Contents
RESPONDING TO TERRORISM
IDENTITY SYSTEMS
SURVEILLANCE OF COMMUNICATIONS
TRAVEL PRIVACY
AUDIO BUGGING
VIDEO SURVEILLANCE
SATELLITE SURVEILLANCE
ELECTRONIC COMMERCE
RADIO-FREQUENCY IDENTIFICATION (RFID)
PUBLIC RECORDS
CENSUS
DIGITAL RIGHTS MANAGEMENT
AUTHENTICATION AND IDENTITY DISCLOSURE
WHOIS
UN WSIS AND PRIVACY
SPY TV: INTERACTIVE TELEVISION & "T-COMMERCE"
GENETIC PRIVACY
WORKPLACE PRIVACY
E-VOTING PRIVACY
NANOTECHNOLOGY
It may take some years to fully evaluate the
effects of the terrorist attacks of the past few years on privacy and civil
liberties. In the wake of each attack, previous proposals were re-introduced,
and new policies with similar objectives were drafted to extend police
surveillance authority. Three years on from September 11 2001, the political landscape has shifted significantly in many, if not most, countries.
The policy changes were not limited to the United
States, as a large number of countries responded to the threat of terrorism.
With terrorist actions around the world, including in Madrid (Spain), Bali, Russia,
Morocco, and Saudi Arabia, governments have seized on these events as
opportunities to create and enhance their powers. The country reports in this
survey outline, in more detail, the many legislative shifts that took place
around the world. Terrorism politics is truly global.
The changes in anti-terrorism laws are not the
only policy transformations in response to terrorism. The mere threat of
terrorism has changed political discourse. In some cases, the war on terrorism
has given new life to previously failed proposals such as ID cards in the United
Kingdom. In 2003, the UK government returned to the rhetoric of terrorism to
shore up support for the cards while previously fraud and asylum seekers were
used.
Despite more recent statements by the Home Office Minister, quietly admitting
that ID cards will have no effect on combating terrorism, the policy is seen as
inseparable in the minds of the people, despite mounting evidence stating
otherwise.
When terrorism was not part of the government's official rhetoric, supporting
members of parliament and the media continued to relate ID cards with
strategies to combat terrorism.
In some cases, policies have been adopted from
other countries with little consideration to the variances in political
dynamics. Hong Kong attempted to harmonize its laws on sedition with mainland China,
requiring a standardization of criminalized groups. Malaysia decided against
repealing its Internal Security Act 1960 involving detention. South Africa and Jamaica's
draft anti-terrorism laws copy Canada's proposed definition of "terrorist
activity," even though Canada later changed its definition due to concerns
of confusing protesters and terrorists.
In other cases, the mere increase of state power
is immediately associated with the war on terrorism; whether requiring the
removal of veils for drivers license photos,
secret seizure of packages from the media,
clamping down on train-spotters and -photographers, chasing down
opposition parties,
and the equation of terrorism to separatism
and its implications,
or suppressing dissent,
amongst others. Canada is attempting to create a travelers' database for
anti-terrorism purposes, and other crimes; the United Kingdom managed to
pass data retention laws in the legislative environment of the aftermath of
September 2001; while retained data could be accessed, under another law, for
practically any crime. In the US, concerns have arisen regarding the use of
counter-terrorism powers to seize funds from foreign banks that do business in
the US for investigations that are unrelated to terrorism.
In other situations, these laws may be passed and
used to suppress dissent. In Italy, the Interior Minister warned of warned of a
growing climate of "widespread political illegality;" mixed together
Islamic terrorist groups, endogenous leftwing armed groups, anarchist
insurrectionaries, and right wing groups as a common threat. Moldova's bill to
fight extremism coincides with the government's intention to minimize dissent
as it allows the banning of political parties, public and religious
associations, and medial outlets if they promote violent overthrow of country's
territorial integrity, undermining state power, or setting up illegal armed
organizations. Georgia's bill,
drafted in consultation with European colleagues according to a state security
ministry official,
provides for restricting or suspending the activities of organizations that
receive foreign funding and whose activities "threaten Georgia's national
interests," but fails to define those interests.
While the legal landscape is shifting and
affecting many components of human rights, and not only privacy, in many cases
these policies are founded upon its curtailment.
The immediate period after September 2001 was a
time of fear, flux and uncertainty. The United Nations responded with
Resolution 1368 calling on increased cooperation between countries to prevent
and suppress terrorism.
NATO invoked Article 5, claiming an attack on any NATO member country is an
attack on all of NATO; legislatures responded accordingly. The Council of
Europe condemned the attacks, called for solidarity, and also called for
increased cooperation in criminal matters.
Later the Council of Europe Parliamentary Assembly called on countries to
ratify conventions combating terrorism, lift any reservations in these
agreements, and extend the mandate of police working groups to include
"terrorist messages and the decoding thereof." The European Union
responded similarly, pushing for a European arrest warrant, common legislative
frameworks for terrorism, increasing intelligence and police cooperation, freezing
assets and ensuring passage of the Money Laundering Directive. The OECD furthered
its support for the Financial Action Task Force on Money Laundering and, along
with the G-7
and the European Commission, called for the extension of its mandate to combat
terrorist financing.
These calls for international cooperation were perceived by many as impetus to
create new laws.
The European Commission considered requiring
every member state of the European Union to make cyber-attacks punishable as a
terrorist offence. New Zealand minimized public consultation on a proposed law
to freeze the financial assets of suspected terrorists because the government
felt it was bound by United Nations Security Council resolutions. France
expanded police powers to search private property without warrants. Germany
reduced authorization restraints on interception of communications, and
increased data sharing between law enforcement and national security agencies.
Australia and Canada both introduced laws to
redefine "terrorist activity" and to grant powers of surveillance to
national security agencies (ASIO and CSIS respectively) for domestic purposes
if terrorist activity or a terrorist affiliation is suspected. India passed a
law to allow authorities to detain suspects without trial, conduct increased
wiretapping, and seize funds and property. The United Kingdom passed a law
permitting the retention of data for law enforcement purposes in contravention
to existing data protection rules. The United States passed several laws,
including the USA-PATRIOT Act, which increases surveillance powers and
minimizes oversight and due process requirements.
Within this deluge of new policy proposals in the
immediate period after September 2001, several trends may be identified.
Almost every country that changed its laws to
reflect the environment following September 2001 increased the ability of law
enforcement and national security agencies to perform interception of
communications, and transformed the powers of search and seizure, and an
increase in the type of data that can be accessed.
The novelty in these initiatives tends to arise
in the reduced authorization requirements and oversight. This included
initiatives to weaken due process requirements; as occurred in Canada where the
first anti-terrorism bill proposed that law enforcement agencies would no
longer be required to justify the need for the wiretap. That is, in existing
law, the judge authorizing the interception would need to be satisfied that
"other investigative procedures have been tried and have failed, other
investigative procedures are unlikely to succeed or the urgency of the matter
is such that it would be impractical to carry out the investigation of the
offence using only other investigative procedures." In the law, an
exception is established for all offences that fall under the broad category of
"terrorist activity." Other parts of the law allow for interception
authorization by the Minister of Defense instead of requiring judicial
authorization.
There is also a general increase in the breadth
of application of these powers, by incorporating and including new technologies
and communications infrastructures, permitting additional government agencies
to use these powers, and formalize roving powers. The USA-PATRIOT Act codified
the use of Carnivore-style Internet surveillance technology, granting access to
sensitive traffic data with only a court order rather than a judicial warrant.
Moreover, the reporting regime in the United States was weakened with
amendments to the Foreign Intelligence Surveillance Act so that fewer warrants
would have to be requested and reported because the expiration time period was
increased, and 'generic' orders could be requested allowing one warrant to be
served on multiple service providers.
