
EPIC --- Privacy and Human Rights Report


EPIC --- Privacy and Human Rights Report 2006


Surveillance of Communications

Most countries around the world regulate the interception of communications by governments and private individuals and organizations. These controls typically take the form of constitutional provisions protecting the privacy of communications and laws and regulations that implement those requirements.


There has been great pressure on countries to adopt wiretapping laws to address new technologies. These laws are also a response to pressure from law enforcement and intelligence agencies to increase surveillance capabilities. In Japan, wiretapping was only approved as a legal method of investigation in 1999. Other countries such as Australia, Belgium, Germany, New Zealand, South Africa and the United Kingdom have all updated their laws to facilitate surveillance of new technologies.

Legal Protections and Human Rights

It is recognized worldwide that wiretapping and electronic surveillance are a highly intrusive form of investigation that should only be used in limited and unusual circumstances. Nearly all major international agreements on human rights protect the right of individuals from unwarranted invasive surveillance.


Nearly every country in the world has enacted laws on the interception of oral, telephone, fax and telex communications. In most democratic countries, intercepts are initiated by law enforcement or intelligence agencies only after they have been approved by a judge or some other kind of independent magistrate or high-level official, and generally only for serious crimes. Frequently, it must be shown that other types of investigation were attempted and were not successful. There is some divergence on what constitutes a "serious crime" and appropriate approval.


Several countries including France and the United Kingdom have created special commissions that review wiretap usage and monitor for abuses. These bodies have developed an expertise in the area that most judges who authorize surveillance do not have, while they also have the ability to conduct follow up investigations once a case is complete. In other countries, the privacy commissioner or data protection authority has some ability to conduct oversight of electronic surveillance.


An important oversight measure that many countries employ is a requirement for annual public reporting of information about the use of electronic surveillance by government departments. These reports typically provide summary details about the number of uses of electronic surveillance, the types of crimes for which it is authorized, its duration and other information. This is a common feature of wiretap laws in English-speaking countries and many others in Europe. Countries that issue annual reports on the use of surveillance include Australia, Canada, France, New Zealand, Sweden, the United Kingdom, and the United States.


These countries recognize that people outside government need to know how surveillance is used in order to limit abuses. The reports are widely used in many countries by parliaments for oversight and also by journalists, NGOs and others to examine the activities of law enforcement. The reports have shown an increase in the use of surveillance in many countries including Australia,[170] the United States, and the United Kingdom, while in others such as Canada its use has remained steady.


These laws are designed to ensure that legitimate and normal activities in a democracy such as journalism, civic protests, trade union organizing or political opposition are free from being subjected to unwarranted surveillance because they have different interests and goals than those in power. It also ensures that relatively minor crimes, especially those that would not generally involve telecommunications for facilitation, are not used as a pretext to conduct intrusive surveillance for political or other reasons.


However, wiretapping abuses have been revealed in most countries, sometimes occurring on a vast scale involving thousands of illegal taps. The abuses invariably affect anyone "of interest" to a government. Targets include political opponents, student leaders and human rights workers.[171] This can occur even in the most democratic of countries such as Denmark and Sweden, where it was disclosed that intelligence agencies were conducting surveillance of thousands of left-leaning activists for nearly 40 years. More recent wiretap scandals have implicated the Italian and Greek governments.


The United Nations Commissioner on Human Rights in 1988 made clear that human rights protections on the secrecy of communications broadly cover all forms of communications:


Compliance with Article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. Correspondence should be delivered to the addressee without interception and without being opened or otherwise read. Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations should be prohibited.[172]


Many democratic countries around the world recognize the need for greater protection. Most recently, the German Federal Constitutional Court has considered whether the interception laws passed in 1998 are constitutional.[173] In March 2004, the German Federal Constitutional Court ruled[174] that significant portions of the 1998 Grosser Lauschangriff[175] wiretapping laws infringed upon the guarantees of human dignity and the inviolability of the home under Articles 1 and 13 of the constitution, or Basic Law.[176] The court held that certain communications are protected by an absolute area of intimacy where citizens can communicate privately without fear of government surveillance.[177] This includes conversations with close family members, priests, doctors and defense attorneys, but excludes conversations about crimes that have already been committed or the planning of future crimes. However, to justify surveillance between the target and such persons of trust, the government must show "there is strong reason to believe that the content of conversation does not fall in the area of intimacy,"[178] and that the crime is "particularly serious".[179] The European Court of Human Rights issued an opinion of similar significance in 2007. In Copland v. UK, the Court stated, “The collection and storage of personal information relating to the applicant’s telephone, as well as to her e-mail and internet usage, without her knowledge, amounted to an interference with her right to respect for her private life and correspondence within the meaning of Article 8.”[180]

