As we all race to better understand encryption technologies so that we can communicate safely between ourselves and our partners, we don’t often stop to fully understand the restrictions that some countries are placing on these technologies. We often fail to question the implications of these restrictions – from criminalising communications, to the quieting effect such legislation can have on civil society.
Understanding these restrictions (and the often discriminatory policies behind them) will help us communicate safely without further endangering ourselves or our colleagues. It also builds a larger community of people who are comfortable and competent in questioning the underlying international legality of these laws.
The recent report by the World Wide Web Foundation, in partnership with the Centre for Internet and Human Rights at European University Viadrina, Oficina Antivigilância at the Institute for Technology and Society Rio in Brazil, and Derechos Digitales in Latin America, helpfully looks what kind of regulations restrict encryption and anonymity in Latin America – and how much human rights organizations know about them.
From Renata Avila’s Medium post about the report:
In contexts in which dissenting voices or even just informational outlets are threatened, with widespread self-censorship, independent and anonymous voices are the only ones reporting about sensitive issues. For them, the ability to communicate their ideas anonymously is a matter of life and death.
Currently, the most visible example is Mexico, but there are other communities with human rights defenders denouncing corruption and exposing both corporate and governmental corrupt practices while using aliases to report.
However, the problem they face is again related to a knowledge gap: few are aware that, even if they do not publish their real name online, the technologies leave them exposed. From IP identification to real-time tracking using GPS, people who think they are anonymous ignore that the sensors embedded in new technologies make them more vulnerable and identifiable.
The full report is here – but here’s a quick summary below:
- From human rights organisations to the business sector, there is little to non-existent knowledge on how policies such as SIM registration harm privacy and pose a threat to freedom of expression.
- The academic and policy research in this area is limited and highly centred on Europe and North America. There is little systematic research on both regulations and restrictions to encryption in Latin America, the Middle East, Asia and Africa.
- All country cases show a pattern towards restriction of anonymity and weaker safeguards for the right to communicate in private, especially for mobile users. Furthermore, the telephone databases are shared across borders and data localization is becoming a widely used tool to persecute transnational crime.
And here are some of the key points from the individual country reports.
Mass surveillance was institutionalized at the national level through a 2011 executive decree that ordered the creation of the Federal System of Biometric Identification (SIBIOS), a centralized, nation-wide ID service that enables law enforcement to “cross-reference” information with biometric and other data that was originally collected for the national ID registry.
In practice, any expectation of anonymity or of complete exemption of Internet service providers in Brazil gets significantly watered down by with the mandatory data retention provision established in article 15 of Marco Civil…it is impossible to use a SIM card, even if pre-paid, without registering.
In Chile, there have been some drastic cases where privacy and (pseudo) anonymity on social media platforms have been violated by law enforcement agencies….A draft bill alleged to prevent terrorist attacks and activities of criminal organizations has been proposed seeking to compel users to register every SIM card under natural or legal entity identity card or tax number and nationality…data would be protected according to data protection law, which enables these kinds of data to be handed over to the police and the Public Prosecutor for research purposes without requiring a warrant.
Since 2011 there is a mandatory requirement for registering mobile devices in order to provide a white list of registered devices and a blacklist of stolen devices. Users must provide: name, address, contact number and ID number…There are two branches of military intelligence: (1) one specialized in the interception of telephone communications, and (2) another devoted to the interception of digital communications.
Citizens need a permit from the Ministry of interior in order to protect their communications using cryptography.
The new Communications Law, enacted in 201355, holds publishers liable for their comment sections, users have to register under a real name policy….Ecuador has mandatory registration of cellphones under penalty of suspension.65 Users must provide full name, address, ID number…
Mexico also approved the Geolocalization Law in 2014, expanding police authority for the purposes of countering drug and gang related violence and weakened privacy safeguards. The reform gives unprecedented mandate to Mexican public authorities and law enforcement bodies to access real time geo-location data from mobile phone companies…
Since 2010, all SIM cards are associated with the National ID Card. People have to submit their original document and the telecommunications provider must record the full name (or company name) and the number and type of legal identification of the subscriber. These data are…shared with State authorities.
In the online environment, due to Ley Resorte, anonymous content is also prohibited and shall be removed or blocked by ISPs. Even the use of pseudonymous have been considered illegal in some cases, leading to prosecution.