Attempts to differentiate the authorization and
oversight requirements based on the communications-technology also occurred.
The Australian government proposed in its Telecommunications Interception
Legislation Amendment Bill 2002 to grant powers to intercept and read e-mail,
SMS and voice mail messages without a warrant because these communications were
considered access to 'stored' data rather than 'intercepted' in real-time. This
proposed act was rejected in the Senate in June 2002; however, the
Government claims that it "remains of the view that the approach adopted
in the bill with respect to stored information is appropriate. However, to
avoid holding up this important package of legislation, the government has
agreed to remove these provisions from the bill and to deal with the issue at a
later date." This did not stop
a significant increase in interceptions in Australia however. According to
parliamentary findings, in 2002 there were 17,000 mail investigations, 2,514
wiretaps, and access to 733,000 telephone bills; a remarkable increase from
previous years.
In 2000, the United Kingdom proposed a policy to
require the retention of communications traffic data for up to seven years by a
central government authority.
While the proposal faced significant resistance in the public discourse at that
time, in December 2001 a similar policy was introduced and passed under the United
Kingdom's anti-terrorism law in response to the events of September 2001. The
new European Union directive on data protection in electronic services also
supports the creation of such data retention laws within the European community
and is consistent with international pressure to weaken data protection. In
October 2001, President Bush sent a letter to the President of the European
Commission requesting that the European Union "[c]onsider data protection
issues in the context of law enforcement and counterterrorism imperatives,"
and as a result to "[r]evise draft privacy directives that call for
mandatory destruction to permit the retention of critical data for a reasonable
period."
Building from previously articulated concerns that "[d]ata protection
procedures in the sharing of law enforcement information must be formulated in
ways that do not undercut international cooperation," the United States
Department of Justice submitted several recommendations to the European
Commission working group on cybercrime, including the recommendation that
Any data protection
regime should strike an appropriate balance between the protection of personal
privacy, the legitimate needs of service providers to secure their networks and
prevent fraud, and the promotion of public safety.
This perspective was reiterated in May 2002, this
time by the Group of 8 Justice and Interior Ministers, requesting that
countries
Ensure data protection
legislation, as implemented, takes into account public safety and other social
values, in particular by allowing retention and preservation of data important
for network security requirements or law enforcement investigations or
prosecutions, and particularly with respect to the Internet and other emerging
technologies.
Individuals and citizens are at the same time
losing subject access rights under data protection and freedom of information
regimes. In the interests of critical infrastructure protection, access to
information is being reduced, limiting government accountability. Meanwhile, in
order to protect sensitive investigative and intelligence data, subject access
requests are restricted as some data banks are being exempted from both data
protection and freedom of information laws.
Several policies were introduced to enable and
promote increased data sharing, both within and across government agencies, and
with the private sector. The sharing of data between agencies introduces
purpose-creep where data collected for one purpose is used for another, but
also introduces highly sensitive data to arms of government that can not be
expected to protect the data adequately.
There are significant shifts in the policies and
practices in the United States with changes to the Attorney General Guidelines
regulating the actions and capabilities of the Department of Justice and FBI,
increased sharing of information between the FBI and CIA supported by the
USA-PATRIOT Act, and proposed policies to increase sharing with local law
enforcement agencies. The United States is not alone in introducing such
policies. The United Kingdom is proposing "joined-up government"
within its consultation paper on modernizing government and public services to create
"data-sharing gateways" and provide "seamless" services. It
also tried unsuccessfully to allow practically any government agency to gain
access to the traffic data of individuals under the Regulation of Investigatory
Powers Act, including local councils and parishes.
The increased flow of data is also coming from
the private sector. The United Kingdom and Canada proposed laws to grant law
enforcement agencies access to travelers' information. The United Kingdom Home
Office has recommended that it gain access to information from every passenger
before international flights.
The Canadian policy proposed to grant both the federal law enforcement and the
intelligence agencies access to air passenger information, regardless of
domestic or international travel, and to match this data with other personal
information
for a wide number of purposes and investigations, not limited only to
terrorism.
Similarly, the European Union considered granting
Europol access to the Schengen Information System, including privileges to
change the information held on travelers.
Data sharing between financial institutions and with government agencies also
increased. New money laundering agreements and regulations have been introduced
to increase surveillance of transactions, and even expanded to include hedge
funds and money transfer firms.
Donations to charities are receiving further scrutiny as both the charities and
the donors are monitored to investigate links with terrorist groups. Some financial
institutions are also sharing personal information between themselves in order
to minimize risk of clients being terrorists, or "undesirables."
This year further information has leaked
regarding the use of the controversial private-run profiling system, MATRIX
(Multistate Anti-TerRrorism Information eXchange). This system combines
information from government databases and private-sector companies. According
to its promotional material, "When enough seemingly insignificant data is
analyzed against billions of data elements, the invisible becomes
visible."
Although many states have withdrawn from the system, it was uncovered that the
system, developed by Florida-based company Seisint, was used extensively in the
months following the attacks on the World Trade Center and Pentagon. With
funding from the US Department of Justice and Department of Homeland Security, the system
identified 120,000 people who showed a statistical likelihood of being
terrorists.
This "High-Terrorism Factor" was used to conduct investigations and
arrests after the information was submitted to state policy, former Immigration
and Naturalization Service, FBI, and the Secret Service.
Following from data sharing, there are several
proposals to create profiles or increase the existing profiles of individuals.
This occurs in several stages; the most immediate appears to be the profile of
travelers. There are proposals for a next generation computer-assisted
passenger prescreening system that will bring in data from credit-reporting
agencies and other companies,
and even previous flights and registries, set for data mining. Other proposals
include trusted-traveler programs involving biometrics in both the United
States and Germany,
similar to schemes used at Ben Gurion Airport in Tel Aviv. Some airports have
also installed face-recognition technologies, while similar technologies are
being implemented at national monuments, and even beaches.
In the longer term there are several proposals to
increase profiling of citizens and non-citizens. These proposals are typically
enhanced and complemented by national identification schemes, enhanced with
biometrics. There was considerable discussion in the United States in
introducing such a national ID card scheme but no formal policy was introduced.
Meanwhile non-citizens may already be tracked at border entry points and as
they move within the country. A system called Student and Exchange Visitor
Information System keeps track of foreign students to ensure that they are
still registered and maintains a log of their addresses.
The United Kingdom proposed the adoption of entitlement
cards in an effort to deal with immigration and illegal work and identity
theft, but also supported by the fight against terrorism. Similarly, Hong Kong
planned to introduce a biometric chip identity card to verify fingerprints to
authenticate travelers into China.
None of the above trends were necessarily new;
the novelty is the speed in which these policies gained acceptance, and in many
cases, became law in the period following September 2001.
New policies to combat terrorism continue to
emerge. The United States continues to lead with new policies, technologies,
and practices. The importance of the US policies is that they tend to influence
policies and citizens of other countries. By September 2002, the Office of
Management and Budget counted 58 new regulations responding to terrorism; by March 2003 the
General Accounting Office counted nine new National Strategies; there have been
innumerable laws passed at the federal and state levels; countless changes
in administrative measures, including the Attorney General Investigative
Guidelines; and some attention has been given to policies and projects from
various departments, not limited to the Terrorism Information Awareness Program
(TIA) and Computer Assisted Passenger Prescreening (commonly referred to as
CAPPS II).
The management of US borders continues to receive
policy attention. There are increased interviews of visa applicants,
requirements for machine-readable passports from other countries, and plans to
track foreign visitors by collecting information such as fingerprints and
photographs.
