Access Now at the United Nations: spyware in UAE, surveillance in France, and shutdowns in Africa

Over the past year, news reports have revealed that spyware from an Israeli-made, U.S.-owned firm is being used to target human rights defenders, journalists, and opposition leaders. We helped with one investigation of an attack that deployed malicious messages to snare Mexican public health advocates with malware.

Now we have brought evidence of these attacks to the attention of world governments reviewing the human rights records of the United Arab Emirates and Israel. We have also submitted evidence relevant in human rights reviews of France, Burundi, and Mali. Here’s an overview of and links to our submissions.

Spyware in the United Arab Emirates and Israel

Governments like Mexico and the UAE have used surveillance products made by the Israeli-U.S. firm NSO Group to target peaceful advocates, we told the United Nations Human Rights Council in its 3rd Universal Periodic Review of Israel and the UAE. “Based on available evidence,” we submitted, “the surveillance enabled by NSO Group’s products does not comply with international human rights law respecting the right to privacy. Israel must do more to prevent its businesses from profiting off human rights violations, and UAE must cease employing the tech to spy on human rights defenders.”

NSO Group products were used to target human rights activist and UAE citizen Ahmed Mansoor. Police apprehended Mansoor, a renowned rights defender for UAE citizens, on March 20, 2017. He was accused of attempting “to publish false and misleading information” through social media. The arrest took place nearly a year after researchers revealed that Mansoor’s phone had been infected with surveillance malware sold only to federal governments. At the time, U.N. rights experts wrote that they “…fear that his arrest and secret detention may constitute an act of reprisal for his engagement with U.N. human rights mechanisms, for the views he expressed on social media, including Twitter, as well as for being an active member of organizations such as the Gulf Centre for Human Rights, and an active supporter of others, including Human Rights Watch.”

Access Now joined Amnesty International’s petition to release Mr. Mansoor, and you can sign on here.

Based on the evidence, researchers believe his own government engineered the multiple attacks Mansoor faced, we told the Human Rights Council.

We recommended that Israel and the UAE ensure human rights compliance by their own intelligence and law enforcement agencies, as well as by the companies producing, buying, selling, and servicing the surveillance tech.

The government of UAE must free Ahmed Mansoor immediately.

Further recommendations to the UAE and Israel include that they:

  • Publicly disclose any procurement of or contracts to purchase, maintain, develop, install, service, or operate surveillance technology, and consider more stringent regulations regarding any future contracts;
  • Ensure use of surveillance technology produced or sold by Israeli and Arab companies is only used when it is necessary and proportionate to a legitimate aim, subject to meaningful oversight, and only authorized via warrant;
  • Improve cooperation with United Nations treaty mechanisms and issue standing invitations to U.N. special procedures such as the U.N. special rapporteurs on the rights to freedom of expression and opinion, and the right to privacy.

Read our full submissions to UAE and Israel.

Surveillance state grows in France

For France’s review before the Human Rights Council, we detailed the vastly increased surveillance apparatus under new French laws that fail to protect the right to privacy.

France has some of the most expansive counter terrorism and surveillance laws in Europe. It has passed no fewer than four separate laws extending its surveillance powers since 2014.

In March 2014, French newspaper Le Monde revealed, through an internal document from Britain’s Government Communications Headquarters, that French intelligence agency Direction Générale de la Sécurité Extérieure (DGSE) has been cooperating with the telecommunications company Orange in monitoring French citizens and international users on the network. According to the leaked document and Le Monde’s investigation, the DGSE has “free and total” access to Orange’s networks and data passing through “without any oversight,” and has shared this data with allied foreign intelligence services such as Britain’s GCHQ.

This relationship differs from those between other governments and telecommunications or surveillance networks, as their exchange was entirely confidential and  not known to the public, and importantly not to Orange customers. “The relationship between France Telecom and DGSE is not the same as the one revealed in the NSA Prism program, which has contractual links with Internet giants,” said a former French intelligence chief. “In France, it is consubstantial.”

