One Small Step for Privacy, One Giant Leap Against Surveillance

Today, the 193 members of the United Nations General Assembly unanimously approved a UN privacy resolution entitled "The right to privacy in the digital age."  The resolution, which was introduced by Brazil and Germany and sponsored by more than 50 member states, is aimed at upholding the right to privacy for everyone at a time when the United States and the United Kingdom have been conducting sweeping mass surveillance on billions of innocent individuals around the world from domestic soil.

The resolution reaffirms a core principle of international human rights law: Individuals should not be denied human rights simply because they live in another country from the one that is surveilling them.  We hope the resolution will make it harder for the US and its Five Eyes allies to justify their mass surveillance activities by claiming that their human rights obligations stop at their own borders.

The Resolution:

Requests the United Nations High Commissioner for Human Rights to submit a report to the General Assembly on the protection of the right to privacy, including in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.

In short, this request opens the opportunity for further work on the issue by the United Nations on the protection of privacy across borders.  Fortunately, EFF and several other NGOs and legal scholars around the world have already developed a set of robust principles, called the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the “Necessary and Proportionate Principles.”

The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistently with human rights and the rule of law. The Principles can be used by states around the world to push for stronger legal protections at the United Nations and other international bodies as well as at home.

The Principles make clear that:

• Critical Internet infrastructure must be protected: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of good guys and bad guys alike. It must be rejected.

• Monitoring equals surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual "surveillance" has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not "surveillance" for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications. Definitions matter. States should not be able to bypass privacy protections on the basis of arbitrary definitions.

• We must protect metadata: It’s time to move beyond the fallacy that information about communications is not as privacy invasive as communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls—if not more so. What is important is not the kind of data is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access. Our metadata needs to be treated with the same level of privacy as our content.

• Privacy must be protected across borders: Privacy protections must be consistent across borders at home and abroad. Governments