Regulatory framework and grays in a discussion that directly impacts our human rights.
On July 23, the Argentine Agency for Access to Public Information (AAIP), Control Authority of Law No. 25.326 on Protection of Personal Data, suggested to the Ministry of Security of the Nation the suspension of the application of the General Protocol for Police Crime Prevention with the use of Open Digital Sources (hereinafter, "the Protocol") until its adaptation to current regulations on the protection of personal data is reviewed again. More than two months have passed since that Note and it is still unknown if its implementation underwent any kind of revision.
The Protocol, approved at the end of May this year by the Resolution No. 144/2020 of the Ministry of National Security within the framework of the public emergency in health matters established by Law No. 27.541 et seq., in relation to the COVID-19 coronavirus, . establishes the "General principles, criteria and guidelines for crime prevention tasks carried out in cyber space by police forces and security forces dependent on the Ministry". The Protocol renews a pre-existing State policy and draws a discussion on the legality, proportionality and necessity of this type of state practices known in the jargon as Open Source Intelligence (OSINT) and Social Media Intelligence (SOCMINT).
The different methods of intelligence on open sources have been adapted as technology has evolved. Prior to the approval of the Protocol, there was a very similar document adopted by the former Minister of Security, Patricia Bullrich, which came to light only in April 2020, when Minister Frederic entrusted the security forces to seek any type of regulation that allows you to monitor information online in order to “measure social humor".
Although the AAIP suggested the suspension of the Protocol due to lack of adaptation to the personal data protection regulations (which is no small thing coming from a state body), the Protocol raises another discussion regarding the framing due to these activities: are they tasks crime prevention or intelligence tasks? Attentive to the impact of these practices on our fundamental rights, in particular the impact on the rights of freedom of expression and privacy, it is necessary that the legal nature of the activity is clearly established. In any case, the mechanism for supervision and control over these tools must be clearly stipulated, both in the administrative order and in the judicial order. Allowing -or, worse still, naturalizing- that state agencies collect, systematize, monitor, and use information published on the Internet without any type of accountability, simply by obtaining it from open sources, poses enormous risks to the exercise of human rights on the internet and for democracy.
Legal framework: intelligence disguised as surveillance?
Open Source Intelligence (OSINT) “es the practice that involves the use of a set of techniques and technologies that facilitate the collection of information that is publicly available, such as texts, images, videos, audios, and even geospatial data. Only at the moment that such information is found to have a utility or purpose, and is assigned to a specific action, does it then become intelligence itself ". (1)
The practices of OSINT and SOCMINT have existed for decades and the debates around their legality are more current than ever. Earlier this year, following the scandal unleashed by reports of illegal wiretapping of magistrates, politicians and journalists in Colombia, the IACHR and its Special Rapporteur for Freedom of Expression, Edison Lanza, they manifested that "The use of any surveillance program or system in private communications must be clearly and precisely established in the law, be truly exceptional, and be limited according to what is strictly necessary for the fulfillment of imperative purposes such as the investigation of serious crimes defined in the legislation, and have prior judicial control. The surveillance of communications and interference with privacy that exceed what is stipulated in the law, that are oriented to purposes other than those authorized by it or those that are carried out clandestinely should be drastically sanctioned.s ". In other statement in the same sense, they reiterated thate “The IACHR has established that massive communications surveillance may in no case be considered proportional. In the same vein, the systematized collection of public data - voluntarily exposed by the owner of said data, such as blog posts, social networks, or any other intervention in the public domain - also constitutes interference in people's private lives. The fact that the person leaves public traces of their activities - inevitably on the Internet - does not enable the State to systematically collect them except in specific circumstances where such interference is justified ”.
In Argentine regulations, intelligence is allowed under specific authorizations and limits, in accordance with the provisions of the National Intelligence Law 25.520, Decree 1311/15 et seq., The Internal Security Law and the National Criminal Procedure Code. Law 25.520 understands National Intelligence as “the activity consisting of obtaining, gathering, systematizing and analyzing the specific information referred to the facts, risks and conflicts that affect the National Defense and the internal security of the Nation"(2) , and for criminal intelligence to “The part of the Intelligence referring to specific criminal activities that, due to their nature, magnitude, foreseeable consequences, dangerousness or modalities, affect the freedom, life, patrimony of the inhabitants, their rights and guarantees and the institutions of the representative system , republican and federal that establishes the National Constitutionl"(3), and states that "No intelligence agency may: 1. Perform repressive tasks, possess compulsive powers, or carry out police or criminal investigation functions". (4)
Intelligence Law 25.520 does not expressly prohibit the possibility of intelligence being carried out on publicly accessible sources. In fact, Decree 1311/15 that approves the "New National Intelligence Doctrine" defines intelligence information as "athat includes observations and measurements obtained or collected from public sources or reserved, referring to relevant events or problems in the field of national defense or internal security, or that have an impact on these spheres, and whose collection, systematization and analysis allows to prepare a situation table of all the problems at the level strategic or tactical level”(The underlining is proper).
Without prejudice to the intelligence norm and the definitions that the law itself brings us, the Cyber Patrol Protocol highlights that the tasks of police crime prevention in open digital sources are not tasks of criminal intelligence, but tasks inherent to the functions of security forces. This is where the confusion begins: what is the difference between intelligence tasks and crime prevention tasks (understood as surveillance)?