Legal and Technical Standards for Surveillance: Building in Big Brother

The United States government has led a worldwide effort to limit individual privacy and enhance the capability of its police and intelligence services to eavesdrop on personal conversations. This campaign has two strategies. The first is to promote laws that make it mandatory for all companies that develop digital telephone switches, cellular and satellite phones and all developing communication technologies to build in surveillance capabilities; the second is to seek limits on the development and dissemination of products, both in hardware and software, that provide encryption, a technique that allows people to scramble their communications and files to prevent others from reading them.[181]


Law enforcement agencies have traditionally worked closely with telecommunications companies to formulate arrangements that would make phone systems "wiretap friendly." These agreements range from allowing police physical access to telephone exchanges, to installing equipment to automate the interception. Because most telecommunications operators were either monopolies or operated by government telecommunications agencies, this process was generally hidden from public view.


Following deregulation and new entries into telecommunications in the United States in the early 1990s, law enforcement agencies, led by the FBI, began demanding that all current and future telecommunications systems be designed to ensure that they would be able to conduct wiretaps. After several years of lobbying, the United States Congress approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994.[182] The act sets out legal requirements for telecommunications providers and equipment manufacturers on the surveillance capabilities that must be built into all telephone systems used in the United States. In 1999, at the request of the Federal Bureau of Investigation, an order was issued under CALEA requiring carriers to make available the physical location of the antenna tower that a mobile phone uses to connect at the beginning and end of a call.[183]


Due to heavy lobbying, the Internet Service Providers (ISPs) in the United States were exempted from implementing these technical requirements under CALEA. Changes are in the wind, however, as the FBI is calling for the Federal Communications Commission to expand the law and reconsider Voice over IP (i.e., phone calls over the Internet) and its providers as telecommunications carriers under CALEA.[184] If these providers are reclassified as carriers, then the requirements for intercept capability under CALEA will also apply to them.


Intercepting content over digital services is a common legal practice in other countries. In Australia the Telecommunications Act 1997 places obligations on telecommunications operators to positively assist law enforcement in the performance of their duties and to provide an interception capability. The costs of these obligations are borne by the operators themselves.[185] [186]


In the United Kingdom the Regulation of Investigatory Powers Act 2000 requires that telecommunications operators maintain a "reasonable interception capability" in their systems and be able to provide on notice certain "traffic data."[187] It also imposes an obligation on third parties to hand over encryption keys. These requirements were further clarified in the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002. In the Netherlands, a new Telecommunications Act was approved in December 1998 that required that ISPs have the capability by August 2000 to intercept all traffic with a court order and maintain user logs for three months.[188] The law was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. In New Zealand, the Telecommunications (Interception Capabilities) Act 2004 obliges telecommunications companies and ISPs to intercept phone calls and e-mails at the behest of the police and security services.[189] The legislation also requires a telecommunications operator to decrypt the communications of a customer if that operator had provided the encryption facility.[190] In January 2002, a new Law on the surveillance of mail and telecommunications entered into force in Switzerland, requiring ISPs to take all necessary measures to allow for interception.[191] In contrast, the Austrian Federal Constitutional Court held, in a decision[192] in February 2003, that the law compelling telecommunications service providers to implement wiretapping measures at their own expense is unconstitutional.[193]


