A/69/397
United Nations
General Assembly
Distr.: General
23 September 2014
Original: English

Sixty-ninth session
Agenda item 68 (a)
Promotion and protection of human rights: implementation of human rights instruments

Promotion and protection of human rights and fundamental freedoms while countering terrorism*

Note by the Secretary-General

The Secretary-General has the honour to transmit to the General Assembly the report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Ben Emmerson, submitted in accordance with General Assembly resolution 68/178 and Human Rights Council resolution 15/15.

* Late submission.

Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism

Summary

The present report is the fourth annual report submitted to the General Assembly by the current Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Ben Emmerson. The key activities undertaken by the Special Rapporteur between 17 December 2013 and 31 July 2014 are listed in section II of the report. In section III, the Special Rapporteur examines the use of mass digital surveillance for counter-terrorism purposes, and considers the implications of bulk access technology for the right to privacy under article 17 of the International Covenant on Civil and Political Rights.

I. Introduction

1. The present report is submitted to the General Assembly by the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Ben Emmerson, pursuant to General Assembly resolution 68/178 and Human Rights Council resolutions 15/15, 19/19, 22/8 and 25/7. It sets out the activities of the Special Rapporteur carried out between 17 December 2013 and 31 July 2014.
It then examines the use of mass digital surveillance for counter-terrorism purposes, and considers the implications of bulk access technology for the right to privacy under article 17 of the International Covenant on Civil and Political Rights.

II. Activities related to the mandate

2. On 13 February 2014, the Special Rapporteur participated as a speaker in a panel discussion entitled “Debating Kadi II: United Nations Ombudsperson v. judicial review in Security Council sanctions decision-making”, at the London School of Economics, in London.

3. From 23 to 25 February 2014, the Special Rapporteur participated in an expert seminar on the theme “The right to privacy in the digital age”, hosted by the Permanent Missions of Austria, Brazil, Germany, Liechtenstein, Mexico, Norway and Switzerland in Geneva, and facilitated by the Geneva Academy of International Humanitarian Law and Human Rights, in Geneva.

4. On 11 March 2014, the Special Rapporteur presented his report on the use of remotely piloted aircraft, or drones, in extraterritorial lethal counter-terrorism operations, including in the context of asymmetrical armed conflict, and its civilian impact (A/HRC/25/59) to the Human Rights Council at its twenty-fifth session. He also held an interactive dialogue with the Council on his reports on his country visits to Burkina Faso (A/HRC/25/59/Add.1) and Chile (A/HRC/25/59/Add.2).

5. On 12 March 2014, the Special Rapporteur participated as a panellist in a side event on the topic “Human rights and drones” and held a press conference at the twenty-fifth session of the Human Rights Council.

III. Counter-terrorism and mass digital surveillance

A. Introduction and overview

6. The exponential growth in States’ technological capabilities over the past decade has improved the capacity of intelligence and law enforcement agencies to carry out targeted surveillance of suspected individuals and organizations.
The interception of communications provides a valuable source of information by which States can investigate, forestall and prosecute acts of terrorism and other serious crime. Most States now have the capacity to intercept and monitor calls made on a landline or mobile telephone, enabling an individual’s location to be determined, his or her movements to be tracked through cell site analysis and his or her text messages to be read and recorded. Targeted surveillance also enables intelligence and law enforcement agencies to monitor the online activity of particular individuals, to penetrate databases and cloud facilities, and to capture the information stored on them. An increasing number of States are making use of malware systems that can be used to infiltrate an individual’s computer or smartphone, to override its settings and to monitor its activity. Taken together, these forms of surveillance provide a mosaic of data from multiple sources that can generate valuable intelligence about particular individuals or organizations.

7. The common feature of these surveillance techniques is that they depend upon the existence of prior suspicion of the targeted individual or organization. In such cases, it is the almost invariable practice of States to require some form of prior authorization (whether judicial or executive), and in some States there is an additional tier of ex post facto independent review. In most States, therefore, there is at least one opportunity (and sometimes more than one) for scrutiny of the information alleged to give rise to the suspicion, and for an assessment of the legality and proportionality of surveillance measures by reference to the facts of a particular case. With targeted surveillance, it is possible to make an objective assessment of the necessity and proportionality of the contemplated surveillance, weighing the degree of the proposed intrusion against its anticipated value to a particular investigation.

8.
The dynamic pace of technological change has, however, enabled some States to secure bulk access to communications and content data without prior suspicion. Relevant authorities in these States are now able to apply automated “data mining” algorithms to dragnet a potentially limitless universe of communications traffic. By placing taps on fibre-optic cables through which the majority of digital communications travel, relevant States have thus been able to conduct mass surveillance of communications content and metadata, providing intelligence and law enforcement agencies with the opportunity to monitor and record not only their own citizens’ communications, but also the communications of individuals located in other States. This capacity is typically reinforced by mandatory data retention laws that require telecommunications and Internet service providers to preserve communications data for inspection and analysis. The use of scanning software, profiling criteria and specified search terms enables the relevant authorities then to filter vast quantities of stored information in order to identify patterns of communication between individuals and organizations. Automated data mining algorithms link common identifying names, locations, numbers and Internet protocol addresses and look for correlations, geographical intersections of location data and patterns in online social and other relationships.1

9. States with high levels of Internet penetration can thus gain access to the telephone and e-mail content of an effectively unlimited number of users and maintain an overview of Internet activity associated with particular websites. All of this is possible without any prior suspicion related to a specific individual or organization. The communications of literally every Internet user are potentially open for inspection by intelligence and law enforcement agencies in the States concerned.
This amounts to a systematic interference with the right to respect for the privacy of communications, and requires a correspondingly compelling justification.

__________________
1 http://blog.privacystrategy.eu/public/published/Submission_ISC_7.2.2014_-_Caspar_Bowden.pdf.

10. From a law enforcement perspective, the added value of mass surveillance technology derives from the very fact that it permits the surveillance of the communications of individuals and organizations that have not previously come to the attention of the authorities. The public interest benefit in bulk access technology is said to derive precisely from the fact that it does not require prior suspicion. The circularity of this reasoning can be squared only by subjecting the practice of States in this sphere to the analysis mandated by article 17 of the International Covenant on Civil and Political Rights.

11. Article 17 of the Covenant provides that any interference with private communications must be prescribed by law, and must be a necessary and proportionate means of achieving a legitimate public policy objective (see paras. 28-31 below). The prevention of terrorism is plainly a legitimate aim for this purpose (see paras. 33 and 34 below), but the activities of intelligence and law enforcement agencies in this field must still comply with international human rights law.2 Merely to assert — without particularization — that mass surveillance technology can contribute to the suppression and prosecution of acts of terrorism does not provide an adequate human rights law justification for its use. The fact that something is technically feasible, and that it may sometimes yield useful intelligence, does not by itself mean that it is either reasonable or lawful (in terms of international or domestic law) (see A/HRC/27/37, para. 24).