Meanwhile, US Customs officials have been meeting
with EU officials regarding the transfer of and access to passenger personal
data, as required under Aviation and Transportation Security Act 2001. The EU's
Article 29 working group on data protection noted several problems with the
proposed data sharing, including the retention time (proposed period of 7-8
years was considered unjustified), and the excessive amount of data being
requested.
The negotiations that followed over 2003 and the beginning of 2004 have
resulted in the EU's capitulation, however. The European Commission agreed
early 2004 to submit European airlines' customer information to the Department
of Homeland Security, despite numerous unresolved issues. The Department of
Homeland Security has promised to keep passenger data only for 3.5 years. The
DHS has not changed its demands regarding the amount of data requested, and has
not committed itself not to use the data later for profiling purposes. The
Commission was anxious to see an agreement emerge, and is also hoping for
reciprocity from American carriers, as the EU embarks on its own passenger
profiling scheme.
Several other programs for data-sharing and
data-mining have been developed, including the Terrorism Information Awareness
(TIA) Program, renamed in May 2003 from Total Information Awareness.
This program was one of many post-September 11 responses to terrorism. TIA is a
now-defunct program of the Defense Advanced Research Projects Agency (DARPA)
that intended to scan ultra-large databases of personal information to detect
the "information signature" of terrorists. The program was
headed by Admiral John Poindexter, and was renamed "Terrorism Information
Awareness" to pacify critics.
Congress acted to limit the project in February 2003 by requiring DARPA to
submit a detailed report on TIA and later in the year, cut funding for
Poindexter's entire Information Awareness Office.
Further data collection measures that were
controversial in 2003 included the registration of immigrants and
fingerprinting. The National Security Entry-Exit Registration System (NSEERS)
involved the registration of nearly 82,000 male immigrants and visitors from predominantly
Muslim countries, leading to possibly 13,000 deportations. The information
will be stored in a secure government database along with travel data, photos,
and will be matched against other data held on potential terrorists. Officials have admitted,
according to the New York Times, that only 11 individuals have been identified
to have links to terrorism.
Another system, the Student and Exchange Visitor Information System (SEVIS), to
track the nearly one million foreign students in the US, has also been
problematic due to poor technology and limited resources. These systems were
merged under the US-VISIT program, which began in January 2004, and will be
fully implemented at airports in the US, applying to all foreign travelers in
September 2004.
There have also been several developments in surveillance law. The use of the
USA-PATRIOT Act continues to be questioned. There have been attempts at
extending its contentious measures that are supposed to sunset at the end of
2005.
After an extensive cross-country campaign by Attorney General John Ashcroft,
the White House has exerted a great deal of pressure on Congress to prevent
laws that scale back the powers
and to extend the more invasive provisions indefinitely. A recent effort to
water down the law was rejected in the House of Representatives by a 210 to 210
tie vote, after debate was prolonged when it appeared that the law's reach
would be minimized.
Finally, in February 2003 a draft bill was
uncovered, entitled the Domestic Security Enhancement Act of 2003 that contains
several new powers including the ability to strip citizenship, wiretaps without
court orders, secret detentions, limits on the challenging of secret evidence,
increased use of DNA without court orders and consent, increased data sharing,
and increased international cooperation in search and seizure and extradition.
Other countries have found novel means of
implementing invasive policies and practices. The global legal landscape is
fragmented. In some countries there are no specific terrorism laws as yet, such
as in Belgium. Other countries have been very active in implementing laws.
Among the remarkable legal developments include
laws on increasing the powers of law enforcement and national security agencies
to arrest and detain individuals. Australia has been the leader, outside of the
US. In 2002, the Australian Parliament considered at least eight bills on
terrorism. The most controversial has been the Australian Security Intelligence
Organization Legislation Amendment (Terrorism) Bill 2002. An earlier
version of the bill gave rise to a 27-hour debate that had to be shut down by
the Prime Minister in the fall of 2002.
Reintroduced in late 2002 and debated intensely in 2003, it was passed in June
2003. The law allows for warrants to detain citizens 18 years of age and older
for seven days if it is believed that the citizen has information that may be
useful to combat terrorism; while citizens from age 16 may be detained if they
are suspected of terrorist activity. Interrogation may occur for three
eight-hour periods. The warrants may be applied successively, with no limit.
Earlier drafts of the bill gave rise to
significant concern from the opposition and civil society; many of these
concerns continue unabated. The Australian law society has articulated concerns
regarding limitations on the right against self-incrimination. The opposition
parties prevented the application of the law unto citizens of age 14 to 16. Meanwhile
amendments to limit the successive application for warrants were voted down.
The law does include a three-year sunset provision.
Similar laws on detention have arisen elsewhere. Columbia
is proposing to amend its constitution to give police forces the power to make
arrests, conduct searches without warrants, and detain individuals for 36 hours
without judicial authorization. The Senate has already approved this proposal,
while the House of Representatives is expected to do so at the end of July. Canada's
antiterrorism law, enacted in December 2001, allowed for preventative arrests
without warrant and investigative hearings. Since then, the Solicitor General
of Canada has released a report noting that the detention power has not been
used,
nor have investigative hearings been convened.
Egypt extended its emergency laws for another
three years allowing for similar powers of detention. Egypt has been applying
the extension continuously since 1981.
The US Department of State has expressed concerns regarding these powers, as
the Egyptian government applies emergency courts for cases not linked to
national security, while also referring civilians to military tribunals for
non-violent offences.
In the period following the bombings in Bali, the
Indonesian government decreed to the law enforcement agencies the power to
detain individuals without evidence.
This power evolved into law in March 2003 where individuals could be detained
for six months based on prima facie evidence, while also allowing intelligence
to be used as evidence, and increased abilities to conduct interception of
communications, among other powers.
Similar to the Egyptian situation, the US Department of State has also made
public its concerns regarding the application of state powers, particularly in
the conviction of political activist in June 2003.
Kenya has also received some terrorist attention.
Following alerts from the United Kingdom and the United States, the Kenyan
government published a Suppression of Terrorism Bill in June 2003; subsequently
published in full by the Daily Nation newspaper. The bill provides
for the power to detain any person in a place that is subject of an urgent
search permit; any police officer above rank of inspector may detain a suspect incommunicado
for up to 36 hours without access to lawyer; while also granting immunity to
the police for application of "reasonable force." In broadening
those who can be identified as terrorist, the bill includes any given
individual who "(a) wears an item of clothing; or (b) wears, carries or
displays an article, in such a way or in such circumstances as to arouse
reasonable suspicion that he is a member or supporter of a declared terrorist
organization shall be guilty of an offence and shall be liable on conviction to
imprisonment for a term not exceeding six months, or both."
South Africa's draft bill contains similar
provisions. Providing food, drink and clothing to a member of a terrorist
organization;
definition of terrorism is broad to include act "likely to intimidate the
public or a segment of the public;" media also oppose because could compel
public and journalists to become snoops.
The Philippines has also been actively
confronting terrorism and devising new policies. A proposed law provides for
longer periods of detention without a warrant, and the Anti-Terrorism Action
Council (including eight cabinet members and governor of the Central Bank) may
authorize the interception of communications and freezing of bank accounts.
There are alternative wordings for legalizing
detention and other coercive powers, however. South Africa's proposed bill also
proposes detention powers in its bail procedures, despite promises
from the government otherwise.
The Tanzanian bill requires "cooperation with the authorities" on the
basis of perceived international commitments.
Sudan is applying its powers, given to a special branch to prosecute
terrorism suspects, and particularly "religious extremists and armed
bandits."