International cooperation played a significant role in the development of these standards. In 1993, the FBI began hosting meetings at its research facility in Quantico, Virginia called the "International Law Enforcement Telecommunications Seminar" (ILETS). The meetings included representatives from Canada, Hong Kong, Australia and the European Union. At these meetings, an international technical standard for surveillance, based on the FBI's CALEA demands, was adopted as the "International Requirements for Interception." In January 1995, the Council of the European Union approved a secret resolution adopting the ILETS standards.[194] Following this, many countries adopted the resolution into their domestic laws without revealing the role of the FBI in developing the standard. Following the adoption, the European Union and the United States offered a Memorandum of Understanding (MOU) for other countries to sign to commit to the standards. Several countries including Canada and Australia immediately signed the MOU. Others were encouraged to adopt the standards to ensure trade. International standards organizations, including the International Telecommunications Union (ITU) and the European Telecommunication Standardization Institute (ETSI), were then successfully approached to adopt the standards.[195]

Internet Surveillance: Black Boxes and Key Loggers

A related development has been the use of "black boxes" on ISP networks to monitor user traffic. The actual workings of these black boxes are unknown to the public. What little information has been made public reveals that many of the systems are based on "packet sniffers" typically employed by computer network operators for security and maintenance purposes. These are specialized software programs running on a computer that is hooked into the network at a location where they can monitor traffic flowing in and out of systems. These sniffers can monitor the entire data stream, searching for keywords, phrases or strings such as net addresses or e-mail accounts. They can then record or retransmit for further review anything that fits their search criteria. In many of the systems, the boxes are connected to government agencies by high-speed connections.[196]


New methods of surveillance, and in particular those capable of circumventing encryption, are also being developed. One such technological device is a "key logger" system. A key logger system records the keystrokes an individual enters on a computer's keyboard. Keystroke loggers can be employed to capture every key pressed on a computer keyboard, including information that is typed and then deleted. Such devices can be manually placed by law enforcement agents on a suspect's computer, or installed "remotely" by placing a virus on the suspect's computer that will disclose private encryption keys.


The question of such surreptitious police decryption methods arose in the case of United States v Scarfo.[197] There, the FBI manually installed a key logger device on the defendant's computer in order to capture his PGP encryption password. Once they discovered the password, the files were decrypted, and incriminatory evidence was found. In December 2001, the United States FBI confirmed the existence of a similar technique called "Magic Lantern."[198] This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target's computer by sending a computer virus over the Internet, rather than requiring physical access to the computer as is now the case. The new Danish Anti-Terrorism law, enacted in June 2002, appears to give law enforcement the power to secretly install this kind of snooping software on the computers of criminal suspects.[199]

Transactional and Location Data

As new telecommunications technologies emerge, many countries are adapting existing surveillance laws to address the interception of networked and mobile communications. These updated laws pose new threats to privacy in many countries because the governments often simply apply old standards to new technologies without analyzing how the technology has changed the nature and sensitivity of the information. It is crucial for the protection of privacy and human rights that transactional data created by new technologies is given greater protection under law than traditional telephone calling records and other transactional information found in older systems.


In the traditional telephone system, transactional data usually takes the form of telephone numbers or telephone identifiers, the call metrics (e.g., length of call, time and date), countries involved, and types of services used. This data is usually collected and processed by telephone companies for billing and network efficiency (e.g., fault correction) purposes. While telephone companies store this data, it is available to law enforcement authorities. Communications content, i.e., conversations, are not stored routinely. As a result, the obstacles to law enforcement access to this data were minimal: traffic data was available, legally less sensitive, and so accessible with lower authorization and oversight requirements. The content of communications was treated as more sensitive, and more invasive, and more difficult to collect, thus typically requiring greater authorization and oversight mechanisms.


Different communications infrastructures give rise to different forms of transactional data, however. When surfing the net, a user can visit dozens of sites in just a few minutes and reveal a great deal about their personal situation and interests. This can include medical, financial, social interests and other highly sensitive personal information. As the Council of Europe acknowledges in the Explanatory Report of the Convention on Cybercrime:


The collection of this data may, in some situations, permit the compilation of a profile of a person's interests, associates and social context. Accordingly Parties should bear such considerations in mind when establishing the appropriate safeguards and legal prerequisites for undertaking such measures.[200]


The detailed and potentially sensitive nature of the data makes it more similar to content of communications than telephone records.[201]

