IGF 2016 - Day 3 - Room 4 - WS267: Surveillance and International Human Rights Law

 

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

>> MODERATOR:  Thank you for your patience.  Thanks for the organisers of R3D.  We have the speakers here.  We will start with Amos.  He's an advisor to the UN Special Rapporteur on freedom of expression and MC from Google.  And I'm going to take the moderator stand and take advantage of this by saying that for us, this is a very important topic and very important discussion.  I'm really at tentative to this but kind of leave you with a few questions in your mind on proportionality, the necessity to know security and transparency and sort of four guiding principles for the discussion that I know the speakers will talk about.  On to Amos.

>> AMOS TOH:  Thanks so much, MC and Katitza and Luis as well, for organizing the panel.

I want to kind of briefly give a round up of some of the standards promulgated within the UN system that might apply to the fast evolving surveillance technologies in the operations around the world.  And I mean, I think I also want to throw out challenges and ask questions in the hope there will be panel and audience participation so we can make this more interactive.

We recently briefed case on a special procedures, the freedom of expression mandate as well as freedom of association and human rights defenders.  We recently filed an amicus brief in the United States court case called Kigani versus Ethiopia which basically concerns -- I should start my timer.

Which basically concerns an activist being surveilled by the State of Ethiopia in Maryland.  This is an Ethiopian American activist.  Cutting to the chase, this case is up for appeal.  We basically laid out our positions on why this surveillance, this type of surveillance, this type of malware to infect another activist's computer extra territorially affects the right to freedom of association, freedom of expression, privacy, so on.

One of the most under discussed norms that has taken on increasing importance in the digital age is the freedom of opinion, enshrined under Article 19.1 it is separable from Article 19.2.  The right to a freedom of opinion is an absolute right and does not permit any interference.  We see in the digital age where we form and hold opinions are not longer confined to processing them in our own heads or writing them in a diary.  We hold opinions on a Microsoft Word document, and by browsing the Internet and having the history of the websites being recorded somewhere.

To the extent that Internet browsing histories, drafts of documents and digital memoranda that we do not share with anyone, to the degree that these are mechanisms for opinion is it ever legitimate for governments to collect such information given the absolute nature of the Article 19.1 right?  I think when we go into communication surveillance we are talking about Articles 19.2 and 19.3.  I'm talking about the ICCPR, I'm sure you know and we go into the limitations criteria, three provided by law:  Necessity and proportionality.

I want to highlight one or two things.  Provided by law is not simply to, in our view it is not simply for it to go to a formal legal process and you have legislation and therefore that makes it provided by law and satisfying the standard.  I think law might also be reasonably clear and precise about the conditions under which surveillance may target each and every one of us.  I think under necessity and proportionality we have to be clear that it implies surveillance must not be reasonable, desirable or even useful to accomplish an aim, there must be a immediate connection between the surveillance and the legitimate aim, whether national security or otherwise that is sought to be pursued.

So I think there has been a greater development and strengthening of the human rights norms and criteria on digital surveillance, especially since the Snowden revelations in 2013.  I think this is where the challenge lies.  Surveillance schemes around the world are expanding, in ways that raise extremely grave concerns for digital rights and digital expression.  So the challenge for us, I think, as a human rights community as well as for governments, private actors and international organisations, is how do we translate these norms?  How do we translate these international norms into concrete and enforceable protections that governments respect?

And so I have two questions here I want to throw out to the audience and the Panelists.  What can the UN system, whether the freedom of expression mandate but broader than the special procedures, the Human Rights Council, General Assembly, any of the UN agencies, what can they do better or do more of in terms of supporting grassroots and local movements for more surveillance accountability?

And the second question I want to ask which is really related, how do we develop and socialize standards that give concrete meaning to the criteria of necessity and proportionality?  This may be a process question in the sense that we might ask for more transparency and more quality of transparency from governments in the private sector.  We might also ask for judicial oversight.  Again I think we need model legislation, we need moldings for the kinds of oversight that we see.  I think the necessity and proportionality principles provide a good template for that.  I also think it is an outcomes question, less talked about.  Some kinds of surveillance that are almost never permissible under international law.  The example, for instance, of mass surveillance.  We try to get meaningful perspective on how to provide guidance on what are legitimate national security aims.  National security is a catch-all phrase for all kind of surveillance and it is untenable and we must start coming to a more well-defined definition or at least provide checks and balances that can limit the use of that term in the pursuit of surveillance regimes and operations.

