Critics say Peru's new law on cybercrime is vaguely worded and threatens access to information. Credit: Public domain

By Milagros Salazar
LIMA, Nov 27 2013 (IPS)

A new law against cybercrime that restricts the use of data and freedom of information in Peru clashes with earlier legislation, on transparency, which represented a major stride forward in citizen rights.

The advances made in the law on transparency and access to public information have been undermined by the hastily passed law on computer crimes, which restricts and penalises the use of online databases, according to experts consulted by IPS.

The new law was put into effect to crack down on cybercrimes, including sexual harassment of minors. But civil society organisations complain that elements attacking the right to information were incorporated without debate or public input.

The Defensoría del Pueblo or ombudsman’s office says the transparency law, which entered into force in 2002, has a few shortcomings, but is important because of the creation and use of government databases – which would be hindered, however, by the law on cybercrime.

The transparency law was passed with the aim of making government more transparent, to comply with the 1993 constitution, which guaranteed the right of people to request and obtain public information, and established the right of habeas data, under which any government official or civil servant who denies that right can be sued.

Since then, the Defensoría del Pueblo has received 6,714 complaints about requests for public information that did not receive a satisfactory response from the authorities, according to a report to be published in the first week of December, to which IPS had access.

Based on those complaints, the assistant ombudsman on constitutional affairs, Fernando Castañeda, told IPS that his office identified and interviewed 122 public employees responsible for turning over the information, to find out why the requests had not been met.

The main conclusion reached by his office was that an independent authority was needed to monitor and oversee responses to information requests, because civil servants are limited by the orders of their superiors, and in some cases have been punished when they provide information to members of the public.

And things do not get any better when citizens take legal action to complain about the lack of response to their requests for information, especially in rural areas.

Between January 2007 and March 2013, 841 habeas data actions were handled in the justice system, where cases can take up to a year in the first instance court, another year in the second instance court and two more in the Constitutional Court, Castañeda pointed out.

In other words, a four-year journey to try to obtain public information that has been denied.

The official said that the most significant aspect of the law was the creation of tools to facilitate citizens’ access to information, with websites and open access to databases, under the concept of open data.

However, that access will be directly restricted by the new law on computer crimes, which was given fast-track treatment in Congress and signed into law a few weeks later, on Oct. 22, by President Ollanta Humala.

Protests by experts and civil society groups forced Justice Minister Daniel Figallo to state on Nov. 13 that he would study proposed reforms to the law. “We will revise some articles of the law,” he said.

But Figallo defended the legislation, saying the aim was to fight data interference or interception rather than the dissemination of information. His ministry argues that Peru is thus accepting the guidelines of the Council of Europe’s Convention on Cybercrime, the first international treaty of its kind, which since 2001 has provided global guidelines for the adoption of laws against computer crimes.

The president of the congressional justice commission, Juan Carlos Eguren, also said he was open to suggestions.

The law creates a three- to six-year sentence for people found guilty of capturing computer information from a public institution, to find out, for example, what is spent on social programmes and to complement that with the introduction of new data or alteration to analyse the information, lawyer Roberto Pereira of the Press and Society Institute (IPYS) told IPS.

That is based on article three of the law, which penalises those who use computer technologies to “introduce, delete, deteriorate, alter or suppress data, or render data inaccessible.”

The law also establishes a three- to five-year sentence for creating a database on an identified or identifiable subject to provide information on any aspect of his or her personal, family, financial or labour life, whether or not it causes harm.

A common practice by journalists is to create databases on companies that are subcontractors for the state, in order to monitor public spending. But under the new law, doing that would automatically make them “cyber criminals,” Pereira explained.

The IPYS stated in a communiqué that the law poses “a serious threat to the freedom of journalistic information, and to research and investigation in general.” The majority of the local media, regardless of their ideological bent, agree with that criticism.

The law on cybercrime could “end up criminalising legal behaviour in cyberspace,” said Pereira.

It also creates “an unacceptable framework of discretionality in its application,” because of the broad, ambiguous criteria it contains, and ends up undermining other basic rights, he said.

There has been a great deal of speculation in Peru on what lay behind the passage of the controversial law.

Pereira cited three explanations: the legislators’ ignorance about cyberspace; the interest on the part of some public figures in criminalising digital freedom and thus blocking investigations of corruption; “and the genuine interest of sectors of the government in improving penal legislation on cybercrime.”

The non-governmental organisation Hiperderecho, which defends digital rights, noted in a communiqué that Congress passed the law “in less than five hours, with their backs turned to the public.”

The organisation criticised the fact that on Sept. 12, Congress suddenly began to debate a bill that had just been introduced by the government, without incorporating in the discussion a long-debated justice commission ruling on another cybercrime bill.

The executive branch presented its bill after a telephone conversation by Defence Minister Pedro Cateriano was made public, and after progress was made towards a common regional code against cybercrime during a technical level meeting of experts of the Ibero-American Conference of Justice Ministers (COMJIB), held in Lima in June.

Miguel Morachimo, a representative of Hiperderecho, admitted to IPS that it was reasonable for the government to fight cybercrime. But he said that when the bill was debated in Congress, “it was completely overhauled.”

In his view, the government was pressured by COMJIB and the banking association – which is worried about card cloning – and ended up acting in haste as a result.

