Ciudad Autónoma de Buenos Aires (Autonomous City of Buenos Aires), November 1st 2019
Federal Judge, Luis Rodriguez
Minister of Security, Patricia Bullrich
The undersigned civil society organizations, academics, and individuals dedicated to the study of internet policy and the defense of fundamental rights write to express our concern in the face of repeated cases of persecution of digital security researchers. On this occasion, the case that has attracted the attention of our organizations at a local and international level is the investigation on Javier Smaldone, a researcher in computer security and publicity and recognized spokesman for the public campaign # NoAlVotoElectrónico.
Recently, the Federal Justice of the Argentine Republic ordered the search of his home at the request of the Argentine Federal Police, a force that reports to the Minister of Security, Patricia Bullrich.
The search was approved as part of the investigation into data leaked from the security forces in August 2019. According to police, the case is related to another leak that occurred in 2017, though it is publicly known that in the earlier case the data was obtained using the technique known as “phishing.” Using a false account under the name of the Superintendence of Welfare of the Argentine Federal Police, the perpetrator was able to gain access to the victim’s username and password for the security forces’ database storing sensitive information and then publish the stolen data on social networks. This case was called “La Gorra Leaks 2.0”
According to the case file, when the security forces did not obtain specific data on who had illegally accessed their databases, they began to observe “open sources of data and social media networks” to detect users who had replicated the dissemination of this information.
The case file names Javier Smaldone as one of the “possible perpetrators” of the leak, even though he has not been criminally charged, and he previously testified as a witness in this same case providing valuable information to the Justice. This gained the attention of the undersigned and the broader public, as the evidence presented by the police has been arbitrary and weak.
Smaldone is named a suspect in part because he has specialized knowledge on digital security and because of the opinions about the case he expressed on social media (see “indicios” on page 5 of the file). The case’s judge considered this sufficient evidence to grant police broad access to Smaldone’s sensitive information — by collecting geolocation data from his mobile phone providers, monitoring his private communications, installing surveillance cameras in the area surrounding his home, monitoring the use of his public transport card, physically searching his home, and seizing his personal devices and work tools. Police also detained Smaldone for questioning for six hours, supposedly to investigate his criminal record, though he has none.
The limited evidence provided presents no solid fact or circumstance that would constitute a well-founded suspicion justifying the serious measures undertaken. The Argentine Supreme Court has already stated that intervention and access to data related to private communications must comply with an analysis of need and proportionality for any restriction on a suspect’s fundamental rights. Likewise, the Federal Criminal Procedure Code establishes reasonableness as part of the examination that the judge must do when authorizing direct verification measures such as the house search (art. 144).
International human rights standards provide the legal standard for accessing data and require that measures used are both necessary and proportionate. This is well established by the “International Principles on the Application of Human Rights to Communications Surveillance”, the product of a global consultation with civil society groups, industry, and experts in the field. These principles establish that any measure that implies deprivation of a fundamental right can only be justified when it is prescribed by law, is necessary to achieve a legitimate goal, and is proportionate to the objective pursued.
Unfortunately, this is not the first criminal investigation case without sufficient grounds against digital security researchers in Argentina. In 2016, Joaquín Sorianello’s case was dismissed only after he was subjected to a search of his home and faced charges for warning about the software vulnerabilities of the Electronic Single Ballot (Boleta Única Electrónica). Similarly, Iván Barrera Oro had his house searched in 2016 and was coincidentally accused of “production and trafficking of child pornography” after demonstrating deficiencies in the electronic voting system, including the possibility of loading up to 20 votes on a single ballot. HIs case was dismissed in 2017.
For Javier Smaldone, and other digital security researchers like him, the justice system has failed to meet its obligation to guarantee due process, protect the individual rights guaranteed by the National Constitution and international treaties (including freedom of expression and privacy), and duly substantiate its decisions when requested measures limit those rights.
The work of digital security researchers is protected under the right to freedom of expression and has been recognized in the jurisprudence covering Article 13 of the American Convention on Human Rights. It is normal for researchers to monitor, comment on, and criticize information related to their technical expertise in social networks or in media. Therefore, in the case of Javier Smaldone, his technical and critical opinion should not be seen as suspicious, but as a demonstration of his technical knowledge and his passion for information systems security. Moreover, and specifically in relation to the case of Smaldone, freedom of expression encompasses the right to impart information — that is, to publish and alert to the existence of vulnerabilities in IT systems, with the aim of raising awareness for their solution. There is also a public interest in knowing about failures in essential systems for the exercise and protection of citizens’ rights.
Contrary to what happened in this case, the justice system should be responsible for controlling the security forces’ actions in any criminal investigation and guaranteeing the protection of fundamental rights. This implies discarding reckless requests, rejecting advances on people’s private lives without duly founded suspicions, and avoiding the use of the criminal system in response to the work of digital security researchers.
Therefore, we reject all persecution of digital security researchers and respectfully urge that the exercise of their freedom of expression that their activity implies be respected. In that sense, we ask the judiciary to review the security forces’ actions in Javier Smaldone’s case and return his seized work tools and devices to prevent further violation of his fundamental rights.
Access Now (International)
Asociación de Software Libre (Ecuador)
Centro de Estudios Legales y Sociales (Argentina)
Conadu Histórica (Argentina)
Cooperativa Tierra Común (México)
Datos Protegidos (Chile)
Derechos Digitales (Latin America)
Electronic Frontier Foundation (Internacional)
Fundación Acceso (Centroamérica)
Fundación Internet Bolivia (Bolivia)
Fundación Karisma (Colombia)
Fundación Via Libre (Argentina)
Human Rights Matter (International)
Nodo TAU (Argentina)
Poder Ciudadano (Argentina)
Red en Defensa de los Derechos Digitales R3D (México)
Usuarios Digitales (Ecuador)