12.
International human rights law requires States to provide an articulable and evidence-based justification for any interference with the right to privacy, whether on an individual or mass scale. It is a central axiom of proportionality that the greater the interference with protected human rights, the more compelling the justification must be if it is to meet the requirements of the Covenant. The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether. By permitting bulk access to all digital communications traffic, this technology eradicates the possibility of any individualized proportionality analysis. It permits intrusion on private communications without independent (or any) prior authorization based on suspicion directed at a particular individual or organization. Ex ante scrutiny is therefore possible only at the highest level of generality.

13. Since there is no target-specific justification for measures of mass surveillance, it is incumbent upon relevant States to justify the general practice of seeking bulk access to digital communications. The proportionality analysis thus shifts from the micro level (assessing the justification for invading a particular individual’s or organization’s privacy) to the macro level (assessing the justification for adopting a system that involves wholesale interference with the individual and collective privacy rights of all Internet users). The sheer scale of the interference with privacy rights calls for a competing public policy justification of analogical magnitude.

14. As an absolute minimum, article 17 requires States using mass surveillance technology to give a meaningful public account of the tangible benefits that accrue from its use. Without such a justification, there is simply no means to measure the compatibility of this emerging State practice with the requirements of the Covenant.
An assessment of proportionality in this context involves striking a balance between the societal interest in the protection of online privacy, on the one hand, and the undoubted imperatives of effective counter-terrorism and law enforcement, on the other. Determining where that balance is to be struck requires an informed public debate to take place within and between States. The international community needs to squarely confront this revolution in our collective understanding of the relationship between the individual and the State.3 It is a prerequisite for any assessment of the lawfulness of these measures that the States using the technology be transparent about their methodology and its justification.4 Otherwise, there is a risk that systematic interference with the security of digital communications will continue to proliferate without any serious consideration being given to the implications of the wholesale abandonment of the right to online privacy. If States deploying this technology retain a monopoly of information about its impact, a form of conceptual censorship will prevail that precludes informed debate.

__________________
2 See the compilation of good practices on legal and institutional frameworks for intelligence services and their oversight, promulgated by the former Special Rapporteur (A/HRC/14/46, paras. 9-50).

15. Some argue that users of the Internet have no reasonable expectation of privacy in the first place, and must assume that their communications are available to be monitored by corporate and State entities alike. The classic analogy drawn by those who support this view is between sending an unencrypted email and sending a postcard. Whatever the merits of this comparison, it does not answer the key questions of legality, necessity and proportionality.
The very purpose of the Covenant’s requirement for explicit and publicly accessible legislation governing State interference with communications is to enable individuals to know the extent of the privacy rights they actually enjoy and to foresee the circumstances in which their communications may be subjected to surveillance (see paras. 35-39 below). Yet the value of this technology as a counter-terrorism and law enforcement tool rests in the fact that users of the Internet assume their communications to be confidential (otherwise there would be no purpose in intruding upon them). This is reflected in the assertions made by members of the intelligence communities of the United States of America and the United Kingdom of Great Britain and Northern Ireland following the disclosure of mass surveillance programmes operated by these two States, in which the disclosures were said to have damaged national security by alerting potential terrorists to the fact that their communications were under surveillance.5

16. Any assessment of proportionality must also take full account of the fact that the Internet now represents the ubiquitous means of communication for many millions of people around the world. The revolution in digital technology has brought about a quantum shift in the way we communicate with one another. Digital communications technologies that use the Internet (including handheld devices and smartphones) have become part of everyday life (see A/HRC/27/37, para. 1). Anyone who wishes to participate in the exchange of information and ideas in the modern world of global communications is nowadays obliged to use transnational digital communication technology. Internet traffic is frequently routed through servers located in foreign jurisdictions. The suggestion that users have voluntarily forfeited their right to privacy is plainly unwarranted (ibid., para. 18). It is a general principle of international human rights law that individuals can be regarded as having given up a protected human right only through an express and unequivocal waiver, voluntarily given on an informed basis. In the modern digital world, merely using the Internet as a means of private communication cannot conceivably constitute an informed waiver of the right to privacy under article 17 of the Covenant.

__________________
3 As the United States Privacy and Civil Liberties Oversight Board has observed: “[P]ermitting the government to routinely collect the calling records of the entire nation fundamentally shifts the balance of power between the state and its citizens”; “Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court”.
4 In her report on the right to privacy in the digital age (A/HRC/27/37, para. 48), the High Commissioner for Human Rights noted “the disturbing lack of governmental transparency associated with surveillance policies, laws and practices, which hinders any effort to assess their coherence with international human rights law and to ensure accountability”.
5 See http://abcnews.go.com/Blotter/intel-heads-edward-snowden-profound-damage-ussecurity/story?id=22285388 and www.itv.com/news/2013-10-09/the-damage-of-edwardsnowdens-revelations/.

17. The Internet is not a purely public space. It is composed of many layers of private as well as social and public realms.1 Those making informed use of social media platforms in which messages are posted in full public view obviously have no reasonable expectation of privacy. The postcard analogy is entirely apposite for the dissemination of information through the public dimensions of Twitter and Facebook, for example, or postings on public websites. But reading a postcard is not an apposite analogy for intercepting private messages sent by e-mail, whether they are encrypted or unencrypted.

18.
Assuming therefore that there remains a legal right to respect for the privacy of digital communications (and this cannot be disputed (see General Assembly resolution 68/167)), the adoption of mass surveillance technology undoubtedly impinges on the very essence of that right (see paras. 51 and 52 below). It is potentially inconsistent with the core principle that States should adopt the least intrusive means available when entrenching on protected human rights (see para. 51 below); it excludes any individualized proportionality assessment (see para. 52 below); and it is hedged around by secrecy claims that make any other form of proportionality analysis extremely difficult (see paras. 51 and 52 below). The States engaging in mass surveillance have so far failed to provide a detailed and evidence-based public justification for its necessity, and almost no States have enacted explicit domestic legislation to authorize its use (see para. 37 below). Viewed from the perspective of article 17 of the Covenant, this comes close to derogating from the right to privacy altogether in relation to digital communications. For all these reasons, mass surveillance of digital content and communications data presents a serious challenge to an established norm of international law. In the view of the Special Rapporteur, the very existence of mass surveillance programmes constitutes a potentially disproportionate interference with the right to privacy.6 Shortly put, it is incompatible with existing concepts of privacy for States to collect all communications or metadata all the time indiscriminately. The very essence of the right to the privacy of communication is that infringements must be exceptional, and justified on a case-by-case basis (see para. 51 below).

