Communications Surveillance
What is communications surveillance?
Communications surveillance is the monitoring, interception, collection, preservation and retention of information that has been communicated, relayed or generated over communications networks to a group of recipients by a third party.
This third party could be a law enforcement agency, intelligence agency, a private company, or a malicious actor. Communications surveillance does not require a human to read the intercepted communication, as any automated action of communications surveillance represents an interference with the right to privacy. Communications surveillance can take place on a mass scale, such asunder the UK's Tempora program, or on a more intrusive scale, like the installation of malware onto a computer.
Communication plays a huge role in all of our lives. It helps us build relationships, share experiences, and develop as individuals and as a society. As such, communications surveillance is a significant interference with this fundamental need to communicate, and to do so on our own terms, and with confidence that our thoughts are not shared beyond our control. People behave differently when they know they are being watched, which can lead to self-censorship or a hesitancy to engage in society.
Without the security of knowing that your communications are private, our ability to create safe boundaries and manage our relationships falls apart.
How is communications surveillance conducted?
Developments in communications have brought us access to a diverse set of networks on which to communicate. As communications technologies developed, from the telegraph to fixed landlines to mobile communications and the internet, we have been given more control over who we communicate with and the method in which to do so.
With each step, however, communications surveillance technologies have become more and more sophisticated, and capable of grabbing even more information than ever before.
In turn, communications surveillance is no longer limited to intercepting a messenger or attaching a 'crocodile clip' to a telephone line. There are now four main methods of communications surveillance: internet monitoring, mobile phone interception, fixed line interception, and intrusion technologies (which are explained in detail below). Surveillance over internet, mobile, and fixed-line networks can take place with or without the cooperation of the network operator:
Authorities request assistance for surveillance from operators: Cooperation with telecommunication providers is sometimes referred to by surveillance proponents as 'lawful access', when laws require communications service operators to deliver information to either law enforcement or intelligence agencies when requested. This is often the surveillance described in transparency reports released by companies, such as Vodafone, but not all forms of lawful access are necessarily reported to the public.
Authorities have direct access to networks and services and can pull information themselves: Surveillance can be initiated directly by the government agency without the knowledge of the communications service provider. This would involve the government using communications surveillance technologies that interfere directly with the communication path. Examples of these types of technologies that conduct this form of surveillance are IMSI catchers, which pretend to be mobile phone base stations to collect information on nearby devices, and mass monitoring systems, such as the Zebra system sold by South African company VASTech.
What are the differences between the surveillance performed over different networks?
While there are several types of technologies that can be sold to perform communications surveillance, we have broken them into four categories: Internet Monitoring, Mobile Phone Monitoring, Fixed Line Interception, and Intrusion technology.
- Internet Monitoring: Internet monitoring is the act of capturing data as it travels across the internet toward its intended destination. It can take place across any point of the physical or electronic systems that comprise the internet. Types of technologies include physical taps that perform communications surveillance by tapping the wires and software that targets information published on 'publicly' available sources which in the past included news websites but now controversially includes social networks.
- Mobile Phone Monitoring: Mobile phone monitoring technologies capture information transmitted over mobile networks. One of the most common forms of mobile phone monitoring is through the use of IMSI Catchers. IMSI catchers, when deployed in a specific area, work by presenting themselves as powerful base stations, enticing all phones in that given area to join its “network” and then capture unique identification numbers from your phone, known as IMSIs. In some cases, the most sophisticated forms of IMSI catchers have the capability to intercept calls and even send messages to each registered phone. There is a strong suggestion that this took place in Ukraine during anti-government protests early in January 2014.
- Fixed Line Interception: Fixed line interception entails the capture of information as it travels across public switched telephony networks (PSTN), which forms the backbone of our international communication networks. The historical view of this form of surveillance involved crocodile clips being attached to the physical line. Modern surveillance technologies of PSTN still fundamentally operate in that way, where a physical probe is placed on the phone network which allows for the interception of phone calls. As the computers that join networks together have become more sophisticated, and the speed and throughput of communications has dramatically grown, so has the scale at which the interceptions can take place. Nowadays, commercial surveillance companies are selling technologies allowing for a whole country's network to be tapped simultaneously.