I think that is really the remarks I had and hopefully those questions may be answered as we go along.  Thank you so much.

>> MODERATOR:  Moving on to the example in India, I will move to Arjun Jayakumar, Policy Director at LSFC, yes, the example of India.

>> ARJUN JAYAKUMAR:  Hello?  I think it is working now.  Thank you for the introduction.  I am Arjun.  I work with Software Freedom Law Centre, a private organisation that works to protect digital liberties.  One of the main projects we have worked on in the past is communication surveillance.  This is something I was involved with drafting, which is why I was looking forward to this session as much as anyone else here.  We had a report called communication surveillance in India, a couple of years ago.  What this report did was take a look at how communication surveillance is conducted in India and more particularly one of the chapters of the report was dedicated to comparing the landscape in India against the principles that we have just spoken about here.  The proportional principles are an excellent reference to look at any regime in any jurisdiction.  I thought I would quickly go over a couple of the principles and see how the Indian landscape stacks up against these principles.  This would serve the purpose of evaluating the landscape itself and give you an oiled of how the whole thing works.

The first principle in the list of 13 principles is legality which says that surveillance should always be carried out in accordance with law that has been clearly laid out and that is the first principle.

But we have determined in our reports that in India this principle is not always observed very well in the sense that we do have a set of laws that set out when communication surveillance can be undertaken but these laws are anything but clear.  For instance, the technology act are the two main legislations that sanction communications surveillance in language.  But the language of these sections are extremely broad and make room for the conduct of surveillance at basically any turn of the time.

More importantly in India the citizens do not have a constitutional right to privacy.  Some judicial interpretations by the Supreme Court have interpreted the right to privacy as being implicit in the right to life and personal liberty under the constitution, but this has been recently up for debate.  The standing of the right to privacy in India is very, very questionable as of now.

Moreover, there is also now no periodic review of the laws that sanction and oversee surveillance which means the legality principle is not very well met in India.

Again, the principles of legitimate aim, adequacy and proportionality are more or less related and state that surveillance must only be carried out in accordance with these principles when there is a legitimate aim when it is necessary to carry out surveillance, when you exhausted all the means of gathering this information.  None of this is observed in India again because the reasons under which surveillance is permitted to be carried out range from everything from the very broad ambit of protection of national security right down to the spreading of computer viruses.

There are standing mandates within the provisions of law to exhaust all other means of procuring this information, but this not always seen to be done, which is demonstrated by the fact that one of the requests that we had, one space before the government entered the Right to Information Act about how often communication surveillance is gathered in India, on average every month about 9,000 orders of surveillance are issued by one particular authority in the central government which means there is absolutely no scope of application, there is no scope for weighing these instances against the benefits and the costs and coming to informed set of conclusions on whether or not this is a situation that warrants surveillance to begin with.

And then moreover, surveillance in India is not carried out under the supervision of any sort of judicial oversight.  So the entire surveillance process, starting with the sanctioning of the surveillance order right down to the conduct of the surveillance itself and view of the order, everything is carried out with executive arm of the government and there is no intervention by any other arm of the government.  It is a monopolistic situation, where there is abuse of process.  There is no user notification.  Nobody is notified when surveillance is initiated or concluded regardless notifying people of this would in fact take away from the surveillance process all together and there is no transparency whatsoever when it comes to the surveillance landscape in India. 

As I said, any request to provide information on how communication surveillance is carried out is usually met with response to the effect that this is a matter that relates to national security and which cannot be discussed as easily as people seem to think.  Usually the request is denied and we have to rely on reports in newspapers or information leaks to get an idea of how the whole thing works in India.

So that is just some of the more important principles I think from the list of 13 that I already covered.  Do not take too much time I conclude here and allow the discussion to carry on.  Thank you.

>> MODERATOR:  Thank you.  We are going to move to Peter from the Council of Europe and Data Protection Unit.

>> Thank you very much to the organisers for having any intervention.  I just would like to invite you to have a brief look into the interpretation of and the set of requirements, the European Court of Human Rights established regarding surveillance and surveillance measures.  But for beginning, it has to be said that surveillance is basically left to the discretion of the national sovereign states. 

