It may take some years to fully evaluate the effects of September 11, 2001 on privacy and civil liberties. Shortly after the events of that day, previous proposals were re-introduced, and new policies with similar objectives were drafted to extend police surveillance authority. Two years on, the political landscape has shifted significantly in many, if not most, countries.
The policy changes were not limited to the United States, as a large number of countries responded to the threat of terrorism. With terrorist actions around the world, including in Bali, Russia, Morocco, and Saudi Arabia, governments have seized on these events as opportunities to create and enhance their powers. The country reports in this survey outline, in more detail, the many legislative shifts that took place around the world. Terrorism politics is truly global.
The changes in anti-terrorism laws are not the only policy transformations in response to terrorism. The mere threat of terrorism has changed political discourse. In some cases, the war on terrorism has given new life to previously failed proposals such as ID cards in the United Kingdom; only recently has the UK government returned to the rhetorics of terrorism to shore up support for the cards while previously fraud and asylum seekers were used.[63] When terrorism was not part of the government's official rhetorics, supporting members of parliament and the media continued to relate ID cards with strategies to combat terrorism.
In some cases, policies have been adopted from other countries with little consideration to the variances in political dynamics. Hong Kong attempted to harmonize its laws on sedition with mainland China, requiring a standardization of criminalised groups. Malaysia decided against repealing its Internal Security Act 1960 involving detention.[64]
In other cases, the mere increase of state power is immediately associated with the war on terrorism; whether requiring the removal of veils for drivers license photos,[65] secret seizure of packages from the media,[66] clamping down on train-spotters and -photographers,[67] chasing down opposition parties,[68] and the equation of terrorism to separatism[69] and its implications,[70] or suppressing dissent,[71] amongst others. Canada is attempting to create a travelers' database for anti-terrorism purposes, and other crimes; the United Kingdom managed to pass data retention laws in the legislative environment of the aftermath of September 2001; while retained data could be accessed, under another law, for practically any crime. In the US, concerns have arisen regarding the use of counter-terrorism powers to seize funds from foreign banks that do business in the US for investigations that are unrelated to terrorism.[72]
In other situations, these laws may be passed and used to suppress dissent. In Italy, the Interior Minister warned of warned of a growing climate of 'widespread political illegality'; mixed together Islamic terrorist groups, endogenous leftwing armed groups, anarchist insurrectionaries, and right wing groups as a common threat.[73] Moldova's bill to fight extremism coincides with the government's intention to minimize dissent as it allows the banning of political parties, public and religious associations, and medial outlets if they promote violent overthrow of country's territorial integrity, undermining state power, or setting up illegal armed organizations.[74] Georgia's bill, drafted in consultation with European colleagues according to a state security ministry official,[75] provides for restricting or suspending the activities of organizations that receive foreign funding and whose activities "threaten Georgia's national interests," but fails to define those interests.[76]
While the legal landscape is shifting and affecting many components of human rights, and not only privacy, in many cases these policies are founded upon its curtailment.
The immediate period after September 2001 was a time of fear, flux and uncertainty. The United Nations responded with Resolution 1368 calling on increased cooperation between countries to prevent and suppress terrorism.[77] NATO invoked Article 5, claiming an attack on any NATO member country is an attack on all of NATO; legislatures responded accordingly. The Council of Europe condemned the attacks, called for solidarity, and also called for increased cooperation in criminal matters.[78] Later the Council of Europe Parliamentary Assembly called on countries to ratify conventions combating terrorism, lift any reservations in these agreements, and extend the mandate of police working groups to include "terrorist messages and the decoding thereof."[79] The European Union responded similarly, pushing for a European arrest warrant, common legislative frameworks for terrorism, increasing intelligence and police cooperation, freezing assets and ensuring passage of the Money Laundering Directive.[80] The OECD furthered its support for the Financial Action Task Force on Money Laundering and, along with the G-7[81] and the European Commission, called for the extension of its mandate to combat terrorist financing.[82] These calls for international cooperation were perceived by many as impetus to create new laws.
The European Commission considered requiring every member state of the European Union to make cyber-attacks punishable as a terrorist offence. New Zealand minimized public consultation on a proposed law to freeze the financial assets of suspected terrorists because the government felt it was bound by United Nations Security Council resolutions. France expanded police powers to search private property without warrants. Germany reduced authorization restraints on interception of communications, and increased data sharing between law enforcement and national security agencies.
Australia and Canada both introduced laws to redefine terrorist activity and to grant powers of surveillance to national security agencies (ASIO and CSIS respectively) for domestic purposes if terrorist activity or a terrorist affiliation is suspected. India passed a law to allow authorities to detain suspects without trial, conduct increased wiretapping, and seize funds and property. The United Kingdom passed a law permitting the retention of data for law enforcement purposes in contravention to existing data protection rules. The United States passed several laws, including the USA-PATRIOT Act, which increases surveillance powers and minimizes oversight and due process requirements.
Within this deluge of new policy proposals in the immediate period after September 2001, several trends may be identified.
Almost every country that changed its laws to reflect the environment following September 2001 increased the ability of law enforcement and national security agencies to perform interception of communications, and transformed the powers of search and seizure, and an increase in the type of data that can be accessed.
The novelty in these initiatives tends to arise in the reduced authorization requirements and oversight. This included initiatives to weaken due process requirements; as occurred in Canada where the first anti-terrorism bill proposed that law enforcement agencies would no longer be required to justify the need for the wiretap. That is, in existing law, the judge authorizing the interception would need to be satisfied that "other investigative procedures have been tried and have failed, other investigative procedures are unlikely to succeed or the urgency of the matter is such that it would be impractical to carry out the investigation of the offence using only other investigative procedures."[83] In the law, an exception is established for all offences that fall under the broad category of "terrorist activity." Other parts of the law allow for interception authorization by the Minister of Defense instead of requiring judicial authorization.
There is also a general increase in the breadth of application of these powers, by incorporating and including new technologies and communications infrastructures, permitting additional government agencies to use these powers, and formalize roving powers. The USA-PATRIOT Act codified the use of Carnivore-style Internet surveillance technology, granting access to sensitive traffic data with only a court order rather than a judicial warrant. Moreover, the reporting regime in the United States was weakened with amendments to the Foreign Intelligence Surveillance Act so that fewer warrants would have to be requested and reported because the expiration time period was increased, and 'generic' orders could be requested allowing one warrant to be served on multiple service providers.
Attempts to differentiate the authorization and oversight requirements based on the communications-technology also occurred. The Australian government proposed in its Telecommunications Interception Legislation Amendment Bill 2002 to grant powers to intercept and read e-mail, SMS and voice mail messages without a warrant because these communications were considered access to 'stored' data rather than 'intercepted' in real-time. This proposed act was rejected in the Senate in June 2002;[84] however, the Government claims that it "remains of the view that the approach adopted in the bill with respect to stored information is appropriate. However, to avoid holding up this important package of legislation, the government has agreed to remove these provisions from the bill and to deal with the issue at a later date."[85] This did not stop a significant increase in interceptions in Australia however. According to parliamentary findings, in the past year there were 17,000 mail investigations, 2514 wiretaps, and access to 733,000 telephone bills; a remarkable increase from previous years.[86]
In 2000, the United Kingdom proposed a policy to require the retention of communications traffic data for up to 7 years by a central government authority.[87] While the proposal faced significant resistance in the public discourse at that time, in December 2001 a similar policy was introduced and passed under the United Kingdom's anti-terrorism law in response to the events of September 2001. The new European Union directive on data protection in electronic services also supports the creation of such data retention laws within the European community and is consistent with international pressure to weaken data protection. In October 2001, President Bush sent a letter to the President of the European Commission requesting that the European Union "[c]onsider data protection issues in the context of law enforcement and counterterrorism imperatives," and as a result to "[r]evise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period."[88] Building from previously articulated concerns that "[d]ata protection procedures in the sharing of law enforcement information must be formulated in ways that do not undercut international cooperation,"[89] the United States Department of Justice submitted several recommendations to the European Commission working group on cybercrime, including the recommendation that
Any data protection regime should strike an appropriate balance between the protection of personal privacy, the legitimate needs of service providers to secure their networks and prevent fraud, and the promotion of public safety.[90]
This perspective was reiterated in May 2002, this time by the Group of 8 Justice and Interior Ministers, requesting that countries
Ensure data protection legislation, as implemented, takes into account public safety and other social values, in particular by allowing retention and preservation of data important for network security requirements or law enforcement investigations or prosecutions, and particularly with respect to the Internet and other emerging technologies.[91]
Individuals and citizens are at the same time losing subject access rights under data protection and freedom of information regimes. In the interests of critical infrastructure protection, access to information is being reduced, limiting government accountability. Meanwhile, in order to protect sensitive investigative and intelligence data, subject access requests are restricted as some data banks are being exempted from both data protection and freedom of information laws.
Several policies were introduced to enable and promote increased data sharing, both within and across government agencies, and with the private sector. The sharing of data between agencies introduces purpose-creep where data collected for one purpose is used for another, but also introduces highly sensitive data to arms of government that can not be expected to protect the data adequately.