In July 2015, following the terrorist attacks which took place earlier that year, the French Parliament passed the Projet de loi relatif au renseignement (Intelligence Act). This law greatly increased France’s surveillance capabilities, and was first introduced through an emergency procedure, removing the possibility of much-needed democratic debate in France. The law mandated all domestic internet providers install network “black boxes” that collect and store all internet connection data. Using algorithms to detect and report suspicious online behavior, “black boxes” flag users with questionable internet usage. However, this automated processing of data signifies that black boxes are also likely to produce “false positives,” placing innocent citizens under surveillance. The Intelligence Act also enables French intelligence agencies to intercept phone calls or access private communications, such as email, without a court issued warrant.

Despite widespread criticism from civil rights groups and the U.N. Human Rights Committee, in July 2015, the French Constitutional Court upheld the vast majority of the provisions within the Intelligence Act. While the court declared that surveillance by French intelligence agencies in foreign countries is unconstitutional, the court disregarded the serious domestic concerns raised regarding the law’s violation of the right to privacy.

Additionally, in October 2015, France adopted the Projet de loi sur la surveillance des communications internationales (Surveillance Act). The Surveillance Act authorizes a system of mass monitoring, enabling the government to: monitor communications that are sent or received abroad; issue a permit to access personal data in order to obtain the geographic locations of organizations, groups, or individuals; and indefinitely retain any and all information that may be pertaining to a “cyber attack.” The act also provided an extension for a clause in the Intelligence Act which allows France to collect the login information of private citizens.

In November 2015, France declared a state of emergency in response to terrorist attacks in Paris which killed 132 people. While initially declared for only 12 days, the state of emergency was extended five times. It was set to expire on July 15, 2017, one day after the two year anniversary of the 2015 Bastille Day attack. However, in May 2017, President Macron issued a statement that he will request that the French National Assembly extend the state of emergency until November 1, 2017.  This exercise of presidential power has rarely been used since World War II, and grants French authorities “powers without judicial safeguards that undermine the rights to liberty, freedom of movement, privacy, security and freedoms of association and expression,” according to Human Rights Watch. These new powers include warrantless searches of houses and electronic as well as authorization to access and copy data from electronic devices. Furthermore, Human Rights Watch reports that French authorities have “carried out abusive and discriminatory raids and house arrests against Muslims” under the state of emergency law.

Laws passed in July 2016 provided an extension to the state of emergency, as well as creating provisions for French security officers to undertake warrantless searches of luggage and cars, carry out identity checks, and wiretap and surveil not only suspected individuals but also a “close circle” of acquaintances.

In October 2016 the highest French court, the Constitutional Council, declared unconstitutional a section of the Intelligence Act. In its decision, the council found that due to their disproportionate scope, unlimited purpose, and a lack of safeguards and oversight mechanism, many security measures violated “the right to privacy and the confidentiality of communications” and were therefore unconstitutional. However, the council did not entirely strike down the practice, and instead set a December 2017 deadline for the government to adopt a new law that includes the necessary robust safeguards for human rights. The decision is an opportunity for the French government to bring the law in line with human rights obligations, and we encourage lawmakers to apply the International Principles on the Application of Human Rights to Communications Surveillance in the reassessment of French surveillance policy.

Our recommendations for France include to:

  • End the state of emergency;
  • Amend the provisions regarding surveillance and access to personal information in the Intelligence Act and Surveillance Act to ensure that law enforcement and intelligence only interfere with privacy to the extent necessary and proportionate in pursuit of a legitimate aim, restricting access to private user data;
  • Protect, rather than obstruct or interfere with, the use of encryption, an essential enabler of the rights to privacy and freedom of expression in the digital age;
  • Develop a strategy for fast, reliable and secure connectivity in the whole French territory and continue strengthening internet connectivity throughout the French-speaking world, and work with governments to prevent intentional shutdowns and disruptions;
  • Promote investments into privacy and data protection friendly digital products and services.