In early 2002 some progress had been made on
legal appeals regarding detention. In the United Kingdom, a Special Immigration
Appeals Tribunal decided against the government's policy on detention because
it was specifically targeting non-British citizens, and thus in contravention
of the European Convention of Human Rights equal protection clauses. The
government quickly appealed, however, and the Court of Appeals decided in
October 2002 that detention is in fact lawful, provided that the detainees are
a threat to national security.
More initiatives have been introduced to increase
and enhance identification and enable profiling. The Philippines and the United
Kingdom
are considering ID cards in order to combat terrorism.
Canada has also considered the adoption of ID
Cards. The reasoning behind its introduction, according to the Minister of
Citizenship and Immigration is that the US will soon require the fingerprinting
of Canadians as they pass through the US-Canada border. The Public Safety
Bill 2004 grants law enforcement authorities access to travel information, even
within Canada.
This is a separate initiative from the Canadian Customs and Revenue Agency's
proposal to retain travel information for six years. Recently that proposal has
been altered to purge non-customs related data after it is no longer used, and
to implement access controls on the database of travel.
Australia has been actively pursuing the concept
of a smart passport that includes digital photos. The government has run a
trial of SmartGate application at Sydney Airport that was heavily criticized as
involving ineffective and flawed technology.
At the same time, the Australian government has also been pushing for an
advanced passenger processing system at the Asia-Pacific Economic Cooperation
forum (APEC).
In 2004 the Australian Customs agency received the approval from the EU to
access the passenger name records of EU citizens, as the Article 29 Working
Party deemed the protections adequate.
The New Zealand Customs Service began receiving
advance passenger lists in 2003 from airlines under its Customs and Excise Act.
The airlines would "feed data directly to the CS's computer system"
before landing; and this information is checked for "people of
interest." This system is seen as a first step to setting up an Advance
Passenger Processing system that will identify problematic passengers prior to
boarding flights.
In the European Union, the Spanish government put
forward a proposal for a Directive requiring carriers to collect and send data
on all passengers at the time of boarding to law enforcement agencies in
destination countries or face fines.
Some legal developments pertain directly to
information technology use. Cuba's law on combating terrorism includes hacking. New Zealand's
counter-terrorism bill could force individuals to disclose their passwords,
even in non-terrorism related investigations, or face three months in jail or a
fine of NZD 2,000.
Kenya's bill includes an offence for "collection of information for
terrorist purposes," i.e, "collects, makes or transmits a
record of information of a kind likely to be useful to a person committing or
preparing an act of terrorism; or possesses a document or record containing
information of that kind shall be guilty of an offence' term not exceeding 10
years; "transmit" includes by telephone, e-mail, voicemail, or other
telecommunications method; and make available on the Internet. "It is a
defense for a person charged with an offence under this section to satisfy the
court that he had a reasonable excuse for his action or possession."
It is increasingly difficult to identify the
sources of laws, however. Several countries have introduced new laws because of
a felt imperative to model changes in other countries. For example, Kenyan
opposition party members accuse the United Kingdom and the United States for
pressuring Kenya; and they note that the definition of terrorism in the Kenyan
bill is taken from section 802 of PATRIOT Act. This was denied by the Justice
and Constitutional Affairs assistant minister Robinson Njeru Githae, as
reported by the Nairobi-based newspaper, The Nation: "We have not to
reinvented the wheel (sic). What we have done is to pick the best of
Suppression of Terrorism Act in the Commonwealth countries and given it a
Kenyan outlook."
Another source of law includes international
treaties. Romania's recently passed law on corruption includes components of
the Council of Europe Convention on Cybercrime. Many countries are trying to
ratify and implement into law the approximately 12 United Nations conventions
on anti-terrorism. Governments report regularly to the United Nations Security
Council committee on Resolution 1373 on their progress in adopting these
conventions.
However, they are also adding to, and interpreting, these conventions. For
example, New Zealand Justice Minister Phil Goff stated in April 2003 that the
new Counter Terrorism Bill "was the final step in adopting the last of
twelve United Nations conventions aimed at fighting terrorism. . . . It will
give police and customs officers more powers to fight terrorism, including
enabling police to use tracking devices, and will allow evidence found in the
investigation of one crime to be used in the prosecution of another." These additional
powers are not included within the standard conventions.
It is therefore important to note not only the
laws in other countries, but also the activities of international governmental
organizations. These organizations have been very active in developing
counter-terrorism policy tools and mechanisms.
The African Union, formerly the Organization of
African Unity, released a convention in August 2002 in order to promote the
criminalization of terrorist acts, and extradition and mutual legal assistance
regimes.
While this convention contains controversial concepts with respect to civil
liberties, it is far from being unique considering the developments in recent
years in such conventions as the Council of Europe Convention on Cybercrime.
The Asian-Pacific Economic Cooperation forum
(APEC) held a summit in October 2002 in order to promote growth and fight
against terrorism. An agreement emerged from the Mexico summit that aims to
halt terrorist financing, and to promote cyber security. At the 2003 summit in Bangkok,
the US tried to focus the agenda on how anti-terrorism policy can support
global trade, to some concern of APEC members who wanted to focus on economic
issues.
The final declaration included a statement that APEC leaders will undertake
measures to "dismantle, fully and without delay, transnational terrorist
groups that threaten APEC economies."
The group will now create a fund, run by the Asian Development Bank, to fund
counter-terrorism initiatives including port security and money laundering. It now appears
that APEC is considering the creation of "financial intelligence
units" to combat the diversion of money from trade to terror groups.
The Association for Southeastern Asian Nations
2003 summer summit included an agreement to obtain and share evidence amongst
member countries, share bank records, cooperate in the freezing of foreign
assets, and conduct searches and seizures upon request from fellow members; all
in the aim to combat terrorism and cross-border crime. An uncommon
development, however, is the lack of agreement on extradition. Discussions have
also occurred on the issue of secure identity documents. This disagreement
continued, however, in the October 2003 summit when the summit statement paid
little attention to anti-terrorism policy.
The summit did see the establishment of the ASEAN Security Community, pushed by
Indonesia,
that would not only focus on terrorism, but also on other transnational crimes. This was followed
up with a meeting in Bangkok of the ASEAN+3 countries (ASEAN and China, South
Korea, and Japan), where ministers vowed to improve communication and enhance
intelligence sharing, "especially against the growing threat of terrorism
in the region."
This would be done through the speeding up of mutual assistance and extradition
treaties.
The Group of 8 industrialized countries (G8) is
the primary source of discussion on secure passports. At the May 2003 summit of
Justice and Home Affairs ministers in Paris, the United Kingdom reportedly
promoted computerized passports.
The ministers unanimously stressed the importance of developing biometric
technologies with the goal of developing a common framework for biometric
passports, as is being discussed by the International Civil Aviation
Organization. There was some disagreement, according to reports, that the
French and the US differed on which form of biometrics should be promoted (the US
was pushing for iris scans or "other innovative technologies," the
French were for fingerprints).
In the end, according to the ICAO, facial recognition was adopted at the end of
May 2003.
Other issues addressed by ministers included critical infrastructure
protection, child pornography, and enhancing financial investigations. In this
last issue of discussion, the G8 ministers promoted the work of experts who
"identified 29 best practice principles on tracing, freezing, seizing and
confiscating crime-related assets," while admitting that "these
principles and good practices are ambitious."
The G8 Evian summit of heads of government met in
June 2003. At this summit the G8 created the Counter-Terrorism Action Group
(CTAG), which would support the UN Counter-Terrorism Committee for
"capacity building."
The proposal was led by the US, with the goal to create a group that would deal
with "terrorist financing, customs and immigration controls, illegal arms
trafficking, police and law enforcement"; "will identify relevant
international best practices, codes, and standards in combating
terrorism"; "target counterterrorism assistance to priority
countries"; and "work with International Financial institutions to
strengthen counterterrorism financing measures."