However, it is widely recognised, and I will of course point out in the court of jurisprudence as well, the use of surveillance measures represents interference to Article 8 of the European Convention on Human Rights as well as to Article 12 of the Universal Declaration on Human Rights as well.  Now we are going to focus on European legislation.  So it has to be in accordance with law, but the surveillance measures are basically used for very specific purpose which is of public interest.  And here I would like to invite you to really make the difference and to understand the difference, the European court is making between interest and rights because human rights are embedded in those declarations I was referring to, but the interests are set by the states and public interest is only and the use of surveillance measures can only be legitimate if they are respecting human rights.

So with then introduction, I just would like to have a more detailed look at the court jurisprudence on this measure.

As I mentioned there's a measure of discretion whenever evaluating threats to national security left to the states.  And we are deciding how to combat this.  Nevertheless, the court in its jurisprudence which is very extensive and it starts from the case called Klaus and Others, and hence the case of Zakarov and other cases which I won't cite here, but I invite you to read those.

So the court in these cases established a three-fold test of requirements, where the Member States have to request when applying those measures.  Three fold set of requirements consist of the obligation that the measures have to be foreseen by law, have to be necessary in a democratic society, and an independent and effective supervision has to be in place regarding towards this measure.  I would like to stop at the requirements number two because this requirements number two has some sub-requirements or elements which has to be taken care of.  The necessary and democratic society for the Court of Human Rights means that the measure has to be foreseen by the law and it has to pursue legitimate interest and has to be necessary and proportionate with a view to the legitimate pursuit.

So we are now in a situation where the state's margin for appreciation is no longer uniformly brought.  For example, in the case law there is absolute prohibitions.  So there is a reference to Article 3 of the European Convention which speaks about torture, or human degrading treatment as well as punishment.  And there is no margin of appreciation whatsoever.  It goes on in the same direction regarding Article 6 as well, which is where the court stated if it exists, a less intrusive measure available.  So the use of surveillance measures cannot be legitimate.  Or cannot be considered legitimate anymore.  And it has also established a very detailed requirements for independent court supervision.

About secret surveillance, the court is relatively flexible on the subject of recognition of victim status.  So it is quite open on receiving claims regarding the use of this measure and the criteria of the "in accordance with law" has to be understood that the law should be accessible and foreseeable and relatively detailed.

There is also an obligation for the when it comes to the use of this measure to impose safeguards which must be accompanied, or which must accompany the surveillance measures.  And there is also the fourth criteria which is the necessity criteria regarding the secret surveillance where the court usually make a balance of the national security interests and the intrusion into the private life of the data subject.

Usually it requires that guarantees against abuse have to be in place as well as supervision, as I mentioned before.

Basically, these are the requirements that the European court established and I will be open for questions.

>> MODERATOR:  Thank you.  Moving on to Katitza Rodriguez from EFF.

>> KATITZA RODRIGUEZ:  Thank you.  Before explaining, we have been working over a year on a competitive analysis of surveillance laws in Latin America.  I think it is important to remember the history in Latin America and reflect on the horrific consequence of unchecked surveillance.  And just to illustrate a case, in December 1992 following, a Paraguayan lawyer drove to a secure police station in Asuncion.  A police officer discovered a cache of 100,000 documents piled near to the ceiling.  This was called the Terror of the Archives and almost complete record of the interrogations, torture and surveillance carried by the dictatorship of Paraguay. 

The files report details the Operation Condor, a clandestine programme between the military dictatorships in Bolivia, Argentina, Chile and other countries in the '70s and '80s.  The countries agreed to cooperate in sending teams to other countries to track and kill their opponents.  They used informants, cameras, wiretaps to build a paper database of everyone that was viewed as a threat, plus their friends and associates.  The Terror of Archives show how far a country government might sink when unchecked by judicial authorities, public oversight bodies and knowledge of the general public.  That was a quarter of a century ago.  A modern Operation Condor would have more powerful tools at hand than just paper files, cameras or wiretap, phones.  Today the surveillance technology leaves these techniques documented in the Terror of Archives in the dust.