19. There may be a compelling counter-terrorism justification for the radical re-evaluation of Internet privacy rights that these practices necessitate.
However, the arguments in favour of a complete abrogation of the right to privacy on the Internet have not been made publicly by the States concerned or subjected to informed scrutiny and debate. The threat of terrorism can provide a justification for mass surveillance only if the States using the technology can demonstrate with particularity the tangible counter-terrorism advantages shown to have accrued from its use. Moreover, measures justified by reference to States’ duties to protect against the threat of terrorism should never be used as a Trojan horse to usher in wider powers of surveillance for unrelated governmental functions. There is an ever present danger of “purpose creep”, by which measures justified on counter-terrorism grounds are made available for use by public authorities for much less weighty public interest purposes (see para. 55 below). In the present report, the Special Rapporteur builds upon the work of his predecessor (A/HRC/13/37) and the former Special Rapporteur on the promotion and protection of the right to freedom of expression and opinion (A/HRC/23/40). He argues that there is now an onus on States deploying bulk access surveillance technology to explain promptly, precisely and publicly why this wholesale intrusion into collective privacy is justified for the prevention of terrorism or other serious crime.

__________________
6 See also the view of the High Commissioner for Human Rights, A/HRC/27/37, paras. 20 and 25.

B. Recent disclosures concerning the nature and extent of States’ digital surveillance capabilities

20. On 5 June 2013, a national newspaper in the United Kingdom published the content of a classified court order authorized by the United States Foreign Intelligence Surveillance Court under section 215 of the Patriot Act.
The order reportedly required one of the largest telecommunications providers in the United States to hand over to the National Security Agency all “telephony metadata” on a daily basis for a three-month period and prohibited the company from disclosing the existence of the request or the order itself. On 6 June 2013, a United States newspaper published a separate story disclosing the existence of a covert National Security Agency digital programme called PRISM. The programme, reportedly authorized pursuant to section 702 of the United States Foreign Intelligence Surveillance Act, was said to involve the collection of content data from the central servers of nine leading United States technology companies.

21. According to reports in both newspapers, the material retrieved through PRISM was made available to other intelligence agencies, including the Government Communications Headquarters of the United Kingdom. Subsequent disclosures reported the existence of a separate data collection programme called Upstream, which is said to involve the capture of both telephone and Internet communications passing through fibre-optic cables and infrastructure owned by United States service providers. Much of the world’s Internet traffic is routed through servers physically located in the United States.

22. The media have subsequently reported that the National Security Agency’s Systems Intelligence Directorate includes an applications vulnerabilities branch that collects data from communications systems around the world. The Agency is said to operate an Internet exploitation mechanism called Quantum, which enables it to compromise third-party computers. The methodology reportedly involves taking secret control (or “ownership”) over servers in key locations on the “backbone” of the Internet.
By impersonating chosen websites (including such common sites as the Google search page), Quantum is able to inject unauthorized remote control software into the computers and Wi-Fi-enabled devices of those who visit the clone site (who will, of course, have no reason to doubt the clone site’s authenticity). Technology experts assess that this methodology can permanently compromise the user’s computer, ensuring that it continues to provide intelligence to the National Security Agency in the United States indefinitely.

23. The United States Executive and Legislative branches have subsequently taken a number of steps in response to these disclosures. One issue to have emerged from this process is the difference in treatment between United States citizens and non-citizens (even those located within the territorial jurisdiction of the United States). The key developments may be summarized as follows:

(a) On 9 August 2013, President Barack Obama announced that he had requested the Privacy and Civil Liberties Oversight Board7 to undertake a review of existing counter-terrorism efforts.8 In late August 2013, the Board called upon the Director of National Intelligence and the Attorney-General to update the intelligence community’s procedures on collecting, retaining and disseminating information relating to United States citizens;9

(b) On 12 December 2013, the President’s Review Group released its report entitled “Liberty and security in a changing world”, in which the Group made a number of significant recommendations for reform.
In response to that report, on 17 January 2014 President Obama announced a series of proposed legislative and administrative changes.10 The Administration concurrently released a new Presidential Policy Directive, “PPD-28”, to strengthen the oversight of the signals intelligence activities of the intelligence community, both within and outside the United States;11

(c) On 23 January 2014, the Privacy and Civil Liberties Oversight Board released the first of two reports in which the majority concluded that the telephone metadata programme was inconsistent with domestic law because section 215 of the Patriot Act did not provide an adequate basis to support it.12 On 27 March, President Obama announced a set of new proposals to end the existing programme.13 On 22 May 2014, the House of Representatives adopted the United States Freedom Act, incorporating some of the President’s proposals;

(d) On 2 July 2014, the Privacy and Civil Liberties Oversight Board released a second report setting out in detail how surveillance operations under section 702 of the Foreign Intelligence Surveillance Act work in practice.14 While the report’s chief concern was the compatibility of these programmes with United States statutory and constitutional requirements, the Board recognized that they also raised “important but difficult legal and policy questions” concerning the treatment of non-United States persons.15 The Board took the view that the application of the right to privacy to national security surveillance conducted in one country that might affect residents of another country is not “settled” among States parties to the International Covenant on Civil and Political Rights, a proposition that was said to be evidenced by the “ongoing spirited debate”.16

__________________
7 The Board is an independent agency within the executive branch with authority to review and analyse counter-terrorism operations and to ensure that they are balanced with the need to protect privacy and civil liberties; see www.pclob.gov/.
8 See www.whitehouse.gov/the-press-office/2013/08/09/remarks-president-press-conference.
9 See www.pclob.gov/newsroom.
10 See www.washingtonpost.com/politics/full-text-of-president-obamas-jan-17-speech-on-nsareforms/2014/01/17/fa33590a-7f8c-11e3-9556-4a4bf7bcbd84_story.html.
11 See www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signalsintelligence.
12 “Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court”.
13 See www.whitehouse.gov/the-press-office/2014/03/27/fact-sheet-administration-s-proposalending-section-215-bulk-telephony-m.
14 “Report on the Surveillance Program Operated Pursuant to Section 702 of the FISA”, see www.pclob.gov/meetings-and-events/2014meetingsevents/02-july-2014-public-meeting.