The G8 summits for 2004, held in the US,
furthered these ideas. The Justice and Home Affairs Ministers summit called for
legislation to enable sharing of information among and between the intelligence
community, the law enforcement community and prosecutors to the fullest degree
possible, to prevent, disrupt and preempt terrorist activities; while giving
due regard to civil liberties and fundamental principles of law. The ministerial
summit also called for "special investigative techniques" that
involve undercover agents, cover filing and listening devices, and covert
interception of "all forms of electronic communications," and
"the use of other critical measures," but that they must take into
account privacy rights; while states are encouraged to change legal procedure
to allow such techniques to be used in courts. The official
Sea-Island Summit of G8-leaders, however, did not reflect much of this. That
summit included new language regarding a "Secure and Facilitated
International Travel Initiative" to protect borders through the sharing of
personal information and secure travel documents.
The Commonwealth Secretariat also engaged in work
to promote capacity building. In 2002 the secretariat developed
"Implementation Kits for International Counter-Terrorism
Conventions," a form of "do-it-yourself" manual for governments,
covering all 12 multilateral treaties drawn up between 1963 and 1999 by the UN
and other inter-governmental fora.
In September 2002, the secretariat also released "Model Legislative
Provisions on Measures to Combat Terrorism" that provides for defining
specified entities' a variety of offenses and their investigation, interception
of communications and admissibility as evidence. The model provisions also
establish procedures for trials, promotion of information sharing, ensure
extradition and mutual legal assistance, empower governments to seize evidence,
manage charities, outline refugee application refusals, and allow for the
removal of persons.
The intergovernmental policy area of financial
regulations is dominated by the output of the Financial Action Task Force
(FATF). In the early 1990s the FATF developed its 40 recommendations on
combating money laundering. In April 2002, the FATF released guidance for
financial institutions for detecting terrorist financing; and conducted
consultation on 40 recommendations for terrorist financing, thus extending its
remit beyond money laundering. In June 2003 the new recommendations were
adopted. According to the FATF:
The FATF recognises
that countries have diverse legal and financial systems and so all cannot take
identical measures to achieve the common objective, especially over matters of
detail. The Recommendations therefore set minimum standards for action for
countries to implement the detail according to their particular circumstances
and constitutional frameworks. The Recommendations cover all the measures that
national systems should have in place within their criminal justice and
regulatory systems; the preventive measures to be taken by financial
institutions and certain other businesses and professions; and international
co-operation.
The acknowledgement of flexibility is due to,
according to reports, disagreement on regulatory procedures between American
and German delegations.
The recommendations include the requirement that institutional secrecy laws are
not used to inhibit implementation, and recommend against the keeping of
anonymous accounts, with some recommendations on identification as "due
diligence." Co-operation between countries is also recommended, as is the
removal of unduly restrictive conditions for this cooperation to take place.
The scope of application also increases; non-financial businesses including
lawyers and notaries except when under privilege.
Inter-governmental organizations in the Europe
have been very active as well. The Southeastern Europe Cooperation Initiative
(SECI) Regional Center for Fight Against Cross-Border Crimes had its first
meeting of 'Mission Force for Fight Against terrorism' (sic), in June 2003.
Held in Turkey, 85 representatives attended from Albania, Bulgaria, Bosnia-Herzegovina,
Croatia, Hungary, Macedonia, Moldova, Romania, Greece, Slovenia and
Serbia-Montenegro. According to Turkish Security Director General Gokhan
Aydiner, "Turkey has been trying for years to bring the issue of terrorism
onto agenda of the world. In some countries, terrorist organizations and their
members are considered fighters of freedom. Those who staged gory actions in
which thousands of people lost their lives, continue their terrorism activities
without any punishment."
According to media reports, the task force aimed to cover organized crimes and
terrorism, development of common operational plans, financial sources of
terrorist organizations.
The Organization for Security and Cooperation in
Europe (OSCE) began a new initiative with its first annual security review
conference in June 2003. A speech by US Ambassador Cofer Black, Coordinator for
Counterterrorism, called on the OSCE to continue fighting terrorism, to
encourage FATF adherence, to implement UN conventions (noting that only 38
percent of OSCE states have become parties to all 12), and to do the utmost to
prevent spread of small arms and light weapons. He also called for closer
cooperation with the UN, G8, and ICAO to develop international standards and in
turn to encourage regional implementation. Particularly, he called for cooperation
on the issue of travel document security with G8 and ICAO. This was
supported by "several delegations," as it was felt that "this
work could make a significant, real contribution not only to the war on
terrorism, but also to the fight against organized crime and illegal
immigration, all issues that many delegations had identified as threats to
their security and stability."
The Bulgarian government, which took over the leadership of the OSCE in 2004,
promises to steer the organization towards greater international cooperation in
combating terrorism and safeguarding national borders.
The vast majority of these meetings of
inter-governmental organizations outlined above were closed. In the coming
months and years, however, their work, findings, conclusions, and conventions
will be affecting national policy discourse.
This will be particularly the case in the
European Union and primarily the output of the Council, where there is more of
a binding requirement to enact policies at the national level. As accession
countries to the EU begin their process of legal harmonization, interpretation
and guidance on EU policies will require scrutiny. The EU has been active in
all of the issues covered above. In 2001 and 2002 the Council Framework
Decision on a European arrest warrant was developed and is currently being
implemented into national law. A Working Party on Terrorism has been convening
to develop measures to exchange information between member states, the creation
computer-aided preventative searches on the basis of offender profiles
(particularly the compiling of travel patterns). These profiles
may include method and means of travel, "physical distinguishing features
(e.g., battle scars)", education, places of stay, methods of
communication, psycho-sociological features, family situation, expertise in
advanced technologies; with the aim to identify terrorists before an act is
carried out. A proposed innovation includes searching through "relevant
national databases (e.g., registers of residents, registers of
foreigners, universities etc.) subject to the provisions of national law, for
person who need to be vetted more closely by the security authorities."
The EU has also developed a "roadmap"
regarding the implementation of an "EU Action Plan in the fight against
terrorism." This roadmap includes the discussion of counter-terrorism in
political dialogues with third countries and other multilateral fora. The EU
has been particularly active in meetings with Asian countries, and in meetings
with the US on mutual legal assistance.
The roadmap also consists of enhancing preventing of crime involving the use of
electronic communications systems, measures to counter insider dealing,
transparency criteria for legal entities, initiatives to draw up a common list
of terrorist organizations, and the 'systematic transmission to Europol of any
piece of data relevant to terrorism', while complying with international
obligations regarding protection of fundamental rights and ensuring 'a balance
between data protection and police efficiency', among other initiatives.
After the bombings in Madrid, the EU rushed
forward on these initiatives. Amidst calls from the UK Home Office Secretary
David Blunkett to "cut the waffle" and to follow up on plans agreed
at the EU years ago, he called for EU member states to implement security
measures agreed after the September 11 attacks. The UK then
pushed for other countries to adopt rules on data retention and the EU-wide
arrest warrant; although some resistance arose from Sweden, Germany, and Denmark. The final
declaration reflected these sentiments, calling for rules on the retention of
communications traffic, and simplifying exchanges of information across
borders, with a view to adoption by June 2005.
While the anti-terrorism policy developments
outlined above and later in this report have shifted the legal and
technological landscape for privacy, there have been some developments in the
area of civil liberties and terrorism.
In the US, opposition to the USA-PATRIOT Act has
grown. In response to the law, some librarians have begun to tape warnings to
computer screens that usage could be subject to scrutiny by law enforcement
agencies; in some cases they are destroying records of reading habits and
sign-up logs of computer use.
