Tag Archives: Access Now

A Human Rights Response to Government Hacking - Access Now 201609


Recently we have seen several high-profile examples of governments hacking into consumer devices or accounts for law enforcement or national security purposes. Access Now released a report where we consider government hacking activity from the perspective of international human rights and conclude that based upon its serious interference with the rights to privacy, free expression, and due process, there should be a presumptive prohibition on all government hacking. There has yet to be an international public conversation on the scope, impact, or human rights safeguards for government hacking. The public requires more transparency regarding how governments decide to employ hacking and how and when hacking activity has had unanticipated impacts. Finally, we propose Ten Human Rights Safeguards for Government Hacking in pursuit of surveillance or intelligence gathering. The full report is available at: www.accessnow.org/GovernmentHackingDoc



We define hacking as the manipulation of software, data, a computer system, network, or other electronic device without the permission of the person or organization responsible for the device, data, or service or who is ultimately affected by the manipulation.

We consider government hacking in three categories based on the broad goal to be achieved:

  1. Messaging control: Hacking to control the message seen or heard, specifically by a particular target audience. to control a message, to cause damage, or to conduct surveillance.
  2. Causing damage: Hacking to cause some degree of harm to one of any number of target entities.
  3. Commission of surveillance or intelligence gathering: Hacking to compromise the target in order to get information, particularly on an on-going basis.

All government hacking substantially interferes with human rights, including the right to privacy and freedom of expression. While in many ways this interference may be similar to more traditional government activity, the nature of hacking creates new threats to human rights that are greater in both scale and scope. Hacking can provide access to protected information, both stored or in transit, or even while it is being created or drafted. Exploits used in operations can act unpredictably, damaging hardware or software or infecting non-targets and compromising their information. Even when a particular hack is narrowly designed, it can have unexpected and unforeseen impact.


Based on analysis of human rights law, we conclude that there must be a presumptive prohibition on all government hacking. In addition, we reason that more information about the history and the extent of government hacking is necessary to determine the full ramifications of the activity.

In the first two categories — messaging control and causing damage — we determine that this presumption cannot be overcome. However, we find that, with robust protections, it may be possible, though still not necessarily advisable, for the government to overcome the presumptive prohibition in the third category, government hacking for surveillance or intelligence gathering. We note that the circumstances under which it could be overcome are both limited and exceptional.

In the context of government hacking for surveillance, Access Now identifies Ten Human Rights Safeguards for Government Hacking, including vulnerability disclosure and oversight, that must both be implemented and complied with to meet that standard. Absent government compliance with all ten safeguards, the presumptive prohibition on hacking remains. In addition, the high threat that government hacking poses to other interests, defined in greater detail in our report, may (and probably should) necessitate additional limitations and prohibitions.

Government hacking threatens human rights embodied in international documents.

There should be a presumptive prohibition on all government hacking. In any instance where government hacking is for purposes of surveillance or intelligence-gathering, the following ten safeguards must all be in place and actually complied with in order for a government to successfully rebut that presumption.

Government hacking for the purposes of messaging control or causing damage cannot overcome this presumption.

1. Government hacking must be provided for by law, which is both clearly written and publicly available and which specifies the narrow circumstances in which it could be authorized. Government hacking must never occur with either a discriminatory purpose or effect;

2. Government actors must be able to clearly explain why hacking is the least invasive means for getting Protected Information in any case where it is to be authorized and must connect that necessity back to one of the statutory purposes provided. The necessity should be demonstrated for every type of Protected Information that is sought, which must be identified, and every user (and device) targeted. Indiscriminate, or mass, hacking must be prohibited;

3. Government hacking operations must never occur in perpetuity. Authorizations for government hacking must include a plan for concluding the operation. Government hacking operations must be narrowly designed to return only specific types of authorized information from specific targets and to not affect non-target users or broad categories of users. Protected Information returned outside of that for which hacking was necessary should be purged immediately;

4. Applications for government hacking must be sufficiently detailed and approved by a competent judicial authority who is legally and practically independent from the entity requesting the authorization and who has access to sufficient technical expertise to understand the full nature of the application and any likely collateral damage that may result. Hacking should never occur prior to authorization;

5. Government hacking must always provide actual notice to the target of the operation and, when practicable, also to all owners of devices or networks directly impacted by the tool or technique;