24. A parallel process of review has taken place within the United Kingdom. On 10 June 2013, in response to allegations that Government Communications Headquarters had circumvented United Kingdom law by using the National Security Agency’s PRISM programme to access the content of communications that could not be accessed under domestic law, the Foreign Secretary made a statement in Parliament indicating that any data obtained from the United States involving United Kingdom nationals is “subject to proper United Kingdom statutory controls and safeguards”, including the relevant provisions of the Intelligence Services Act of 1994, the Human Rights Act of 1998 and the Regulation of Investigatory Powers Act of 2000.17

25.
On 21 June 2013, the media reported on the existence of a separate programme operated by Government Communications Headquarters (“Tempora”), under which data interceptors were reportedly placed on fibre-optic cables running between the United Kingdom and the United States to facilitate the interception of both metadata and content information. Whether existing legislation provides Government Communications Headquarters with the lawful authority to conduct such operations, and whether they conform to the right to privacy as guaranteed under article 8 of the European Convention on Human Rights, has been questioned within and outside the United Kingdom Parliament.18 Subsequent disclosures have focused on the role of the Joint Threat Intelligence Group in Government Communications Headquarters. This agency is reported to have deployed a computer virus called Ambassador’s Reception for the purposes of online covert action. This virus is said to be able to encrypt itself and act as a “chameleon” imitating communications by other Internet users.

26. Following a preliminary investigation into Government Communications Headquarters’ access to communications and content data, the Intelligence and Security Committee (a Parliamentary committee with responsibility for the oversight of the intelligence community)19 issued a statement on 17 July 2013. Having taken account of the legal framework governing information-sharing arrangements between Government Communications Headquarters and its overseas counterparts, the Committee concluded that no United Kingdom law had been violated and that Government Communications Headquarters had conformed to its statutory duties under the Intelligence Services Act of 1994.
The Committee nevertheless concluded that further investigations were merited to consider whether the existing statutory framework governing access to private communications was adequate given the “complex interaction” among the Intelligence Services Act of 1994, the Human Rights Act of 1998 and the Regulation of Investigatory Powers Act of 2000. On 17 October 2013, the Intelligence and Security Committee announced that it would broaden the scope of its inquiry following concerns about the extent of intelligence service capabilities and the impact of their operations on the right to privacy.20

__________________
15 Ibid., p. 98.
16 Ibid., p. 100.
17 See www.gov.uk/government/speeches/foreign-secretary-statement-to-the-house-of-commonsgchq.
18 See www.theguardian.com/uk-news/2013/oct/14/conservative-peer-spying-gchq-surveillance; and www.publications.parliament.uk/pa/cm201314/cmhansrd/cm131031/halltext/131031h0001.htm.
19 See http://isc.independent.gov.uk/.

27. On 8 April 2014, the Court of Justice of the European Union released its judgement in the case of Digital Rights Ireland, in which it declared the European Union Data Retention Directive to be incompatible with the right to respect for private life and the right to the protection of personal data, both of which are guaranteed under the Charter of Fundamental Rights of the European Union.21 The Directive required communication service providers to retain traffic data so as to permit access by the competent national authorities for the purpose of preventing, investigating, detecting and prosecuting serious crime, including terrorism. In holding that the retention of, and access to, traffic data constituted a “particularly serious interference” with both rights, the Court of Justice of the European Union found that the Directive failed to satisfy the principle of proportionality.
On 10 July 2014, the United Kingdom Government introduced the Data Retention and Investigatory Powers Bill in response to the ruling. The Government characterized the Bill (now an Act) as a measure to “clarify” the nature and extent of obligations that can be imposed on telecommunications and Internet service providers based in the United Kingdom.22

C. Mass surveillance, counter-terrorism and the right to privacy

1. The right to privacy under article 17 of the International Covenant on Civil and Political Rights

28. Privacy can be defined as the presumption that individuals should have an area of personal autonomous development, interaction and liberty free from State intervention and excessive unsolicited intrusion by other uninvited individuals (see A/HRC/23/40, para. 22; and A/HRC/13/37, para. 11). The duty to respect the privacy and security of communications implies that individuals have the right to share information and ideas with one another without interference by the State (or a private actor), secure in the knowledge that their communications will reach and be read by the intended recipients alone.23 The right to privacy also encompasses the right of individuals to know who holds information about them and how that information is used.24

29. Article 17 of the International Covenant on Civil and Political Rights is the most important legally binding treaty provision guaranteeing the right to privacy at the universal level. It provides that “no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home and correspondence, nor to unlawful attacks on his or her honour and reputation”. It further provides that “everyone has the right to the protection of the law against such interference or attacks”. Other international human rights instruments contain similar provisions; and laws at the regional and national levels also reflect the right of all people to respect for their private and family life, home and correspondence.

__________________
20 See http://isc.independent.gov.uk/news-archive/17october2013.
21 Court of Justice of the European Union, Judgment in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, Judgment of 8 April 2014.
22 See www.gov.uk/government/speeches/communications-data-and-interception.
23 Human Rights Committee general comment No. 16, para. 8.
24 Ibid., para. 10; see A/HRC/23/40, para. 22.

30. The right to privacy is not, however, an absolute right. Once an individual is under suspicion and subject to formal investigation by intelligence or law enforcement agencies, that individual may be subjected to surveillance for entirely legitimate counter-terrorism and law enforcement purposes (see A/HRC/13/37, para. 13). Although article 17 of the Covenant does not contain a specific limitation clause outlining the circumstances in which interference with the right to privacy may be compatible with the Covenant, it is universally understood as permitting such measures providing that (a) they are authorized by domestic law that is accessible and precise and that conforms to the requirements of the Covenant,25 (b) they pursue a legitimate aim and (c) they meet the tests of necessity and proportionality.26

31. The realization that a large part of the world’s Internet traffic is at some point routed through the United States prompted a number of States to express concerns as to whether the right to privacy of their citizens had been violated by the PRISM programme. In December 2013, the General Assembly adopted resolution 68/167, on the right to privacy in the digital age, which was co-sponsored by 57 Member States and adopted without a vote.
In that resolution, the Assembly affirmed that the right to privacy must be protected online, and called upon all States to review their procedures, practices and legislation related to communications surveillance, interception and collection of personal data, emphasizing the need for States to ensure the full and effective implementation of their obligations under international human rights law.

