By Katitza Rodriguez, Eff/TodayColombia – It seems like only yesterday that the Colombian government misused United States’ aid to spy on political opponents and human rights activists. Back in 2009, the “Las Chuzadas” scandal surrounding former Colombian President Alvaro Uribe landed former head of the intelligence agency Jorge Noguera in jail for 25 years for targeting political activists and collaborating with paramilitary death squads. This, and other various surveillance scandals, ultimately led to the dissolution of the Colombian intelligence agency.
On August 15, the Colombian Ministry of Justice and Technology issued Decree 1704 to compel Telecommunication Service Providers–including Internet service providers (ISPs)–to create backdoors that would make it easier for law enforcement to spy on Colombians.
The Decree claimed that the backdoor mandates provides “a public security mechanism” that seeks “to optimize” the investigation of crimes. However, mandatory back doors pose serious security risks. These security risks can be exploited by criminals as was the case in Greece, where unknown crackers broke into a Greek telephone network and subverted its built-in wiretapping features to intercept the communications of high-ranking Greek government officials, including the Prime Minister.
It’s important to remember that backdoor mandates do not regulate whether a prosecutor can intercept communications from new technologies at all, but only whether they can tap them instantaneously through specially-designed wiretap-friendly networks, and, whether such wiretapping can be done independently of which programs or protocols are being used to communicate. An existing amendment to the Colombian Constitution already permits Colombian prosecutors to place Internet users under surveillance without a court warrant subject only to a later judicial review.
A backdoor obligation to “surveillance by design” also impedes innovation by constraining the number of options available to those who are developing Internet and mobile services. The costs of such an endeavour are not trivial, and it isn’t clear who will bear the cost of the upgrades. While major ISPs may be able to bear such additional costs, smaller ISPs will be exposed to disproportionately high costs without any clear benefit. Perhaps most troubling is the open-ended technical neutrality of this “surveillance by design” mandate: it is not clear precisely what surveillance capacity, or what type of equipment, will be imposed upon service providers, as surveillance technologies are constantly evolving.
This Decree also forces ISPs and telecom providers in Colombia to continuously collect and store records for five years documenting the online location and subscriber information of millions of ordinary users in Colombia. This mandate will expand Colombia’s ability to surveil its citizens, ultimately damaging individual privacy, anonymity, and free expression. Most ISPs and telcos in Colombia currently give subscribers a dynamic IP address that changes periodically, but this mandatory data retention obligation will force Colombian ISPs and telecom providers to keep records of all of their IP address allocations to allow law enforcement to more easily identify a particular individual. This data will be available to the prosecutor or “any competent authority”.
EFF is alarmed at the path Colombia is taking. The Colombian government has failed to develop surveillance frameworks consistent with international human rights standards and consistently displayed its contempt for the communication privacy rights of its citizens. Such a policy, particularly in light of innovations in surveillance techniques, jeopardizes the freedoms of all law-abiding Colombians. EFF, together with other international watchdogs, are demanding that governments around the world establish stronger protections as required by their constitutions and human rights obligations.