There are significant shifts in the policies and practices in the United States with changes to the Attorney General Guidelines regulating the actions and capabilities of the Department of Justice and FBI, increased sharing of information between the FBI and CIA supported by the USA-PATRIOT Act, and proposed policies to increase sharing with local law enforcement agencies. The United States is not alone in introducing such policies. The United Kingdom is proposing "joined-up government" within its consultation paper on modernizing government and public services[92] to create "data-sharing gateways" and provide "seamless" services. It also tried unsuccessfully to allow practically any government agency to gain access to the traffic data of individuals under the Regulation of Investigatory Powers Act, including local councils and parishes.[93]
The increased flow of data is also coming from the private sector. The United Kingdom and Canada proposed laws to grant law enforcement agencies access to travelers' information. The United Kingdom Home Office has recommended that it gain access to information from every passenger before international flights.[94] The Canadian policy proposed to grant both the federal law enforcement and the intelligence agencies access to air passenger information, regardless of domestic or international travel, and to match this data with other personal information[95] for a wide number of purposes and investigations, not limited only to terrorism.[96]
Similarly, the European Union considered granting Europol access to the Schengen Information System, including privileges to change the information held on travelers.[97] Data sharing between financial institutions and with government agencies also increased. New money laundering agreements and regulations have been introduced to increase surveillance of transactions, and even expanded to include hedge funds and money transfer firms.[98] Donations to charities are receiving further scrutiny as both the charities and the donors are monitored to investigate links with terrorist groups.[99] Some financial institutions are also sharing personal information between themselves in order to minimize risk of clients being terrorists, or "undesirables."[100]
Following from data sharing, there are several proposals to create profiles or increase the existing profiles of individuals. This occurs in several stages; the most immediate appears to be the profile of travelers. There are proposals for a next generation computer-assisted passenger prescreening system that will bring in data from credit-reporting agencies and other companies,[101] and even previous flights and registries, set for data mining.[102] Other proposals include trusted-traveler programs involving biometrics in both the United States and Germany,[103] similar to schemes used at Ben Gurion Airport in Tel Aviv.[104] Some airports have also installed face-recognition technologies, while similar technologies are being implemented at national monuments, and even beaches.
In the longer term there are several proposals to increase profiling of citizens and non-citizens. These proposals are typically enhanced and complemented by national identification schemes, enhanced with biometrics. There was considerable discussion in the United States in introducing such a national ID card scheme but no formal policy was introduced. Meanwhile non-citizens may already be tracked at border entry points and as they move within the country. A system called Student and Exchange Visitor Information System keeps track of foreign students to ensure that they are still registered and maintains a log of their addresses.
The United Kingdom proposed the adoption of entitlement cards in an effort to deal with immigration and illegal work and identity theft, but also supported by the fight against terrorism. Similarly, Hong Kong planned to introduce a biometric chip identity card to verify fingerprints to authenticate travelers into China.
None of the above trends were necessarily new; the novelty is the speed in which these policies gained acceptance, and in many cases, became law in the period following September 2001.
New policies to combat terrorism continue to emerge. The United States continues to lead with new policies, technologies, and practices. The importance of the US policies is that they tend to influence policies and citizens of other countries. By September 2002, the Office of Management and Budget counted fifty-eight new regulations responding to terrorism;[105] by March 2003 the General Accounting Office counted nine new National Strategies;[106] there have been innumerable laws passed at the federal and state levels [107]; countless changes in administrative measures, including the Attorney General Investigative Guidelines; and some attention has been given to policies and projects from various departments, not limited to the Terrorism Information Awareness Program (TIA) and Computer Assisted Passenger Prescreening (commonly referred to as CAPPS II). Some of these are covered in more detail below.
The management of US borders continues to receive policy attention. There are increased interviews of visa applicants, requirements for machin- readable passports from other countries, and plans to track foreign visitors by collecting information such as fingerprints and photos. The Transportation Security Administration's CAPPS II system, that would profile travelers is still being developed, to use "dynamic intelligence information to select passengers for enhanced screening" authenticated from "publicly and commercially available databases" to "run against terrorist or other appropriate federal government systems, an aggregate numerical threat score will be generated," in less than five seconds.[108] In March 2003 a Committee amendment was passed requiring a report within 90 days on the potential impact of CAPPS II on privacy and civil liberties.
Meanwhile, US Customs officials have been meeting with EU officials regarding the transfer of and access to passenger personal data, as required under Aviation and Transportation Security Act 2001. The EU's Article 29 working group on data protection noted several problems with the proposed data sharing, including the retention time (proposed period of 7-8 years was considered unjustified), an excessive amount of data being requested.[109]
Several other programs for datasharing and data mining exist, including the Terrorism Information Awareness Program, renamed in May 2003 from Total Information Awareness. This program is developed within the Pentagon Information Awareness Office, to "imagine, develop, apply, integrate, demonstrate and transition information technologies, components, and prototype closed-loop information systems that will counter asymmetric threats by achieving total information awareness useful for preemption, national security warning, and national security decision making."[110]
Further data collection measures that were controversial in 2003 included the registration of immigrants and fingerprinting. The National Security Entry-Exit Registration System (NSEERS) involved the registration of nearly 82,000 male immigrants and visitors from predominantly Muslim countries, leading to possibly 13,000 deportations.[111] The information will be stored in a secure government database along with travel data, photos; and will be matched against other data held on potential terrorists.[112] Officials have admitted, according to the New York Times, that only eleven individuals have been identified to have links to terrorism.[113] Another system, the Student and Exchange Visitor Information System (SEVIS), to track the nearly one million foreign students in the US, has also been problematic due to poor technology and limited resources.[114]
There have also been several developments in surveillance law. The use of the USA-PATRIOT Act has been questioned and reported upon in the past year. There have been attempts at extending its contentious measures that are supposed to sunset at the end of 2005.[115] Finally, in February 2003 a draft bill was uncovered, entitled the Domestic Security Enhancement Act of 2003 that contains several new powers including the ability to strip citizenship, wiretaps without court orders, secret detentions, limits on the challenging of secret evidence, increased use of DNA without court orders and consent, increased data sharing, and increased international cooperation in search and seizure and extradition.
Other countries have found novel means of implementing invasive policies and practices. The global legal landscape is fragmented. In some countries there are no specific terrorism laws as yet, such as in Belgium. Other countries have been very active in implementing laws.
Among the remarkable legal developments include laws on increasing the powers of law enforcement and national security agencies to arrest and detain individuals. Australia has been the leader, outside of the US. In 2002, the Australian Parliament considered at least eight bills on terrorism. The most controversial has been the Australian Security Intelligence Organisation Legislation Amendment (Terrorism)Bill 2002. An earlier version of the bill gave rise to a 27-hour debate that had to be shut down by the Prime Minister in the fall of 2002.[116] Reintroduced in late 2002 and debated intensely in 2003, it was passed in June 2003. The law allows for warrants to detain citizens eighteen years of age and older for seven days if it is believed that the citizen has information that may be useful to combat terrorism; while citizens from age sixteen may be detained if they are suspected of terrorist activity. Interrogation may occur for three eight-hour periods. The warrants may be applied successively, with no limit.
Earlier drafts of the bill gave rise to significant concern from the opposition and civil society; many of these concerns continue unabated. The Australian law society has articulated concerns regarding limitations on the right against self-incrimination.[117] The opposition parties prevented the application of the law unto citizens of age fourteen to sixteen. Meanwhile amendments to limit the successive application for warrants were voted down. The law does include a three-year sunset provision.
Similar laws on detention have arisen elsewhere. Columbia is proposing to amend its constitution to give police forces the power to make arrests, conduct searches without warrants, and detain individuals for 36 hours without judicial authorization. The Senate has already approved this proposal, while the House of Representatives is expected to do so at the end of July.[118] Canada's antiterrorism law, enacted in December 2001, allowed for preventative arrests without warrant and investigative hearings. Since then, the Solicitor General of Canada has released a report noting that the detention power has not been used,[119] nor have investigative hearings been convened.[120]
Egypt extended its emergency laws for another three years allowing for similar powers of detention. Egypt has been applying the extension continuously since 1981.[121] The US Department of State has expressed concerns regarding these powers, as the Egyptian government applies emergency courts for cases not linked to national security, while also referring civilians to military tribunals for non-violent offences.[122]
In the period following the bombings in Bali, the Indonesian government decreed to the law enforcement agencies the power to detain individuals without evidence.[123] This power evolved into law in March 2003 where individuals could be detained for six months based on prima facie evidence, while also allowing intelligence to be used as evidence, and increased abilities to conduct interception of communications, among other powers.[124] Similar to the Egyptian situation, the US Department of State has also made public its concerns regarding the application of state powers, particularly in the conviction of political activist in June 2003.[125]
Kenya has also received some terrorist attention. Following alerts from the United Kingdom and the United States, the Kenyan government published a Suppression of Terrorism Bill in June 2003; subsequently published in full by the Daily Nation newspaper.[126] The bill provides for the power to detain any person in a place which is subject of an urgent search permit; any police officer above rank of inspector may detain a suspect incommunicado for up to thirty-six hours without access to lawyer; while also granting immunity to the police for application of "reasonable force."[127] In broadening those who can be identified as terrorist, the bill includes any given individual who "(a) wears an item of clothing; or (b) wears, carries or displays an article, in such a way or in such circumstances as to arouse reasonable suspicion that he is a members or supporter of a declared terrorist organization shall be guilty of an offence and shall be liable on conviction to imprisonment for a term not exceeding six months, or both."[128]
South Africa's draft bill contains similar provisions. Providing food, drink and clothing to a member of a terrorist organization;[129] definition of terrorism is broad to include act "likely to intimidate the public or a segment of the public;" media also oppose because could compel public and journalists to become snoops.[130]
The Philippines has also been actively confronting terrorism and devising new policies. A proposed law provides for longer periods of detention without a warrant, and the Anti-Terrorism Action Council (including eight cabinet members and governor of the Central Bank) may authorize the interception of communications and freezing of bank accounts.[131]
There are alternative wordings for legalizing detention and other coercive powers, however. South Africa's proposed bill also proposes detention powers in its bail procedures,[132] despite promises from the government otherwise.[133] The Tanzanian bill requires "cooperation with the authorities" on the basis of perceived international commitments.[134] Sudan is applying its powers, given to a special branch to prosecute terrorism suspects, and particularly "religious extremists and armed bandits."[135]
In early 2002 some progress had been made on legal appeals regarding detention. In the United Kingdom, a Special Immigration Appeals Tribunal decided against the government's policy on detention because it was specifically targeting non-British citizens, and thus in contravention of the European Convention of Human Rights equal protection clauses. The government quickly appealed, however, and the Court of Appeals decided in October 2002 that detention is in fact lawful, provided that the detainees are a threat to national security.
