Privacy is a fundamental right, and in the future, it will be increasingly essential to freedom everywhere. For journalists and activists, protecting one’s privacy and sources has become a critical issue no matter where you operate in the world.
To help you protect your privacy and better understand surveillance risks, we invited you to ask questions to Privacy International’s data surveillance expert Matthew Rice.
Here are some of the best questions from you, our Advocacy Assembly community.
1) As an Iranian journalist, how can we make sure of the safety of our contacts' details in our mobile-phones while travelling?
Before you begin to adopt practices like travelling without devices or saving money to buy expensive devices that “promise” to deliver “privacy without compromise”, you need to do some ‘threat modelling’. To do this, you need to ask yourself:
- What am I trying to protect?
- Who or what it is that I am trying to protect against? What could happen if I don’t?
- How likely is this to happen? How serious will it be if it does?
- How much trouble am I willing to go to? Is it worth it?
You’ve already answered the first question: you want to protect your sources. The other questions still need to be answered, though. What is the significance of you travelling in this scenario? What is it you are trying to protect against? Could it be solved by leaving your device at home? Remember this isn’t always about a high-tech solution or some new app that encrypts your contacts. If your threat actor is a persistent and well-resourced state, I’m afraid there's not much you can do technologically or physically here.
But that doesn’t mean you make it easy for them! In the course, Right to Privacy: Introduction and Principles we discuss some examples of great work on secure applications such as Security in a Box, from the Tactical Technology Collective and Electronic Frontier Foundation’s Surveillance Self-Defense. I recommend you start there to gain a better understanding of what steps you can take to protect your information.
Whether you use any of the solutions discussed in those resources, however, is up to you and your threat model.
2) What are the best and worst countries to live in with regards to protection of one's own data?"
An important point to remember is that the question of protection is not decided based on where you live, but where your data lives. If the country you live in has a comprehensive data protection law, then your data should be protected when it is held by companies and government in your country. The moment your data leaves your country, you should expect your rights to follow that data. In fact, there is a safeguard attached to this in data protection laws: when personal data is transferred across jurisdictions, most data protection laws require equivalent levels of protection to be in place in the receiving country before the transfer can take place.
But, if your data travels to countries without adequate data protection laws, your rights are not protected. The question to ask is: in which countries does my data reside? You should find out where the services you currently use are located, and then look at the two factors below:
1. A comprehensive data protection law.
It may sound basic but it isn’t a guarantee that the country you live in has a comprehensive data protection law applying to both the business sector and public bodies. Countries such as United States of America, Pakistan, Uganda and Iran still do not have comprehensive data protection laws in place. As of December 2016, over 100 countries around the world have a law in place (for more check out the map referenced in this article), so at least you have a few locations to choose from…
2. An active Data Protection Regulator.
You will also want to see a Data Protection Regulator that is willing to take on the responsibility of making the law meaningful and holding those that break the law to account. For example, Spain’s Data Protection Regulator is well known for its active application of the law and leveraging fines - possibly because leverage of penalties is the way the regulator funds itself. While in Ireland, the Data Protection Regulator was reluctant to investigate the transfer of data from Ireland (where Facebook has its Europe offices) to the US under the Safe Harbor Arrangement, which is how the now famous Max Schrems v. Facebook case started.
There are other factors that would be useful to weigh up, including funding of the commission - the Philippines had a data protection act years before it had an operating commission to implement it or expert staff.
3) A number of reports by Privacy International show governments sharing information about people's personal privacy. Are there any privacy laws in certain countries protecting individuals from this type of cross-country surveillance?
This is a tricky - but very important - question for the future. As technology and data transcend borders, more of our private lives contained in that data are leaving the country we live in and ending up all over the world. Unfortunately, our rights do not travel as easily. There are some laws in place that go a little way to providing a framework but more definitely needs to be done.
Well-established customary international law prohibits one state from undertaking law enforcement operations in another - including obtaining evidence - without first requesting permission. As a result, many states have established mechanisms to request such assistance.
The most common mechanism is a Mutual Legal Assistance Treaty - MLAT for short. MLATs are agreements between States that allow them to request the other party to the MLAT to locate wanted individuals, issue warrants, share evidence, obtain testimony, among other things.
MLATs often contain references to respecting the domestic laws of the receiving party, and some even attempt at protecting privacy rights. For example, Access Now writes that the multilateral, Inter-American MLAT “indicates that the law of the receiving state should indicate the protections for third parties who have a stake in the requested items.” So to understand the protections you should expect from governments sharing information in the law enforcement context, some part of the answer may come from a combination of a relevant MLAT and the domestic laws in place in different countries.
That said, MLATS are far from perfect. Current MLAT arrangements are under-funded, and requests for information are time-consuming. Undue delays can lead to falling compliance with rules and regulations - which means less transparency.
It is a much less clear story when it comes to intelligence agencies. Intelligence sharing arrangements like the Five Eyes Alliance between the United Kingdom, the USA, Canada, Australia and New Zealand are generally not made public. Privacy International has long called for the Five Eyes countries to make this arrangement public and for better oversight and safeguards surrounding intelligence sharing.
From the little we do know, these arrangements do not adequately protect the right to privacy. But if we can get these arrangements made public, we and other organisations from around the world may be able to mount a campaign to build the right to privacy into them.
Privacy International’s State of Privacy briefings are an attempt to provide a benchmark for policies and practices affecting the right to privacy in countries that are part of the Privacy International Network. Check if your country is among them. Even if not, you can use the template of these briefings to help you identify the relevant laws and regulatory authorities in your country.
This blog was written by Matthew Rice. Matthew is an Advocacy Officer at Privacy International, and has worked with international organisations on communication surveillance issues. You can enrol for his organisation’s courses on your Right to Privacy here.