So one way to stop these powers from being used against the public is to create robust modern privacy laws to constrain its use that includes strong safeguards, and also judges who are strong and independent and knowledgeable on the topic and oversight mechanisms that allow the general public to know where the country's most secretive government agents are up to their time.  To assist in this task and help policymakers, we have been working over a year with our partner organisations in those countries in Latin America to release a comparative legal analysis of surveillance laws in those countries.  Our work, our goal was to shed light on the current state of surveillance in the region, both in law and in practice.  I don't know if we can show the page in the screen?  Okay, I will continue. 

What we have learned from this research, and I will be very brief.  It is really 100 pages.  You can read it.  There is a good summary too.  We analyzed all these laws against international human rights standards and we take the necessary and proportionate principles as a benchmark, as guidelines to assess compliance of each of these laws against international standards.

So in the legality principles we found in our research that many states only specifically authorize wiretapping, which means listening to or recording telephone conversations.  They do not have precise, to conduct new forms of surveillance even in many countries with a few locations for geo location tracking or even cell tower monitoring, using malware.  Like wiretapping these are inveigh sieve and raise far different privacy concerns and leave out questions that might be tackled.  In Colombia you don't have pure judicial authorization to authorize any kind of wiretapping.  Are we going to keep these insane legal safeguards in that country for the use of technology that is even more invasive than just a simple wiretapping?  It is a question.

Despite the lack of legal footing, there appears to be widespread use of these technologies.  Research by (non-English phrase) show that in the majority of Latin American countries, countries were in touch and sought to purchase malicious software.  In other countries legal framework that are written in very Broadway.  It might be interpreted as authorizing a outreach of surveillance and future surveillance.  For instance, just to cite an example, Article 200 of the criminal procedure code of Paraguay established that a judge can order the interception of communication of any accused person regardless of the methods to achieve it.  Whatever technical means to use are authorized by this provision.  This takes out the debate in Congress about the use of the right legal safeguards when you are using new surveillance technologies, or whether you should use it at all or you should actually authorize at all these kind of law enforcement powers.

There are more examples, but I will give up to the second topic which is the culture of secrecy.  We found a very strong culture of secrecy in Latin America.  Many states don't publish information about they have about surveillance technologies.  States are not complying with freedom of information law when faced with requests for records regarding their laws and capabilities also.  States issue transparency reports in order to provide useful information to citizens and users, but that is not happening.  Sometimes you cannot, any general public cannot access it unless you ask for freedom of information.  Telecommunications companies are not publishing, not even transparency reports or law enforcement guidelines to know which are the processes that the police have to follow when they knock at their door requesting users' data. 

So we really need to stop the culture of secrecy here and understand which are the capabilities.  This is an obligation for the states.  We can not rely on whistle blowers to do it, but of course whistle blowers have been fulfilling that role.  We have not had our Snowden in Latin America yet.

I want to talk about public oversight.  This is a problematic issue in Latin America.  Most of these oversight mechanisms were born in an era of escape from the dictatorship culture, when the culture of secrecy is very embedded in the system.

But oversight mechanisms have been weak, including legislative mechanisms.  We have seen concrete examples in Guatemala, in Colombia, Peru and Argentina of illegal surveillance targeting judges, politicians, opponents, activists for illegal surveillance.  So what we need and what we are trying to do is to have more public oversight.  Things like reports that the public can audit and not just rely on the traditional legislative oversight mechanisms that haven't worked in the region.

Finally, just to conclude, there are many other things that we need to improve, but we need to have necessary and proportionate principles.  In the Web site if you can navigate a little bit, this is the research we have in the table.  You can see the country reports.  There are four more reports coming from Central America.  And you can go back, under all the authors from all the organisations who work on this research and we have a map.  You can show ... you can click on each, Mexico, you can see what is happening in each of the countries and the major findings.

Please, this take a look at this and see what is happening in Latin America.

>> MODERATOR:  Thank you to the panelists.  I know that Mr. Fernando wanted to have an intervention and then we'll take questions from all of you.

>> LUIS FERNANDO GARCIA:  Thank you.  I just want to make some comments regarding the very interesting participations that happened before me.  And just wanted to tell you a tale about why these principles are important.  We talk about them and they seem very ethereal, don't seem very real.  For example, in 2013 in Mexico there was a telecommunications law passed that was particularly vague on certain aspects.  It was vague on who could do surveillance.  It was vague on whether you needed digital authorization to access data.

