Between 15th-19th of September, in the week leading up the first year anniversary of the 13 Necessary and Proportionate Principles, EFF and the coalition behind the Principles will be conducting a Week of Action explaining some of the key guiding principles for surveillance law reform. Every day, we'll take on a different part of the principles, exploring what’s at stake and what we need to do to bring intelligence agencies and the police back under the rule of law. You can read the complete set of posts at: https://necessaryandproportionate.org/anniversary. The Principles were first launched at the 24th Session of the United Nations Human Rights Council in Geneva on 20 September 2013.

Let's send a message to Member States at the United Nations and wherever else folks are tackling surveillance law reform: surveillance law can no longer ignore our human rights. Follow our discussion on twitter with the hashtag: #privacyisaright

Location Privacy is a Human Right

Most of us, most of the time, expect our location to remain private. By its very nature, our location is unique and uniquely revealing. Knowledge of where a person is and has been can reveal affiliations and habits, customs and patterns, religious affiliations, politics and preferences. While social media allows people to voluntarily share their location information with others, no one reveals all their location information all the time to others – especially not to the government.

But location privacy is one area where states have increasingly intruded. Technological developments have enabled governments to keep tabs on where a person has been in the past and where they are at any given moment. Our laws, however, have struggled to keep track with this new power. The 13 Principles makes clear that communications surveillance – including information that allows for the monitoring of a person’s location – must be conducted consistently with human rights principles. The US serves as a compelling case study on how we might apply the 13 Principles to location surveillance technologies. A look at existing law and practices shows that the US, like many other countries, has a lot of work to do to ensure its standards respect international human rights.

Disproportionate Cell Phone Tracking

One of the most important Principles is “ proportionality ,” the idea that communications surveillance is a highly intrusive act that should not be undertaken lightly. While there are obviously situations where a state will need to engage in surveillance to solve crime and protect national security, such surveillance should only be undertaken after a judicial official has considered the request and found a high probability the surveillance will lead to evidence of criminal activity, while also imposing limits on the surveillance so government monitoring does not become open-ended.

Courts and legislatures in the US are grappling with this “proportionality” principle as they determine whether police are required to obtain a search warrant in order to collect historical cell site information from a cell phone provider. Cell phone providers keep a record of which specific cell phone towers individual users connect to. The government has been keen to get their hands on this information to tie criminal suspects to a specific crime scene or to locate suspects. But this location information is also incredibly revealing, capable of disclosing a person’s patterns of movement and their associations. Thus, under the 13 Principles, the only way for the government to satisfy the proportionality principle would be to obtain a search warrant by a judge, granted with clear limitations on how much information the government could obtain.

Both state and federal governments have argued they do not need a warrant since the phone companies store the records and users have no right of privacy in information they disclose to others. As the Principles note, this is an archaic distinction: what is important for human rights is that the law protects sensitive electronic information regardless of who is holding it. Individual US courts and state legislatures have increasingly recognized this and have begun to require police use a search warrant to obtain this location information. This is a step in the right direction. Hopefully a warrant requirement will become the nationwide trend in the US, with other states imposing the same requirement.

Stingrays: Exploiting the Integrity of Communication Systems

Because people around the world increasingly rely on electronic means to communicate with others, it is crucial that private actors or the state not compromise the integrity of communications architecture, such as hardware, software and the technology systems delivering messages around the world. The Principles command states not to compel service providers or communication vendors to build surveillance or monitoring capability into their systems and for vendors to take steps to ensure their systems are secure. Otherwise, malicious actors and the state itself can take advantage of vulnerabilities to engage in mass surveillance.

That is precisely what has happened in the US when it comes to cellular network vulnerabilities that enable law enforcement to operate “Stingrays.” A portable electronic device small enough to fit in a car, Stingray is the brand name of a device known as an IMSI catcher, which effectively works as a fake cell phone tower. IMSI catchers masquerade as powerful cell towers, encouraging phones near the device to connect to them instead of a normal cell service and allowing the government to identify and locate specific cell phones. The devices can be used to locate suspects within an apartment complex or identify individuals near political protests and warn them to disperse. By their nature, they collect data about all the other phones nearby the target phone, providing an invasive form of mass surveillance.

The reason Stingrays work in the US is because of vulnerabilities in older cell phone architecture that remain unfixed by providers and are exploited by the government. While the US Federal Communications Commission recently announced it was launching an investigation into illicit use of these devices by criminals and foreign spies, it has avoided consideration of the law enforcement use of these devices, nor does it intend to address the more fundamental issue of whether the government should exploit or maintain vulnerabilities in our telecommunications infrastructure.

Under the Principles, the US government cannot have it both ways. The only way to address illicit use of Stingrays is to confront and fix vulnerabilities in the cellular network, even if that prevents law enforcement use of Stingrays in some instances. The integrity of our communications system cannot be sacrificed for state surveillance.

Keeping Stingrays Secret

The Principles make clear that states must be transparent about their use of communications surveillance technology in order to respect human rights. States must give their citizens the knowledge necessary to comprehend the means and scope of surveillance and the situations where they may be subject to monitoring by the state.

But when it comes to Stingrays, there has been a stunning lack of transparency by local and federal governments in the US. Police departments have adamantly denied having such devices even though there is clear evidence they do in fact have and use such devices. It’s not just the public; law enforcement have kept judges in the dark about how and when Stingrays are used. In Florida, police have admitted to hiding their use of the device in police reports and affidavits submitted to the court. In California, federal judges complained to prosecutors that agents were not making clear they were operating a Stingray device. This obfuscation is unacceptable. It deprives the public of understanding the circumstances of when they can be monitored and it prevents judges from fulfilling their obligations to assess the legality and proportionality of the surveillance.

Location information is revealing and surveillance of our movements must be handled with care. The US has work to do in aligning its location surveillance practices with the 13 Principles, particularly when it comes to preserving the integrity of communications systems and law enforcement transparency about surveillance practices. Other states should learn from these mistakes to ensure that location surveillance is consistent with their international human rights obligations.