32. In the same resolution, the General Assembly also mandated the Office of the United Nations High Commissioner for Human Rights to report to the Human Rights Council and the General Assembly on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance, and/or the interception of digital communications and the collection of personal data, including on a mass scale. In paragraph 47 of her report published on 30 June 2014 (A/HRC/27/37), the High Commissioner concluded that international human rights law provided a clear and universal framework for the promotion and protection of the right to privacy, including in the context of domestic and extraterritorial surveillance, the interception of digital communications and the collection of personal data. She noted, however, that the practice of many States revealed a lack of adequate national legislation and/or enforcement, weak procedural safeguards and ineffective oversight, all of which had contributed to a lack of accountability for arbitrary or unlawful interference with the right to privacy. The High Commissioner emphasized that information was still emerging on the nature and extent of digital surveillance operations but expressed her concern at the “disturbing lack of governmental transparency associated with surveillance policies, laws and practices, which hinders any effort to assess their coherence with international human rights law and to ensure accountability” (ibid., para. 48). She called upon States to review their national law and practice for conformity with international human rights norms, and to make amendments, where necessary. She also called upon the international community to carry out further in-depth study into the issues (ibid., paras. 49 and 51).

__________________
25 Human Rights Committee general comment No. 16, para. 3.
26 See A/HRC/27/37, paras. 22-25, and the sources there cited; A/HRC/23/40, paras. 28 and 29; A/HRC/13/37, paras. 13-17; Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights, E/CN.4/1985/4, annex; Human Rights Committee general comments Nos. 16, 27, 29, 34 and 31; Human Rights Committee, Van Hulst v. Netherlands, Communication No. 903/1999, 2004; Madafferi v. Australia, Communication No. 1011/2001, 2004; Toonen v. Australia, Communication No. 488/1992, para. 8.3; MG v. Germany, Communication No. 1482/2006, 2008; and CCPR/C/USA/CO/4.

2. Counter-terrorism as a legitimate aim

33. Unlike a number of the qualified rights protected by the Covenant, article 17 does not enumerate an exhaustive list of legitimate public policy objectives that may form the basis of a justification for interfering with the right to privacy. Nonetheless, the prevention, suppression and investigation of acts of terrorism clearly amount to a legitimate aim for the purposes of article 17. Terrorism can destabilize communities, threaten social and economic development, fracture the territorial integrity of States, and undermine international peace and security. Under article 6 of the Covenant, States are under a positive obligation to protect citizens and others within their jurisdiction against acts of terrorism. One aspect of this obligation is the duty to establish effective mechanisms for identifying potential terrorist threats before they have materialized.
States discharge this duty through the gathering and analysis of relevant information by intelligence and law enforcement agencies (see A/HRC/20/14, para. 21).

34. The enhanced capacity of States to monitor all Internet traffic is said to be of particular significance in the counter-terrorism context because communications via the Internet have played an important part in the financing and perpetration of acts of international terrorism; because the Internet has been used for the purpose of recruitment to terrorist organizations; and because the identification in advance of those involved in the planning or instigation of acts of terrorism may otherwise be hampered by intelligence limitations. Since terrorism is a global activity, the search for those involved must extend beyond national borders. The prevention and suppression of terrorism is thus a public interest imperative of the highest importance and may in principle form the basis of an arguable justification for mass surveillance of the Internet.

3. Mass surveillance and the quality of law requirement

35. Article 17 of the Covenant explicitly provides that everyone has the right to the protection of the law against unlawful or arbitrary interference with their privacy. This imports a “quality of law” requirement that imposes three conditions: (a) the measure must have some basis in domestic law; (b) the domestic law itself must be compatible with the rule of law and the requirements of the Covenant; and (c) the relevant provisions of domestic law must be accessible, clear and precise.
An interference that is authorized by domestic law may nonetheless be “unlawful” and/or “arbitrary” for the purposes of article 17 if the relevant domestic legislation does not meet the core requirements of accessibility, specificity and foreseeability,27 or if domestic law otherwise fails to meet the standards of necessity and proportionality.28 Accordingly, domestic law must contain provisions that ensure that intrusive surveillance powers are tailored to specific legitimate aims (see A/HRC/13/37, para. 60; and A/HRC/27/37, para. 28), and afford effective safeguards against abuse.29 Moreover, the exercise of executive discretion must be circumscribed with reasonable clarity by the applicable law or binding published guidelines.30

__________________
27 Human Rights Committee general comment No. 16, para. 3.
28 Ibid., para. 8.

36. Accessibility requires not only that domestic law be published, but also that it meet a standard of clarity and precision sufficient to enable those affected to regulate their conduct with foresight of the circumstances in which intrusive surveillance may occur. In paragraph 8 of its general comment No. 16 on the right to privacy, the Human Rights Committee stressed that legislation authorizing interference with private communications “must specify in detail the precise circumstances in which such interference may be permitted”. Prior to the introduction of mass surveillance programmes outlined in the present report, this stipulation had always been understood as requiring domestic legislation to spell out clearly the conditions under which, and the procedures by which, any interference may be authorized; the categories of person whose communications may be intercepted; the limits on the duration of surveillance; and the procedures for the use and storage of the data collected.29 The European Court of Human Rights has also stressed the need for clear detailed rules on the subject.31

37. Mass surveillance programmes pose a significant challenge to the legality requirements of article 17 of the Covenant. Where bulk access programmes are in operation, there are no limits to the categories of persons who may be subject to surveillance, and no limits on its duration. These conditions cannot therefore be spelled out in legislation. The detailed legal and administrative frameworks for mass surveillance often remain classified, and little is still publicly known about the ways in which captured data are operationalized. Very few States have so far enacted primary legislation explicitly authorizing such programmes. Instead, outdated domestic laws that were designed to deal with more rudimentary forms of surveillance have been applied to new digital technology without modification to reflect the vastly increased capabilities now employed by some States. Indeed, it has been suggested that certain States have “intentionally sought to apply older and weaker safeguard regimes to ever more sensitive information” (see A/HRC/13/37, para. 57).

38. The Special Rapporteur considers that there is an urgent need for States to revise national laws regulating modern forms of surveillance to ensure that these practices are consistent with international human rights law. Domestic laws governing the interception of communications should be updated to reflect modern forms of digital surveillance that are far broader in scope, and involve far deeper penetration into the private sphere, than those envisaged when much of the existing domestic legislation was enacted. The absence of clear and up-to-date legislation creates an environment in which arbitrary interferences with the right to privacy can occur without commensurate safeguards. Explicit and detailed laws are essential for ensuring legality and proportionality in this context. They are also an indispensable means of enabling individuals to foresee whether and in what circumstances their communications may be the subject of surveillance.

__________________
29 CCPR/C/USA/CO/4, para. 22; Malone v. United Kingdom, Application No. 8691/79, Judgment of 2 August 1984, paras. 67-68; and Weber and Saravia v. Germany, Application No. 54934/00, Judgment of 29 June 2006.
30 A/HRC/27/37, para. 29; and Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights (see E/CN.4/1985/4, annex), paras. 16 and 18.
31 Weber and Saravia v. Germany, Application No. 54934/00, Judgment of 29 June 2006; Uzun v. Germany (2012) 54 EHRR 121 para. 35.