Data Retention

A new technique of communications surveillance involves the retention of customer record information on individuals who are suspected of no crime and outside the context of any actual criminal investigation or business purpose.[202] On May 30, 2002, the European Parliament voted on the European Union Electronic Communications and Privacy Directive.[203] In a remarkable reversal of their original opposition to data retention, the members voted to allow each EU government to enact laws to retain the traffic and location data of all people using mobile phones, SMS, landline telephones, faxes, e-mails, chatrooms, the Internet, or any other electronic communication devices, to communicate. The new Directive reverses the 1997 Telecommunications Privacy Directive by explicitly allowing European Union countries to compel Internet service providers and telecommunications companies to record, index, and store their subscribers' communications data.[204]


In March 2006, the European Union amended the 2002 Directive on Privacy and Electronic Communications by enacting a Directive on Mandatory Retention of Communications Traffic Data.[205] The new Directive requires Member States to require communications providers to retain communications data for a period of between 6 months and 2 years. Member States have until September 2007 to transpose the requirements of the Directive into national laws; however, a delay of 18 additional months, until March of 2009, is available. Sixteen of the 25 member states of the EU have declared that they will delay the implementation of data retention of Internet traffic data for the additional period.[206]


The passage of this Directive has been highly controversial. A significant public movement against data retention has been formed, with some thousand people attending demonstrations and about 10,000 people declaring that they will be filing a case before the Constitutional Court in Germany.[207] Digital Rights Ireland filed a challenge to the EU government in July 2006. The case challenges the legal basis for the Data Retention Directive, alleging that this was a matter relating to criminal justice and as such the appropriate measure would have been a framework decision under the third pillar.[208]


Europe is not alone, however. Australia has proposed a code of practice for ISPs to retain traffic data on a voluntary basis.[209] Argentina also passed a law calling for the retention of traffic data for 10 years.[210] Other countries are also calling for the retention of subscriber details, and are preventing anonymous access to the Internet through ID card requirements at cybercafés,[211] while others are banning the use of anonymous mobile telephony.


Cybercrime: International Initiatives in Harmonizing Surveillance


A related effort for enhancing government control of the Internet and promoting surveillance is also being conducted in the name of preventing "cyber-crime," "information warfare" or protecting "critical infrastructures." Under these efforts, proposals to increase surveillance of the communications and activities of Internet users are being introduced as a way to prevent computer intruders from attacking systems and to stop other crimes such as intellectual property violations.


The international lead bodies are the Council of Europe and the G-8, while there has also been some activity within the European Union.[212] The United States has been active behind the scenes in developing and promoting these efforts.[213] After meeting behind closed doors for years, these organizations finally, in 2000, made public proposals that would place restrictions on online privacy and anonymity in the name of preventing cyber-crime.


Council of Europe


The Council of Europe (CoE) is an intergovernmental organization formed in 1949 by West European countries. There are now 45 member countries. Its main role is "to strengthen democracy, human rights and the rule of law throughout its member states." Its description also notes that "it acts as a forum for examining a whole range of social problems, such as social exclusion, intolerance, the integration of migrants, the threat to private life posed by new technology, bioethical issues, terrorism, drug trafficking and criminal activities."


On September 8, 1995, the CoE approved a recommendation[214] to enhance law enforcement access to computers in member states. In 1997, the CoE formed a Committee of Experts on Crime in Cyber-space (PC-CY). The group met in secret for several years drafting an international treaty, and in April 2000, released the "Draft Convention on Cyber-crime, version 19." Several subsequent versions were released until version 27 was released in June 2001.


The convention has three parts. Part I proposes the criminalization of online activities such as data and system interference, the circumvention of copyright, the distribution of child pornography, and computer fraud. Part II requires ratifying states to pass laws to increase their domestic surveillance capabilities to cater for new technologies. This includes the power to intercept Internet communications, gain access to traffic data in real-time or through preservation orders to ISPs, and access to secured or "protected" data. The final part of the treaty requires all states to cooperate in criminal investigations. So, for example, country A can request country B to utilize any of the aforementioned investigative powers within country B for a crime that is being investigated in country A. There is no requirement for the crime in country A to actually qualify as a crime in country B, i.e., no requirement for dual-criminality. In this sense, the convention is the largest mutual legal assistance regime in criminal matters ever created.