More initiatives have been introduced to increase and enhance identification and enable profiling. The Philippines[136] and the United Kingdom[137] are considering ID cards in order to combat terrorism.
Canada has also been actively considering the adoption of ID Cards. The reasoning behind its introduction, according to the Minister of Citizenship and Immigration is that the US will soon require the fingerprinting of Canadians as they pass through the US-Canada border. "If you have that entry-and-exit program when you will have to be fingerprinted, you will say, 'I'm a Canadian citizen, why do you need my fingerprints and what are you going to do with it?' Well, wouldn't you like to have a debate among ourselves and say, as Canadians, we will build that the Canadian way? If we can have the technology with our own scanners, we can say we will take care of our own people with our own scanners."[138] The House of Commons select committee on Citizenship and Immigration is convening on the issue at the time of this report's publication. Meanwhile, the Canadian government has also been pursuing, under its Public Safety Bill, giving law enforcement authorities access to travel information, even within Canada. This is a separate initiative from the Canadian Customs and Revenue Agency's proposal to retain travel information for six years. Recently that proposal has been altered to purge non-customs related data after it is no longer used, and to implement access controls on the database of travel.
Australia has been actively pursuing the concept of a smart passport that includes digital photos. The government has run a trial of SmartGate application at Sydney Airport that was heavily criticized as involving ineffective and flawed technology.[139] At the same time, the Australian government has also been pushing for an advanced passenger processing system at Asian-Pacific Economic Cooperation forum (APEC).[140]
The New Zealand Customs Service began receiving advance passenger lists in 2003 from airlines under its Customs and Excise Act. The airlines would "feed data directly to the CS's computer system" before landing; and this information is checked for "people of interest." This system is seen as a first step to setting up Advance Passenger Processing system that will identify problematic passengers prior to boarding flights.[141]
In the European Union, the Spanish government put forward a proposal for a Directive requiring carriers to collect and send data on all passengers at the time of boarding to law enforcement agencies in destination countries or face fines.[142]
Some legal developments pertain directly to information technology use. Cuba's law on combating terrorism includes hacking.[143] New Zealand's counter-terrorism bill could force individuals to disclose their passwords, even in non-terrorism related investigations, or face three months in jail or a fine of NZD$2000.[144] Kenya's bill includes an offence for "collection of information for terrorist purposes," i.e, "collects, makes or transmits a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism; or possesses a document or record containing information of that kind shall be guilty of an offence' term not exceeding ten years; 'transmit' includes by telephone, e-mail, voicemail, or other telecommunications method; and make available on the Internet. "It is a defense for a person charged with an offence under this section to satisfy the court that he had a reasonable excuse for his action or possession."
It is increasingly difficult to identify the sources of laws, however. Several countries have introduced new laws because of a felt imperative to model changes in other countries. For example, Kenyan opposition party members accuse the United Kingdom and the United States for pressuring Kenya; and they note that the definition of terrorism in the Kenyan bill is taken from section 802 of PATRIOT Act. This was denied by the Justice and Constitutional Affairs assistant minister Robinson Njeru Githae, as reported by the Nairobi-based newspaper, The Nation: "We have not to reinvented the wheel. What we have done is to pick the best of Suppression of Terrorism Act in the Commonwealth countries and given it a Kenyan outlook."[145]
Another source of law includes international treaties. Romania's recently passed law on corruption includes components of the Council of Europe Convention on Cybercrime. Many countries are trying to ratify and implement into law the approximately twelve United Nations conventions on anti-terrorism. Governments report regularly to the United Nations Security Council committee on Resolution 1373 on their progress in adopting these convention.[146] However, they are also adding to and interpreting these conventions. For example, New Zealand Justice Minister Phil Goff stated in April 2003 that the new Counter Terrorism Bill "was the final step in adopting the last of twelve United Nations conventions aimed at fighting terrorism... It will give police and customs officers more powers to fight terrorism, including enabling police to use tracking devices, and will allow evidence found in the investigation of one crime to be used in the prosecution of another."[147] These additional powers are not included within the standard conventions.
It is therefore important to note not only the laws in other countries, but also the activities of international governmental organizations. These organizations have been very active in developing counter-terrorism policy tools and mechanisms.
The African Union, formerly the Organization of African Unity, released a convention in August 2002 in order to promote the criminalization of terrorist acts, and extradition and mutual legal assistance regimes.[148] While this convention contains controversial concepts with respect to civil liberties, it is far from being unique considering the developments in recent years in such conventions as the Council of Europe Convention on Cybercrime.
The Asian-Pacific Economic Cooperation forum (APEC) held a summit in October 2002 in order to promote growth and fight against terrorism. An agreement emerged from the Mexico summit that aims to halt terrorist financing, and to promote cybersecurity.
More recently, the Association for Southeastern Asian Nations held a summit in late June and early July of 2003. Among outcomes included an agreement to obtain and share evidence amongst member countries, share bank records, cooperate in the freezing of foreign assets, and conduct searches and seizures upon request from fellow members; all in the aim to combat terrorism and cross-border crime. [149] An uncommon development, however, is the lack of agreement on extradition. Discussions have also occurred on the issue of secure identity documents.
The Group of 8 industrialized countries (G8) is the primary source of discussion on secure passports. At the May 2003 summit of Justice and Home Affairs ministers in Paris, the United Kingdom reportedly promoted computerized passports.[150] The ministers unanimously stressed the importance of developing biometric technologies with the goal of developing a common framework for biometric passports, as is being discussed by the International Civil Aviation Organization. There was some disagreement, according to reports, that the French and the US differed on which form of biometrics should be promoted (the US was pushing for iris scans or 'other innovative technologies', the French were for fingerprints).[151] In the end, according to the ICAO, facial recognition was adopted at the end of May 2003.[152] Other issues addressed by ministers included critical infrastructure protection, child pornography, and enhancing financial investigations. In this last issue of discussion, the G8 ministers promoted the work of experts who "identified 29 best practice principles on tracing, freezing, seizing and confiscating crime-related assets," while admitting that "these principles and good practices are ambitious." [153]
The G8 Evian summit of heads of government met in June 2003. At this summit the G8 created the Counter-Terrorism Action Group (CTAG), which would support the UN Counter-Terrorism Committee for 'capacity building'.[154] The proposal was led by the US, with the goal to create a group that would deal with "terrorist financing, customs and immigration controls, illegal arms trafficking, police and law enforcement"; "will identify relevant international best practices, codes, and standards in combating terrorism"; "target counterterrorism assistance to priority countries"; and "work with International Financial institutions to strengthen counterterrorism financing measures."[155]
The Commonwealth Secretariat also engaged in work to promote capacity building. In 2002 the secretariat developed "Implementation Kits for International Counter-Terrorism Conventions," a form of 'do-it-yourself' manual for governments, covering all twelve multilateral treaties drawn up between 1963 and 1999 by the UN and other inter-governmental fora.[156] In September 2002, the secretariat also released "Model Legislative Provisions on Measures to Combat Terrorism" that provides for defining specified entities' a variety of offenses and their investigation, interception of communications and admissibility as evidence. The model provisions also establish procedures for trials, promotion of information sharing, ensure extradition and mutual legal assistance, empower governments to seize evidence, manage charities, outline refugee application refusals, and allow for the removal of persons.[157]
The intergovernmental policy area of financial regulations is dominated by the output of the Financial Action Task Force (FATF). In the early 1990s the FATF developed its forty recommendations on combating money laundering. In April 2002, the FATF released guidance for financial institutions for detecting terrorist financing; and conducted consultation on forty recommendations for terrorist financing, thus extending its remit beyond money laundering. In June 2003 the new recommendations were adopted. According to the FATF:
The FATF recognises that countries have diverse legal and financial systems and so all cannot take identical measures to achieve the common objective, especially over matters of detail. The Recommendations therefore set minimum standards for action for countries to implement the detail according to their particular circumstances and constitutional frameworks. The Recommendations cover all the measures that national systems should have in place within their criminal justice and regulatory systems; the preventive measures to be taken by financial institutions and certain other businesses and professions; and international co-operation.[158]
The acknowledgement of flexibility is due to, according to reports, disagreement on regulatory procedures between American and German delegations.[159] The recommendations include the requirement that institutional secrecy laws are not used to inhibit implementation, and recommend against the keeping of anonymous accounts, with some recommendations on identification as 'due diligence'. Co-operation between countries is also recommended, as is the removal of unduly restrictive conditions for this cooperation to take place. The scope of application also increases; non-financial businesses including lawyers and notaries except when under privilege.
