Increasing Anti-Surveillance Momentum and the Necessary and Proportionate Principles

Last Monday, eight of the largest Internet companies took the unprecedented step of publicly calling for an end to bulk collection of communications data. Then on Tuesday, a coalition of over 550 of the world’s leading authors (including 5 Nobel prize winners) issued a statement calling for a reassertion of our digital privacy. In the next few days, the United Nations General Assembly is expected to pass a key privacy resolution.

While all of these are heartening steps, the time is coming to fill in the details of the more general international calls for reform. Luckily, EFF and several other NGOs and legal scholars around the world have already developed a set of robust principles, called the 13 International Principles for the Application of Human Rights to Communications Surveillance—or more commonly, the Necessary and Proportionate Principles. These can be used by people around the world to push for stronger local legal protections, as well as by the United Nations and other international bodies. The Principles have so far been endorsed by over 329 organizations, 43 experts and elected officials, and thousands of individuals from around the world. It's also open for signature by companies. If you haven't already signed it, you can do so today.

The Principles look beyond the current set of revelations to take a broad look at how modern communications surveillance technologies can be addressed consistent with human rights and the rule of law. Some of the key factors are:

Protect Critical Internet Infrastructure: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. Yet one of the most significant revelations this year has been the extent to which NSA, GCHQ and others have done just that—they have secretly undermined the global  communications infrastructure and services. They have obtained private encryption keys for commercial services relied on by individuals and companies alike and have put backdoors into and generally undermined security tools and even key cryptographic standards relied upon by millions around the world. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of good guys and bad guys alike. It must be rejected.

Protect Metadata: It’s time to move beyond the fallacy that information about communications is not as privacy invasive as communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls—if not more so. What is important is not the kind of data is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access -- for criminal prosecutions this means the equivalent of a probable cause warrant issued by a court (or other impartial judicial authority)—whenever that access reveals previously nonpublic information about individual communications. This includes revealing a speaker’s identity if it is not public; the websites or social media one has encountered; the people one has communicated with; and when, from where, and for how long. In the pre-Internet age, the much more limited amount and kind of “metadata” available to law enforcement was treated as less sensitive than content, but given current communications surveillance capabilities, this can no longer be the case. Our metadata needs to be treated with the same level of privacy as our content.

Monitoring Equals Surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual "surveillance" has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key wor