New technologies make it easier than ever for spy agencies to invade privacy. In the photo, students at the Campus Tecnológico in Guatemala. Credit: Danilo Valladares/IPS

By Emilio Godoy
MEXICO CITY, Oct 3 2013 (IPS)

Governments of countries that engage in large-scale electronic espionage, like the United States, and companies that develop spying software could theoretically face legal action for violating the Convention on Cybercrime.

The Convention, adopted in Budapest in 2001 and in force since 2004, is the first international treaty seeking to address Internet and computer crime, and has a provision that aims to protect the right of privacy of data communication from unauthorised interception.

The treaty, also known as the Budapest Convention, requires member states to criminalise four kinds of conduct against confidentiality or the integrity and availability of computer systems or data: illegal access, illegal interception, data and system interference, and misuse of devices for the purpose of committing these offences.

These are precisely the practices engaged in by the U.S., British and other governments, according to documents leaked to the media in June by former U.S. National Security Agency (NSA) contractor Edward Snowden.

Cyber surveillance “violates the Convention, and perpetrators can be sued” under the Cybercrime Convention Committee, Lorena Pichardo, a law school professor at the National Autonomous University of Mexico (UNAM), told IPS.

The Convention was adopted by the Council of Europe, which was set up to promote democracy and protect human rights and the rule of law in Europe. But the treaty has also been signed by non-member states, like Canada, the United States and Japan. The United States ratified it in 2006.

So far, 51 states have signed the Convention and 40 have ratified it.

It is possible to file a complaint with the Cybercrime Convention Committee, but any action taken is based on the national laws that its members must approve in order to live up to the Convention. Complainants can also turn to the European Court of Human Rights.

A complaint “can be successful, but it would be partial, because among the countries that are party to the Convention, there are interests at stake. The law can be bent and accommodated to national legislation,” Enoc Gutiérrez, a professor of information and communications technology (ICT) at the Autonomous University of the State of Mexico, told IPS.

In a 2012 study that analysed Mexican, U.S. and EU laws, Gutiérrez and his colleagues Lucio Ordóñez and Víctor Saucedo argued the need for special legislation and a special court on computer crime.

The problem is that the Convention does not take into account that cybercrimes can include espionage by a state. The general impression is that when a government seeks cross-border access to computer data, it is doing so to investigate crimes and pursue criminals.

Article 32b of the Budapest Convention introduced an exception to the principle of territorial sovereignty:

“A Party may, without the authorisation of another Party [..] access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.”

The Cybercrimes Convention Committee held its ninth full session Jun. 4-5 – one day before the Guardian and the Washington Post published the first leaks by Snowden. In the meeting, the Committee did not debate anything related to cyber espionage.

But in a recent report, the Committee’s ad hoc sub-group on jurisdiction and transborder access to data said that new developments, such as cloud storage of data and the activities of law enforcement authorities, made it necessary to revise the reach of article 32b.

“Current practices regarding direct law enforcement access to data as well as access via Internet service providers and other private sector entities…illustrate that law enforcement authorities of many States access data stored on computers in other States in order to secure electronic evidence. Such practices frequently go beyond the limited possibilities foreseen in Article 32b and the Budapest Convention in general,” the sub-group says.

This poses risks to human rights, they warn.

“Personal data are increasingly stored by private entities, including cloud service providers. Access by law enforcement to, or the disclosure to law enforcement authorities of personal data stored in a foreign jurisdiction by such private sector entities may violate data protection regulations,” they add.

The NSA and other intelligence agencies use software that enables them to intercept private communications around the world.

Mexico, for example, acquired software from U.S. and European companies to monitor telephone calls, email, chats, Internet browsing histories and social networks.

Of the at least 95 corporations that develop and distribute this kind of software worldwide, 32 are in the U.S., 17 are British and the rest come from some two dozen other nations, according to confidential documents from intelligence contractors published by Wikileaks in December 2011.

The list mentions 78 different products, including Trojan viruses, audio transmitters, audio and video recorders, and tracking tools.

“Any technology with such a huge potential for the violation of fundamental rights should be the focus of the highest level of legal protection, especially if it’s in the hands of private corporations that operate according to purely business objectives,” two officials from Spain’s Interior Ministry, Miguel Ángel Castellano and Pedro David Santamaría, wrote in a December 2012 article, “El control del ciberespacio por parte de gobiernos y empresas” (“Control of cyberspace by governments and companies”).

Pichardo, the law professor, said national legislation tends to take precedence in cases that invoke international principles.

“If we already have a charge of espionage, the serious problem of asking for data from other states is redundant,” she said.

Gutiérrez believes the existing international legal frameworks do not protect citizens, and specific laws are necessary. His studies focus on how to move from ICTs to technologies of learning and communication.

“When citizens are active in a social network like Facebook, by the simple act of accepting the terms of the contract they are saying their information can be shared with banks or government institutions,” he said. “They steal information from us and we don’t even realise it.”

Edward Snowden, interviewed in Hong Kong. Credit: The Guardian/Glenn Greenwald and Laura Poitras

By Fabiana Frayssinet
RIO DE JANEIRO, Jul 16 2013 (IPS)

Brazil, reportedly one of the main targets of U.S. signals spying, is attempting to untangle a web of hi-tech espionage with low-tech equipment reminiscent of a novel by British author John le Carré.