The draft convention text was strongly criticized by a wide variety of interested parties including privacy and civil liberties groups for its promotion of surveillance and lack of controls such as authorization requirements and dual criminality;[215] prominent security experts for previously articulated limitations on security software;[216] and industry for the costs of implementing the requirements, and the challenges involved in responding to requests from 43 different countries. The Article 29 Data Protection Working Group has expressed concern regarding the convention's implications upon privacy and human rights, concluding that:


The Working Party therefore sees a need for clarification of the text of the articles of the draft convention because their wording is often too vague and confusing and may not qualify as a sufficient basis for relevant laws and mandatory measures that are intended to lawfully limit fundamental rights and freedoms.[217]


The convention text was finalized in September 2001. After the terrorist attacks on the United States, the convention was positioned as a means of combating terrorism. A signing ceremony took place in November 2001 where it was signed by 30 countries, and later signed by another eight.


The convention came into force on January 7, 2004, once it was ratified by five signatory states, all members of the Council of Europe.[218] The Convention was originally open to the members of the CoE and to countries that were involved in its development, which includes Canada, Japan, South Africa and the United States. Now that it is in force, other non-CoE countries such as China and Singapore can also ask to join.


The Organization for Economic Co-Operation and Development


In contrast to many of the law enforcement-driven initiatives, the Organization for Economic Cooperation and Development (OECD) has tended to take a broader view of security issues. In 1992, the OECD issued Guidelines for the Security of Information Systems.[219] Containing nine principles, the Guidelines stress the importance of ensuring transparency, proportionality and other democratic values when establishing measures, practices and procedures for the security of information systems. In the fall of 2001, the OECD Working Party on Information Security and Privacy (WPISP) established a group of experts to conduct a review of these guidelines (such a review must take place every five years). The group of experts met four times between December 2001 and June 2002 and recommended several changes. The OECD Council adopted the 2002 Security Guidelines[220] on July 25, 2002 and they remain in effect.[221] Although the guidelines have been substantially revised, the need to ensure key democratic values, such as openness, transparency and the protection of personal information, is nonetheless reiterated in the principles. The OECD also developed a "Culture of Security" web site[222] launched after the "OECD Global Forum on Information Systems and Network Security: Towards a Global Culture of Security" held in Oslo, Norway in October 2003. The site provides member and non-member governments with an international information-exchange tool on initiatives to implement the Guidelines and serves as a portal to relevant Web sites as a first step towards creating a global culture of security. OECD member countries adopted an implementation plan[223] and released it to the public in January 2003. The OECD also took a survey of OECD member countries in July 2003, analyzing measures taken since the adoption of the Security Guidelines in July 2002 as consistent with the OECD Implementation Plan. The survey results[224] were released on June 7, 2004.


On June 12, 2007 the OECD Council adopted a new Recommendation setting forth a framework for co-operation in the enforcement of privacy laws.[225] The framework reflects a commitment by governments to improve their domestic frameworks for privacy law enforcement to better enable their authorities to co-operate with foreign authorities, as well as to provide mutual assistance to one another in the enforcement of privacy laws. Specific recommendations include the development of international enforcement cooperation mechanisms and mutual assistance tools such as notification, complaint referral, investigative assistance and information sharing, subject to appropriate safeguards. The recommendations also call for stakeholder discussion and collaboration and instruct the relevant OECD committee to monitor and report on the implementation of these measures.

National Security, Intelligence Agencies and the "Echelon system"

In the past several years, there has been considerable attention given to mass surveillance by intelligence agencies of international and national communications. Investigations have been opened and hearings held in parliaments around the world about the "Echelon" system coordinated by the United States.


Immediately following the Second World War, in 1947, the governments of the United States, the United Kingdom, Canada, Australia and New Zealand signed a National Security pact known as the "Quadripartite," or "United Kingdom–United States" (UKUSA) agreement. Its intention was to seal an intelligence bond in which a common national security objective was created. Under the terms of the agreement, the five nations carved up the earth into five spheres of influence, and each country was assigned particular signals intelligence (SIGINT) targets.


The UKUSA Agreement standardized terminology, code words, intercept handling procedures, arrangements for cooperation, sharing of information, Sensitive Compartmented Information (SCI) clearances, and access to facilities. One important component of the agreement was the exchange of data and personnel.