Inter-governmental organizations in the Europe have been very active as well. The Southeastern Europe Cooperation Initiative (SECI) Regional Center for Fight Against Cross-Border Crimes had its first meeting of 'Mission Force for Fight Against terrorism' (sic), in June 2003. Held in Turkey, eighty-five representatives attended from Albania, Bulgaria, Bosnia-Herzegovina, Croatia, Hungary, Macedonia, Moldova, Romania, Greece, Slovenia and Serbia-Montenegro. According to Turkish Security Director General Gokhan Aydiner, "Turkey has been trying for years to bring the issue of terrorism onto agenda of the world. In some countries, terrorist organizations and their members are considered fighters of freedom. Those who staged gory actions in which thousands of people lost their lives, continue their terrorism activities without any punishment." [160] According to media reports, the task force aimed to cover organized crimes and terrorism, development of common operational plans, financial sources of terrorist organizations.
The Organization for Security and Cooperation in Europe (OSCE) began a new initiative with its first annual security review conference in June 2003. A speech by US Ambassador Cofer Black, Coordinator for Counterterrorism, called on the OSCE to continue fighting terrorism, to encourage FATF adherence, to implement UN conventions (noting that only 38% of OSCE states have become parties to all 12), and to do the utmost to prevent spread of small arms and light weapons. He also called for closer cooperation with the UN, G8, ICAO to develop international standards and in turn to encourage regional implementation. Particularly, he called for cooperation on the issue of travel document security with G8 and ICAO.[161] This was supported by 'several delegations', as it was felt that "this work could make a significant, real contribution not only to the war on terrorism, but also to the fight against organized crime and illegal immigration, all issues that many delegations had identified as threats to their security and stability."[162]
The vast majority of these meetings of inter-governmental organizations outlined above were closed. In the coming months and years, however, their work, findings, conclusions, and conventions will be affecting national policy discourse.
This will be particularly the case in the European Union and primarily the output of the Council, where there is more of a binding requirement to enact policies at the national level. As accession countries to the EU begin their process of legal harmonization, interpretation and guidance on EU policies will require scrutiny. The EU has been active in all of the issues covered above. In 2001 and 2002 the Council Framework Decision on a European arrest warrant was developed and is currently being implemented into national law. A Working Party on Terrorism has been convening to develop measures to exchange information between member states, the creation computer-aided preventative searches on the basis of offender profiles (particularly the compiling of travel patterns).[163] These profiles may include method and means of travel, 'physical distinguishing features (e.g. battle scars)', education, places of stay, methods of communication, psycho-sociological features, family situation, expertise in advanced technologies; with the aim to identify terrorists before an act is carried out. A proposed innovation includes searching through "relevant national databases (e.g. registers of residents, registers of foreigners, universities etc.') subject to the provisions of national law, for person who need to be vetted more closely by the security authorities."[164]
The EU has also developed a "roadmap" regarding the implementation of an "EU Action Plan in the fight against terrorism." This roadmap includes the discussion of counter-terrorism in political dialogues with third countries and other multilateral fora. The EU has been particularly active in meetings with Asian countries, and in meetings with the US on mutual legal assistance.[165] The roadmap also consists of enhancing preventing of crime involving the use of electronic communications systems, measures to counter insider dealing, transparency criteria for legal entities, initiatives to draw up a common list of terrorist organizations, and the 'systematic transmission to Europol of any piece of data relevant to terrorism', while complying with international obligations regarding protection of fundamental rights and ensuring 'a balance between data protection and police efficiency', among other initiatives.
While the anti-terrorism policy developments outlined above and later in this report have shifted the legal and technological landscape for privacy, there have been some developments in the area of civil liberties and terrorism.
In the US, opposition to the USA-PATRIOT Act has grown. In response to the law, some librarians have begun to tape warnings to computer screens that usage could be subject to scrutiny by law enforcement agencies; in some cases they are destroying records of reading habits and sign-up logs of computer use.[166] There have been successful amendments on TIA and CAPPS II related policies to call for studies of the privacy and civil liberties implications of these programs. Finally, in many districts and cities, there is oppostion to the PATRIOT Act. More than one hundred local governments have passed laws against the Act.[167]
Changes in proposed and existing laws are occurring for several reasons elsewhere in the world. In Hong Kong, after protests including one involving over 400,000 demonstrators, the government appears to have backed down on changes to the Basic Law to deal with sedition.[168] Jordan rescinded Article 150 of its penal code, which was introduced in response to the events of September 11. The Article had allowed for "permanent or temporary closure" of publications that "carry false or libellous information that can undermine national unity or the country's reputation', and publications carrying articles that incite 'crimes, strikes, illegal public assemblies or undermining public order."[169]
In the most severe case, Peru has been forced to review sentences given out to 1,800 people when the high court handed down a decision rejecting the anti-terrorism decrees established under the Fujimori government as unconstitutional.[170] These decrees included trials for treason before hooded military judges and life sentences without review, [171] including on free expression related offences.[172]
The effectiveness of opposition may take some time to take full effect. After India's antiterrorism bill became law, it has been reported that the entire opposition to the government walked out on parliament. [173] Since its enactment, however, and after its use to detain some politicians, the parliament has constituted a Review Committee to ensure that the powers are not misused for non-terrorism purposes.[174]
For the few laws enacted after September 2001 that already contained sunset provisions and parliamentary reviews, many of these reviews are upcoming. Many powers are also being questioned in the courts, questioned in the marketplace, and by civil society. The track records and experiences of similar powers across countries may be useful in calling these powers into question; at least as a counter to the call of governments to harmonize more intrusive powers.
Identity (ID) cards are in use in one form or another in virtually all countries of the world. The type of card, its functions, and integrity vary enormously. While several countries have official, compulsory, national ID cards that are used for a variety of purposes, many countries do not. These include Australia, Canada, India, Ireland, New Zealand, the United States and the Nordic countries. Those that do have such a card include Belgium, Egypt, France, Germany, Greece, Hong Kong, Malaysia, and South Africa.
Nationwide ID systems are established for a variety of reasons. Race, politics and religion often drive the deployment of ID cards.[175] The fear of insurgence, religious differences, immigration, or political extremism have been all too common motivators for the establishment of ID systems that aim to force undesirables in a State to register with the government, or make them vulnerable in the open without proper documents.
In recent years technology has rapidly evolved to enable electronic record creation and the construction of large commercial and state databases. A national identifier contained in an ID card enables disparate information about a person that is stored in different databases to be easily linked and analyzed through data mining techniques. ID cards are also becoming "smarter" - the technology to build microprocessors the size of postage stamps and put them on wallet-sized cards has become more affordable. This technology enables multiple applications such as a credit card, library card, health care card, driver's license and government benefit program information to be all stored on the same national ID along with a password or a biometric identifier. Governments in Finland, Malaysia, and Singapore have experimented with such "Smart" ID cards. In July 2002, the Labor government in the United Kingdom launched a six-month public consultation process on whether the United Kingdom should adopt an "entitlement card" with similar features.[176] Critics contend that such cards, especially when combined with information contained in databases, enable intrusive profiling of individuals and create a misplaced reliance on a single document, which enables precisely the type of fraud the cards are meant to eliminate.[177]
In several countries, these systems have been successfully challenged on constitutional privacy grounds. In 1998, the Philippine Supreme Court ruled that a national ID system violated the constitutional right to privacy.[178] In 1991, the Hungarian Constitutional Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy.[179] The 1997 Portuguese Constitution states "Citizens shall not be given an all-purpose national identity number." [180]
In other countries, opposition to the cards combined with the high economic cost and other logistical difficulties of implementing the systems has led to their withdrawal. Massive protests against the Australia Card in 1987 resulted in the near collapse of the government. Card projects in South Korea and Taiwan were also stopped after widespread protests. In the United States plans to convert the state driver's license into a nationwide system of identification have stalled because of the stiff resistance from a broad coalition of civil society groups.[181]
Biometrics is the identification or verification of someone's identity on the basis of physiological or behavioral characteristics. Biometrics involves comparing a previously captured unique characteristic of a person to a new sample provided by the person. This information is used to authenticate or verify that a person is who they said they were (a one-to-one match) by comparing the previously stored characteristic to the fresh characteristic provided. It can also be used for identification purposes where the fresh characteristic is compared against all the stored characteristics (a one-to-many match). New biometric technology attempts to automate the identification or verification process by converting the provided biometric into an algorithm, which is then used for matching purposes. The computer matching technique necessarily produces either false positives, where a person is incorrectly identified as someone else, or false negatives, where a person who is meant to be identified by the system is not correctly identified. The two error rates are dependent, so for example reducing the number of false positives increases the number of false negatives. The tolerance level is adjusted depending on the need for security in the application.
