Wednesday, 23 September 2015 00:10
By Prabhath Sirisena
http://vesess.com: If you are being investigated for a “computer crime” in Sri Lanka, a police officer can—without a warrant, at his discretion—seize your computer data and intercept and collect your communications (“wiretap”). There is no specific authority to authorise or oversee such wiretaps beyond the investigating police officer.
To initiate a wiretap, the police officer only has to present a letter to the telecom service provider, stating that the investigation is urgent or evidence might be lost. The service provider is then obliged to hand over data and access. What’s more, the provider is not allowed to reveal any information about the existence of such wiretaps to anyone.
If the investigation is deemed sufficiently “confidential”, the law enforcement authorities might be able to directly initiate wiretaps, without the cooperation of service providers and without any judicial oversight. Information on this, however, is not easily forthcoming.
While such technical details about wiretaps might be murky, the law itself is quite clear: all of this appears in the Computer Crime Act, No. 24 of 2007 (PDF). Passed into law in May 2007 and effective since 15 July 2008, it is supposed to provide for the identification of computer crimes, and provide a procedure for the investigation and prevention of such crimes.
This is also the legislation that paved the way for Sri Lanka to be a fully-fledged member of the Budapest Convention on Cybercrime earlier this month, an event uncritically hailed in the media as a great achievement.
The Budapest Convention
The Budapest Convention on Cybercrime is the first international treaty seeking to address internet and computer crime by harmonising national laws, improving investigative techniques, and increasing cooperation among nations.
Drawn up by the Council of Europe, it was opened for signature in Budapest on 23 November 2001 and entered into force on 1 July 2004. So far 47 states including Sri Lanka have ratified the convention, and a further seven states have signed the convention but not ratified it.
The following offences are defined by the Convention: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography, and offences related to copyright and neighbouring rights.
The Convention then sets out procedural law issues such as expedited preservation of stored data, expedited preservation and partial disclosure of traffic data, search and seizure of computer data, real-time collection of traffic data, and interception of content data (i.e. wiretaps).
Despite its purportedly lofty goals and meticulously planned recommendations, the Budapest Convention is considered by the Electronic Frontier Foundation to be one of the world’s worst Internet law treaties. A fundamental flaw of the treaty is its failure to specify a proper level of privacy protection necessary to limit the over-broad surveillance powers it grants law enforcement agencies.
While the Budapest Convention might be kept in check in Council of Europe member states where there are substantial and actionable constitutional protections for human rights, it can lead to serious abuse in countries like Sri Lanka where the common law does not recognise any right to the protection of personal information.
Government surveillance in Sri Lanka
Just three years ago, the current Foreign Minister—then Member of Parliament—Mangala Samaraweera accused the previous Mahinda Rajapaksa government of using equipment imported from China to tap people’s telephones and intercept personal e-mails.
He charged that the Defence Ministry along with the Telecommunications Regulatory Commission, both of which were under the office of the President, were engaged in monitoring mobile phones of over 687 persons on a regular basis. Among these were 54 members of the then–governing party, including senior Ministers of the Cabinet and three Chief Ministers, members of the clergy, leading business personnel, several newspaper editors and many journalists.
Neither Samaraweera nor the United National Party to which he belongs has changed their narrative on this matter. In fact, these allegations have only been confirmed by none other than the current President of Sri Lanka himself.
President Maithripala Sirisena’s special statement to the Nation on 23 April 2015 included the following:
You are fully aware of the conditions under which you brought me to this office. I recall that prior to January 8 if I spoke to one of our own Provincial Council members by telephone they would shout and ask me not to speak because the telephones were tapped. The government officers did not speak freely on the telephone. Ordinary people in the country would not speak freely. Members of the armed forces, the lower ranks of the police could also not speak freely on the telephone. None of them had the freedom to speak freely by telephone. In the past 3 months, this freedom has been restored and strengthened.
More recently, speaking to The Hindu, former Sri Lankan President Chandrika Kumaratunga—a key architect of President Sirisena’s ascension to power—revealed that they used Viber to counteract wiretaps. When asked whether there was any truth to the story that India provided communication devices—DRDO–made satellite phones—she replied:
No . . . completely false. We were using Viber. And the government didn’t know how to tap Viber. Apparently it is difficult for any intelligence agency anywhere to tap into Viber, although some can identify out who is calling whom. But Sri Lanka didn’t have that technology, otherwise we would have all been dead.
