II. What risks does direct access raise for human rights?
Direct access regimes tend to remove the service providers as a potential source of scrutiny, transparency, and accountability from government surveillance activities. In so doing, they significantly increase the risk that such activities will result in arbitrary or unlawful interference with the privacy rights of the users of such services. Where such arrangements are known or suspected, they are likely to also chill users’ freedoms of expression, association, and peaceful assembly. And when data extracted via direct access is used to accuse, detain, convict, or imprison individuals, it could violate their rights to liberty, security of person, and due process. More broadly, states that resort to direct access are likely to undermine public trust in both the accountability of government and the reliability and security of communications technologies. This breach of confidence can lead to widespread, harmful political, social, and economic consequences.
III. What can be done to avoid or mitigate these risks?
Governments considering means of access to user data must recall and remain true to their commitments under international human rights law. GNI calls on governments to use only targeted measures proportionate to their justifiable need to access user data, and refrain from implementing or broadening direct access approaches.
If, despite our concerns, governments choose to implement or broaden direct access approaches, in order to mitigate their harms to the greatest extent possible, they must be authorized in publicly available, clear and easily accessible and understandable laws and accompanied by explicit transparency, oversight, and accountability measures. While the precise design of such measures may differ depending on a country’s legal framework and other contextual factors, they must at a minimum (i) provide sufficient authorization procedures, supervision, and remedy so as to ensure that surveillance conducted is proportional to the purpose for which it is authorized and provide effective guarantees against abuse; (ii) allow companies to disclose information about interception and access to data on their networks, and (iii) ensure that such access is disclosed to the subject in a timely manner if that data is used in any civil, administrative, or criminal proceeding.
Governments should also consider strengthening export controls for technologies that are intended for use in direct access in countries with repressive track records and/or weak rule of law, in line with UN Guiding Principles for Business and Human Rights. Companies that sell technologies that may be used by governments for direct access should consider including licensing requirements related to respecting due process and the rights to freedom of expression and privacy.
IV. Moving forward
For all of the reasons set out above, direct access arrangements raise significant threats to human rights and require further inquiry and discussion. This includes a need for more information about existing legal and technical architectures, as well as possible variations or modifications thereto, and additional analysis of their human rights impacts. GNI is committed to further exploring this issue and welcomes others who are interested in sharing information and otherwise collaborating with us on this work.
 These are sometimes referred to obliquely as “black boxes,” which is not a very helpful descriptive term. These technologies may include “network taps,” “deep packet inspection,” and “SSL proxies.” Many of these can be used for legitimate, network management, and quality of service purposes, as well as to facilitate interception. They may copy entire communication streams without disrupting the original communications activity – tactics that are sometimes also be referred to as “mirroring” or “probe-based monitoring.”
 In its 2015 decision in Roman Zakharov v. Russia, the European Court of Human Rights ruled that Russia’s legal provisions governing interceptions of communications contravened Article 8 of the European Convention on Human Rights because, inter alia, they failed to provide sufficient authorization procedures, supervision of interceptions, or effective remedies.