The most popular forms of biometric ID are fingerprints, retina/iris scans, hand geometry, voice recognition, and digitized (electronically stored) images. The technology is gaining interest from governments and companies because, unlike other forms of ID such as cards or papers, it can be more difficult to alter or tamper with one's own physical or behavior characteristics. Important questions remain, however, about the effectiveness of the automated biometric matching techniques, particularly for large-scale applications.[182] Critics also argue that widespread deployment of biometric identification technology could remove the veil of anonymity or pseudo-anonymity in most daily transactions through the creation an electronic trail of people's movements and habits.[183]
Biometrics schemes are being implemented across the world. The technology is widely used in small settings for access control to secure locations such a nuclear facility or bank vault. It is increasingly being used for broader applications such as retail outlets, government agencies, childcare centers, police forces and automated-teller machines. Spain has commenced a national fingerprint system for unemployment benefits and healthcare entitlements. Russia has announced plans for a national electronic fingerprint system for banks. Jamaicans are required to scan their thumbs into a database before qualifying to vote in elections. In France and Germany, tests are under way with equipment that puts fingerprint information onto credit cards. Many computer manufacturers are considering including biometric readers on their systems for security purposes.
The most controversial form of biometrics - DNA identification - is benefiting from new scanning technology that can automatically match DNA samples against a large database in minutes. Police forces in several countries including Canada, Germany, and the United States have created national DNA databases. Samples are being routinely taken from a larger group of people. Initially, it was only individuals convicted of sexual crimes. Then it was expanded to people convicted of other violent crimes and then to arrests. Now, many jurisdictions are collecting samples from all individuals arrested, even for the most minor offenses. Former New York City Mayor Rudolf Giuliani even proposed that all children have a DNA sample collected at birth. In Australia, the United Kingdom, and the United States, police have been demanding that all individuals in a particular area voluntarily provide samples or face being considered a suspect. United States Attorney General Ashcroft has testified that he has asked the FBI to increase the capacity of its database from 1.5 million to 50 million profiles.[184]
At the same time, DNA data has been used as exculpatory evidence in many criminal trials.
Most countries around the world regulate the interception of communications by governments and private individuals and organizations. These controls typically take the form of constitutional provisions protecting the privacy of communications and laws and regulations that implement those requirements.
There has been great pressure on countries to adopt wiretapping laws to address new technologies. These laws are also in response to law enforcement and intelligence agencies pressure to increase surveillance capabilities. In Japan, wiretapping was only approved as a legal method of investigation in 1999. Other countries such as Australia, Belgium, Germany, New Zealand, South Africa and the United Kingdom have all updated their laws to facilitate surveillance of new technologies.
The United States government has been at the forefront of promoting greater use of electronic surveillance. Former FBI Director Louis Freeh traveled extensively around the world, promoting the use of wiretapping in newly democratic countries such as Hungary and the Czech Republic. At the same time, the United States has led world efforts to ensure that all communications technologies have built-in surveillance capabilities and to prohibit the manufacture and use of equipment that cannot be eavesdropped upon. The United States has also been working through international organizations such as the OECD, G-8 and the Council of Europe to promote surveillance.
It is recognized worldwide that wiretapping and electronic surveillance are a highly intrusive form of investigation that should only be used in limited and unusual circumstances. Nearly all major international agreements on human rights protect the right of individuals from unwarranted invasive surveillance.
Nearly every country in the world has enacted laws on the interception of oral, telephone, fax and telex communications. In most democratic countries, intercepts are initiated by law enforcement or intelligence agencies only after it has been approved by an judge or some other kind of independent magistrate or high level official and generally only for serious crimes. Frequently, it must be shown that other types of investigation were attempted and were not successful There is some divergence on what constitutes a 'serious crime', and appropriate approval.
Several countries including France and the United Kingdom have created special commissions that review wiretap usage and monitor for abuses. These bodies have developed an expertise in the area that most judges who authorize surveillance do not have, while they also have the ability to conduct follow up investigations once a case is complete. In other countries, the privacy commissioner or data protection authority has some ability to conduct oversight of electronic surveillance.
An important oversight measure that many countries employ is the requiring of annual public reporting of information about the use of electronic surveillance by government departments. These reports typically provide summary details about the number of uses of electronic surveillance, the types of crimes that they are authorized for, their duration and other information. This is a common feature of wiretap laws in English-speaking countries and many others in Europe. Countries that issue annual reports on the use of surveillance include Australia, Canada, France, New Zealand, Sweden, the United Kingdom, and the United States. Meanwhile in the Netherlands, the Minister of Justice in April 2003 announced that he saw no additional value in maintaining a log of the frequency of wiretaps, or installing a special functionary to oversee the warranty process.[185]
These countries recognize that it is necessary to allow for people outside governments to know about its uses to limit abuses. They are widely used in many countries by the Parliaments for oversight and also by journalists, NGOs and others to examine the activities of law enforcement. The reports have shown an increase in the use of surveillance in many countries including Australia,[186] the United States, and the United Kingdom while others such as Canada have remained steady. Most recently, however, Canada has reduced the amount of reporting; despite statutory requirements, annual reports from the Solicitor General on surveillance activities have not been released since 1999. [187]
These laws are designed to ensure that legitimate and normal activities in a democracy such as journalism, civic protests, trade union organizing or political opposition are free from being subjected to unwarranted surveillance because they have different interests and goals than those in power. It also ensures that relatively minor crimes, especially those that would not generally involve telecommunications for facilitation, are not used as a pretext to conduct intrusive surveillance for political or other reasons.
However, wiretapping abuses have been revealed in most countries, sometimes occurring on a vast scale involving thousands of illegal taps. The abuses invariably affect anyone "of interest" to a government. Targets include political opponents, student leaders and human rights workers.[188] This can occur even in the most democratic of countries such as Denmark and Sweden, where it was recently disclosed that intelligence agencies were conducting surveillance of thousands of left-leaning activists for nearly forty years.
The United Nations Commissioner on Human Rights in 1988 made clear that human rights protections on the secrecy of communications broadly covers all forms of communications:
Compliance with Article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. Correspondence should be delivered to the addressee without interception and without being opened or otherwise read. Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.[189]
The need for greater protection is recognized by many democratic countries around the world. Most recently, the German Federal Constitutional Court is considered whether the interception laws passed in 1998 are constitutional; the results of this case are expected in the fall of 2003.[190]
Increasingly new standards, technologies and new policies are complicating the situation.
In the past fifteen years, the United States government has led a worldwide effort to limit individual privacy and enhance the capability of its police and intelligence services to eavesdrop on personal conversations. This campaign had two strategies. The first is to promote laws that make it mandatory for all companies that develop digital telephone switches, cellular and satellite phones and all developing communication technologies to build in surveillance capabilities; the second is to seek limits on the development and dissemination of products, both in hardware and software, that provide encryption, a technique that allows people to scramble their communications and files to prevent others from reading them.[191]
Law enforcement agencies have traditionally worked closely with telecommunications companies to formulate arrangements that would make phone systems "wiretap friendly." These agreements range from allowing police physical access to telephone exchanges, to installing equipment to automate the interception. Because most telecommunications operators were either monopolies or operated by government telecommunications agencies, this process was generally hidden from public view.
Following deregulation and new entries into telecommunications in the United States in the early 1990s, law enforcement agencies, led by the FBI, began demanding that all current and future telecommunications systems be designed to ensure that they would be able to conduct wiretaps. After several years of lobbying, the United States Congress approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994.[192] The act sets out legal requirements for telecommunications providers and equipment manufacturers on the surveillance capabilities that must be built into all telephone systems used in the United States. In 1999, at the request of the Federal Bureau of Investigation, an order was issued under CALEA requiring carriers to make available the physical location of the antenna tower that a mobile phone uses to connect at the beginning and end of a call.[193]
Due to heavy lobbying, the Internet Service Providers in the United States have so far been exempted from implementing these technical requirements. In other countries the computer industries have not been so fortunate. In Australia the Telecommunications Act 1997 places obligations on telecommunications operators to positively assist law enforcement in the performance of their duties and to provide an interception capability. The costs of these obligations are borne by the operators themselves.[194] Furthermore, the 2001 Cybercrime Act allows executing officers to require a "specified person" with "knowledge of a computer or a computer system" to provide assistance in accessing, copying or converting data held on or accessible from that computer. Failing to provide this assistance is an offence punishable by six months imprisonment. [195]
In the United Kingdom the Regulation of Investigatory Powers Act 2000 requires that telecommunications operators maintain a "reasonable interception capability" in their systems and be able to provide on notice certain "traffic data."[196] It also imposes on obligation on third parties to hand over encryption keys. These requirements were recently clarified in the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002.
In the Netherlands, a new Telecommunications Act was approved in December 1998 that required that Internet Service Providers have the capability by August 2000 to intercept all traffic with a court order and maintain users logs for three months.[197] The law was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. In New Zealand, the Telecommunications (Residual Powers) Act 1987 requires network operators to assist in the operation of a call data warrant (equivalent to the United States trap and trace or pen register warrant). [198] An obligation to assist in the operation of a full interception warrant is now also being considered in New Zealand. The Telecommunications (Interception Capabilities) Bill currently being drafted by the Government would require all Internet Service Providers and telephone companies to upgrade their systems so that they are able to assist the police and intelligence agencies intercept communications. It would also require a telecommunications operator to decrypt the communications of a customer if that operator had provided the encryption facility.[199]
In January 2002, a new Law on the surveillance of mail and telecommunications entered into force in Switzerland, requiring ISPs to take all necessary measures to allow for interception.[200] In contrast, the Austrian Federal Constitutional Court held, in a decision[201] in February 2003, that the law compelling telecommunications service providers to implement wiretapping measures at their own expense is unconstitutional.[202] Most recently, Poland and New Zealand have been reported as proposing and adopting new laws requiring ISPs to monitor and record communications transactions.