The strongest alliance within the UKUSA relationship is the one between the United States National Security Agency (NSA), and Britain's Government Communications Headquarters (GCHQ). The NSA operates under a 1952 presidential mandate, National Security Council Intelligence Directive (NSCID) Number 6, to eavesdrop on the world's communications networks for intelligence and military purposes. In doing so, it has built a vast spying operation that can reach into the telecommunications systems of every country on earth. Its operations are so secret that this activity, outside the United States, occurs with little or no legislative or judicial oversight. The most important facility in the alliance is Menwith Hill, a Royal Air Force base in the north of England. With over two dozen domes and a vast computer operations facility, the base has the capacity to eavesdrop on vast chunks of the communications spectrum. With the creation of Intelsat and digital telecommunications, Menwith Hill and other stations developed the capability to eavesdrop on an extensive scale on satellite-borne fax, telex and voice messages. [226]


The use of Echelon to target diplomatic communications was highlighted as a result of disclosures made in 2003 by a British intelligence employee, former United Nations officials, and a former British Cabinet Minister concerning eavesdropping by the US NSA and the British GCHQ over UN Secretary General Kofi Annan's telephone communications and private conversations.[227]


The issue of eavesdropping on the diplomatic communications of the UN and its member nations' missions is covered by four international conventions: the Universal Declaration of Human Rights (Article 12),[228] the 1961 Vienna Convention on Diplomatic Relations (Article 27),[229] the 1947 Headquarters Agreement between the UN and the United States,[230] and the 1946 Convention on the Privileges and Immunities of the UN (Article 2).[231]



[170] Reuters News Agency, "In Australia, Chances Are that Your Phone Is Tapped," September 16, 2002.

[171] United States Department of State, Country Report on Human Rights Practices 1997, January 30, 1998.

[172] United Nations Human Rights Commissioner, The right to respect of privacy, family, home and correspondence, and protection of honour and reputation (Article 17), CCPR General Comment 16, April 8, 1988.

[173] The Associated Press, "Top German Court Hears a Challenge to Eavesdropping," in New York Times, July 2, 2003.

[174] BVerfG, 1 BvR 2378/98 vom 3.3.2004, Absatz-Nr. (1 - 373), available at <http://www.bverfg.de/entscheidungen/rs20040303_1bvr237898.html> (in German).
[175] "Grosser Lauschangriff: Definition, Bedeutung, Erklärung im Lexikon", Net Lexicon, available at <http://www.lexikon-definition.de/Grosser-Lauschangriff.html> (in German).
[176] Basic Law for the Federal Republic of Germany, I. Basic Rights, Articles 1, 13, available at <http://www.bundesregierung.de/en/Federal-Government/Function-and-constitutional-ba-,10222/I.-Basic-rights.htm>.

[177] C. Schröder, "Wiretap in Germany", German American Law Journal: American Edition (March 11, 2004), available at <http://www.recht.us/amlaw/2004/03/11>.
[178] Schröder, Id.
[179] "German Legal News - Constitutional Law", University College of London, Faculty of Laws, Institute of Global Law, available at <http://www.ucl.ac.uk/laws/global_law/legal-news/german/index.shtml?constitution>.
[180] Copland v. The United Kingdom, Application no. 62617/00, April 3, 2007, <http://www.bailii.org/eu/cases/ECHR/2007/253.html>.

[181] See David Banisar & Simon Davies, "The Code War," Index on Censorship, January 1998.

[182] See EPIC's Wiretap web page <http://www.epic.org/privacy/wiretap/>.
[183] Third Report and Order adopted by the Federal Communications Commission, In the Matter of Communications Assistance for Law Enforcement Act, CC Docket No. 97-213, FCC 99-230 (1999) (the "Order"). The Order was released on August 31, 1999. A summary of the Order was published in the Federal Register on September 24, 1999. See 64 Fed. Reg. 51710.

[184] EPIC Letter to the Honourable Michael K. Powell, Chairman of the Federal Communications Commission, December 15, 2003, available at <http://www.epic.org/privacy/voip/fccltr12.15.03.html>.