There have been successful amendments on TIA and CAPPS II related policies to
call for studies of the privacy and civil liberties implications of these
programs. Finally, in many districts and cities, there is opposition to the
PATRIOT Act. More than one hundred local governments have passed laws against
the Act.
Members of Congress and Senators continue to introduce new legislation to
minimize the threats to privacy and civil liberties.
Changes in proposed and existing laws are
occurring for several reasons elsewhere in the world. In Hong Kong in 2003,
after protests including one involving over 400,000 demonstrators, the
government appears to have backed down on changes to the Basic Law to deal with
sedition.
Jordan rescinded Article 150 of its penal code, which was introduced in
response to the events of September 11. The Article had allowed for
"permanent or temporary closure" of publications that "carry
false or libelous information that can undermine national unity or the
country's reputation', and publications carrying articles that incite 'crimes,
strikes, illegal public assemblies or undermining public order."
In the most severe case, Peru has been forced to
review sentences given out to 1,800 people when the high court handed down a
decision rejecting the anti-terrorism decrees established under the Fujimori
government as unconstitutional.
These decrees included trials for treason before hooded military judges and
life sentences without review,including on free expression related offences.
The effectiveness of opposition may take some
time to take full effect. After India's antiterrorism bill became law, it has
been reported that the entire opposition to the government walked out on
parliament. Since its
enactment, however, and after its use to detain some politicians, the
parliament has constituted a Review Committee to ensure that the powers are not
misused for non-terrorism purposes.
The incoming government in India has pledged to
follow through on promises to repeal the controversial Prevention of Terrorism
Act (POTA). As stated in the President's address to Parliament in June 2004,
"My government is concerned about the misuse of POTA in the recent past.
While there can be no compromise on the fight against terrorism, the Government
is of the view that existing laws could adequately handle the menace of
terrorism. The Government, therefore, proposes to repeal POTA."
Other efforts came close, or are in the works. In
the United Kingdom House of Lords, efforts to repeal the retention of
communications data almost succeeded in November 2003. A Privy Council Report
emerged in December 2003 calling on data retention to be separated from
anti-terror legislation and given its day in Parliament for appropriate
deliberation and oversight, while also limiting retention to one year and
placing that language in the primary legislation. The European
Commission's decision to permit the flow of passenger information from European
carriers' databases to the US Department of Homeland Security has been
questioned repeatedly by the European Parliament, and most recently, the
Parliament has taken its case to the European Court of Justice. These are merely
some of the sources of change.
Non-governmental organizations around the world
have questioned draft laws, bills, and court decisions and have voiced
concerns, taken cases to courts, and responded to consultation processes. The
arising court decisions may lead to further changes, parliamentarians may
listen more, and increased attention to international organizations may lead to
more open policy-making, and as a result, better laws.
Identity (ID) cards are in use in one form or
another in virtually all countries of the world. The type of card, its
functions, and integrity vary enormously. While several countries have
official, compulsory, national ID cards that are used for a variety of
purposes, many countries do not. These include Australia, Canada, India, Ireland,
New Zealand, the United States and the Nordic countries. Those that do have
such a card include Belgium, Egypt, France, Germany, Greece, Hong Kong, Malaysia,
and South Africa.
Nationwide ID systems are established for a
variety of reasons. Race, politics and religion often drive the deployment of
ID cards.
The fear of insurgence, religious differences, immigration, or political
extremism have been all too common motivators for the establishment of ID
systems that aim to force undesirables in a State to register with the
government, or make them vulnerable in the open without proper documents.
In recent years technology has rapidly evolved to
enable electronic record creation and the construction of large commercial and
state databases. A national identifier contained in an ID card enables
disparate information about a person that is stored in different databases to
be easily linked and analyzed through data mining techniques. ID cards are also
becoming "smarter" – the technology to build microprocessors the size
of postage stamps and put them on wallet-sized cards has become more
affordable. This technology enables multiple applications such as a credit
card, library card, health care card, driver's license and government benefit
program information to be all stored on the same national ID along with a
password or a biometric identifier. Governments in Finland, Malaysia, and Singapore
have experimented with such "Smart" ID cards. In July 2002, the Labor
government in the United Kingdom launched a six-month public consultation
process on whether the United Kingdom should adopt an "entitlement
card" with similar features.
Critics contend that such cards, especially when combined with information
contained in databases, enable intrusive profiling of individuals and create a
misplaced reliance on a single document, which enables precisely the type of
fraud the cards are meant to eliminate.
In April 2004 the UK Government announced its draft bill on the identity card
and a back-end database of all residents.
In several countries, these systems have been
successfully challenged on constitutional privacy grounds. In 1998, the
Philippine Supreme Court ruled that a national ID system violated the
constitutional right to privacy.
In 1991, the Hungarian Constitutional Court ruled that a law creating a
multi-use personal identification number violated the constitutional right of
privacy.
The 1997 Portuguese Constitution states "Citizens shall not be given an
all-purpose national identity number."
In other countries, opposition to the cards
combined with the high economic cost and other logistical difficulties of
implementing the systems has led to their withdrawal. Massive protests against
the Australia Card in 1987 resulted in the near collapse of the government.
Card projects in South Korea and Taiwan were also stopped after widespread
protests. In the United States plans to convert the state driver's license into
a nationwide system of identification have stalled because of the stiff
resistance from a broad coalition of civil society groups.
Biometrics is the identification or verification
of someone's identity on the basis of physiological or behavioral
characteristics. Biometrics involves comparing a previously captured unique
characteristic of a person to a new sample provided by the person. This
information is used to authenticate or verify that a person is who they said
they were (a one-to-one match) by comparing the previously stored
characteristic to the fresh characteristic provided. It can also be used for
identification purposes where the fresh characteristic is compared against all
the stored characteristics (a one-to-many match). New biometric technology
attempts to automate the identification or verification process by converting the
provided biometric into an algorithm, which is then used for matching purposes.
The computer matching technique necessarily produces either false positives,
where a person is incorrectly identified as someone else, or false negatives,
where a person who is meant to be identified by the system is not correctly
identified. The two error rates are dependent, so for example reducing the
number of false positives increases the number of false negatives. The
tolerance level is adjusted depending on the need for security in the
application.
The most popular forms of biometric ID are
fingerprints, retina/iris scans, hand geometry, voice recognition, and
digitized (electronically stored) images. The technology is gaining interest
from governments and companies because, unlike other forms of ID such as cards
or papers, it can be more difficult to alter or tamper with one's own physical
or behavior characteristics. Important questions remain, however, about the
effectiveness of the automated biometric matching techniques, particularly for
large-scale applications.
Critics also argue that widespread deployment of biometric identification
technology could remove the veil of anonymity or pseudo-anonymity in most daily
transactions through the creation an electronic trail of people's movements and
habits.
Biometrics schemes are being implemented across
the world. The technology is widely used in small settings for access control
to secure locations such a nuclear facility or bank vault. It is increasingly
being used for broader applications such as retail outlets, government
agencies, childcare centers, police forces and automated-teller machines. Spain
has commenced a national fingerprint system for unemployment benefits and
healthcare entitlements. Russia has announced plans for a national electronic
fingerprint system for banks. Jamaicans are required to scan their thumbs into
a database before qualifying to vote in elections. In France and Germany, tests
are under way with equipment that puts fingerprint information onto credit
cards. Many computer manufacturers are considering including biometric readers
on their systems for security purposes.
