What the Year 2016 Brought for Online Privacy
So far it seems that 2016 may go down in history as the worst year since at least 2001. It has been marked with continued armed conflicts and the refugee crisis, horrific terrorist attacks, a string of deaths of widely acclaimed artists, and several major political upsets, which are likely to echo around the world for decades to come.
Perhaps unsurprisingly, Internet privacy has also suffered this year, with China and Poland setting the tone with new intrusive surveillance laws introduced in January and February, respectively. They were just two of the countries that decided to further sacrifice the privacy rights of their citizens in exchange for increased security and control.
China’s first comprehensive anti-terrorism law was passed at the end of 2015 and came into effect on January 1, 2016. Prior to its approval, the draft bill had attracted harsh criticism from human rights groups, technology companies, the European Parliament and the US government.
The main point of contention was the requirement for telecommunications companies and ISPs to provide the Chinese government with technical support for counter-terrorism efforts, including backdoor access and data decryption. Ironically, Chinese officials claimed that this rule was in line with international practices – in part because other countries, including the United States and the United Kingdom, had been imposing the very same demands on technology companies.
To the relief of tech companies, the final version of the law no longer includes the requirement for backdoor access. However, “decryption and other technical support assistance” are still required.
Germany’s new data retention act, designed to provide law enforcement agencies with electronic data to combat “serious crimes,” went into effect on January 4. It requires public telecommunication and internet providers to retain various call detail records (CDRs). These include phone numbers, the date and time of phone calls and texts, the content of text messages, and—for mobile calls—the locations of call participants. In addition, Internet providers are required to store user metadata such as IP addresses, port numbers, and the date and time of Internet access.
The act requires providers to store CDR and metadata for 10 weeks and cell phone location data for four weeks. In response to privacy and data security concerns, the act provides extensive technical requirements for how providers store data, the most notable being the requirement to physically store it in Germany.
Despite the act’s relatively easy passage in the parliament, it remains controversial in Germany. Most importantly, the German Federal Constitutional Court had already declared the previous data retention law unconstitutional due to telecommunications secrecy and data privacy concerns. The new law also seems questionable on constitutional grounds, and the requirement to store data in Germany contradicts the EU principles of freedom of services and free data flow.
Poland’s law expanding government access to digital data and loosening restrictions on police spying was passed by the parliament on January 15 and signed by President Andrzej Duda on February 3. The law was fast-tracked through the approval procedures with only minor changes to the initial draft, despite harsh criticism from civil society groups and other experts. The opposition included massive protests and demonstrations as well as a joint statement from 10 NGOs, including Amnesty International.
The new law gives police forces, law enforcement agencies and secret services fast access to Internet and telecommunication data of Polish citizens without any preliminary review or as much as a rubber stamp from a judge.
The accessible data includes billings of phone connections, metadata of sent and received messages, geolocation, logins, contacts, Internet profiles, visited websites, and even personal settings. Disturbingly, this list goes well beyond the scope of the European Directive of Data Retention, which itself was struck down by the European Court of Justice in 2014 for interfering with individual “rights to respect for private life”.
The new law also extends the scope of cases where access to the retained data is allowed, from aid to ongoing investigations to detection and prevention of crimes. As a result, one doesn’t have to be an official suspect to be placed under surveillance for up to 18 months. In addition, the person being monitored will not be informed about it, compromising the protection of journalists’ sources and deterring potential whistleblowers.
On March 24, the Turkish parliament enacted a new Data Protection Law, which came into force on April 7. Although the legislation was promoted as a step to coordinate Turkey’s law on data protection with the EU, it actually signals a regression and, according to critics, brings Turkey closer to a total surveillance state. The Turkish government pushed the law through the approval process, ignoring concerns from opposition MPs and human rights groups that the state will take advantage of the legislation to collect extraordinary amounts of information on its citizens’ private lives.
How does a law designed for data protection manage to enable surveillance? By outlining a number of exemptions for collecting and processing personal data. Although the law does not explicitly mention any organizations that may benefit from these exemptions, it paves the way to unrestricted data access for multiple security agencies, such as police and secret services.
On the surface, the Turkish law encompasses an extremely broad range of personal data that can be collected but is supposed to be protected, unless an exemption applies. It includes race, ethnicity, political thought and philosophical beliefs, religious affiliation, outward appearance, membership of organizations, health, sexual life, criminal record, security-related information, and biometrics.
However, said exemptions mean that all of this data can actually be freely accessed by state agencies for “protection and intelligence activities related to national defence, national security, public security, public order or economic security”. No warrant is required, no restrictions determine how the data can be exploited. Citizens are not authorized to know what personal information the security services collect, or how it is used.
In June, the Ethiopian parliament passed a cybercrime law that criminalizes a variety of online activities, including the distribution of defamatory speech, spam, and pornography. Unfortunately, the law provides an exhaustive list of offenses and penalties that are grossly out of proportion to the outlined crimes. For instance, those convicted of disseminating libellous content face up to 10 years in prison.