Brazilian foreign affairs expert Marcos Azambuja told IPS he was surprised by the extent of Washington’s spying on Brazil, as revealed by the Globo newspaper based on information from former U.S. intelligence contractor and whistle blower Edward Snowden.

“The violations of privacy and spying on phone conversations and email were so vast and invasive that it is hard to find any parallel in the past,” he said.

“In the past, spying had a specific target. It was very low-tech, and action was taken on the basis of suspicions,” said Azambuja, who between 1989 and 2003 served as head of the country’s delegation on disarmament issues and human rights to the United Nations in Geneva, secretary general of foreign relations in the foreign ministry, and ambassador to Argentina and France.

“But now, le Carré’s novels look like they were written in the Middle Ages,” he said. “We are looking at a qualitative and quantitative change in espionage.”

The governments of Brazil and other South American countries reacted angrily to news of the spying.

Brasilia asked for explanations from U.S. ambassador to Brazil Thomas Shannon, and launched an investigation to find out whether local telecoms companies were accomplices.

The government also reported that it would press for better multilateral rules governing telecoms security and would present initiatives in the U.N. with the aim of preventing abuses and the invasion of the privacy of users of social networking sites and protecting national sovereignty.

But Brazil “is still in diapers” in terms of cyber-security, Defence Minister Celso Amorim told Congress.

Less than 44 million dollars were earmarked for cyber-security in the 2013 budget – one quarter of what the United Kingdom spends, for example.

The documents reported on by Globo indicate that over the past decade, the U.S. National Security Agency (NSA) and foreign companies operating in Brazil spied on Brazilian citizens and companies and foreigners travelling or living in the country.

In January, Brazil came second only to the United States in terms of the number of phone conversations and emails intercepted – 2.3 billion – indicating that it was one of the top priorities for espionage, along with China, Russia, Iran and Pakistan.

It was reported that at least until 2002, Brasilia was a base for satellite espionage by the NSA and the CIA (Central Intelligence Agency), a “privilege” shared by just 15 other countries around the world. The base was the only one in South America, although neighbouring countries were also apparently spied on.

“I’m surprised by the importance given to Brazil, which has a marginal role to play in the fight against terrorism,” said Azambuja.

The only concern voiced by Washington in that respect is the tri-border region shared by Brazil, Argentina and Paraguay. According to the U.S. government, there is a supposed presence of Islamist groups in the area – an allegation that has been systematically denied by the three South American countries.

But the United States’ illegal activities would be more serious, the diplomat said, if the espionage was carried out for “even less justifiable reasons.”

Today Brazil is the world’s sixth largest economy, where giant ultra-deep offshore oil fields have been discovered in recent years. It is also developing nuclear technology for peaceful purposes, its fast-growing aviation sector competes in international bidding and tendering processes, and it has other companies operating abroad in areas like oil, mining and construction.

Clóvis Brigagão, a professor at the Cándido Mendes University, told IPS the reason for the espionage could be “Brazil’s independent stance in international politics.”

He added that Washington “may have found another phantom enemy in this country” because of Brazil’s aim to win a permanent seat on the U.N. Security Council, or its stance towards Turkey and Iran.

Raw materials, “which in Brazil involve strategic resources,” and the U.S. “obsession to maintain its hegemony in this area” also play a role, he said.

Celso Pereira, a professor at the Rio de Janeiro Federal University, said the espionage could be explained by “Brazil’s international weight and the stature of its economy.”

“The Brazilian government is not irresponsible, it has normal relations with Iran and with the Arab countries,” while maintaining “close ties with Venezuela, Ecuador and Bolivia,” all of which have “significant conflicts with the United States,” he said.

“It’s not that things are different from the times of the Cold War,” Pereira told IPS. “The novelty here is that we are looking at a new kind of espionage by means of the Internet, which facilitates the invasion of sovereignty and people’s privacy,” and not only by the United States, Pereira told IPS.

Rules without rules

“What are the rules in this new game? I don’t know,” said Azambuja. “In the past, it was rival countries that were spied on, with almost artisanal techniques, but now we are experiencing an unprecedented moment in international relations, marked by the penetration capacity of the global communications system, through supercomputers.”

It is a new international order or “disorder,” the diplomat said, which requires greater technological development at a national level, in first place to determine the scope of the espionage, which in the past was “selective, limited.”

In that sense, Brazil is staking its bets on the launch of a national satellite, undersea fibre optic cables, and an Internet data collection centre.

But there are still risks of cyber invasion.

The U.S. ambassador, who denied that such surveillance was carried out in Brazil and said there was no agreement with Brazilian companies to gather data in this country, reportedly admitted that the U.S. does collect “metadata” – records of addresses, telephone numbers, the date and time emails are sent – but supposedly without accessing the content of messages.
”Even if we protect data with encryption software, the mere detection of this kind of contact is already information of analytical value to an eventual adversary of the country,” said Minister Amorim.

Brigagão said the region was looking at a new kind of international cyber-espionage crime that must be placed on the world agenda.

Pereira was pessimistic. “In South America, we don’t have the technological conditions that the U.S. has to spy and carry out counterespionage. This is going to keep happening,” he said.