International cooperation played a significant role in the development of these standards.In 1993, the FBI began hosting meetings at its research facility in Quantico, Virginia called the "International Law Enforcement Telecommunications Seminar" (ILETS). The meetings included representatives from Canada, Hong Kong, Australia and the European Union. At these meetings, an international technical standard for surveillance, based on the FBI's CALEA demands, was adopted as the "International Requirements for Interception." In January 1995, the Council of the European Union approved a secret resolution adopting the ILETS standards.[203] Following this, many countries adopted the resolution into their domestic laws without revealing the role of the FBI in developing the standard. Following the adoption, the European Union and the United States offered a Memorandum of Understanding (MOU) for other countries to sign to commit to the standards. Several countries including Canada and Australia immediately signed the MOU. Others were encouraged to adopt the standards to ensure trade. International standards organizations, including the International Telecommunications Union (ITU) and the European Telecommunication Standardisation Institute (ETSI), were then successfully approached to adopt the standards.
The ILETS group continued to meet. Several committees were formed and developed a more detailed standard extending the scope of the interception standards. The new standards were designed to apply to a wide range of communications technologies, including the Internet and satellite communications. It also set more detailed criteria for surveillance across all technologies. The result was a 42-page document called ENFOPOL 98 (the European Union designation for documents created by the European Uni Police Cooperation Working Group).[204]
In 1998, the document became public and generated considerable criticism. The committees responded by removing most of the controversial details and putting them into a secret operations manual that has not been made publicly available. The new document, now called ENFOPOL 19, expanded the type of surveillance to include "IP address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address."[205] In April 1999, the Council proposed the new draft council resolution to adopt the ENFOPOL 19 standards into law in the European Union. The Council of Ministers revised the document and, in June 2000, approved a resolution calling for countries:
to ensure that, in the development and implementation - in cooperation with communication service providers - of any measures which may have a bearing on the carrying out of legally authorised forms of interception of telecommunications, the law enforcement operational needs...are duly taken into account.[206]
The annex for the document sets out detailed guidelines for interception requirements for "all telecommunications services, circuit and packet-switched, fixed and mobile networks and services." It expands the coverage of the original International User Requirements (IURs) to now include networking technologies, without acknowledging that technologies such as computer networking generate more and greater details of information including web browsing and mobile location information and thus applying traditional surveillance analogies result in more intrusive surveillance.
A related development has been the use of "black boxes" on ISP networks to monitor user traffic. The actual workings of these black boxes are unknown to the public. What little information has been made public reveals that many of the systems are based on "packet sniffers" typically employed by computer network operators for security and maintenance purposes. These are specialized software programs running in a computer that is hooked into the network at a location where it can monitor traffic flowing in and out of systems. These sniffers can monitor the entire data stream searching for key words, phrases or strings such as net addresses or e-mail accounts. It can then record or retransmit for further review anything that fits its search criteria. In many of the systems, the boxes are connected to government agencies by high-speed connections.
The April 2000, it was publicly revealed that the FBI had developed and was using an Internet monitoring system called "Carnivore" (now called DCS 1000).[207] The system places a PC running Windows NT at an ISP's offices and can monitor all traffic about a user including e-mail and browsing. Carnivore "can scan millions of e-mails a second" and "would give the government, at least theoretically, the ability to eavesdrop on all customers' digital communications, from e-mail to online banking and Web surfing." [208] In response to the public uproar over Carnivore, Attorney General Janet Reno announced that the technical specifications of the system would be disclosed to a "group of experts" to allay public concerns. [209] In the fall of 2000, the Justice Department commissioned a team of experts at the IIT Research Institute and the Illinois Institute of Technology Chicago-Kent College of Law (IITRI) to undertake an independent review of the carnivore system. The IITRI group issued its final report on Carnivore in December 2000 and made several recommendations for changes to the system.[210]
In some countries, there have been laws or decrees enacted to require the systems to build in these boxes. Russia was the first country where this requirement was made public, and according to Russian computer experts, the United States government advised them on implementation. In 1998, the Russian Federal Security Service (FSB) issued a decree on the System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2) that would require ISPs to install surveillance devices and high-speed links to the FSB which would allow the FSB direct access to the communications of Internet users without a warrant. [211] ISPs are required to pay for the costs of installing and maintaining the devices. When an ISP based in Volgograd challenged FSB's demand to install the system, the local FSB and Ministry of Communication attempted to have its license revoked. The agencies were forced to back off after the ISP challenged the decision in court. In a separate case, the Supreme Court ruled in May 2000 that SORM-2 was not a valid ministerial act because it failed several procedural requirements.
Following the Russian lead, in September 1999, Ukrainian President Leonid Kuchma proposed requiring that ISPs install surveillance devices on their systems based on the Russian SORM system. The rules and a subsequent bill were attacked by the Parliament and withdrawn. However, in August 1999, the security service visited several the large ISPs who were reported to have installed the boxes.
In the Netherlands, following the passage of the 1998 Telecommunications Act (see above), the Dutch Forensics Institute[212] developed a "black-box" for ISPs to install on their networks. The black box would be under control of the ISP and turned on after receiving a court order. The box would look at authentication traffic of the person to wiretap and divert the person's traffic to law enforcement if the person is online. Due to the inability of ISPs to adopt the requirements of the law, however, its implementation has been delayed.
In China, a system know as the "Great Firewall" routes all international connections through proxy servers at official gateways, where Ministry for Public Security (MPS) officials identify individual users and content, define rights, and carefully monitor network traffic into and out of the country. At a 2001 security industry conference, the government announced an ambitious successor project known as "Golden Shield." Rather than relying solely on a national intranet, separated from the global Internet by a massive firewall, China will now build surveillance intelligence into the network, allowing it to "see," "hear" and "think."[213] Content-filtration will shift from the national level to millions of digital information and communications devices in public places and people's homes.[214] The technology behind Golden Shield is incredibly complex and is based on research developed largely by Western technology firms, including Nortel Networks, Sun Microsystems and others. The Golden Shield efforts do not signal an abandonment of other avenues of access and content control. For example, details are only beginning to emerge about a new "black box" device, derived from technology previously used in airline cockpit data recorders, and broadly similar to the Carnivore system. Chinese Internet police would use the black box technology to monitor dissidents and collect evidence on illegal activities.[215]
New methods of surveillance, and in particular those capable of circumventing encryption, are also being developed. One such technological device is a "key logger" system. A key logger system records the keystrokes an individual enters on a computer's keyboard. Keystroke loggers can be employed to capture every key pressed on a computer keyboard, including information that is typed and then deleted. Such devices can be manually placed by law enforcement agents on a suspect's computer, or installed "remotely" by placing a virus on the suspect's computer that will disclose private encryption keys.
The question of such surreptitiouspolice decryption methods arose in the case of United States v Scarfo.[216] There, the FBI manually installed a key logger device on the defendant's computer in order to capture his PGP encryption password. Once they discovered the password, the files were decrypted, and incriminatory evidence was found. In December 2001, the United States FBI confirmed the existence of a similar technique called "Magic Lantern."[217] This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target's computer by sending a computer virus over the Internet; rather than require physical access to the computer as is now the case. The new Danish Anti-Terrorism law, enacted in June 2002, appears to give law enforcement the power to secretly install this kind of snooping software on the computers of criminal suspects.[218]
As new telecommunications technologies emerge, many countries are adapting existing surveillance laws to address the interception of networked and mobile communications. These updated laws pose new threats to privacy in many countries because the governments often simply apply old standards to new technologies without analyzing how the technology has changed the nature and sensitivity of the information. It is crucial for the protection of privacy and human rights that transactional data created by new technologies is given greater protection under law than traditional telephone calling records and other transactional information found in older systems.
In the traditional telephone system, transactional data usually takes the form of telephone numbers or telephone identifiers, the call metrics (e.g., length of call, time and date), countries involved, and types of services used. This data is usually collected and processed by telephone companies for billing and network efficiency (e.g., fault correction) purposes. While this data is stored by telephone companies, it is available to law enforcement authorities. Communications content, i.e. conversations, are not stored routinely. As a result, the obstacles to law enforcement access to this data were minimal: traffic data was available, legally less sensitive, and so accessible with lower authorization and oversight requirements. The content of communications was treated as more sensitive, and more invasive, and more difficult to collect, thus typically requiring greater authorization and oversight mechanisms.
Different communications infrastructures give rise to different forms of transactional data, however. When surfing the net, a user can visit dozens of sites in just a few minutes and reveal a great deal about their personal situation and interests. This can include medical, financial, social interests and other highly sensitive personal information. As the Council of Europe acknowledges in the Explanatory Report of the Convention on Cybercrime:
The collection of this data may, in some situations, permit the compilation of a profile of a person's interests, associates and social context. Accordingly Parties should bear such considerations in mind when establishing the appropriate safeguards and legal prerequisites for undertaking such measures.[219]
The detailed and potentially sensitive nature of the data makes it more similar to content of communications than telephone records.
Similarly, location information generated by mobile communications infrastructure, such as mobile phones and mobile IP, is more sensitive than the mere location of a fixed telephony communication. The location information of mobile communications can provide details of an individual's movements and activities and whom they have met with. This location information may be combined with other transactional information such as websites visited using the mobile device, individuals called, search engine requests; all used to create a considerable profile. This affects a wide variety of human rights beyond the right of privacy including the rights of free speech and assembly.
