Peruvians understand the dangers of pervasive surveillance. Peru’s ex-spy chief, Vladimiro Montesinos is serving a long jail sentence for corruption and human rights abuses. In 2000, Peruvian authorities seized about 2,400 videotapes made by Montesinos, which he used to manipulate political opponents and journalists whom he caught on film, a scandal also known as the “Vladivideos”. That’s why so many in the country recognise the dangers of a pervasive surveillance state.
At the end of July, the Peruvian President adopted a new Decree which allows the police to access location data of any cell phone without a prior court authorization. In other words, law enforcement agencies in Peru no longer need a court order allowing real-time access to localization data. The Decree also compels local ISPs and telephone companies to retain communications and location details of the entire Peruvian population for a period of three years. The retained data could be accessible to law enforcement with a court order for possible use in the future.
Put simply, with the new Decree, the Peruvian government has shifted from surveillance of communications records based on individualized suspicion to the mass untargeted collection of communications data of ordinary, non-suspect people. No wonder it’s been dubbed by Peruvians as #Leystalker (“Stalker Law”), which has been described as someone who uses technology to spy on people every online movement, step-by-step.
Miguel Morachimo, Director of the Peruvian NGO Hiperderecho, an EFF ally who has been analyzing the law in Peru, told us:
“This legislative decree is troubling for what it says and also for what it means. It says that communications metadata is not protected under privacy protections and should be massively storaged. And it represents a government that is taking steps willingly to undermine the freedoms that we just recovered the past decade. We must not return to the past and ensure that the rule of law remains the foundation of our democracy in the digital age”
Indeed, Montesinos’ legacy of corruption and illegal spying is still live in Peru, so much so that even the Interior Minister José Luis Pérez Guadalupe wanted to calm the population, making public statements to distance the Stalker Law from the practices committed by the convicted former chief of Peru’s secret service, but his declarations in the media did nothing to stop Internet users to express their concerns to the Legislative Decree through the Internet.
#Leystalker immediately became a trending topic in the Peruvian Twitter community. Journalist and influential blogger, Marco Sifuentes, explained in an email to EFF:
“Thanks to the movement on Twitter, Ley Stalker became a trending topic, then jumped into the national agenda and ended up on the front pages of major newspapers. Peru has a tradition to repeal abusive laws when they are fought mainly from social networks. Peruvian politicians and the media pay much attention to online activism. This time was no exception.”
But civil society is not alone in criticizing Ley Stalker. In an interview to the main peruvian newspaper, El Comercio, the conservative archbishop of Lima Juan Luis Cipriani raised serious concerns against #LeyStalker. Cipriani added:”It is great that you put all means to try to control where [a phone call of extortion or blackmail] came from”, but there is a problem that is not easy to forget: “that there is interception of communication” referring to Stalker Law.
Former Interior Minister Daniel Urresti, criticized the archbishop of Lima, in a local radio interview, saying that “Cipriani is a priest, not a telecommunications engineer” referring to Monsieur Cardinal’s opinion on the Stalker Law. He added:
“I got lucky and that my specialty is Telecommunication and that’s why I push for the bill. Those who are afraid of this standard, it is because they lack the technical side”, Urresti told Radio Exitosa.
Digital Is Different – Metadata Matters
Perhaps Mr. Urresti, as a telecommunication expert, should have explained to the public how sensitive the information that Peruvian telcos are compelled to retain for three years really is. Location data paints a vivid portrait of when and where a person goes, including when a person is at home or spends the night somewhere else and with whom. Given the ubiquity of cellphones and the fact people carry them almost everywhere, the information can be more revealing than GPS information especially if this information is retained for longer periods of time. (Read more to learn how governments can spy on your mobile phone).
It should have been explained that the Stalker Law creates for the first time in Peruvian law a legal distinction between metadata and communications content and that only content is subject to constitutional protection. Hence, the Stalker Law creates a false distinction on the level of protection that each category merits.
Asthe rest of the world is slowly realizing post-Snowden, the increasing abundance of metadata, and the techniques for aggregating and analyzing it, means that “mere metadata” on its own reveals a devastating amount about private citizens. The Peruvian government’s ability to gather extraordinarily sensitive metadata such as location data on an entire population, over a long period of time, and organize it using modern surveillance techniques, can easily garner the kind of vicious insight that Montesinos’ could only have dreamed of.
In a study, Stanford researchers found experimentally that information about who people call can be used to infer extraordinarily sensitive facts about them, including the fact that they sought and received treatment for particular medical conditions, that they had an abortion, and that they purchased firearms, among other things.
Information about where people go reveals sensitive religious, medical, sexual, and political information, including the kinds of religious services, political meetings, and medical specialists a person attended or met with.
Information about the proximity or lack of proximity of multiple people to one another can reveal everyone who attended a protest, the beginning or end of a romantic relationship, or a person’s marital infidelity.
Erosion of Journalistic Sources
The consequences of data retention mandates are far-reaching, but one particularly troubling outcome is the erosion of journalists’ right to refuse to hand over evidence to law enforcement to protect the confidentiality of their sources. In Poland, the media reported on two major cases where intelligence agencies used retained traffic and subscriber data to illegally disclose journalistic sources. In Germany, Deutsche Telekom illegally used telecom traffic and location data to spy on about 60 individuals – including journalists, managers and union leaders—in order to try to find leaks. And in a particularly egregious case from Ireland, a law enforcement officer reportedly used retained communications data to spy on her ex-boyfriend’s phone activities.
False Sense of Security
National data retention laws are invasive, costly, and damage the rights to privacy and free expression. They compel ISPs and telcos to create large databases of information about who communicates with whom via our phones, the duration of the exchange, and the user’s location. Privacy risks increase as these databases become vulnerable to theft and accidental disclosure. Service providers must absorb the expense of storing and maintaining these large databases and often pass these costs onto consumers.
While there are serious crimes in Peru that deserve real attention by policy-makers including protecting victims of abuse, we must ensure that the measures the government takes to combat those crimes are effective and do not create a false sense of security.
On this point, Abel Revoredo an experienced Peruvian lawyer in Telecommunications, agreed that while the Stalker Law might have noble goals such as fighting crime, killings, extortions and kidnappings, “What is really being done here . . . risks our rights because [Ley Stalker] can not solve the bureaucratic problems in the relationship between two government institutions such as the judiciary and the police,” he concluded in an interviewed by the Peruvian videoblogger Luis Carlos Burneor.
There is still time to repeal the bill. In a blogpost, Miguel Morachimo explained that according to the rules of Congress, the President is obliged to notify Congress of the legislative decrees and Congress is responsible to refer the case to the competent Congressional Commission. Then, “the Congressional Commission will have to submit an opinion to assess their conformity with the Constitution and the delegation of authority granted by Congress. If inconsistencies are found, the rules provides that the Commission may recommend to repeal or modify the Decree to correct the excess or the violation, notwithstanding the political accountability of members of the Cabinet,”
Peru cannot be alone in this fight. Every nation – from Europe to Paraguay – that rejects data retention, strengthens the arguments in favor of rejecting it globally. Every country that falls prey to data retention law, from Australia to Colombia, encourages other states to press for it in their own legislatures. It’s a global fight, and one that will require solidarity and a global alliance against data retention to combat it. We need you. Join this fight against #leystalker.