In March 2015, the United Nations Human Rights Council endorsed the creation of a special rapporteur on privacy. The landmark resolution1, spearheaded by Brazil and Germany and cosponsored by 46 states, including 10 other Latin American countries, gives the right to privacy the international recognition and protection it deserves.
For Latin America, this resolution couldn’t have come at a better time. An alarming legislative trend is unfolding in several countries in the region, aimed at passing data retention laws that compel telecommunications companies to retain the details of customers’ activities for future review by government agencies. Such details include whom they communicate with, for how long and from where. No one is exempt from this data collection, which is kept available for law enforcement (and other government bodies) to examine in the future.
Human rights advocates consider these laws a violation of the right to privacy. If Latin America’s governments want to take privacy seriously, they need to abandon the push to log their citizens’ online activity.
For example, Mexican companies currently retain the data of all domestic telecommunications users for two years.2 Brazil’s Marco Civil da Internet requires telecom companies to retain connection logs for one year. 3 In March 2015, the Paraguayan Chamber of Deputi es rejected an attempt to introduce a local data retention mandate.4 The Paraguayan bill sought a retention period of 12 months, access ible by authorities investigating any crime. It has been sent back to the Paraguayan senate, which must resolve the matter in the coming weeks.5
In each of these cases, politicians have made clear that the retention obligation does not extend to the content of communications (recording a call or e-mail, for example). It does, however, include a treasure trove of metadata about citizens’ communications, such as the time, date, location, and IP address used in a call or e-mail. This omission is the general justification for why every Internet or phone user can have his or her records collected, even if they are not suspected of a crime. Proponents of retention mandates say that logging, archiving and inspecting metadata isn’t as sensitive as recording the contents of a phone call.
The world’s human rights experts disagree. In March 2014, the UN Human Rights Committee expressed concern about the National Security Agency’s (NSA) surveillance programs, calling upon the U.S. to “refrain from imposing mandatory retention of data by third parties.”6 Just a few months later, in June 2014, the Office of the UN High Commissioner for Human Rights published a report on the right to privacy in the digital age, stating that forcing “telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access […] appears neither necessary nor proportionate.”7
Nevertheless, Latin America seems to be moving in an opposite direction from Europe, where there is a growing consensus that data retention violates human rights. In April 2014, the European Court of Justice declared the EU’s Data Retention Directive invalid, declaring that the mass collection of metadata in Europe entailed a “wideranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data.”8
Why has data retention provoked such a strong reaction from digital security experts and human rights advocates? Does it matter if citizens’ application logs or IP addresses— which may change with every new session—are catalogued? Such data, after all, is often dismissed by government officials as meaningless.
However, these bits of information can work more like pieces of a complex puzzle. Taken separately, they may seem irrelevant; but when carefully collected and combined, they reveal our online identities with surprising accuracy. In 2014, Stanford University researchers found that information about who people call can be used to infer extraordinarily sensitive facts about them, such as the fact that someone sought and received treatment for particular medical conditions.9 IP addresses collected by a web service can even reveal whether two people spent the night in the same place. Information disclosed by your phone can reveal whether two people were close to each other, and this proximity can reveal if a person attended a protest or cheated on their spouse.
The consequences of data retention mandates are far-reaching, but one particularly troubling outcome is the erosion of journalists’ right to refuse to hand over evidence to law enforcement to protect the confi dentiality of their sources.10 In Europe, there have been a few examples in which data retention policies have been abused. In Germany, Deutsche Telekom illegally used telecommunications traffic and location data to spy on roughly 60 individuals including journalists, managers and union leaders.11 Polish media reported two major cases where intelligence agencies used retained data to illegally disclose journalistic sources.12
One of the strongest arguments against data retention is the risk of accidental exposure through leaks and hacking. Unauthorized access to logs can lead to sales of sensitive information, blackmail or threats to public figures. They are a source of ongoing risk to all users, because the user can never be sure that the logs won’t be disclosed and used for criminal purposes.
It’s time for the Latin American countries that cosponsored the UN resolution on the right to privacy to turn their promises into action. They should lead by example, ensuring that they keep their own houses in order. Data retention has no place in a modern society that respects human rights—neither in Latin America nor anywhere else in the world.