Moreover, newer mobile communications protocols are becoming increasingly specific about location data, and the availability of this information is becoming part of the actual communications protocol. That is, the means of identifying the location of a device is becoming more precision-based, and this location information is communicated to several parties, not necessarily only between the device and the mobile communications operator. As a result, the location of the device can be more easily discerned, not necessarily requiring access to the data held by the operator.
In addition to this data that naturally arises from the functioning of a wireless network, there are other initiatives driving the development of technologies that build in location-tracking capabilities. For example, in the United States, the Federal Communications Commission (FCC) directed wireless telephone service providers to begin implementing Automatic Location Identification (ALI) for emergency (911) calls by October 1, 2001. The ALI "accuracy standards" require providers to develop capabilities that will permit the location of users with the following degrees of precision: for handset-based solutions - 50 meters for 67 percent of calls, 150 meters for 95 percent of calls; for network-based solutions - 100 meters for 67 percent of calls, 300 meters for 95 percent of calls.[220] Other wireless devices and services increasingly are coming into use, including wireless personal digital assistants (PDAs), wireless Internet access, and automotive navigation and assistance services (telematics), which when combined with Global Positioning Satellite capabilities, can determine the physical locations of users very precisely.
While there is likely to be strong commercial and law enforcement demand for the collection and use of the location data generated by these services, a legal framework to protect privacy specifically with respect to location information has not yet been implemented. In the absence of legal clarity, some operators have been keeping this kind of data indefinitely. In October 2001, British mobile operator Virgin Mobile revealed that that it had retained all call records since it was created in 1999. Similarly, in November 2001, it was reported that Irish operators, Eircell and Digifone, were holding customer records for more than six years. In both cases, the operators, stated that they believed they were required to keep these records under the law. [221]
The level of legal protection afforded to other traffic data is similarly unclear. Policies generally treat all of this transactional data as 'traffic data'; this data then bears the protections afforded under the traditional telephone system. The United Kingdom in its Regulation of Investigatory Powers Act 2000 accepted, after an extensive debate, that there are varying levels of sensitivity to this data, and separates 'traffic data' (source and destination of a transaction used for routing within a network) from the more sensitive 'communications data' that includes URLs, domain names, etc. The latter requires greater authorization and oversight procedures. Not all countries have pursued this line of reasoning.
Previous United States policy differentiated between traffic data on cable and telephone communications. The Cable Act traditionally protected traffic data to a greater degree than telephone traffic data. Now that cable infrastructure is used for internet communications (which were previously used over telephone lines, and thus traditional laws applied), successive White House administrations worked to erase this distinction, finally succeeding with the USA-PATRIOT Act. Rather than deal with the specifics of digital communications media and services, the changes in United States law reduces the protections of traffic data for all communications to what had previously existed for telephone communications data. This was clearly intended, under the guise of technological neutrality. According to Attorney General Ashcroft:
Agents will be directed to take advantage of new, technologically neutral standards for intelligence gathering... Investigators will be directed to pursue aggressively terrorists on the internet. New authority in the legislation permits the use of devices that capture senders and receivers addresses associated with communications on the Internet.[222]
On May 30, 2002, the European Parliament voted on the new European Union Electronic Communications and Privacy Directive.[224] In a remarkable reversal of their original opposition to data retention, the members voted to allow each European Union government to enact laws to retain the traffic and location data of all people using mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication devices, to communicate. The new Directive reverses the 1997 Telecommunications Privacy Directive by explicitly allowing European Union countries to compel Internet service providers and telecommunications companies to record, index, and store their subscribers' communications data.[225] The data that can be retained includes all data generated by the conveyance of communications on an electronic communications network ("traffic data") as well as the data indicating the geographic position of a mobile phone user ("location data").[226] The contentsof communications are not covered by the data retention measures. These requirements can be implemented for purposes varying from national security to criminal investigations and prevention, and prosecution of criminal offences, all without specific judicial authorization.
Although this data retention provision is supposed to constitute an exception to the general regime of data protection established by the directive, the ability of governments to compel Internet service providers and telecommunications companies to store all data about all of their subscribers can hardly be construed as an exception to be narrowly interpreted. The practical result is that all users of new communications technologies are now considered worthy of scrutiny and surveillance in a generalized and preventive fashion for periods of time that States' legislatures or governments have the discretion to determine. Furthermore, because of the cross-border nature of Internet communications, this Directive is likely to have negative repercussions for citizens of other countries. There is a significant risk that non-European Union law enforcement agencies will seek data held in Europe that it can not obtain at home, either because it was not retained or because their national law would not permit this kind of access.
During the debates on the Directive, many members of the European Parliament, and the European Union privacy commissioners consistently opposed data retention, arguing that, these policies are in contravention of data protection practices of deletion of data once it is no longer required for the purpose for which it was collected; and also in contravention of proportionality principles in accordance with constitutional laws and jurisprudence. Similarly, the Global Internet Liberty Campaign, a coalition of 60 civil liberties groups organized a campaign and drafted an open letter to oppose data retention. The letter was sent to all European Parliament members and heads of European Union institutions after more than 16,000 individuals from 73 countries endorsed it in less than a week.[227]The letter asserted that data retention (for reasons other than billing purposes) is contrary to well-established international human rights conventions and case law.
While a few other countries have already established data retention schemes (Belgium, Denmark, France, Spain, Switzerland and the United Kingdom) the implementation phase of the Directive's data retention provision may be bumpy in other Member States. Already in the United Kingdom, after a review by a parliamentary committee, significant questions have been raised regarding the legality, invasiveness, and the financial burdens involved in data retention.[228] The Directive may be seen as being in conflict with the constitutions of some European Union countries, with respect to fundamental rights such as the presumption of innocence, the right to privacy, the secrecy of communications, or freedom of expression.[229]In Finland, because of concerns regarding freedom of speech and privacy, content retention requirements have been reduced to three weeks at most, and for Internet traffic data no retention is required. [230]
Meanwhile, the situation is uncertain in Austria, Germany, Greece, Italy, Luxembourg, Portugal, and Sweden as they consider or question the means through which they can establish retention policies.[231] In Ireland, proposals from the Department of Justice have been poorly received from the industry, the Data Protection Commissioner, the Department of Communications, and the Marine and Natural Resources.[232] Industry associations in several countries[233] and the International Chamber of Commerce have all announced their concerns with general retention laws.[234] In all, nine states have established laws so far; while ten out of fifteen EU governments favor a "harmonizing" EU measure.[235]
A related effort for enhancing government control of the Internet and promoting surveillance is also being conducted in the name of preventing "cyber-crime," "information warfare" or protecting "critical infrastructures." Under these efforts, proposals to increase surveillance of the communications and activities of Internet users are being introduced as a way to prevent computer intruders from attacking systems and to stop other crimes such as intellectual property violations.
The lead bodies internationally are the Council of Europe and the G-8, while there has also been some activity within the European Union.[236] The United States has been active behind the scenes in developing and promoting these efforts.[237] After meeting behind closed doors for years, these organizations finally, in 2000, made public proposals that would place restrictions on online privacy and anonymity in the name of preventing cyber-crime.
The Council of Europe is an intergovernmental organization formed in 1949 by West European countries. There are now 43 member countries. Its main role is "to strengthen democracy, human rights and the rule of law throughout its member states." Its description also notes that "it acts as a forum for examining a whole range of social problems, such as social exclusion, intolerance, the integration of migrants, the threat to private life posed by new technology, bioethical issues, terrorism, drug trafficking and criminal activities."
On September 8, 1995, the Council of Europe approved a recommendation to enhance law enforcement access to computers in member states. The Recommendation of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information states:
Subject to legal privileges or protection, investigating authorities should have the power to order persons who have data in a computer system under their control to provide all necessary information to enable access to a computer system and the data therein. Criminal procedure law should ensure that a similar order can be given to other persons who have knowledge about the functioning of the computer system or measures applied to secure the data therein.
Specific obligations should be imposed on operators of public and private networks that offer telecommunications services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the investigating authorities.
Measures should be considered to minimize the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary.
In 1997, the Council of Europe formed a Committee of Experts on Crime in Cyber-space (PC-CY). The group met in secret for several years drafting an international treaty and in April 2000, released the "Draft Convention on Cyber-crime, version 19." Several subsequent versions were released until version 27 was released in June 2001.
The convention has three parts. Part I proposes the criminalization of on-line activities such as data and system interference, the circumvention of copyright, the distribution of child pornography, and computer fraud. Part II requires ratifying states to pass laws to increase their domestic surveillance capabilities to cater for new technologies. This includes the power to intercept internet communications, gain access to traffic data in real-time or through preservation orders to ISPs, and access to secured or "protected" data. The final part of the treaty requires all states to cooperate in criminal investigations. So, for example, country A can request country B to utilize any of the aforementioned investigative powers within country B for a crime that is being investigated in country A. There is no requirement for the crime in country A to actually qualify as a crime in country B, i.e. no requirement for dual-criminality. In this sense, the convention is the largest mutual legal assistance regime in criminal matters ever created.