Read our full submission to France.

Internet shutdowns, connectivity, and free expression in Burundi and Mali

In addition, we drew attention to internet shutdowns in Burundi and Mali, both of which will undergo their third Universal Periodic Review in 2018. Each has shut down the internet in the past year during public protests, an impermissible restriction on free expression.

Burundi’s connectivity rates remain pitifully low, while Malians widely enjoy mobile connections but have little access to broadband internet.

We recommended the governments to commit to keeping the internet on, and take urgent action to drastically increase access to the internet.

Though increasing, access to mobile communications networks in Burundi remains low. According to 2015 ITU statistics, Burundi only had 46.22 mobile-cellular telephone subscriptions per 100 inhabitants, and fewer than 2% of Burundi residents use the internet. Despite the low rates of internet and mobile connectivity, according to various reports, the government of Burundi ordered the shutdown of certain social media applications on the mobile internet beginning on April 27, 2015. The applications, including Twitter, Facebook, WhatsApp, and Viber, continued to be blocked as of the morning of April 29, 2015. The shutdown appears to have been timed to repress public demonstrations and the exercise of free expression. Protests had begun in the capital of Bujumbura in April 2015 when the ruling party nominated president Pierre Nkurunziza for a third term.

Despite its progressive Constitutional protection of privacy in communications, Burundi does not yet have a data protection regulation. Data protection is affirmed as a right in the African Union Convention on Cyber Security and Personal Data Protection. This convention requires each member state to ratify domestic protections on data privacy and establish a legal framework which affirms that, “personal data processing undertaken on behalf of the Government, a public institution, a local community, a private corporate body operating a public service, shall be in accordance with a legislative or regulatory act enacted after an informed advice of the protection authority” (African Union). Burundi has not signed or ratified the treaty.

Access to mobile communications networks in Mali has increased greatly. According to 2015 ITU statistics, Malians enjoy more than one mobile-cellular telephone subscriptions per inhabitant, however, access to broadband internet remains quite low. These low penetration rates show that Mali must take urgent steps to invest in digital communications infrastructure and networks, while improving its population’s digital literacy and capacity to realize the benefits of digital information and communications technology. Despite low levels of internet and mobile connectivity, according to various reports, the government of Mali appears to have ordered the shutdown of certain social media applications on the mobile internet in June 2017. During street protests against the referendum on the constitutional reform project, Malian internet users were deprived of Facebook and Twitter without explanation.

Positively, Mali does has a data protection regulation. Mali’s Personal Data Protection Authority (“APDP”), instituted by the Law n° 2013/015 on Personal Data Protection in the Republic of Mali, launched activities on March 10. 2016. However, Mali is similarly not one of the eight member states of the Convention, and could also benefit from implementing those principles into its data protection policy.

Both Burundi and Mali can improve their human rights records and treatment of digital rights in several areas.

Our recommendations to Burundi and Mali include to:

  • Sign and ratify the African Union Convention on Cyber Security and Personal Data Protection;
  • Commit to refrain from slowing, blocking, or shutting down internet and telecommunications services, including Voice over Internet Protocol (VoIP) and messaging applications, particularly during elections and public assemblies;
  • Commit to enhancing freedom of expression online and preventing violations by state and non-state actors, such as companies;
  • Commit to increasing access and use of digital information and communications technologies;
  • Enact laws and telecommunications regulations protecting access to information and preventing network discrimination to preserve these stronger connections, also known as Net Neutrality;
  • Improve cooperation with United Nations treaty mechanisms and issue standing invitations to U.N. special procedures such as the U.N. special rapporteurs on the rights to freedom of expression and opinion, and the right to privacy.

Read our full submissions to Burundi and Mali.

Our submissions will be considered for the Universal Periodic Review that will take place at the Human Rights Council in Geneva in early 2018.