As a result, the law may have a chilling effect on freedom of speech and could serve as a tool for censoring political opposition, which relies heavily on online publishing since the government has taken severe measures against traditional media outlets.
The law also targets service providers; they are required to retain “computer data disseminated through its computer systems or data relating to data processing or communication service” for at least 1 year. If they fail to remove or disable access to illegal content data that has been distributed through their systems by third parties, they will be held criminally liable.
Access to the retained data requires a court warrant and formally can only be used as a means of last resort. However, the Information Network Security Agency can conduct “sudden searches” without a warrant under special circumstances. Critics of the law, including the Electronic Frontier Foundation and Article 19, have pointed out that the “sudden search” clause can be easily exploited to intimidate political opposition.
On July 7, Russian President Vladimir Putin signed into law several bills designed to help the government take measures against dissent online and demand unprecedented levels of data retention from the country’s telecom companies.
The government said the laws were necessary for counter-terrorism efforts in Russia, but critics claimed they were designed to intimidate Kremlin opponents ahead of parliamentary elections. For instance, the legislation warrants tougher sentencing for online commentary deemed as “an incitement to hatred or a violation of human dignity.” Such convictions now carry a minimum prison sentence of two years.
Russia’s largest mobile phone operators and internet providers have also spoken out against the legislation, which they said would significantly increase costs. The law requires service providers to monitor and store all calls, texts, chats and web browsing activity. The retained data can be accessed by several government agencies without a warrant.
The UK’s Investigatory Powers Act was approved by the House of Lords on November 16 and received the royal assent on November 29, opening up the gate for a disturbingly intrusive surveillance system. Among other things, the so-called Snoopers’ Charter gives the state the ability to indiscriminately hack, intercept, record, and monitor the communications and internet use of the entire population.
The act also expands the scope of the data that must be retained by telecommunications and internet service providers, including services, websites and data sources accessed in each online session. It means that almost the entire browsing history of every resident of the UK will be stored for one year, in addition to the usual metadata such as time and duration of the communication.
Another concern expressed by the multiple critics of the legislation is the long list of the agencies authorized to access the data. It includes almost 50 police forces and government departments, ranging from the Metropolitan Police Service and GCHQ to the Food Standards Agency.
A new amendment to the Rule 41 of the US Federal Rules of Criminal Procedure quietly went into effect on December 1, after senators failed to halt its implementation. It allows the FBI to be given permission to hack computers and phones outside the jurisdiction in which the warrant was granted.
Many privacy advocates are concerned about innocent bystanders becoming collateral in these remote searches. For instance, anyone who has weak security protocols on routers, security cameras and other devices can fall victim to a botnet attack. The new rule would allow federal agencies to copy all material on these hacked devices, including a wide range of sensitive, unrelated personal data.
Although Belarusian authorities issued several restrictive decrees back in early 2015, mandating data retention and banning anonymizing services, it took them almost two years to finally block Tor. The onion-routing network has seen a severe drop of Belarusian users in December. However, it’s still not clear at the moment whether Tor will remain blocked in the future.
Meanwhile, Belarusian users continue using various VPN services to break free from the information blockade imposed by the state authorities.
The Bright Side
Among all the bad news for privacy this year, a few positives must be mentioned, even though they are not entirely without fault. Nonetheless, these initiatives are still steps in the right direction towards securing users’ privacy and security.
On August 1, the United States – European Union data agreement known as Privacy Shield became operational. It’s a framework designed to protect the fundamental rights of European online users whose personal data is collected and handled by US companies and organizations.
However, the EU’s main privacy regulating body, the Article 29 Data Protection Working Party, has said that commitments by the US regarding mass surveillance of EU citizen data were still lacking in three areas: the process of data deletion, the continuing collection of massive amounts of data, and clarifications on the role of the new Ombudsperson. Essentially, all this means that the issue of the mass surveillance hasn’t gone away with the new agreement.
On October 27, new private data collection rules for US internet service providers came into effect. ISPs now have to impose opt-in rules, meaning that users have to click “I agree” or something similar before ISPs can share their data.
There is one allowance, however. The Federal Communications Commission has not banned “pay-for-privacy” schemes, which means ISPs are able to charge more for users who don’t opt-in (as in the case of AT&T’s Internet Preferences). In addition, the new rules don’t affect social media websites and other services offered by broadband providers, nor do they cover government surveillance.
There are a few solutions to bypass some of the restrictive laws mentioned in this article, the most reliable being a VPN service. A VPN sends your data through a securely encrypted tunnel before accessing the Internet – this protects any sensitive information about your location by hiding your IP address.
Connecting through a VPN tunnel hides your online activity from your internet service provider (ISP). The only information visible to the ISP is that you are connected to a VPN server, while all other information is encrypted by the VPN’s protocol. This prevents ISPs from collecting potentially sensitive data and passing it onto any third parties.
It’s also important to use a VPN service that does not store activity records to ensure your data is not logged and forwarded to any agencies. NordVPN has a strict no-log policy and could not supply any information on your online activities even if requested.