The draft convention text was strongly criticized by a wide variety of interested parties including privacy and civil liberties groups for its promotion of surveillance and lack of controls such as authorization requirements and dual criminality;[238] prominent security experts for previously articulated limitations on security software;[239] and industry for the costs of implementing the requirements, and the challenges involved in responding to requests from 43 different countries. The European Union's Data Protection Working Group has expressed concern regarding the convention's implications upon privacy and human rights, concluding that:
The Working Party therefore sees a need for clarification of the text of the articles of the draft convention because their wording is often too vague and confusing and may not qualify as a sufficient basis for relevant laws and mandatory measures that are intended to lawfully limit fundamental rights and freedoms.[240]
The convention text was finalized in September 2001. After the terrorist attacks on the United States, the convention was positioned as a means of combating terrorism. A signing ceremony took place in November 2001 where it was signed by thirty countries, and later signed by another four. The Convention is open to the members of the Council of Europe and to countries that were involved in the development, which includes the United States, Canada, Japan and South Africa.
The convention will come in to force once ratified by five signatories states, of which three must be members of the Council of Europe. Once it is in force, other non-COE countries like China and Singapore can also ask to join. The Australian government announced in July 2001 that its bill on computer crime, which requires users to provide encryption keys, is based on the Convention.[241] So far only Albania, Croatia, and Estonia have ratified the convention. Romania has incorporated some of the language of the convention into its law on transparency and corruption.[242]
A protocol on Racism and Xenophobia was released in November 2002. This protocol will require the criminalization of certain forms of Internet speech that some might find offensive. [243] The Bush Administration has already stated that it will not support the protocol.[244] There was some discussion of a second protocol on "terrorist messages and the decoding thereof," however discussion on this matter has not advanced publicly.[245]
The G-8 is made up of the heads of state of eight industrialized countries in the world (Canada, France, Germany, Italy, Japan, Russia, the United Kingdom, and the United States. The European Commission participates as an observer). The leaders have been meeting annually since 1975 to discuss issues of importance, including economics and finance, transnational organized crime, terrorism, and the information society.
Since 1995, the G-8 has become increasing more involved in the issue of high-tech crime, and has created working groups and issued a series of communiqués from the leaders and actions plans from justice ministers. Much of this work has been coordinated by the Lyon Group, established formally in 1997.
At the Birmingham, England summit in May 1998, the G-8 adopted a recommendation on ten principles and a ten-point action plan on high-tech crime. The ministers announced:
We call for close cooperation with industry to reach agreement on a legal framework for obtaining, presenting and preserving electronic data as evidence, while maintaining appropriate privacy protection, and agreements on sharing evidence of those crimes with international partners. This will help us combat a wide range of crime, including abuse of the Internet and other new technologies.
The G-8 has met several times with industry and is actively promoting requirements that Internet Service Providers maintain records of all of their users' activities in case there is a future need to investigate a crime that might have occurred. These requirements were strongly criticized at a meeting held by the G-8 in Japan in 2001 where industry and a civil liberties group were invited and a draft press release and guidelines that promoted data retention had to be withdrawn after they had already been made public.
The G-8 has continued its activity in the area of law enforcement and combating terrorism, however. Throughout 2002 several summits involving Finance Ministers, Justice and Interior Ministers, and heads of state have released several statements regarding increased surveillance, traceability of communications,[246] and data retention.[247] Increased cooperation across borders was discussed at length; and as with the Council of Europe convention, no requirements of dual-criminality or double-criminality are necessary.
In July 2000, the Commission announced plans for a new directive for fighting cyber-crime.[248] A communication was released in January 2001.[249] While similar to the Council of Europe convention in many ways, the Commission's proposal also included proposals regarding data retention and the reduction of anonymity. These policies were sought within "public forums" (only with limited invited speaking slots) in the fall of 2001, with unclear and unpublished results.
The retention proposal was sought in the alternative forum of the Directive on Privacy and Electronic Commerce in the European Parliament. The substantive law measures of criminalizing data and systems interference and defining other such offences are being pursued as a Council Framework Decision, currently in draft mode.[250] This initiative is designed to be consistent with the CoE and G-8 activities.
In contrast to many of these law enforcement-driven initiatives, the Organisation for Economic Cooperation and Development (OECD) has tended to take a broader view of security issues. In 1992, the OECD issued Guidelines for the Security of Information Systems.[251] Containing nine principles, the Guidelines stress the importance of ensuring transparency, proportionality and other democratic values when establishing measures, practices and procedures for the security of information systems. In the fall of 2001, the OECD Working Party on Information Security and Privacy (WPISP) established a group of experts to conduct a review of these guidelines (such a review must take place every five years). The group of experts met four times between December 2001 and June 2002 and recommended several changes. OECD released the revised guidelines in the fall of 2002. Although the guidelines have been substantially revised, the need to ensure key democratic values, such as openness, transparency and the protection of personal information, is nonetheless reiterated in the principles.
In the past several years, there has been considerable attention given to mass surveillance by intelligence agencies of international and national communications. Investigations have been opened and hearings held in parliaments around the world about the "Echelon" system coordinated by the United States.
Immediately following the Second World War, in 1947, the governments of the United States, the United Kingdom, Canada, Australia and New Zealand signed a National Security pact known as the "Quadripartite," or "United Kingdom - United States" (UKUSA) agreement. Its intention was to seal an intelligence bond in which a common national security objective was created. Under the terms of the agreement, the five nations carved up the earth into five spheres of influence, and each country was assigned particular signals intelligence (SIGINT) targets.
The UKUSA Agreement standardized terminology, code words, intercept handling procedures, arrangements for cooperation, sharing of information, Sensitive Compartmented Information (SCI) clearances, and access to facilities. One important component of the agreement was the exchange of data and personnel.
The strongest alliance within the UKUSA relationship is the one between the United States National Security Agency (NSA), and Britain's Government Communications Headquarters (GCHQ). The NSA operates under a 1952 presidential mandate, National Security Council Intelligence Directive (NSCID) Number 6, to eavesdrop on the world's communications networks for intelligence and military purposes. In doing so, it has built a vast spying operation that can reach into the telecommunications systems of every country on earth. Its operations are so secret that this activity, outside the United States, occurs with little or no legislative or judicial oversight. The most important facility in the alliance is Menwith Hill, a Royal Air Force base in the north of England. With over two dozen domes and a vast computer operations facility, the base has the capacity to eavesdrop on vast chunks of the communications spectrum. With the creation of Intelsat and digital telecommunications, Menwith Hill and other stations developed the capability to eavesdrop on an extensive scale on satellite-borne fax, telex and voice messages.
The current debate over NSA activities has focused on the existence of a signals intelligence system known as "Echelon." United States officials have refused to confirm the existence of this or any other surveillance systems. In May 2001, the European Parliament's Temporary Committee on the Echelon Interception System (established in July 2000) issued a report concluding that "the existence of a global system for intercepting communications... is no longer in doubt."[252] According to the committee, the Echelon system (reportedly run by the United States in cooperation with Britain, Canada, Australia and New Zealand) was set up at the beginning of the Cold War for intelligence gathering and has developed into a network of intercept stations around the world. Its primary purpose, according to the report, is to intercept private and commercial communications, not military intelligence.
The report recommended "self-protection" by EU citizens and companies, and encouraged further development and use of encryption technology within Europe to protect communications against surveillance. The report also recommended actions to be taken by the European Parliament during its September 2001 session in Strasbourg. These included provisions for the United States to (1) Negotiate and sign an agreement with the European Union (European Union) requiring both parties to "observe, vis-à-vis the other, the provisions governing the protection of the privacy of citizens and the confidentiality of business communications applicable to its own citizens and firms;" (2) sign the International Covenant on Civil and Political Rights so complaints by individuals could be submitted to the Human Rights Committee created by the covenant; (3) negotiate with Member States a code of conduct akin to that of the European Union; and (4) begin a dialog with the European Union on economic intelligence gathering. (On this point the Committee did not find widespread evidence of Echelon being used primarily for economic intelligence gathering). The Committee also recommended that Germany and the United Kingdom condition further authorization of United States communications interception operations within their territories on United States compliance with the European Convention on Human Rights. No further action on these recommendations has been taken.
Prior to issuing its report, the Temporary Committee traveled to Washington, DC to meet with senior Bush administration government and intelligence officials to discuss Echelon. When they arrived, however, their meetings with these officials at the Departments of State, Commerce and Defense, the CIA and the NSA were cancelled at the last minute. The European Parliament subsequently issued a Resolution protesting this move.[253]
The work of the recent Temporary Committee was based on two earlier reports of the European Parliament. The first, "An Appraisal of the Technologies of Political Control,"[254] was published in 1997 and stated that the NSA had established an integrated communications surveillance capability in Europe. It described Echelon as a communications intelligence sharing sub-system capable of scanning particular communications to detect information of interest. In 1999, the second European Parliament report, "Interception Capabilities 2000" set out the technical specifications of the interception system.[255] The report described the merger of Echelon and the International Law Enforcement Telecommunications Seminar (ILETS) stating that in time, the two vast systems - one designed for national security and one for law enforcement - would merge, and in the process will compromise national control over surveillance activities.
These recent events have left observers contemplating two profound conclusions. First, as long as the UK-USA SIGINT partners police and govern their own operations outside of actual effective parliamentary and judicial oversight, there is good reason to believe that SIGINT can be turned against individuals and groups exercising civil and political rights. There is ample evidence that the activities of Greenpeace, Christian Aid, Amnesty International, the International Committee to Ban Landmines, the Tibetan government-in-exile, various anti-globalization movements like the Independent Media Center, and the International Committee of the Red Cross have been targeted by UKUSA agencies. Second, there is an increasing blurring between the activities of intelligence agencies and law enforcement. The creation of a