The most controversial form of biometrics – DNA
identification – is benefiting from new scanning technology that can automatically
match DNA samples against a large database in minutes. Police forces in several
countries including Canada, Germany, and the United States have created
national DNA databases. Samples are being routinely taken from a larger group
of people. Initially, it was only individuals convicted of sexual crimes. Then
it was expanded to people convicted of other violent crimes and then to
arrests. Now, many jurisdictions are collecting samples from all individuals
arrested, even for the most minor offenses. Former New York City Mayor Rudolf
Giuliani even proposed that all children have a DNA sample collected at birth.
In Australia, the United Kingdom, and the United States, police have been
demanding that all individuals in a particular area voluntarily provide samples
or face being considered a suspect. United States Attorney General Ashcroft has
testified that he has asked the FBI to increase the capacity of its database
from 1.5 million to 50 million profiles.
At the same time, DNA data has been used as exculpatory
evidence in many criminal trials.
The USA-PATRIOT Act, passed by the US Congress
after the events of September 11, 2001 included the requirement that the
President certify a biometric technology standard for use in identifying aliens
seeking admission into the US, within two years. The schedule for its
implementation was accelerated by another piece of legislation, the little
known Enhanced Border Security and Visa Entry Reform Act 2002. Part of this
second law included seeking international co-operation with this standard. The
incentive to international co-operation was made clear: "By October 26,
2004, in order for a country to remain eligible for participation in the visa
waiver program its government must certify that it has a program to issue to
its nationals machine-readable passports that are tamper-resistant and which
incorporate biometric and authentication identifiers that satisfy the standards
of the International Civil Aviation Organization (ICAO).
These laws gave momentum to the standards that
were being considered at the ICAO by requiring visa waiver countries (which
include many EU countries, Australia, Brunei, Iceland, Japan, Monaco, New
Zealand, Norway, Singapore, and Slovenia) to implement biometrics into their Machine-Readable
Travel Documents (MRTDs), i.e. passports. Failure to do so, presumably,
means a removal from the program.
Moving the decision to the ICAO pushes the policy
well beyond the Visa Waiver Program countries. The ICAO is the international
standard-setter for passports already and the ICAO has been researching
biometric passports since 1995. Since then the technologies have changed
sufficiently to allow for facial recognition, fingerprints and iris scans to be
considered for implementation in passports standards.
The primary purposes of biometric use, according
to the ICAO, is to allow for verification ("confirming identity by
comparing identity details of the person claiming to be a specific living
individual against details previously recorded on that individual") and
identification ("determining possible identity by comparing identity
details of the presenting person against details previously recorded on a
number of living individuals"). Beneficial side effects include advanced
passenger information to ports of entry, and electronic tracking of passport
use.
In May 2003, the facial recognition emerged as
the primary candidate. Intellectual Property issues prevented iris scans from
being accepted; while it was felt that the facial recognition is more socially
acceptable. Multiple applications of biometrics are also considered, and
permitted. Although the use of a single biometric technology by all States is
preferred by the ICAO to ensure interoperability, "[h]owever, it is also
recognized that some States may conclude it desirable to deploy two biometrics
on the same document." Already the EU is discussing requiring fingerprints
in passports.
The ICAO is aware, however, that there are
contentious legal issues involved with the infrastructure for these passports,
including the collisions between the goals of centralizing citizens' biometrics
and protecting privacy laws, and with "cultural practices." Not only
does this involve a central data store of fingerprints and photos (and face scans)
that can be scanned against other databases for other purposes, but this
sensitive information may be transferred to other countries when verification
is required at border controls. The ICAO foresees that this information may be
retained by these other countries. In essence, this may turn into a global
distributed database of personal information.
Something that may be important to remember at
the time of national implementation is that there is some flexibility permitted
by the ICAO. Some states may interpret the ICAO standards to require
centralised databases.
The ICAO calls for central databases that allow
for additional security confirmation checks, but does not go so far as to
require such systems. It may be interesting to see if national governments recall
this option, or if they rather change their national laws to allow for
centralized storage, as allowed in other ICAO documents. Already the EU is
moving towards a centralized registry of biometrics from the passport enrolment
process.
Most countries around the world regulate the
interception of communications by governments and private individuals and
organizations. These controls typically take the form of constitutional
provisions protecting the privacy of communications and laws and regulations
that implement those requirements.
There has been great pressure on countries to
adopt wiretapping laws to address new technologies. These laws are also in
response to law enforcement and intelligence agencies pressure to increase
surveillance capabilities. In Japan, wiretapping was only approved as a legal
method of investigation in 1999. Other countries such as Australia, Belgium, Germany,
New Zealand, South Africa and the United Kingdom have all updated their laws
to facilitate surveillance of new technologies.
The United States government has been at the
forefront of promoting greater use of electronic surveillance. Former FBI
Director Louis Freeh traveled extensively around the world, promoting the use
of wiretapping in newly democratic countries such as Hungary and the Czech Republic.
At the same time, the United States has led world efforts to ensure that all
communications technologies have built-in surveillance capabilities and to
prohibit the manufacture and use of equipment that cannot be eavesdropped upon.
The United States has also been working through international organizations
such as the OECD, G-8 and the Council of Europe to promote surveillance.
It is recognized worldwide that wiretapping and
electronic surveillance are a highly intrusive form of investigation that
should only be used in limited and unusual circumstances. Nearly all major
international agreements on human rights protect the right of individuals from
unwarranted invasive surveillance.
Nearly every country in the world has enacted
laws on the interception of oral, telephone, fax and telex communications. In
most democratic countries, intercepts are initiated by law enforcement or
intelligence agencies only after it has been approved by an judge or some other
kind of independent magistrate or high level official and generally only for
serious crimes. Frequently, it must be shown that other types of investigation
were attempted and were not successful. There is some divergence on what
constitutes a "serious crime," and appropriate approval.
Several countries including France and the United
Kingdom have created special commissions that review wiretap usage and
monitor for abuses. These bodies have developed an expertise in the area that
most judges who authorize surveillance do not have, while they also have the
ability to conduct follow up investigations once a case is complete. In other
countries, the privacy commissioner or data protection authority has some ability
to conduct oversight of electronic surveillance.
An important oversight measure that many
countries employ is the requiring of annual public reporting of information
about the use of electronic surveillance by government departments. These
reports typically provide summary details about the number of uses of
electronic surveillance, the types of crimes that they are authorized for,
their duration and other information. This is a common feature of wiretap laws
in English-speaking countries and many others in Europe. Countries that issue
annual reports on the use of surveillance include Australia, Canada, France, New
Zealand, Sweden, the United Kingdom, and the United States. Meanwhile in the Netherlands,
the Minister of Justice in April 2003 announced that he saw no additional value
in maintaining a log of the frequency of wiretaps, or installing a special
functionary to oversee the warranty process.
These countries recognize that it is necessary to
allow for people outside governments to know about its uses to limit abuses.
They are widely used in many countries by the Parliaments for oversight and
also by journalists, NGOs and others to examine the activities of law
enforcement. The reports have shown an increase in the use of surveillance in
many countries including Australia,
the United States, and the United Kingdom while others such as Canada have
remained steady. Most recently, however, Canada has reduced the amount of
reporting; despite statutory requirements, annual reports from the Solicitor
General on surveillance activities have not been released since 1999.
These laws are designed to ensure that legitimate
and normal activities in a democracy such as journalism, civic protests, trade
union organizing or political opposition are free from being subjected to
unwarranted surveillance because they have different interests and goals than
those in power. It also ensures that relatively minor crimes, especially those
that would not generally involve telecommunications for facilitation, are not used
as a pretext to conduct intrusive surveillance for political or other reasons.
However, wiretapping abuses have been revealed in
most countries, sometimes occurring on a vast scale involving thousands of
illegal taps. The abuses invariably affect anyone "of interest" to a
government. Targets include political opponents, student leaders and human
rights workers.
