Human Rights Day: Advancing a concept of protected information

Access is celebrating International Human Rights Day by bringing you a series of blog posts about our work and its intersection with the right to privacy. Privacy is a fundamental human right codified in Article 12 of the Universal Declaration of Human Rights, which was signed 65 years ago today. 

Human rights are universal, interrelated, interdependent, and indivisible: we must protect each one to enjoy them all. The right to privacy ensures the protection of our rights to freedom of expression, association, and conscience, and is the foundation of democratic governance. With privacy under attack all around the world, Access is taking today to recognize its importance.


Even before Edward Snowden began leaking documents detailing the scale and scope of the NSA and other intelligence agencies’ violations with our privacy, Access had been working with civil society organizations (like Privacy International and EFF), as well as international law experts, and human rights scholars to draft the International Principles on the Application of Human Rights to Communications Surveillance (“the Principles”).

Applying to both national security related requests and traditional criminal law enforcement, the Principles provide a framework for assessing states’ human rights obligations when conducting surveillance. The Principles have already been endorsed by more than 300 civil society organizations worldwide, representing a growing international consensus.

In summary, the Principles are legality, legitimate aim, necessity, adequacy, proportionality, judicial authority, and due process. They also consider user notification, transparency, public oversight, integrity of communications and systems as well as safeguards, both for international cooperation and against illegitimate access. While this list contains many of the concepts this community has been fighting for for years, the Principles also contain many innovations.

Discussions about surveillance and access to user information are often fragmented and based on artificial and outdated categories. Separate dialogues occur in the security and criminal contexts, without necessarily acknowledging the existence of the other. The Principles bridge this divide by focusing on the impact on the user, rather than the government agent. They set out standards to protect users’ rights, regardless of whether the government seeks access for criminal or for security purposes.

Perhaps most notably, the Principles advance the concept of “protected information.” As the Principles highlight, “existing legal frameworks distinguish between ‘content’ or ‘non-content,’ ‘subscriber information’ or ‘metadata’, stored data or in transit data, data held in the home or in the possession of a third party service provider. However, these distinctions are no longer appropriate for measuring the degree of the intrusion that communications surveillance makes into individuals’ private lives and associations.” As the cost of data storage has plummeted, big data has become an integral part of many internet companies’ businesses. Metadata and other forms of non-content data may reveal even more about an individual than the content itself, and thus deserves equivalent protection. Accordingly, the Principles state that “all information that includes, reflects, arises from or is about a person’s communications and that is not readily available and easily accessible to the general public, should be considered to be ‘protected information,’ and should be given the highest protection in law.”

This definition stands in sharp contrast to the Electronic Communications Privacy Act (ECPA), a 1986 US law that governs a majority of today’s internet platforms. ECPA allows the government to access documents and email stored in the cloud for longer than 180 days without a warrant, assuming that any information left on a third party’s servers for more than six months has been abandoned. Just think about how many sensitive emails you have that are more than six months old.

What’s more, the impact of ECPA’s shortcomings are global; given that most of the world’s biggest internet platforms are based in the US, ECPA is the legislation that law enforcement around the world has to follow when they want access to user data — at least if they’re following a modicum of due process.

However, while the NSA’s mass surveillance programs have been making headlines for the last few months, they technically have a harder time reading the content of the emails of US citizens and residents than the local police department does. To read your email or obtain documents an American citizen or resident has stored online, the NSA must first get a court order from a judge. Meanwhile, the local sheriff, the DEA, and the IRS have all suggested that no such requirement applies to them.

In line with the Principles’ efforts to do away with outdated and formalistic categories for protecting user data, our friends at Vanishing Rights, are pushing for legislative reforms that would patch these gaping holes in our online privacy protections. This Human Rights Day, won’t you join us in advocating for ECPA reform?