[185] Telecommunications Act 1997, Parts 14 and 15.
[186] Furthermore, the 2001 Cybercrime Act allows executing officers to require a "specified person" with "knowledge of a computer or a computer system" to provide assistance in accessing, copying or converting data held on or accessible from that computer. Failing to provide this assistance is an offence punishable by six months imprisonment. Cybercrime Act 2001, No. 161, 2001, inserting Sections 3LA and 201A in the Crimes Act 1914, available at <http://scaleplus.law.gov.au/html/pasteact/3/3486/pdf/161of2001.pdf>.

[187] Regulation of Investigatory Powers Act 2000, Sections 12 (1) and 22 (4) respectively, available at <http://www.hmso.gov.uk/acts/acts2000/20000023.htm>.
[188] Telecommunications Act 1998. Rules pertaining to Telecommunications (Telecommunications Act), December 1998.
[189] Telecommunications (Interception Capabilities) Act 2004, available at <http://www.legislation.govt.nz/browse_vw.asp?content-set=pal_statutes>.
[190] Id. at section 8.
[191] Loi fédérale sur la surveillance de la correspondance postale et des télécommunications, (www.admin.ch/ch/f/rs/c780_1.html) and the respective new decree (www.admin.ch/ch/f/rs/c780_11.html)
[192] <http://www.vfgh.gv.at/vfgh/presse/G37-16-02.pdf>.
[193] See for more details <http://www.epic.org/privacy/intl/austrian_vfgh-022703.html>.

[194] Council Resolution of 17 January 1995 on the lawful interception of telecommunications, Official Journal of the European Communities, November 4, 1996, available at <http://europa.eu.int/eur-lex/en/lif/dat/1996/en_496Y1104_01.html>.
[195] See EPIC and Privacy International, Privacy and Human Rights: An International Survey of Privacy Laws & Developments 60 (EPIC 2006).

[196] See PHR 2005, supra, 62-63.

[197] United States v. Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001). See generally EPIC's Scarfo web page <http://www.epic.org/crypto/scarfo.html>.
[198] Elinor Mills Abreu, "FBI Confirms 'Magic Lantern' Project Exists," Reuters, December 12, 2001.
[199] Law No. 378, June 6, 2002.

[200] Council of Europe Convention on Cybercrime (ETS no: 185), opened for signature on November 8, 2001.

[201] See PHR 2005, supra.

[202] See EPIC's International Data Retention Page <http://www.epic.org/privacy/intl/data_retention.html>.
[203] Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector <http://register.consilium.eu.int/pdf/en/02/st03/03636en2.pdf>.
[204] Id. at Article 15 (1).

[205] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, available at <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:NOT>.
[206] Id.

[207] Data Retention is No Solution <http://www.dataretentionisnosolution.com/>.
[208] Digital Rights Ireland Data Retention page <http://www.digitalrights.ie/2006/07/29/dri-challenge-to-data-retention/>.

[209] Electronic Frontiers Australia, "Big Brother ISP Code Condemned," August 19, 2003.
[210] Pablo Palazzi, Terrorism Laws in Latin America, Privacy International, September 2004.
[211] Privacy International & the GreenNet Educational Trust, Silenced: An International Report on Censorship and Control on the Internet, September 2003.

[212] Dr Paul Norman, "Policing 'High Tech Crime' in the Global Context: the Role of Transnational Policy Networks," available at <http://www.bileta.ac.uk/99papers/norman.htm>.
[213] For details see <http://www.privacyinternational.org/issues/cybercrime/>.

[214] The Recommendation of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information states: "Subject to legal privileges or protection, investigating authorities should have the power to order persons who have data in a computer system under their control to provide all necessary information to enable access to a computer system and the data therein. Criminal procedure law should ensure that a similar order can be given to other persons who have knowledge about the functioning of the computer system or measures applied to secure the data therein. Specific obligations should be imposed on operators of public and private networks that offer telecommunications services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the investigating authorities. Measures should be considered to minimize the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary."

[215] See, e.g., Global Internet Liberty Campaign (GILC) Member Letter on Council of Europe Convention on Cyber-Crime, October 18, 2000 <http://www.gilc.org/privacy/coe-letter-1000.html>; GILC Member Letter on Council of Europe Convention on Cyber-Crime Version 24.2, December 12, 2000 <http://www.gilc.org/privacy/coe-letter-1200.html>.
[216] Statement of Concerns, July 20, 2000. <http://www.cerias.purdue.edu/homes/spaf/coe/index.html>.