- Intrusion: Intrusion technologies clandestinely deploy malicious software (malware) on mobile phones and computers. The malware, or Trojan, allows operators to take complete control over the target's device by embedding itself in all system functions. Intrusion technologies are some of the most invasive forms of surveillance available. As devices become more connected to communication networks and become integral to our lives, we become increasingly dependent on them to hold our intimate details. Intrusion technologies give operators full access to these devices and everything held on them, collecting and transmitting data to the operator of the Trojan, while the user is unaware of all of this as the infected device operates normally. All this time the intrusion technologies can monitor everything that appears on the individual's screen, track keyboard entry and other input, monitor content of communications sent from the device, including historic communications, such as old e-mails or chat conversations. Intrusion technology can collect much more than merely what is on the devices. The data returned to the operator of the intrusion tool can include real-time recordings of live audio and video feeds from the device's camera or microphone. The user's device thereby becomes spy in itself, capturing information around the individual including conversations with others and monitoring his or her online and offline activities.
Who are the actors performing communications surveillance?
Anyone with these types of technologies can perform communications surveillance. It is often the case that these actors include law enforcement agencies, intelligence agencies, private company,or a malicious actor.
While some countries such as the United States and United Kingdom develop these types of technology in-house, there is also a large commercial surveillance market, where companies sell these technologies to countries and support ongoing surveillance systems.
Is communications surveillance legal?
All surveillance must meet the minimum standards of being both necessary in a democratic society to achieve a legitimate aim and proportionate to that aim. Individuals must be protected against arbitrary interference with their right to communicate privately. When a government wishes to conduct communications surveillance, it must only be done in accordance with clear and transparent law.
The lawful interception of communications must be performed with proper legal authorisation, but what this authorisation looks like varies across jurisdictions. Since communications surveillance directly interferes with the right to privacy, any laws that allow for it must be in accordance with human rights principles. The mere existence of surveillance laws do not make the act of communications surveillance lawful.
Acts that regulate communications surveillance exist because of the fundamental right to privacy that we all share. The right to privacy and specifically for correspondence is in international and regional human rights documents, including the Universal Declaration on Human Rights (Article 12),the International Convention on Civil and Political Rights (Article 17), the Arab Charter of Human Rights (Article 21), the European Convention on Human Rights (Article 8), and the American Convention on Human Rights (Article 11). Addtionally, there are 136 constitutions around the worldthat protect the privacy of communications.
Despite this clear international and constitutional agreement, in many countries laws governing surveillance and the processes around its conduct remain unclear. Often, laws are vague and broadly interpreted; courts authorise and review surveillance in secret; and individuals are monitored surreptitiously, and are not notified that they were placed under surveillance.
In many cases, laws governing communications surveillance have become outdated in the face of powerful new technologies. The greatest problem is that communications surveillance technology is not waiting around for legislation to catch up and reach those minimum standards. Another key problem is that legislators and the judiciary too rarely understand communications technology and surveillance capabilities. A final challenge is that government authorities are calling for new laws because they are lacking in capabilities even though they have more power to conduct surveillance today than ever before.
What can be done?
In recent years, there have been remarkable advancements around the world to protect an individual's right to privacy in the face of growing surveillance. Both courts and civil society have been making efforts address some of the dated ideas of communications surveillance.
In 2014, the European Court of Justice struck down the Data Retention Directive, calling mandatory data retention "an interference with the fundamental rights of practically the entire European population...without such an interference being precisely circumscribed by provisions to ensure that is is actually limited to what is strictly necessary". This decision represented a strong authoritative recognition of the safeguards that must be in place to protect our right to privacy.
The Philippines Supreme Court the same year ruled against a section of a cybercrime bill that would allow for the interception of a communication's origin, destination and route of message without the need to apply for authorisation. This decision recognised the revealing nature of metadata and the need for a process of authorisation to be in place for its interception.
To pushback against bad surveillance laws, civil society groups launched the International Principles on the Application of Human Rights to Communications Surveillance in 2014. The initiative aims to address the need for a framework to evaluate communications surveillance policies and practices against human rights.
The principles are an interpretation of existing state obligations in light of new technological understandings. They represent what States are obliged to meet in domestic law, and serves as an advocacy tool for civil society to pressure governments to meet certain standards in respect to communications surveillance.
Nonetheless, as the Edward Snowden disclosures showed, the capability of governments to operate in secret and to conduct surveillance across borders in unaccountable ways has grown significantly within our modern communications infrastructure. And courts remain reluctant to address secret surveillance and have yet to consider challenges to state power exerted across borders.