The effects of what happened have been documented, is very important to look at.  We are saying because these provisions are vague, what is going to happen is that there is going to be a lot of authorities that don't have legal powers to the surveillance and say well, I have legal powers and that is exactly what happened.

In a report we published last week called The State of Surveillance Out of Control, which is right now only available in Spanish but it will be soon available in English, and I advise you to keep track on us.  And what we did, we did a lot of information requests, more than 600 of them.  We had to do 200 transparency appeals.  It was a big effort to really know what were the effects of this law.  And what we found is that, for example, there was, when this new telecommunications law entered into effect, the number of authorities that asked for user data spiked, more than doubled.  The number of requests for user data also did.

But another issue that is very important is the fact of digital authorization.  Because it is useless to have very clear laws if there is no one to check whether those laws are being complied with.  What we found with the requests is that in effect as we suspected, there were a lot of authorities that do not have legal powers to do surveillance that ask the telecommunications companies to access user data.  99 percent of all access to user data happened without judicial warrant.  Something that the Supreme Court of Mexico, I mean we made a lawsuit against the telecommunications law.  In the process of doing the litigation inside of Mexican constitutional system, this is what is happening.  Authorities without authorization were asking for data without judicial warrant and they were getting it.  For example, the biggest mobile telecommunication company, for example in the first semester of this year received more than 25,000 requests for user data.  They never, ever, ever rejected one request.

Any authority without judicial warrant asked for personal data, they got it.  This is without legislation that is clear on whether you need judicial warrant.  Thanks to the litigation that we carried out, the Supreme Court established very clearly who can make surveillance, that you always need a warrant, except with an emergency system that has been established in law.  But in the meantime, all these illegal unwarranted uncontrolled surveillance happened.

Regarding transparency which was also mentioned, it is important that we have meaningful transparency because to have this number of how many requests doesn't really tell you much.  And what we have been fighting for is to not only get the number of how many requests an authority makes and gets authorized, but how many people or devices are surveilled because the number is totally different.  We actually got information from some companies and confirmed this.

For example, the federal police of Mexico, between 2013 and 2015 got the authorization of a little bit, a little over 200 requests for user data, or for President intervention of prior communications and with those 200 authorizations they were able to surveil 1,700 people.  So it is important to have more meaningful statistics and data that can really serve the society and the population as a real means of exercising control over these authorities.  Not just random data, for example, that you can find in some company's transparency reports that doesn't tell you much about what is going on.

Actually this Monday we also were successful in making the Supreme Court of Mexico order the national security agency here in Mexico to actually give us the number of how many people they surveilled in 2013 because they didn't want to give it because they say that it harms national security.  The number of people, I didn't ask who, I just asked the number.  They said it harmed the national security.  And now this precedent that we achieved in the Supreme Court I think is going to be useful and it can be also an example about what real transparency really means.

And by which numbers are important for transparency?  I want to add another point of data which is we asked, because we get sold on this surveillance provisions as useful, that they are needed for law enforcement, around in certain occasions when they are used correctly they certainly can be very useful for law enforcement.

However, why we document it here in Mexico is because of all the prosecutes in all the investigations where there was a use of surveillance technique, only a little bit over 8 percent of all those investigations became an accusation.  There was the case, the investigation became a formal prosecution of a person.  90 percent of the people who were surveilled in the context of a criminal investigation were never charged with any unlawful actions.  So we were able to make this statistical analysis thanks to the information that we got through transparency and it is important that we can get this -- we didn't get this from all prosecutors, but from some.  It is important that these transparency provisions allow us as society to make these kind of assessments.

Finally I want to mention something that Amos was mentioning about certain types much surveillance that shouldn't be legitimate, proportion national or necessary to achieve even very legitimate aims which is, of course, mass surveillance.  I just want to mention two more.  Data retention mandates which is very important because from the litigation that we carried out against the telecommunication laws before the Supreme Court of Mexico, even though we got some good provisions like this clarity about who can do surveillance and with which process and with which authorization, the bad part of that judgment was that the Supreme Court of Mexico validated a constitutionality of that intention in contrary to what the European Court of Justice has already ruled that it is mandatory that this mandates that telecommunications companies are disproportionate and unnecessary.

