International Principles on the Application of Human Rights to Communications Surveillance
Final version, 10 July 2013
As State communications surveillance techniques grow more sophisticated, States are failing to ensure that laws and regulations related to communications surveillance adhere to international human rights law and adequately protect the rights to privacy and freedom of expression. This document attempts to explain how international human rights law applies in the current digital environment, particularly in light of the increase in and changes to surveillance technologies and techniques. These principles can provide civil society groups, industry, States and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with human rights.
These principles are the outcome of a global consultation with civil society groups, industry and international experts in communications surveillance law, policy and technology.
Preamble
Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and information, and freedom of association, and it is recognised under international human rights law.1 Activities that restrict the right to privacy, including communications surveillance, can only be justified when they are prescribed by law, are necessary to achieve a legitimate aim, and are proportionate to the aim pursued.2
Before the Internet came into widespread use, well-established legal principles and the logistical burdens inherent in monitoring communications placed limits on State communications surveillance. In recent decades, those logistical barriers to surveillance have decreased, and the application of legal principles in new technological contexts has become unclear. The explosion of digital communications content and information about communications, or “communications metadata” (information about an individual’s communications or use of electronic devices), the falling cost of storing and mining large sets of data, and the provision of personal information through third party service providers make State surveillance possible at an unprecedented scale.3 Meanwhile, interpretations of existing human rights law have not kept up with the modern and growing communications surveillance capabilities of the State, the ability of the State to combine and organise information gained from different surveillance techniques, or the increased sensitivity of the information available to be accessed.
The extent to which States are seeking access to both communications content and communications metadata is rising dramatically, without adequate scrutiny.4 When accessed and analysed, communications metadata may create a profile of an individual’s life, including medical conditions, political and religious viewpoints, associations, interactions and interests, disclosing as much detail as, or even greater detail than would be discernible from the content of communications.5 Despite the vast potential for intrusion into an individual’s life and the chilling effect on political and other associations, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.
In order for States to actually meet their international human rights obligations in relation to communications surveillance, they must comply with the principles set out below. These principles apply to surveillance conducted within a State or extraterritorially. The principles also apply regardless of the purpose for the surveillance – law enforcement, national security or any other regulatory purpose. They also apply both to the State’s obligation to respect and fulfil individuals’ rights, and also to the obligation to protect individuals’ rights from abuse by non-State actors, including corporate entities.6 The private sector bears equal responsibility for respecting human rights, particularly given the key role it plays in designing, developing and disseminating technologies; enabling and providing communications; and - where required - cooperating with State surveillance activities. Nevertheless, the scope of the present Principles is limited to the obligations of the State.
Changing technology and definitions
“Communications surveillance” in the modern environment encompasses the monitoring, interception, collection, analysis, use, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person’s communications in the past, present or future. “Communications” include activities, interactions and transactions transmitted through electronic mediums, such as content of communications, the identity of the parties to the communications, location-tracking information including IP addresses, the time and duration of communications, and identifiers of communication equipment used in communications.
Traditionally, the invasiveness of communications surveillance has been evaluated on the basis of artificial and formalistic categories. Existing legal frameworks distinguish between “content” or “non-content,” “subscriber information” or “metadata,” stored data or in transit data, data held in the home or in the possession of a third party service provider.7 However, these distinctions are no longer appropriate for measuring the degree of the intrusion that communications surveillance makes into individuals’ private lives and associations. While it has long been agreed that communications content deserves significant protection in law because of its capability to reveal sensitive information, it is now clear that other information arising from communications – metadata and other forms of non-content data – may reveal even more about an individual than the content itself, and thus deserves equivalent protection. Today, each of these types of information might, taken alone or analysed collectively, reveal a person’s identity, behaviour, associations, physical or medical conditions, race, color, sexual orientation, national origins, or viewpoints; or enable the mapping of the person’s location, movements or interactions over time,8 or of all people in a given location, including around a public demonstration or other political event. As a result, all information that includes, reflects, arises from or is about a person’s communications and that is not readily available and easily accessible to the general public, should be considered to be “protected information”, and should accordingly be given the highest protection in law.
In evaluating the invasiveness of State communications surveillance, it is necessary to consider both the potential of the surveillance to reveal protected information, as well as the purpose for which the information is sought by the State. Communications surveillance that will likely lead to the revelation of protected information that may place a person at risk of investigation, discrimination or violation of human rights will constitute a serious infringement on an individual’s right to privacy, and will also undermine the enjoyment of other fundamental rights, including the right to free expression, association, and political participation. This is because these rights require people to be able to communicate free from the chilling effect of government surveillance. A determination of both the character and potential uses of the information sought will thus be necessary in each specific case.
When adopting a new communications surveillance technique or expanding the scope of an existing technique, the State should ascertain whether the information likely to be procured falls within the ambit of “protected information” before seeking it, and should submit to the scrutiny of the judiciary or other democratic oversight mechanism. In considering whether information obtained through communications surveillance rises to the level of “protected information”, the form as well as the scope and duration of the surveillance are relevant factors. Because pervasive or systematic monitoring has the capacity to reveal private information far in excess of its constituent parts, it can elevate surveillance of non-protected information to a level of invasiveness that demands strong protection.9
The determination of whether the State may conduct communications surveillance that interferes with protected information must be consistent with the following principles.
The Principles
Legality
Any limitation to the right to privacy must be prescribed by law. The State must not adopt or implement a measure that interferes with the right to privacy in the absence of an existing publicly available legislative act, which meets a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee its application. Given the rate of technological changes, laws that limit the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.