According to Dialog Axiata Group CEO Dr. Hans Wijesuriya, there were no general phone surveillance programmes in Sri Lanka during the Rajapaksa government, but the telecom service providers “ha[d] to be compliant” with specific requests from the government. What this probably means is that while bulk interception and collection of the general public’s data was not happening, telecom service providers had to support wiretapping of specific individuals.
The political environment in Sri Lanka has seen some significant changes in the past few months, but the law remains the same. The telcos are still obliged to “be compliant” with interception requests and remain silent about it.
It is in this context of poor legal protection for people’s privacy and the government’s tendency to engage in rampant, politically motivated wiretapping that we should review the Budapest Convention and Sri Lanka’s Computer Crimes Act.
Wiretapping post-Snowden
Warrantless wiretaps became a major issue of public debate around the world after Edward Snowden’s revelations of numerous global surveillance programs, many run by the National Security Agency (NSA) of the US and the Five Eyes (an intelligence alliance comprising Australia, Canada, New Zealand, the UK and the USA) with the cooperation of telecommunication companies and European governments.
Summarising the Snowden leaks, Barton Gellman, a Pulitzer Prize–winning journalist who led The Washington Post’s coverage of the issue, states:
Taken together, the revelations have brought to light a global surveillance system that cast off many of its historical restraints after the attacks of Sept. 11, 2001.
The cascading effects have made themselves felt in Congress, the courts, popular culture, Silicon Valley and world capitals. The basic structure of the Internet itself is now in question, as Brazil and members of the European Union consider measures to keep their data away from US territory and US technology giants including Google, Microsoft and Yahoo take extraordinary steps to block the collection of data by their government.
One very relevant fact for this discussion that stands out in the Snowden revelations is how the NSA often teamed up with its British counterpart, Government Communications Headquarters (GCHQ), to overcome legal obstacles in the US.
For example, when the NSA could not use its legally sanctioned programmes—even if they involved the highly controversial Foreign Intelligence Surveillance Court (FISC)—for collection of virtually all data from Google, Yahoo, Microsoft, Apple and five other US-based companies, it got GCHQ’s support to break into the private fibre-optic links that connected Google and Yahoo data centres around the world.
GCHQ is notorious for its Tempora programme which taps the fibre-optic cables that make up the backbone of the Internet to gain access to large amounts of internet users’ personal data, without any individual suspicion or targeting. With a budget of more than £1 billion, the system is capable of vacuuming signals from up to 200 fibre-optic cables at all physical points of entry into Great Britain.
Continued unhindered operation of these programmes is possible because privacy and data protection policies in the UK are weaker than those in the US. It is the British lackadaisical approach to data interception that echoes throughout the Budapest Convention, and reverberates in our own Computer Crime Act.
Wiretapping in the UK
The Regulation of Investigatory Powers Act 2000 (RIPA) is the UK legislation regulating the powers of public bodies to carry out surveillance and investigation, and covering the interception of communications.
According to RIPA, warrants for wiretaps are issued by the Home Secretary, a cabinet minister. Judges have nothing to do with it. There is an Interception of Communications Commissioner, but it is a role with limited authority: the Commissioner can only retrospectively review the arrangements and warrants for wiretaps. The UK is alone among the so-called Five Eyes powers in not having a judicial process for signing off interception warrants.
RIPA has some major problems. One lies in giving the sole authority of issuing interception warrants to an elected official in the executive rather than the judiciary branch of government. Another is the vague grounds on which interceptions are allowed, making it possible for that official to issue warrants in just about any circumstances. Finally, the strange loophole specifying that a warrant is not required to intercept communications if one party to the communication consents to the interception is a serious problem with RIPA.
Dr. Gus Hosein, Executive Director of Privacy International, calculates that, given the number of wiretaps in the UK, the home secretary approves a new wiretap every few seconds. It is humanly impossible for one person to issue so many warrants on a daily basis with proper judgement, especially when her job functions extend well beyond the scope of issuing interception warrants. Thus, it is hardly surprising that this system easily leads to abuse.