This can occur even in the most democratic of countries such as Denmark and Sweden,
where it was recently disclosed that intelligence agencies were conducting
surveillance of thousands of left-leaning activists for nearly 40 years.
The United Nations Commissioner on Human Rights
in 1988 made clear that human rights protections on the secrecy of
communications broadly covers all forms of communications:
Compliance with
Article 17 requires that the integrity and confidentiality of correspondence
should be guaranteed de jure and de facto. Correspondence should
be delivered to the addressee without interception and without being opened or
otherwise read. Surveillance, whether electronic or otherwise, interceptions of
telephonic, telegraphic and other forms of communication, wire-tapping and
recording of conversations should be prohibited.
The need for greater protection is recognized by
many democratic countries around the world. Most recently, the German Federal
Constitutional Court has considered whether the interception laws passed in
1998 are constitutional.
In March 2004, the German Federal Constitutional Court ruled that significant
portions of the 1998 Grosser Lauschangriff
wiretapping laws infringed upon the guarantees of human dignity and the
inviobility of the home under Articles 1 and 13 of the constitution, or Basic
Law.
The court held that certain communications are protected by an absolute area of
intimacy where citizens can communicate privately without fear of government
surveillance.
This includes conversations with close family members, priests, doctors and
defense attorneys, but excludes conversations about crimes that have already
been committed or the planning of future crimes. However, to justify
surveillance between the target and such persons of trust, the government must
show "there is strong reason to believe that the content of conversation
does not fall in the area of intimacy,"
and that the crime is "particularly serious". Once a specially
protected conversation begins the eavesdropping must stop immediately and any
recordings of that portion of the conversation must be erased. The German
legislature has until June 2005 to amend Grosser Lauschangriff to comply with
the court's decision.
In the past 15 years, the United States
government has led a worldwide effort to limit individual privacy and enhance
the capability of its police and intelligence services to eavesdrop on personal
conversations. This campaign had two strategies. The first is to promote laws
that make it mandatory for all companies that develop digital telephone
switches, cellular and satellite phones and all developing communication
technologies to build in surveillance capabilities; the second is to seek
limits on the development and dissemination of products, both in hardware and
software, that provide encryption, a technique that allows people to scramble
their communications and files to prevent others from reading them.
Law enforcement agencies have traditionally
worked closely with telecommunications companies to formulate arrangements that
would make phone systems "wiretap friendly." These agreements range
from allowing police physical access to telephone exchanges, to installing
equipment to automate the interception. Because most telecommunications
operators were either monopolies or operated by government telecommunications
agencies, this process was generally hidden from public view.
Following deregulation and new entries into
telecommunications in the United States in the early 1990s, law enforcement
agencies, led by the FBI, began demanding that all current and future
telecommunications systems be designed to ensure that they would be able to
conduct wiretaps. After several years of lobbying, the United States Congress
approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994. The act sets out
legal requirements for telecommunications providers and equipment manufacturers
on the surveillance capabilities that must be built into all telephone systems
used in the United States. In 1999, at the request of the Federal Bureau of
Investigation, an order was issued under CALEA requiring carriers to make
available the physical location of the antenna tower that a mobile phone uses
to connect at the beginning and end of a call.
Due to heavy lobbying, the Internet Service
Providers (ISPs) in the United States were exempted from implementing these
technical requirements under CALEA. Changes are in the wind, however as the FBI
is calling for the Federal Communications Commission to expand the law to
reconsider Voice Over IP, i.e., phone calls over the Internet and
providers as telecommunications carriers under CALEA. If these
providers are reclassified as carriers, then the requirements for intercept
capability under CALEA will also apply to them. The Senate is currently
reviewing legislation on regulating VOIP.
Intercepting content over digital services is a
common legal practice in other countries. In Australia the Telecommunications
Act 1997 places obligations on telecommunications operators to positively
assist law enforcement in the performance of their duties and to provide an
interception capability. The costs of these obligations are borne by the
operators themselves.
In the United Kingdom the Regulation of
Investigatory Powers Act 2000 requires that telecommunications operators
maintain a "reasonable interception capability" in their systems and
be able to provide on notice certain "traffic data." It also imposes
on obligation on third parties to hand over encryption keys. These requirements
were further clarified in the Regulation of Investigatory Powers (Maintenance
of Interception Capability) Order 2002. In the Netherlands, a new
Telecommunications Act was approved in December 1998 that required that ISPs
have the capability by August 2000 to intercept all traffic with a court order
and maintain users logs for three months.
The law was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad
wiretap of electronic communications of one of its subscribers. In New Zealand,
the Telecommunications (Residual Powers) Act 1987 requires network operators to
assist in the operation of a call data warrant (equivalent to the United States
trap and trace or pen register warrant).
An obligation to assist in the operation of a full interception warrant is now
also being considered in New Zealand. The Telecommunications (Interception
Capabilities) Bill currently being drafted by the Government would require all
ISPs and telephone companies to upgrade their systems so that they are able to
assist the police and intelligence agencies intercept communications. It would
also require a telecommunications operator to decrypt the communications of a
customer if that operator had provided the encryption facility.In January 2002, a
new Law on the surveillance of mail and telecommunications entered into force
in Switzerland, requiring ISPs to take all necessary measures to allow for
interception.
In contrast, the Austrian Federal Constitutional Court held, in a decision in February 2003,
that the law compelling telecommunications service providers to implement wiretapping
measures at their own expense is unconstitutional. Most recently, Poland
and New Zealand have been reported as proposing and adopting new laws requiring
ISPs to monitor and record communications transactions.
International cooperation played a significant
role in the development of these standards. In 1993, the FBI began
hosting meetings at its research facility in Quantico, Virginia called the
"International Law Enforcement Telecommunications Seminar" (ILETS) .
The meetings included representatives from Canada, Hong Kong, Australia and the
European Union. At these meetings, an international technical standard for
surveillance, based on the FBI's CALEA demands, was adopted as the
"International Requirements for Interception." In January 1995, the
Council of the European Union approved a secret resolution adopting the ILETS
standards.
Following this, many countries adopted the resolution into their domestic laws
without revealing the role of the FBI in developing the standard. Following the
adoption, the European Union and the United States offered a Memorandum of
Understanding (MOU) for other countries to sign to commit to the standards.
Several countries including Canada and Australia immediately signed the MOU.
Others were encouraged to adopt the standards to ensure trade. International
standards organizations, including the International Telecommunications Union
(ITU) and the European Telecommunication Standardisation Institute (ETSI), were
then successfully approached to adopt the standards.
The ILETS group continued to meet. Several
committees were formed and developed a more detailed standard extending the
scope of the interception standards. The new standards were designed to apply
to a wide range of communications technologies, including the Internet and
satellite communications. It also set more detailed criteria for surveillance
across all technologies. The result was a document called ENFOPOL 98, the
European Union designation for documents created by the European Union Police
Cooperation Working Group.
In 1998, the document became public and generated
considerable criticism. The committees responded by removing most of the
controversial details and putting them into a secret operations manual that has
not been made publicly available. The new document, now called ENFOPOL 19,
expanded the type of surveillance to include "IP address (electronic
address assigned to a party connected to the Internet), credit card number and
E-mail address."
In April 1999, the Council proposed the new draft council resolution to adopt
the ENFOPOL 19 standards into law in the European Union. The Council of
Ministers revised the document and, in June 2000, approved a resolution calling
for countries:
to ensure that, in the
development and implementation – in cooperation with communication service
providers – of any measures which may have a bearing on the carrying out of
legally authorised forms of interception of telecommunications, the law
enforcement operational needs . . . are duly taken into account.
