violations
Last, but not least, one of the most remarkable developments in 2021 on the communications privacy front was the Pegasus Project revelations. In July, the Pegasus Project unveiled governments’ espionage on journalists, activists, opposition leaders, judges, and others based on a list of more than 50,000 smartphone numbers of possible targets of the spyware Pegasus since 2016. As reported by The Washington Post, the leaked phone numbers concentrated in countries known to engage in surveillance against their citizens and to have been clients of NSO Group, the Israeli company which develops and sells the spyware. The list of possible targets as well as confirmed attacks through forensic analysis contradict NSO Group’s claims that their surveillance software is used only against terrorism and serious crimes.
Phone numbers in the revealed list spanned more than 45 countries across the globe, but the greatest chunk of them related to Mexican phones—over 15,000 numbers in the leaked data.
Among them were people from the inner circle of President López Obrador, including close political allies and family members, when he was an opposition leader still aspiring for the country's presidential position. Human rights defenders, researchers from the Inter-American Commission on Human Rights, and journalists were not spared on Mexico’s list. Cecilio Pineda Brito, a freelance reporter, was shot dead in 2017 just a few weeks after he was selected as a possible target for surveillance. When a mobile device is infected with Pegasus, messages, photographs, email messages, call logs, location data can be extracted, and microphones and cameras can be activated, giving full access to people's private information and lives.
The revelations confirmed findings published in 2017 by joint investigations held by R3D, Article 19, SocialTIC, and Citizen Lab about attacks carried out during former President Peña Nieto’s administration. Since then, the country’s General Attorney Office has initiated an investigation that is still open and with limited developments. Yet, the new leaked data has spurred advances in shedding light on government contracts related to Pegasus and in detaining and prosecuting, within the Attorney Office investigations, a key person in the political and business complex scheme of the spyware’s use in Mexico.
Revelations of the Pegasus Project have raised the red flag regarding ongoing government negotiations with NSO Group in other Latin American countries, like Uruguay and Paraguay. It has also reinforced concerns around a troublesome procurement procedure involving Pegasus spyware in Brazil, firmly challenged by a group of human rights organizations, including Conectas and Transparency International Brazil. In El Salvador, Apple warned journalists from the well-known independent digital news outlet El Faro of possible targeting of their iPhones by state-sponsored attackers. Similar warnings were sent to El Salvadoran leaders of civil society organizations and opposition political parties.
At the regional level, leading digital rights groups in Latin America requested a thematic hearing to discuss surveillance risks for human rights before the Inter-American Commission on Human Rights. During the October 2021 hearing, they stressed serious concerns with various surveillance technologies employed in countries in the region without proper controls, legal basis, and safeguards aligned with international human rights standards. They urged the Commission to start a regional consultation process to establish a set of inter-American guidelines to guide the processes of acquisition and use of technologies with surveillance capabilities, based on the principles of legality, necessity, and proportionality, which should be the baseline parameters of surveillance policies.
In fact, the widespread use of malicious software by Latin American governments generally occurs with no clear and precise legal authorization, much less strict necessity and proportionality standards or strong due process safeguards. The call for a global moratorium on the use of malware technology until states have adopted robust legal safeguards and effective controls to ensure the protection of human rights—voiced by United Nations experts, the U.N. High Commissioner, and dozens of organizations across the globe, including EFF—is the culmination of persistent human rights abuses and arbitrary violence related to government use of spywares. Moreover, as we said, outrage will continue until governments recognize that intelligence agency and law enforcement hostility to device security puts us all in danger. Instead of taking advantage of system weaknesses and bugs, governments should align in favor of strong cybersecurity for everyone.
Conclusion
Communications surveillance continues to be a pervasive problem in Latin America. Feeble legal safeguards and unfettered surveillance practices erode our ability to speak up against abuses, organize resistance, and fully enjoy a set of fundamental rights. Throughout 2021 and for years prior, EFF has been working with partners in Latin America to foster stronger human rights standards for government access to data. Along with robust safeguards and controls, governments must commit to promote and protect strong encryption and device security—they are two sides of the same coin. And we'll keep joining forces to push for advances and uphold victories on this front in 2022 and the years to come.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2021.