The Defensoría del Pueblo’s office on constitutional affairs has not yet taken a stance on the details of the new law, said Castañeda. But it did acknowledge that it runs counter to some objectives of the transparency law.

Hiperderecho has sent suggestions to Congress for improving the law on cybercrime. Meanwhile, what one law defends, the other blocks.

New technologies make it easier than ever for spy agencies to invade privacy. In the photo, students at the Campus Tecnológico in Guatemala. Credit: Danilo Valladares/IPS

By Emilio Godoy
MEXICO CITY, Oct 3 2013 (IPS)

Governments of countries that engage in large-scale electronic espionage, like the United States, and companies that develop spying software could theoretically face legal action for violating the Convention on Cybercrime.

The Convention, adopted in Budapest in 2001 and in force since 2004, is the first international treaty seeking to address Internet and computer crime, and has a provision that aims to protect the right of privacy of data communication from unauthorised interception.

The treaty, also known as the Budapest Convention, requires member states to criminalise four kinds of conduct against confidentiality or the integrity and availability of computer systems or data: illegal access, illegal interception, data and system interference, and misuse of devices for the purpose of committing these offences.

These are precisely the practices engaged in by the U.S., British and other governments, according to documents leaked to the media in June by former U.S. National Security Agency (NSA) contractor Edward Snowden.

Cyber surveillance “violates the Convention, and perpetrators can be sued” under the Cybercrime Convention Committee, Lorena Pichardo, a law school professor at the National Autonomous University of Mexico (UNAM), told IPS.

The Convention was adopted by the Council of Europe, which was set up to promote democracy and protect human rights and the rule of law in Europe. But the treaty has also been signed by non-member states, like Canada, the United States and Japan. The United States ratified it in 2006.

So far, 51 states have signed the Convention and 40 have ratified it.

It is possible to file a complaint with the Cybercrime Convention Committee, but any action taken is based on the national laws that its members must approve in order to live up to the Convention. Complainants can also turn to the European Court of Human Rights.

A complaint “can be successful, but it would be partial, because among the countries that are party to the Convention, there are interests at stake. The law can be bent and accommodated to national legislation,” Enoc Gutiérrez, a professor of information and communications technology (ICT) at the Autonomous University of the State of Mexico, told IPS.

In a 2012 study that analysed Mexican, U.S. and EU laws, Gutiérrez and his colleagues Lucio Ordóñez and Víctor Saucedo argued the need for special legislation and a special court on computer crime.

The problem is that the Convention does not take into account that cybercrimes can include espionage by a state. The general impression is that when a government seeks cross-border access to computer data, it is doing so to investigate crimes and pursue criminals.

Article 32b of the Budapest Convention introduced an exception to the principle of territorial sovereignty:

“A Party may, without the authorisation of another Party [..] access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.”

The Cybercrimes Convention Committee held its ninth full session Jun. 4-5 – one day before the Guardian and the Washington Post published the first leaks by Snowden. In the meeting, the Committee did not debate anything related to cyber espionage.

But in a recent report, the Committee’s ad hoc sub-group on jurisdiction and transborder access to data said that new developments, such as cloud storage of data and the activities of law enforcement authorities, made it necessary to revise the reach of article 32b.

“Current practices regarding direct law enforcement access to data as well as access via Internet service providers and other private sector entities…illustrate that law enforcement authorities of many States access data stored on computers in other States in order to secure electronic evidence. Such practices frequently go beyond the limited possibilities foreseen in Article 32b and the Budapest Convention in general,” the sub-group says.

This poses risks to human rights, they warn.

“Personal data are increasingly stored by private entities, including cloud service providers. Access by law enforcement to, or the disclosure to law enforcement authorities of personal data stored in a foreign jurisdiction by such private sector entities may violate data protection regulations,” they add.

The NSA and other intelligence agencies use software that enables them to intercept private communications around the world.

Mexico, for example, acquired software from U.S. and European companies to monitor telephone calls, email, chats, Internet browsing histories and social networks.

Of the at least 95 corporations that develop and distribute this kind of software worldwide, 32 are in the U.S., 17 are British and the rest come from some two dozen other nations, according to confidential documents from intelligence contractors published by Wikileaks in December 2011.

The list mentions 78 different products, including Trojan viruses, audio transmitters, audio and video recorders, and tracking tools.

“Any technology with such a huge potential for the violation of fundamental rights should be the focus of the highest level of legal protection, especially if it’s in the hands of private corporations that operate according to purely business objectives,” two officials from Spain’s Interior Ministry, Miguel Ángel Castellano and Pedro David Santamaría, wrote in a December 2012 article, “El control del ciberespacio por parte de gobiernos y empresas” (“Control of cyberspace by governments and companies”).

Pichardo, the law professor, said national legislation tends to take precedence in cases that invoke international principles.

“If we already have a charge of espionage, the serious problem of asking for data from other states is redundant,” she said.

Gutiérrez believes the existing international legal frameworks do not protect citizens, and specific laws are necessary. His studies focus on how to move from ICTs to technologies of learning and communication.

“When citizens are active in a social network like Facebook, by the simple act of accepting the terms of the contract they are saying their information can be shared with banks or government institutions,” he said. “They steal information from us and we don’t even realise it.”