The laws in many Latin American countries haven’t kept pace with the increasing power of surveillance technology, creating the potential for serious abuses, according to a new report from a privacy watchdog.
Despite recent revelations of widespread use of spyware capable of infiltrating phones and computers by many governments in the region — including, in some instances, against political opposition and journalists — not a single Latin American country surveyed in the report has specific laws on the use of such invasive technology. Many countries, including Brazil, Colombia, Chile, and Mexico, require companies to log detailed data on their customers and give law enforcement access to the information on demand. Colombia has a ban on encryption, and El Salvador requires communications providers to decrypt traffic at the government’s demand.
The report, written by researchers for the San Francisco-based Electronic Frontier Foundation, looked at surveillance laws in 12 countries in Central and South America. It opens with a stark reminder of what is at stake: a history of the collaboration among military dictatorships in Argentina, Chile, Paraguay, Bolivia, Uruguay, and Brazil in the 1970s and ’80s known as “Operation Condor.” Files discovered later documented torture, disappearances, imprisonment, and executions, enabled through a regime of informants and surveillance.
Many intelligence agencies in the region were formed under these military dictatorships, and even after transitioning to democratic rule, most Latin American countries maintained strong executive branch powers “without well-placed controls or public oversight mechanisms.” Given the power vested in many presidents in the region, the report says, “intelligence agencies in Latin America have been powerful tools in presidential politics, specially used to spy on dissident groups, opposition politicians, or independent journalists.”
Colombia’s national security agency under former President Álvaro Uribe was found to have illegally wiretapped calls and hacked the emails of his political opponents. The revelation of the scandal in 2011 led to the dissolution of the agency and various reforms — though the authors of the EFF report still think the country’s broad intelligence law leaves room for abuse.
“We’re especially concerned with laws requiring data retention on the whole population for future use by law enforcement,” said Katitza Rodriguez, one of the authors of the report. “Colombia has a retention period of five years, and there are no clear rules of who can access the data and how it will be deleted after the fact.”
While Mexico’s Supreme Court recently put some safeguards on the country’s data retention law, limiting who could access the information, Paraguay was the only country EFF found that had rejected data retention policies entirely.
Earlier this year, a state judge in Brazil shut down the messaging service WhatsApp for 72 hours after demanding that the company turn over the content of messages for a criminal investigation. WhatsApp stated that it could not turn over what it didn’t have, since the app, with end-to-end encryption, doesn’t have a record of what users send. (The judge’s order was overturned by another court.)
EFF found that Colombia has a law on the books that actually bans the use of encryption.
“If it were actually enforced, many things would be illegal,” Rodriguez said. “They aren’t enforcing it now, but as the use of encryption becomes more widespread, that old law is becoming more relevant.”
The report is also concerned with the increased surveillance firepower readily available to governments. When company records for the Italian spyware manufacturer Hacking Team were hacked and released online last year, it came out that Brazil, Colombia, Chile, Ecuador, Honduras, Mexico, and Panama had bought surveillance software from the company, and that many other nearby countries had been in talks with it.
Mexico was Hacking Team’s top client. The spyware was bought not only by federal agencies but also by many state governments and the national oil company PEMEX, which do not have the authority to conduct surveillance. Mexican journalists uncovered that the governor of the state of Puebla had used the malware to spy on political opponents.
Cases like Puebla get at the heart of one of the report’s main takeaways: While it found some positive trends in terms of legal protections and transparency reports, the issue is how the law is interpreted and enforced.
“Without public oversight — not just judicial oversight — the laws on the books just won’t work,” said Rodriguez.