The difference between surveillance and intelligence is confusing and, unfortunately, the Argentine legal framework does not provide sufficient clarity. Although it can be argued that surveillance or patrolling seems to be an inherent faculty of the duties of the police and security forces, intelligence activities, as we mentioned at the beginning, require specific authorizations and have limits for their application in relation to specific crimes. , in accordance with the provisions of the National Intelligence Law 25.520.
Carolina Botero, Director of the Karisma Foundation of Colombia, stands out in this article that although OSINT "is a legitimate and useful activity for anyone”, The problem is when its use ceases to be monitoring and becomes surveillance or harassment or stalking of a person. On this, he concludes that the more individualized the monitoring of open sources, the further it moves away from monitoring and the more it becomes surveillance, this being a "Regulated activity, which requires controls and cannot be done for reasons of race, religion or political preferences". That said, it seems to identify the anonymization or depersonalization of information as one of the distinguishing elements between the different practices. This is a relevant point in the discussion since there are those who consider that, on the contrary, indiscriminate monitoring can be framed within intelligence tasks.
About the crimes that are monitored:
On the other hand, the Protocol establishes an alarming number of crimes that are the object of prevention tasks (which, by the way, some of them do not seem to be directly related to the health emergency caused by the pandemic). Extensive monitoring is encouraged, which in addition to going against the principles of personal data protection established in Law 25.326, clashes with the specificity requirements mentioned in the national intelligence regulations. Any indiscriminate collection of information in order to, a posteriori, analyze whether or not it constitutes an offense, goes against the nature of said rule. In this regard, CELS maintained that “A minimum degree of substantive suspicion is required regarding the existence of a certain criminal phenomenon (hence the term "specific"), with a certain spatial, temporal and / or personal delimitation, and in relation to the probability of finding relevant data in the open source in question”. Intelligence activities cannot be used as a blank check when gathering information through public sources, then analyzing it thoroughly and ruling out any criminal activity.
Consequences on freedom of expression:
There are several studies that demonstrate the “silencing” impact that OSINT and SOCMINT practices have on discourse: people tend to shut up if they know they are being watched, especially when posting content on social media. In words by Karen Gullo, an analyst at the Electronic Frontier Foundation, “What happens is that people start to self-monitor their communications: they are more likely to avoid associating with certain groups or individuals, or looking at websites or articles, when they believe that the government is monitoring them or the groups or individuals. with whom they connect. This harms our democracy and society as a whole”(The translation is own).
From CELE we analyze the Protocol from a critical perspective in relation to the impact that this type of procedure can have on human rights, fundamentally on the right to freedom of expression. We are concerned about the lack of clear regulations to frame this type of activities within the Ministry of Security and the lack of clarity regarding the supervision of these tasks. In turn, there is concern about the lack of transparency regarding the systems used, the means to carry out these tasks and the security of the data collected. Finally, there is also concern about the lack of proportionality with which the security forces are acting in the investigation and detention of some people as a result of what they comment on social networks, and the forced use of criminal offenses such as threats (Article 149 bis CPN) or public intimidation (article 211 CPN), which were not intended for this purpose. It is enough to know the cases of kevin war and the raids "against agitators in the networks". These are some of the cases that we know of as they became “famous”, but we do not know how many more there are, prosecuted, that have gone unnoticed.
In order to resolve some of these unknown issues, at the beginning of September we made a request for access to public information with the Ministry of Security in order to answer, among others, the following questions (5):
- Has the application of the Protocol been suspended as a result of the Note from the Access to Public Information Agency?
- Out of the total police crime prevention tasks in cyberspace, what percentage is carried out in an automated way, without the intervention of security agents reviewing the content displayed?
- How many cases arising from police crime prevention tasks in cyberspace were prosecuted? Indicate how many crimes were found through monitoring, corresponding to each of the crimes mentioned in Article 3 of the Protocol, since the Protocol entered into force.
- What security measures are implemented on the databases that house the information obtained as a result of police crime prevention tasks in cyber space?
On September 25, the bimonthly meeting of the Consultative Board was held, the purpose of which is to evaluate the observance of the Protocol, in accordance with Article 3 of Resolution 144/20 of the mentioned body. The meeting was attended by representatives of Civil Society organizations, including Beatríz Busaniche from the Fundación Vía Libre, who shared in her “Weekly summary of News and updates " the most relevant points of the meeting. At least one of the questions we asked in our request for information was answered at the meeting: the authorities confirmed that they did not acquire any device or system to carry out the tasks prevention referred to in the Protocol.
However, the Ministry's responses leave serious unknowns. Among the points to be highlighted, it is alarming that prevention tasks are carried out "by hand", as indicated by the authorities at the meeting. What does this mean? How are these tasks carried out on a day-to-day basis? How to anonymize content by being "manual" monitoring?
The impact of intelligence on social networks on our fundamental rights becomes more relevant in the current pandemic situation where, increasingly, our lives are developed through an electronic device. As a society, we need to demand accountability and speak out -as numerous organizations have done- to warn about the dangers of these practices and to ensure that our human rights are respected. We hope that, in response to our request for access to information, the Ministry will clarify the concerns that concern us.
- “Followers we don't see. A first approach to the state use of Open-source Intelligence (OSINT) and Social media intelligence (SOCMINT) ”, Asociación por los Derechos Civiles (ADC), 2018, available for download here.
- Article 2.1 of Law 25.520
- Article 2.3 of Law 25.520
- Article 4 of Law 25.520
- The access request was submitted on September 8, 2020 and as of the date of this publication, we have not yet received a response. Make click here. to download the complete information request.
By Morena Schatzky (@morschatzky) and Agustina Del Campo (@gustinadelcamp)
Photo Credit: @matthewhenry