39. A public legislative process provides an opportunity for Governments to justify mass surveillance measures to the public. Open debate enables the public to appreciate the balance that is being struck between privacy and security (ibid., para. 56). A transparent law-making process should also identify the vulnerabilities inherent in digital communications systems, enabling users to make informed choices. This is not only a core ingredient of the requirement for legal certainty under article 17 of the Covenant; it is also a valuable means of ensuring effective public participation in a debate on a matter of national and international public interest (see A/HRC/27/37, para. 29; and A/HRC/14/46). In the view of the Special Rapporteur, where the privacy rights of the digital community as a whole are subject to systematic interference, nothing short of detailed and explicit authorization in primary legislation suffices to meet the principle of legality.

40. By contrast, the use of delegated legislation (instruments enacted by the executive under delegated powers) has already permitted the adoption of secret legal frameworks for mass surveillance, inhibiting the ability of the legislature, the judiciary and the public to scrutinize the use of these new powers (see A/HRC/13/37, para. 54).
Such provisions do not meet the quality of law requirements in article 17 of the Covenant because they are not sufficiently accessible to the public (see CCPR/C/USA/CO/4). While there may be legitimate public interest reasons for maintaining the secrecy of technical and operational specifications, these do not justify withholding from the public generic information about the nature and extent of a State’s Internet penetration. Without such information, it is impossible to assess the legality, necessity and proportionality of these measures. States should therefore be transparent about the use and scope of mass communications surveillance (see A/HRC/23/40, para. 91).

4. Extraterritorial mass surveillance programmes

41. Certain States have the technical capability to conduct mass surveillance of communications between individuals not resident within their jurisdiction, and have thus implemented surveillance arrangements that have extraterritorial effect. Some of these activities are physically conducted on the territory of the State concerned and therefore engage the principles of territorial jurisdiction under the Covenant. This is the case not only where State agents place data interceptors on fibre-optic cables travelling through their jurisdiction, but also where a State exercises regulatory authority over the telecommunications or Internet service providers that physically control the data (A/HRC/27/37, para. 34). In either case, human rights protections must be extended to those whose privacy is being interfered with, whether or not they are physically located in the country in which the service provider is incorporated. The same is true where legislation on mandatory data retention imposes obligations on service providers located within a State’s territorial or legal jurisdiction.
Even where States penetrate infrastructure located wholly outside their territorial jurisdiction the relevant authorities nevertheless remain bound by the State’s obligations under the Covenant (ibid., paras. 32-35 and the sources cited therein).

42. Extraterritorial surveillance operations pose unique challenges for the application of the “quality of law” requirements in article 17 of the Covenant. Domestic legislation governing the interception of external (international) communications often affords less protection than comparable provisions protecting purely domestic communications.32 Of even greater concern, some States (including the United States) continue to permit asymmetrical protection regimes for nationals and non-nationals. This difference of treatment affects all digital communications since messages are often routed through servers located in other jurisdictions. However, it has particularly significant ramifications for the penetration of cloud-based computing.33

43. Either form of differential treatment is incompatible with the principle of non-discrimination in article 26 of the Covenant, a principle that is also inherent in the very notion of proportionality.34 Moreover, the use of mass surveillance programmes to intercept communications of those located in other jurisdictions raises serious questions about the accessibility and foreseeability of the law governing the interference with privacy rights, and the inability of individuals to know that they might be subject to foreign surveillance or to interception of communications in foreign jurisdictions. The Special Rapporteur considers that States are legally bound to afford the same protection to nationals and non-nationals, and to those within and outside their jurisdiction.

5. International cooperation between intelligence agencies

44. Similar concerns arise in relation to international intelligence-sharing arrangements.
The absence of laws to regulate information-sharing agreements between States has left the way open for intelligence agencies to enter into classified bilateral and multilateral arrangements that are beyond the supervision of any independent authority (see A/HRC/13/37). Information concerning an individual’s communications may be shared with foreign intelligence agencies without the protection of any publicly accessible legal framework and without adequate (or any) safeguards. Following a wide process of consultation, the High Commissioner for Human Rights recently found credible evidence that some Governments have systematically routed data collection and analytical tasks through jurisdictions with weaker safeguards for privacy (see A/HRC/27/37, para. 30). Such practices make the operation of the surveillance regime unforeseeable for those affected by it and are therefore incompatible with article 17 of the Covenant.

__________________
32 In her report on privacy in the digital age the High Commissioner identified a number of such provisions: in the United States, the Foreign Intelligence Surveillance Act, sect.1881(a); in the United Kingdom, the Regulation of Investigatory Powers Act of 2000, sect.8(4); in New Zealand the Government Security Bureau Act of 2003 sect.15A; in Australia the Intelligence Services Act sect.9; and in Canada the National Defence Act, sect.273.64(1) (see A/HRC/27/37, para. 35, note 30).
33 European Parliament Directorate General for Internal Policies and Casper Bowden, “The US surveillance programmes and their impact on EU citizens’ fundamental rights”, 2013.
34 The Human Rights Committee has also emphasized the importance of “measures to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of individuals whose communications are under direct surveillance”, CCPR/C/USA/CO/4, para. 22 (a).

6. Safeguards and supervision

45. One of the core protections afforded by article 17 is that covert surveillance systems must be attended by adequate procedural safeguards to protect against abuse.29 These safeguards may take a variety of forms, but generally include independent prior authorization and/or subsequent independent review. Best practice requires the involvement of the executive, the legislature and the judiciary, as well as independent civilian oversight (see A/HRC/27/37). The absence of adequate safeguards can lead to a lack of accountability for arbitrary or unlawful intrusions on the right to Internet privacy (ibid.).

46. Where targeted surveillance programmes are in operation, many States make provision for prior judicial authorization. Judicial involvement that meets international standards is an important safeguard, although there is evidence that in some jurisdictions the degree and effectiveness of such scrutiny has been circumscribed by judicial deference to the executive (ibid., para. 38). In other States, such as the United Kingdom, warrants of interception directed at particular targets are granted by government ministers without prior judicial authority. This is said to be justified on the basis that ministers are democratically accountable to the electorate. The Executive’s use of these powers is then subject to review by an independent Interception of Communications Commissioner, and individuals can also bring complaints to a judicial body, the Investigatory Powers Tribunal, which has authority to consider classified information in closed proceedings.