We will in the next day, in a few days we will present a case to the International Commission of Human Rights for this.  We think it is important to develop a more robust jurisprudence on surveillance because the only piece of jurisprudence that has come out of the inter-American system that is related to surveillance is the case of discern versus Brazil.  Actually we mention it in the lawsuit before the Supreme Court.  The Supreme Court mentioned in the judgment and said it didn't apply to retention.  It only applied to access to metadata.  It is a very good opportunity for the inter-American system to develop a precedent that can help all the prevention.

Another measure that we believe is very problematic is the use of malware for surveillance because even when traditional surveillance that requires the cooperation of company, in Mexico it is really not been very successful as a control because the biggest company just gives the data without asking any questions and because some authorities don't even think they need a warrant.

The malware makes it even more difficult to exercise control over the surveillance techniques.  They don't need anyone.  They do this directly.  We think it is problematic and it should be considered unlawful and illegitimate way to do surveillance.  It can only be used if it's regulated with special safeguards in extreme situations where traditional surveillance means wouldn't be useful or successful.  We believe this is very important especially in a country like Mexico in which many times law enforcement and organised crime are the same thing.  We need very strong safeguards and don't give the authorities these extreme powers.  Thank you.

>> MODERATOR:  Great, because we don't have that much time, though we can stay in the room if you all have time, but let's take two or three questions and distribute them to the panelists.

All right.  We can start with you.

>> Is this working?  I'm Victor from the IGF Youth Programme for Brazil and part of the studies of technology at the University of Sao Paolo. 

The digital surveillance issue is connected with the national security issue.  They struggle to access information is obstructed by the justification that if this goes public, the country and the nation will be in danger.  At the same time transparency in this case seems not enough as the digital tube to accept communications can easily be hidden by the agencies who do that.  With that said, how can we evaluate the accountability in these questions and are we going to need one Snowden for each country?  Thank you.

>> MODERATOR:  Thanks.  Any further questions?  Sure.

>> AUDIENCE:  Steve Zeltzer, LaborNet, San Francisco.  The concern we have is the information being gathered by major tech companies like Google and Facebook, privacy of this information.  And the use of this information by not only these companies but by government agencies.

What rights do individuals have, working people have that the information they put up is not going to be used against them and used in retaliation, particularly workers who speak out about injustice on the job or health and safety on the job.

>> MODERATOR:  All right.  Any questions from remote participants right now?  No?

One more, over here.

>> Thomas from the German Federal Foreign Office.  I wanted to pick up the question of proportionality, necessity and maybe give a reply to what you just asked about, accountability.

The General Assembly resolution being run by Brazil and Germany for quite some time sent us around unlawful and arbitrary surveillance, mass surveillance, all of that.  So that is a term that was taken, of course, from the international covenant on civil and political rights.  It is about 50 years old.

Now, you may ask why did we stick to unlawful and arbitrary and didn't go into necessary an legitimate and proportional and all of this?  And why do we stick to this old language?  The answer is, of course, when the resolution -- we were criticized for doing that.  The answer is when the resolution was first introduced from 2014, please note the timing, the decision on the part of the cosponsors of that resolution was we would rather go for a consensus resolution rather than having something that is highly controversial that is being voted upon and then divides the international community.

After long negotiations the result was we have to stick to the language from the pack because many states said look, this is what we accepted by law.  We signed up to the treaty.  It's binding.  We are not ready to go in a resolution.  It is not binding beyond our legal obligations.  That's why the unlawful and arbitrary turns up again.  In the latest resolution about to be adopted in the general Sebastian this December, we have introduced a new provision that says, that calls upon states to develop or maintain and implement adequate legislation with effective sanctions and remedies that protect individuals against violations and abuses of the right to privacy, namely through unlawful and arbitrary collection, processing, retention, et cetera, by individuals, governments, business enterprises and private organisations.

So we still have the terminology but the kind of addresses have been enlarged quite a lot.  Thank you.

>> MODERATOR:  Thank you.  Any other panelist want to respond?  Amos?