For example, it was revealed that RIPA had been used by UK police forces to obtain information about journalists’ sources in inquiries related to two prominent politicians, Chris Huhne and Andrew Mitchell. In both cases, journalists’ telephone records were obtained using the powers of the act in order to identify their sources, bypassing the usual court proceedings needed to obtain such information.
In October 2014 Justice Minister Simon Hughes claimed that the police’s use of RIPA’s powers had been “entirely inappropriate” and in the future the authorisation of a judge would be needed for police forces to be given approval to access journalists’ phone records in pursuit of a criminal investigation. No such changes have materialised so far.
Trivialising surveillance
It is worth noting that RIPA came into force more than a year before the 9/11 attacks. It is thus not some reactionary piece of legislation but a clear representation of the UK government’s attitude towards data interception. This intrusive attitude has spilled over to the Budapest Convention which it architected.
Even so, the Budapest Convention still leaves an opening for each signatory state to decide how to implement its recommendations. At no point does it ask for warrantless search and seizure of computer data or warrantless wiretapping.
The refrain goes: “each Party shall adopt such legislative and other measures as may be necessary to ensure” expedited preservation of stored computer data (Article 16), expedited preservation and partial disclosure of traffic data (Article 17), production order (Article 18), search and seizure of stored computer data (Article 19), real-time collection of traffic data (Article 20), and interception of content data (Article 21).
The foundations might be the UK’s, but the warrantless part is all ours. It is the Sri Lankan lawmakers who have decided that the “legislative and other measures as may be necessary to ensure” these things require disregarding the judiciary.
Computer Crime Act
Section 18 of Sri Lanka’s Computer Crime Act, rather misleadingly labelled “Powers of search and seizure with warrants,” reads as follows:
18. (1) An expert or a police officer may, for the purposes of an investigation under this Act under the authority of a warrant issued in that behalf by a Magistrate on application made for such purpose,—
(i) obtain any information including subscriber information and traffic data in the possession of any service provider;
(ii) intercept any wire or electronic communication including subscriber information and traffic data, at any stage of such communication.
(2) Notwithstanding the provisions of subsection (1), an expert or a police officer may without a warrant exercise all or any of the powers referred to in that subsection, if—
(a) the investigation needs to be conducted urgently; and
(b) there is a likelihood of the evidence being lost, destroyed, modified or rendered inaccessible; and
(c) there is a need to maintain confidentiality regarding the investigation.
The second subsection opens a can of worms.
It is hard to imagine an investigation that fails to fulfil the requirements that allow bypassing of a warrant. Most investigations—and not just those pertaining to computer crimes—are urgent, there is often a likelihood of evidence being lost, and investigations often have to be confidential. They might as well have dropped the first subsection altogether.
In fact, this is how Section 18 works in practice. Searching, seizing and wiretapping without warrants is the norm in computer crime investigations in Sri Lanka. Both the law enforcement authorities and the “experts” (defined in Section 17 as public officers “having the required qualification and experience in electronic engineering or software technology to assist any police officer in the investigation of an offence under this Act”) seem to have very little regard for the serious privacy concerns Section 18 raises.
And unlike the UK’s RIPA (a problematic piece of legislation in its own right, as discussed above), under the right conditions—which are not difficult to achieve at all—there is absolutely zero judicial or executive oversight for such warrantless searches, seizures and wiretaps in Sri Lanka. There is no process to review wiretaps, and no obligation for government authorities to reveal information about them to the public.
Under Section 24(2) of the Computer Crime Act, the service providers are gagged indefinitely. It states:
Every service provider from whom any information has been requested or obtained and any person to whom a written notice has been issued for the preservation of any information shall maintain strict confidentiality in relation to such information and the fact that such information has been requested, obtained or required to be preserved, and shall not make any disclosure in regard to such matters other than with lawful authority.
This does not leave any room for service providers to have any level of transparency about wiretapping their customers, even if no specific details are shared with the public.