47. In the context of targeted surveillance, whichever method of prior authorization is adopted (judicial or executive), there is at least an opportunity for ex ante review of the necessity and proportionality of a measure of intrusive surveillance by reference to the particular circumstances of the case and the individual or organization whose communications are to be intercepted.
Neither of these opportunities exists in the context of mass surveillance schemes since they do not depend on individual suspicion. Ex ante review is thus limited to authorizing the continuation of the scheme as a whole, rather than its application to a particular individual. The Special Rapporteur considers that those States using mass surveillance technology must establish strong independent oversight bodies that are adequately resourced and mandated to conduct ex ante review of the use of intrusive surveillance techniques against the requirements of legality, necessity and proportionality in article 17 of the Covenant (A/HRC/13/37, para. 62).

48. The other procedural dimension of article 17 is the requirement for ex post facto review of intrusive surveillance measures. Some States provide for an independent reviewer to monitor the operation of surveillance legislation by analysing the manner and extent of its use and the justification therefor. Such reviews should always incorporate an analysis of the compatibility of State practice with the requirements of the Covenant.

49. In addition to this type of general overview, States are under a specific obligation to provide a remedy to individuals whose Covenant rights have arguably been violated. Article 2, paragraph 3(b), of the Covenant requires States parties to ensure that any person claiming a remedy has an enforceable right to have his or her claim determined by a competent domestic judicial, administrative or legislative authority. In order to render this right effective, domestic law must provide an independent mechanism capable of conducting a thorough and impartial review, with access to all relevant material and attended by adequate due process guarantees, which has power to grant a binding remedy (including, where appropriate, an order for the cessation of surveillance or the destruction of the product) (see A/HRC/14/46; and A/HRC/27/37, para. 39).

50. In order to invoke the right to an effective remedy, it is generally necessary for an individual to establish that he or she has been the victim of a violation. In the context of secret surveillance measures, this requirement can be difficult or impossible to meet. Very few States have provisions in place requiring ex post notification of surveillance to the suspect. The European Court of Human Rights has, accordingly, relaxed the requirement for individuals to prove that they have been the subject of secret surveillance. It has drawn a distinction between complaints directed towards the existence of a regime that is alleged to fall short of the requirements of the European Convention on Human Rights, and complaints concerning specific instances of unlawful activity by the State. In the former situation, the Court has been prepared to examine the impugned provisions on their face,35 whereas in the latter situation, it has generally required applicants to show a “reasonable likelihood” that they have been the subject of unlawful surveillance.36 In the context of mass surveillance regimes, the Special Rapporteur considers that any Internet user should have standing to challenge the legality, necessity and proportionality of the measures at issue.

7. The necessity and proportionality of mass surveillance programmes

51. It is incumbent upon States to demonstrate that any interference with the right to privacy under article 17 of the Covenant is a necessary means to achieving a legitimate aim. This requires that there must be a rational connection between the means employed and the aim sought to be achieved. It also requires that the measure chosen be “the least intrusive instrument among those which might achieve the desired result” (see CCPR/C/21/Rev.1/Add.9; and A/HRC/13/37, para. 60).
The related principle of proportionality involves balancing the extent of the intrusion into Internet privacy rights against the specific benefit accruing to investigations undertaken by a public authority in the public interest. However, there are limits to the extent of permissible interference with a Covenant right. As the Human Rights Committee has emphasized, “in no case may the restrictions be applied or invoked in a manner that would impair the essence of a Covenant right”.37 In the context of covert surveillance, the Committee has therefore stressed that any decision to allow interference with communications must be taken by the authority designated by law “on a case-by-case basis”.38 The proportionality of any interference with the right to privacy should therefore be judged on the particular circumstances of the individual case.39

52. None of these principles sits comfortably with the use of mass surveillance technology by States. The technical ability to run vast data collection and analysis programmes undoubtedly offers an additional means by which to pursue counter-terrorism and law enforcement investigations. But an assessment of the proportionality of these programmes must also take account of the collateral damage to collective privacy rights.

__________________
35 Klass v. Germany (1979-80) 2 EHRR 214.
36 Halford v. United Kingdom (1997) 24 EHRR 523.
37 Human Rights Committee general comments Nos. 27 and 31.
38 Human Rights Committee general comment No. 16, para. 8.
39 Human Rights Committee general comment No. 16, para. 4, Van Hulst v. The Netherlands, Communication No. 903/1999, 2004, para. 7.3; Toonen v. Australia, Communication No. 488/1992, para. 8.3.
Mass data collection programmes appear to offend against the requirement that intelligence agencies must select the measure that is least intrusive on human rights (unless relevant States are in a position to demonstrate that nothing less than blanket access to all Internet-based communication is sufficient to protect against the threat of terrorism and other serious crime). Since there is no opportunity for an individualized proportionality assessment to be undertaken prior to these measures being employed, such programmes also appear to undermine the very essence of the right to privacy. They exclude altogether the “case-by-case” analysis that the Human Rights Committee has regarded as essential, and they may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime (see A/HRC/27/37, para. 25). The Special Rapporteur, accordingly, concludes that such programmes can be compatible with article 17 of the Covenant only if relevant States are in a position to justify as proportionate the systematic interference with the Internet privacy rights of a potentially unlimited number of innocent people in any part of the world.40

8. Mandatory retention legislation and the automated mining of communications data held by telecommunications and Internet service providers

53. Mass surveillance programmes are not confined to the interception of communications content. Digital communications generate large amounts of transactional data. These communications data (or metadata) include personal information on individuals, their location and online activities. Many States have adopted legislation compelling telecommunications and Internet service providers to collect and preserve communications data in order to make them available for subsequent analysis.
Such laws typically require service providers to furnish State authorities with Internet protocol allocations, enabling the user of a particular Internet protocol address at any given time to be identified. The capture of communications data has become an increasingly valuable surveillance technique for States. Communications data are easily stored and searched, and can be used to compile profiles of individuals that are just as privacy-sensitive as the content of communications (see A/HRC/27/37, para. 19). By combining and aggregating information derived from communications data, it is possible to identify an individual’s location, associations and activities (see A/HRC/23/40, para. 15). In the absence of special safeguards, there is virtually no secret dimension of a person’s private life that would withstand close metadata analysis.1 Automated data-mining thus has a particularly corrosive effect on privacy.

54. In many States, a wide range of public bodies have access to communications data, for a wide variety of purposes, often without judicial authorization or meaningful independent oversight. In the United Kingdom, for example, more than 200 agencies are authorized to seek communications data under the Regulation of Investigatory Powers Act of 2000,41 and there were 514,608 requests by public authorities for communications data in 2013 alone.42 Courts have for some time recognized that the release of metadata to a public authority constitutes an interference with the right to privacy, and the Court of Justice of the European Union recently held that the retention of metadata relating to a person’s private life and communications is, in itself, an interference with the right,43 (with the grant of access to retained metadata for the purpose of analysis constituting a further and distinct interference).44 In reaching this conclusion, the Court of Justice of the European Union emphasized that communications metadata may allow “very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained”.45

__________________
40 See A/HRC/27/37, para. 25, where the High Commissioner for Human Rights observed: “[I]t will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely whether the measure is necessary and proportionate.”
41 The list of agencies authorized to seek communications data includes tax authorities and local government agencies, and may be extended by delegated legislation (executive order).

