Thursday, 11 February 2016

Karisma Advises Colombia to Dismantle Data Retention Regime

Colombia, Latin America, SumRando Cybersecurity, VPN, Secure Messenger, data privacy, government surveillance
Lately, Colombian news has been plagued with problems in need of solutions: the threat of Zika, the persistence of female genital mutilation, an increase in violence against journalists and even a not-yet-agreed-upon peace following decades of civil war.

The issue that has not received its share of attention is data retention.

In January, the Karisma Foundation quietly released a report titled, “Is Data Retention Legitimate in Colombia?: Comparative Analysis of a Mass Surveillance Tool that Restricts Human Rights.” Karisma’s report may not have reached audiences everywhere, but its conclusion must: Out of respect for human rights, Columbia needs a new approach to data retention.

The report included a powerful reminder of why our metadata matters: “Our most personal information, a reflection of our life and our very thoughts, no longer remains exclusively in our private sphere. Now, personal information is also found in databases, built for different purposes and administered by entities both public and private. These databases are fed by constant flows of information. Together, they make up a file about each individual, a “personal dossier”. Computers register the time they are turned on, the applications they use, the webpages they visit, and the location from which they are used. Cell phones are constantly aware of their location, and they register incoming and outgoing calls, text messages, and photos. The strength of these data lies in their combination: an analysis based on cross referencing various databases can reveal enough about a person to constitute a violation of their rights.”

In the report, Karisma compared practices in Colombia with those in Brazil, Mexico and Peru and investigated the legitimacy of each country’s data retention as defined by the Organization of American States, which finds communications surveillance legitimate if it is established in a law; pursues a legitimate aim; is necessary, adequate and proportional to the objective pursued; and respects due process and judicial review.

Specifically, two Colombian laws were examined: Decree No. 1704 of 2012, regarding criminal investigations, which requires telecommunications service providers to keep subscriber information and device location data and Law No. 1621 of 2013, focused on intelligence activities, which mandates retaining “communications activity histories for telephone subscribers, technical identification data for subscribers subject to operation” and location data.

Karisma found Colombia’s data retention according to Decree No. 1704 and Law No. 1621 to be illegitimate because:

  • The laws are vague and limitless, not legitimate or proportional. What exactly must be kept and for how long is ambiguous. All criminal investigations are granted access to data, as are all “authorized” intelligence activities; who provides such authorization is not defined.
  • Data retention is not subject to judicial authorization or review. It’s automatic for all.
  • There is a lack of transparency. Users are not notified of monitoring practices and the state does not disclose information about requests for communication interception and surveillance. Therefore, citizens cannot appeal or respond to what they don’t know.

The report concludes: “Data retention law in Peru, Colombia, Mexico and Brazil are too permissive, too broad, and provide so few guarantees that it isn’t possible to rely on them as a legal framework for the protection and respect of their citizens’ human rights. It would be advisable for Colombia and the remaining countries to demonstrate their strong commitment to the protection of human rights and to dismantle the current data retention regime.

Colombia has her hands full right now, but if she can mitigate Zika while potentially concluding peace talks with the FARC, we’re confident there is also room at the table for data retention revisions.


SumRando Cybersecurity is a South Africa-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!

No comments:

Post a Comment