All these are symptoms of unrestrained bureaucratic thinking. The Act espouses a process entirely dominated by one viewpoint—criminal enforcement. In its overzealous attempt to combat crime, the system has no qualms about overstepping the boundaries of a modern democratic society.
UK reforms
After the 2010 general election in the UK, the Conservatives and Liberal Democrats formed a coalition government whose agreed programme initially promised “a Freedom or Great Repeal Bill”. This was referred to in the ensuing Queen’s Speech, where Her Majesty said that “legislation will be brought forward to restore freedoms and civil liberties through the abolition of identity cards and repeal of unnecessary laws.”
The purpose of the bill was to “roll back the State, reducing the weight of government imposition on citizens that has increased in recent years through legislation and centralised programmes.”
On 1 May 2012 the Protection of Freedoms bill completed its passage through the UK Parliament and received Royal Assent. Under this new legislation, public bodies, including councils, need to justify their need to use RIPA powers before a magistrate’s court.
However, wiretap warrants are still being issued by the Home Secretary, without involving a judge’s opinion. This too has come under scrutiny in recent times.
A long-awaited independent review of UK government surveillance capabilities was published by David Anderson QC in June 2015. Anderson said the current legislation was “undemocratic, unnecessary and—in the long run—intolerable” and called for a new, comprehensive, comprehensible bill covering surveillance.
While Anderson’s review generally supports UK intelligence agencies having mass surveillance capabilities, Anderson stresses these powers should be “subject to strict additional safeguards”. A key recommendation in this wide-ranging report is having judges, rather than the Home Secretary, sign off wiretap warrants. It recommends establishing a new body, called the Independent Surveillance and Intelligence Commission (ISIC), to judicially authorise all interception warrants.
On 25 June, the UK parliament debated issues around the forthcoming new Investigatory Powers Bill which is supposed to take the Anderson recommendations into consideration. “On these recommendations the government has not yet reached a decision,” said Home Secretary Theresa May in a speech opening the debate, “but they are important matters, and we must look carefully at this.”
It remains to be seen to what extent the UK will be able to “roll back the state.” However, in these proceedings we see a clear template for fixing our own Computer Crime Act. If we could follow the British when creating it, surely we can learn a few lessons from them about reforming it.
Reforming the Computer Crime Act
The rationale behind warrantless wiretaps is a need to act fast. The nature of computer crimes does require law enforcement authorities to be swift in their operations. Sri Lanka’s response to this requirement implies that our judiciary is simply incapable of acting fast enough. We seem to believe that individual police officers have better judgement in these matters.
I believe we should have more faith in our judicial systems. In the seven years the Computer Crime Act has been in operation, we could have easily set up an institution like the proposed Independent Surveillance and Intelligence Commission in the UK, if our regular courts cannot issue wiretap warrants fast enough.
Such an institution, however, should not be a secret court like FISC in the US. It must be as transparent as our regular courts, and there must be some mechanism to inform the public about government wiretaps, like that of the Interception of Communications Commissioner in the UK.
In his paper ‘The Right to Privacy in the Information Era: A South Asian Perspective,’ Althaf Marsoof notes that Sri Lanka’s constitution does not have a provision such as Article 21 of the Indian constitution which, although it does not provide an express right of privacy, provides for the protection of ‘personal liberty’ from which courts have been able to infer a right of privacy.
According to Marsoof, the Sri Lankan legal regime also does not provide for the legal recognition of the right to privacy in any general sense, except in some limited situations which are not far reaching enough to cover modern trends in technology. Marsoof is only able to identify a few scattered instances of protection of household privacy, but considers that there is some possibility of a more general civil action for privacy developing under Roman-Dutch law.
Thus, a wider discussion needs to happen about introducing specific legislation that protects individual privacy and collection of personal information in Sri Lanka. ICTA is apparently working on a Data Protection Act, and much has been said about a Right to Information Act as well. Hopefully these will become important safeguards to reduce the weight of government imposition on citizens.
Following these principles, we also need to bring more balance to our Computer Crime Act. A good first step in that process would be reining in those warrantless wiretaps.
(The writer is the Co-founder of Vesess Inc., a digital design and online strategy consultancy firm based in the US and Sri Lanka.)