>> AMOS TOH:  I think that point is very well taken on the distinction between arbitrary and unlawful and necessity and proportionality.  I think my comments on necessity and proportionality I mean in the context of Article 19 and the right to freedom of expression and the limitations clause and established in 19.3.  To the extent that we think surveillance measures or regard surveillance measures as restrictions on freedom of expression, that should be analyzed under the limitations clause under Article 19.3 and that's how necessity and proportionality kick in.  I wanted to make that clarification.  Thank you.

>> MODERATOR:  Peter?

>> PETER:  Thank you very much.

(Off microphone.)

-- we are also debating, there is a political debate.  Of course, I don't want to go into very much into the details on that.  So what would be the best of the solutions.  And the court, in the court decisions I was referring to there are no clear-cut answers either.  However, being said, there are some possibilities under the structure of checks and balances within the democratic society whereas institutions can be set up and empowered for the oversight of these kind of activities.

For example, in Europe it is now very much in the center of debate to give this power to the data protection authorities.  And I know Mexico has one.  The American States are also in the phase of considering the data pro television.  There is no clear answer in European jurisdiction, but there is a very stringent requirement that oversight has to be put in place and it has to be independent and effective.  I can continue for hours on these two issues, but I think the institutional oversight is very important as well as the public control of those institutions.

>> There is a lack of trust about how governments around the world are using surveillance technology.  Many of the reports that are being discussed within the oversights mechanisms, whether it is within the authority, whether it is legislative oversight mechanisms are not working.  We lost trust.  We don't have access.  The public cannot know what they are doing.  So we need mechanisms which allows discretion.  Some things remain secret but some others the public needs to know.  Thus we are calling for public oversight mechanisms.  There is not necessarily the secret legislative reports being written by intelligence agencies to the Members of Parliaments without us knowing what is going on there.  I just wanted to say that.

>> MODERATOR:  Any other questions in the back?  Other comments you want to bring up?

>> Just a very brief comment about accountability measures.  I mentioned the meaningful transparency, not just any transparency but meaningful transparency, but also with regard to, it is not only necessary that data protection authority exists but that it has a specific powers regarding surveillance.  For example, the ability to do random access to certain investigations, not to all of them but random sample of investigations in which they can get access to confidential information in order to be able to make an assessment on whether these provisions are being used correctly or not.

And other types of specific powers.  I believe that is what has been going on in Mexico, that type of authority exists but it hasn't got into these kind of issues because it doesn't feel like it has these powers, specific powers.

Also the right to notification is something that is very important to push for.  It is important, I think the basic principle should be that any authority that uses a surveillance measure needs to know that eventually it will be known that they did the surveillance measure and that they will be scrutinized by the independent body, the judge for sure, an independent body hopefully, and also the persons surveilled at the one moment.

This is something that needs to be guaranteed, but also I would second what Katitza said.  I think we need to have a discussion on whether -- I mean if authors want this power to invade privacy, they have to have a little transparency with regard to methods as well.  Many of the methods that they are using are not being revealed and it is being used, this argument that they can't reveal them because then you can circumvent.  But I mean, at some point you need to give up certain restrictions in order for society to really assess and discuss in a democratic way whether these methods are proportionate, necessary, which I understand necessary and proportionate as synonym of arbitrary, but maybe I'm incorrect.

So yeah, basically that's it.  Thank you.

>> I want to call attention to the notification principle because it is important for litigation to be able to notify users of surveillance method.  So they can challenge the requests.  Obviously it doesn't have to be in an ongoing investigation where they put in jeopardy the investigation.  But there are many cases that it is not.

The judge needs to assess whether that notification will put or not in jeopardy the investigation.  We need that so we can actually request a lawyer, the victim, the subject of surveillance and challenge the request, whether it is proportionate or not.  We have a case in the United States that my organisation litigated.  It was a case against Icelandic parliamentarian who was part of the Wikileaks case.  And the U.S. government gave Twitter an order that they are not allowed to comply with that request.  Twitter in that case litigated to challenge the gap order and then won in court.  That's why that person was able to go to EFF and we were able to provide counsel in the case and that request was disproportionate.  So that is a real principle we would like to see recognised at the international level.  We need it for litigation.  Without that, it is very hard.

>> MODERATOR:  Thank you very much for joining the session.  And good luck!

(Applause.)

(The session concluded at 1600 CST.)