[217] European Union Article 29 Data Protection Working Group, Opinion 4/2001 on the Council of Europe's Draft Convention on Cyber-crime, March 22, 2001 <http://www.europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2001/wp41en.pdf>.

[218] Council of Europe, Convention on Cybercrime, Status as of: 18/06/2004, available at <http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG>.

[219] OECD Guidelines for the Security of Information Systems, 1992, available at <http://www.oecd.org/document/19/0,2340,en_2649_34255_1815059_1_1_1_1,00.html>.
[220] OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, adopted July 2002, available at <http://www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html>.
[221] OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, Questions and Answers, available at <http://www.oecd.org/dataoecd/27/6/2494779.pdf>.
[222] Culture of Security web site, available at <http://webdomino1.oecd.org/COMNET/STI/IccpSecu.nsf?OpenDatabase>.
[223] "Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security," adopted October 2003, available at <http://webdomino1.oecd.org/COMNET/STI/IccpSecu.nsf?OpenDatabase>.
[224] "Summary of Responses to the Survey on the Implementation of the OECD Guidelines for the Security of Information Systems and Networks: Towards A Culture of Security," June 2004, available at <http://webdomino1.oecd.org/COMNET/STI/IccpSecu.nsf?OpenDatabase>.

[225] OECD Recommendation on Cross-Border Privacy Law Enforcement, June 12, 2007, available at <http://www.oecd.org/dataoecd/43/28/38770483.pdf>.

[226] See PHR 2005, supra, 76-78.

[227] The controversy began when the British government suddenly dropped its Official Secrets Act case against Katharine Gun, a Chinese linguist working for GCHQ in Cheltenham, UK. Gun was accused of leaking to the British media a TOP SECRET/COMINT memorandum from NSA to GCHQ asking for its help in eavesdropping on the communications of non-permanent members of the UN Security Council to determine their intentions on the Security Council resolution authorizing the war on Iraq. After the case against Gun was dropped, former British International Development Minister Clare Short revealed that she was shown a transcript of a confidential conversation of UN Secretary General Kofi Annan. It was reported that Annan's telephone communications and private conversations were bugged by NSA and GCHQ. According to Andrew Wilkie, a former Australian intelligence official, the spying against the UN was supported by Australia, through the "five eyes agreement," a reference to Echelon and the UKUSA Agreement. (Mark Forbes, "Australia 'Party to Bugging of UN,'" The Age (Melbourne), June 19, 2004.) Since Short's revelations, several other former UN officials have come forward to describe similar eavesdropping by the British and Americans, which share a decades-old signals intelligence relationship known as the UK-USA Agreement, along with Canada, Australia, and New Zealand. Former UN Secretary General Boutros Boutros Ghali, UN weapons inspectors Hans Blix, Rolf Ekeus, and Richard Butler, UN Human Rights Commissioner Mary Robinson, former Mexican UN ambassador Aguilar Zinser, current Mexican UN ambassador Enrique Berruga, Chilean Foreign Minister Soledad Alvear, Chilean ambassador to Britain Mariano Fernandez, and former Chilean UN ambassador Juan Gabriel Valdes, have all spoken about eavesdropping against them and their countries by the Americans and British. See generally <http://www.epic.org/privacy/wiretap/diplomatic.html>.

[228] "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
[229] "1. The receiving State shall permit and protect free communication on the part of the mission for all official purposes. In communicating with the Government and the other missions and consulates of the sending State, wherever situated, the mission may employ all appropriate means, including diplomatic couriers and messages in code or cipher. However, the mission may install and use a wireless transmitter only with the consent of the receiving State; 2. The official correspondence of the mission shall be inviolable. Official correspondence means all correspondence relating to the mission and its functions."
[230] Section 9 provides: "The headquarters district shall be inviolable."
[231] "The premises of the United Nations shall be inviolable. The property and assets of the United Nations, wherever located and by whomsoever held, shall be immune from search, requisition, confiscation, expropriation and any other form of interference, whether by executive, administrative, judicial or legislative action."


URL: http://www.worldlii.org/int/journals/EPICPrivHR/2006/