Over time, governments have expanded the tactics and capabilities they use to obtain access to data, including access to voice and data communications. A particularly prevalent trend involves legal and technical arrangements that allow government authorities to access data streams directly – that is, without having to request access from, or even notify, the service providers that collect and/or transmit the data as part of their services. The Global Network Initiative (GNI) is increasingly concerned that these arrangements – which we refer to generally as “direct access” – may constitute and enable infringements on the right to privacy and other fundamental rights.
Direct access arrangements differ from traditional law enforcement requests and interception in a number of ways. First, they are usually not subject to the same legal procedures that mediate and provide oversight of law enforcement requests. Second, they tend to be carried out using a wide range of tools beyond standardized lawful interception solutions. Third, they are sometimes not publicly acknowledged or reported. Even when they are acknowledged in public laws, the details about how and when they are implemented are often confidential. And finally, in contrast to law enforcement requests, which tend to be target-based, direct access arrangements usually extract data in bulk.
While direct access arrangements vary considerably in approach and execution from country to country, they share a common outcome: restricting the ability of service providers (who are often companies) to possibly scrutinize, question, and provide user notice or public transparency regarding government access to data. By taking the company out of the loop, they remove an important potential safeguard for user rights. To make matters worse, these arrangements are often authorized and governed by secret or broadly worded laws or directives that are themselves not subject to adequate transparency (sometimes due to gag orders prohibiting companies from acknowledging them), independent oversight, and accountability.
On this webpage, we outline some of the ways that direct access arrangements work in practice, the risks they pose for human rights, and the safeguards that can help avoid or mitigate these risks.
Direct access arrangements can be no-tech, low-tech, or high-tech. For example, direct access can be achieved manually by legal provisions mandating that network operators accept government officials’ access to certain facilities and computer programs, whereby they can monitor and/or extract user data at will. In other scenarios, direct access is achieved by mandating that network operators route their networks through government installations or install certain technology[1] that allows government officials to extract data in bulk. In addition, some governments may compromise information technology networks without the operators knowledge. Beyond this range of actions, government actors can achieve similar ends by using spyware to extract data, or by intercepting communications over the air (i.e., satellite, Wi-fi).
More on Direct Access
Direct access regimes tend to remove the service providers as a potential source of scrutiny, transparency, and accountability from government surveillance activities. In so doing, they significantly increase the risk that such activities will result in arbitrary or unlawful interference with the privacy rights of the users of such services. Where such arrangements are known or suspected, they are likely to also chill users’ freedoms of expression, association, and peaceful assembly. And when data extracted via direct access is used to accuse, detain, convict, or imprison individuals, it could violate their rights to liberty, security of person, and due process. More broadly, states that resort to direct access are likely to undermine public trust in both the accountability of government and the reliability and security of communications technologies. This breach of confidence can lead to widespread, harmful political, social, and economic consequences.
Governments considering means of access to user data must recall and remain true to their commitments under international human rights law. GNI calls on governments to use only targeted measures proportionate to their justifiable need to access user data, and refrain from implementing or broadening direct access approaches.
If, despite our concerns, governments choose to implement or broaden direct access approaches, in order to mitigate their harms to the greatest extent possible, they must be authorized in publicly available, clear and easily accessible and understandable laws and accompanied by explicit transparency, oversight, and accountability measures. While the precise design of such measures may differ depending on a country’s legal framework and other contextual factors, they must at a minimum (i) provide sufficient authorization procedures, supervision, and remedy so as to ensure that surveillance conducted is proportional to the purpose for which it is authorized and provide effective guarantees against abuse;[2] (ii) allow companies to disclose information about interception and access to data on their networks, and (iii) ensure that such access is disclosed to the subject in a timely manner if that data is used in any civil, administrative, or criminal proceeding.
Governments should also consider strengthening export controls for technologies that are intended for use in direct access in countries with repressive track records and/or weak rule of law, in line with UN Guiding Principles for Business and Human Rights. Companies that sell technologies that may be used by governments for direct access should consider including licensing requirements related to respecting due process and the rights to freedom of expression and privacy.
For all of the reasons set out above, direct access arrangements raise significant threats to human rights and require further inquiry and discussion. This includes a need for more information about existing legal and technical architectures, as well as possible variations or modifications thereto, and additional analysis of their human rights impacts. GNI is committed to further exploring this issue and welcomes others who are interested in sharing information and otherwise collaborating with us on this work.
[1] These are sometimes referred to obliquely as “black boxes,” which is not a very helpful descriptive term. These technologies may include “network taps,” “deep packet inspection,” and “SSL proxies.” Many of these can be used for legitimate, network management, and quality of service purposes, as well as to facilitate interception. They may copy entire communication streams without disrupting the original communications activity – tactics that are sometimes also be referred to as “mirroring” or “probe-based monitoring.”
[2] In its 2015 decision in Roman Zakharov v. Russia, the European Court of Human Rights ruled that Russia’s legal provisions governing interceptions of communications contravened Article 8 of the European Convention on Human Rights because, inter alia, they failed to provide sufficient authorization procedures, supervision of interceptions, or effective remedies.