55. Applying the approach adopted by the Court of Justice of the European Union, it follows that the collection and retention of communications data constitute an interference with the right to privacy, whether or not the data are subsequently accessed or analysed by a public authority. Neither the capture of communications data under mandatory data retention legislation, nor its subsequent disclosure to (and analysis by) State authorities, requires a prior suspicion directed at any particular individual or organization. The Special Rapporteur therefore shares the reservations expressed by the High Commissioner as to the necessity and proportionality of mandatory data retention laws (see A/HRC/27/37, para. 26).

9. Purpose specification

56. Many States lack “purpose specification” provisions restricting information gathered for one purpose from being used for other unrelated governmental objectives.
As a result, data that were ostensibly collected for national security purposes may be shared between intelligence agencies, law enforcement agencies and other State entities, including tax authorities, local councils and licensing bodies.46 National security and law enforcement agencies are typically excluded from provisions of data protection legislation that limit the sharing of personal data. As a result, it may be difficult for individuals to foresee when and by which State agency they might be subjected to surveillance. This “purpose creep” risks violating article 17 of the Covenant, not only because relevant laws lack foreseeability, but also because surveillance measures that may be necessary and proportionate for one legitimate aim may not be so for the purposes of another (ibid., para. 27). The Special Rapporteur therefore endorses the recommendation of his predecessor that States must be obliged to provide a legal basis for the reuse of personal information, in accordance with human rights principles (see A/HRC/13/37, paras. 50 and 66). This is particularly important where information is shared across borders or between States.

__________________
42 See www.intelligencecommissioners.com/.
43 Court of Justice of the European Union, Judgment in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, Judgment of 8 April 2014, para. 34.
44 Ibid., para. 35.
45 Ibid., paras. 26, 27 and 37.
46 For an analysis of the ways in which such purpose creep has occurred in the United Kingdom, see www.whatdotheyknow.com/request/127491/response/315758/attach/html/2/Summay%20of%20Counsels%20advice.pdf.html.

10. The private sector

57. States increasingly rely on the private sector to facilitate digital surveillance. This is not confined to the enactment of mandatory data retention legislation.
Corporates have also been directly complicit in operationalizing bulk access technology through the design of communications infrastructure that facilitates mass surveillance. Telecommunications and Internet service providers have been required to incorporate vulnerabilities into their technologies to ensure that they are wiretap-ready. The High Commissioner for Human Rights has characterized these practices as “a delegation of law enforcement and quasi-judicial responsibilities to Internet intermediaries under the guise of self-regulation and cooperation” (see A/HRC/27/37, para. 42). The Special Rapporteur concurs with this assessment. In order to ensure that they do not become complicit in human rights violations, service providers should ensure that their operations comply with the Guiding Principles on Business and Human Rights, endorsed by the Human Rights Council in 2011 (ibid., paras. 43-46).

IV. Conclusions and recommendations

58. States’ obligations under article 17 of the International Covenant on Civil and Political Rights include the obligation to respect the privacy and security of digital communications. This implies in principle that individuals have the right to share information and ideas with one another without interference by the State, secure in the knowledge that their communication will reach and be read by the intended recipients alone. Measures that interfere with this right must be authorized by domestic law that is accessible and precise and that conforms with the requirements of the Covenant. They must also pursue a legitimate aim and meet the tests of necessity and proportionality.

59. The prevention and suppression of terrorism is a public interest imperative of the highest importance and may in principle form the basis of an arguable justification for mass surveillance of the Internet.
However, the technical reach of the programmes currently in operation is so wide that they could be compatible with article 17 of the Covenant only if relevant States are in a position to justify as proportionate the systematic interference with the Internet privacy rights of a potentially unlimited number of innocent people located in any part of the world. Bulk access technology is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by article 17. In the absence of a formal derogation from States’ obligations under the Covenant, these programmes pose a direct and ongoing challenge to an established norm of international law.

60. The Special Rapporteur concurs with the High Commissioner for Human Rights that there is an urgent need for States using this technology to revise and update national legislation to ensure consistency with international human rights law. Not only is this a requirement of article 17, but it also provides an important opportunity for informed debate that can raise public awareness and enable individuals to make informed choices. Where the privacy rights of the entire digital community are at stake, nothing short of detailed and explicit primary legislation should suffice. Appropriate restrictions should be imposed on the use that can be made of captured data, requiring relevant public authorities to provide a legal basis for the reuse of personal information.

61. States should establish strong and independent oversight bodies that are adequately resourced and mandated to conduct ex ante review, considering applications for authorization not only against the requirements of domestic law, but also against the necessity and proportionality requirements of the Covenant. In addition, individuals should have the right to seek an effective remedy for any alleged violation of their online privacy rights.
This requires a means by which affected individuals can submit a complaint to an independent mechanism that is capable of conducting a thorough and impartial review, with access to all relevant material and attended by adequate due process guarantees. Accountability mechanisms can take a variety of forms, but must have the power to order a binding remedy. States should not impose standing requirements that undermine the right to an effective remedy.

62. The Special Rapporteur concurs with the High Commissioner for Human Rights that where States penetrate infrastructure located outside their territorial jurisdiction, they remain bound by their obligations under the Covenant. Moreover, article 26 of the Covenant prohibits discrimination on grounds of, inter alia, nationality and citizenship. The Special Rapporteur thus considers that States are legally obliged to afford the same privacy protection for nationals and non-nationals and for those within and outside their jurisdiction. Asymmetrical privacy protection regimes are a clear violation of the requirements of the Covenant.

63. The Special Rapporteur calls upon all States that currently operate mass digital surveillance technology to provide a detailed and evidence-based public justification for the systematic interference with the privacy rights of the online community by reference to the requirements of article 17 of the Covenant. States should be transparent about the nature and extent of their Internet penetration, its methodology and its justification, and should provide a detailed public account of the tangible benefits that accrue from its use.

64. The Special Rapporteur concurs with his predecessor (see A/HRC/13/37, para. 19) and with the former Special Rapporteur on the promotion and protection of the right to freedom of expression and opinion (see A/HRC/23/40, para.
98) that the Human Rights Committee should develop and adopt a new general comment on the right to online privacy, which would reflect developments in the surveillance of digital communications that have taken place since general comment 16 was adopted in 1988.