Legitimate Aim
Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society. Any measure must not be applied in a manner which discriminates on the basis of race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Necessity
Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a legitimate aim. Communications surveillance must only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification, in judicial as well as in legislative processes, is on the State.
Adequacy
Any instance of communications surveillance authorised by law must be appropriate to fulfil the specific legitimate aim identified.
Proportionality
Communications surveillance should be regarded as a highly intrusive act that interferes with the rights to privacy and freedom of opinion and expression, threatening the foundations of a democratic society. Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to the individual’s rights and to other competing interests, and should involve a consideration of the sensitivity of the information and the severity of the infringement on the right to privacy.
Specifically, this requires that, if a State seeks access to or use of protected information obtained through communications surveillance in the context of a criminal investigation, it must establish to the competent, independent, and impartial judicial authority that:
- there is a high degree of probability that a serious crime has been or will be committed;
- evidence of such a crime would be obtained by accessing the protected information sought;
- other available less invasive investigative techniques have been exhausted;
- information accessed will be confined to that reasonably relevant to the crime alleged and any excess information collected will be promptly destroyed or returned; and
- information is accessed only by the specified authority and used for the purpose for which authorisation was given.
If the State seeks access to protected information through communication surveillance for a purpose that will not place a person at risk of criminal prosecution, investigation, discrimination or infringement of human rights, the State must establish to an independent, impartial, and competent authority:
- other available less invasive investigative techniques have been considered;
- information accessed will be confined to what is reasonably relevant and any excess information collected will be promptly destroyed or returned to the impacted individual; and
- information is accessed only by the specified authority and used for the purpose for which authorisation was given.
Competent Judicial Authority
Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent. The authority must be:
- separate from the authorities conducting communications surveillance;
- conversant in issues related to and competent to make judicial decisions about the legality of communications surveillance, the technologies used and human rights; and
- have adequate resources in exercising the functions assigned to them.
Due process
Due process requires that States respect and guarantee individuals’ human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public. Specifically, in the determination on his or her human rights, everyone is entitled to a fair and public hearing within a reasonable time by an independent, competent and impartial tribunal established by law,1 except in cases of emergency when there is imminent risk of danger to human life. In such instances, retroactive authorisation must be sought within a reasonably practicable time period. Mere risk of flight or destruction of evidence shall never be considered as sufficient to justify retroactive authorisation.
User notification
Individuals should be notified of a decision authorising communications surveillance with enough time and information to enable them to appeal the decision, and should have access to the materials presented in support of the application for authorisation. Delay in notification is only justified in the following circumstances:
- Notification would seriously jeopardize the purpose for which the surveillance is authorised, or there is an imminent risk of danger to human life; or
- Authorisation to delay notification is granted by the competent judicial authority at the time that authorisation for surveillance is granted; and
- The individual affected is notified as soon as the risk is lifted or within a reasonably practicable time period, whichever is sooner, and in any event by the time the communications surveillance has been completed. The obligation to give notice rests with the State, but in the event the State fails to give notice, communications service providers shall be free to notify individuals of the communications surveillance, voluntarily or upon request.
Transparency
States should be transparent about the use and scope of communications surveillance techniques and powers. They should publish, at a minimum, aggregate information on the number of requests approved and rejected, a disaggregation of the requests by service provider and by investigation type and purpose. States should provide individuals with sufficient information to enable them to fully comprehend the scope, nature and application of the laws permitting communications surveillance. States should enable service providers to publish the procedures they apply when dealing with State communications surveillance, adhere to those procedures, and publish records of State communications surveillance.
Public oversight
States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance.2 Oversight mechanisms should have the authority to access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information; to assess whether the State is making legitimate use of its lawful capabilities; to evaluate whether the State has been transparently and accurately publishing information about the use and scope of communications surveillance techniques and powers; and to publish periodic reports and other information relevant to communications surveillance. Independent oversight mechanisms should be established in addition to any oversight already provided through another branch of government.
Integrity of communications and systems
In order to ensure the integrity, security and privacy of communications systems, and in recognition of the fact that compromising security for State purposes almost always compromises security more generally, States should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for State surveillance purposes. A priori data retention or collection should never be required of service providers. Individuals have the right to express themselves anonymously; States should therefore refrain from compelling the identification of users as a precondition for service provision.3
Safeguards for international cooperation
In response to changes in the flows of information, and in communications technologies and services, States may need to seek assistance from a foreign service provider. Accordingly, the mutual legal assistance treaties (MLATs) and other agreements entered into by States should ensure that, where the laws of more than one state could apply to communications surveillance, the available standard with the higher level of protection for individuals is applied. Where States seek assistance for law enforcement purposes, the principle of dual criminality should be applied. States may not use mutual legal assistance processes and foreign requests for protected information to circumvent domestic legal restrictions on communications surveillance. Mutual legal assistance processes and other agreements should be clearly documented, publicly available, and subject to guarantees of procedural fairness.
Safeguards against illegitimate access
States should enact legislation criminalising illegal communications surveillance by public or private actors. The law should provide sufficient and significant civil and criminal penalties, protections for whistle blowers, and avenues for redress by affected individuals. Laws should stipulate that any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. States should also enact laws providing that, after material obtained through communications surveillance has been used for the purpose for which information was given, the material must be destroyed or returned to the individual.
- The term “due process” can be used interchangeably with “procedural fairness” and “natural justice”, and is well articulated in the European Convention for Human Rights Article 6(1) and Article 8 of the American Convention on Human Rights.
- The UK Interception of Communications Commissioner is an example of such an independent oversight mechanism. The ICO publishes a report that includes some aggregate data but it does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See http://www.iocco-uk.info/sections.asp?sectionID=2&type=top.
- Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, 16 May 2011, A/HRC/17/27, para 84.