6. Agencies conducting government hacking should publish at least annually reports that indicate the extent of government hacking operations, including at a minimum the users impacted, the devices impacted, the length of the operations, and any unexpected consequences of the operation;

7. Government hacking operations must never compel private entities to engage in activity that impacts their own products and services with the intention of undermining digital security;

8. If a government hacking operation exceeds the scope of its authorization, the agency in charge of the authorization should report back to the judicial authority the extent and reason;

9. Extraterritorial government hacking should not occur absent authorization under principles of dual criminality;

10. Agencies conducting government hacking should not stock vulnerabilities and, instead, should disclose vulnerabilities either discovered or purchased unless circumstances weigh heavily against disclosure. Governments should release reports at least annually on the acquisition and disclosure of vulnerabilities. In addition to these safeguards, which represent only what is necessary from a human rights perspective, the judicial authority authorizing hacking activity must consider the entire range of potential harm that could be caused by the operation, particularly the potential harm to cybersecurity as well as incidental harms that could be caused to other users or generally to any segment of the population.

Three facts about US surveillance the European Commission gets wrong in Privacy Shield - Access Now 20160303

Three facts about US surveillance the European Commission gets wrong in Privacy Shield - Access Now 20160303

On February 29, the European Commission released the draft text of the new Privacy Shield data-transfer arrangement between the EU and the US. Unfortunately, the arrangement has the same inherent flaws as the “Safe Harbour” mechanism it seeks to replace. Safe Harbourwas invalidated by the Court of Justice of the European Union (CJEU) for failing to comply with EU law and protect fundamental rights.

In issuing the Privacy Shield, the commission asserts that is has “carefully analysed US law and practice,” to determine whether it complies with EU law. The CJEU called for a showing of essential equivalence in protections between the two in order to allow data flows to continue. Far from an in-depth inquiry, the commission’s analysis relied on a series of letters sent by the US administration and published as annexesto the draft deal.  Unfortunately, the end result demonstrates the inadequacy of this approach, and the European Commission errs on several important facts. Here are our top three:

1.) Claim: “the U.S. government has given the European Commission explicit assurance that the U.S. Intelligence Community ‘does not engage in indiscriminate surveillance of anyone, including ordinary European citizens.’”

Fact: The US does not provide sufficient protections to non-US persons

The US government often makes this kind of broad statement, but almost always with an important and necessary qualification: “…under this programme.” Undoubtedly, what the statement is meant to refer to is the surveillance conducted under Section 702 of the FISA Amendments Act, the specific law at issue in the case in which Safe Harbour was invalidated. It doesn’t address surveillance that takes place secretly.

However, even this qualified statement is deceptive. As Access Now previously explained, there is a conflict in terms between the EU and the US. Most of the surveillance that the US administration considers “targeted” would qualify as “indiscriminate surveillance” in the EU, and would therefore be prohibited. But, more broadly, this statement isn’t even remotely correct. Under Executive Order 12333, the US conducts broad, inadequately overseen, non-transparent surveillance of innocent people around the world without having to meet any evidentiary standard at all. These kinds of programmes collect users’ address books and buddy lists, and record details about every phone conversation, across full countries.

The European Commission makes several statements asserting the adequacy of the protections that the US provides to non-US persons. But the truth is simple: the US does not respect the fundamental rights of those outside the United States.

Specifically, the EU Commission references limitations on government surveillance in Presidential Policy Directive 28 (PPD28), which provides that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside.” But this aspiration is not the same as a commitment to respect rights. In fact, the policies and protections that PPD-28 provides for non-US persons are only applied “[t]o the maximum extent feasible consistent with the national security.” This exception not only swallows the rule — it engulfs it.

2.) Claim: “U.S. law contains clear limitations on the access and use of personal data transferred under the EU-U.S. Privacy Shield for national security purposes as well as oversight and redress mechanisms that provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse.”

Fact: The system of congressional and executive oversight is inadequate

The European Commission relies heavily on the “multiple oversight layers” that are used to oversee US surveillance operations, including those in the executive branch (“civil liberties or privacy officers, Inspector Generals, the ODNI Civil Liberties and Privacy Office, the [Privacy and Civil Liberties Oversight Board], and the President’s Intelligence Oversight Board”), in Congress (“the House and Senate Intelligence and Judiciary Committees”), and in the courts (“the FISA Court…an independent tribunal whose decisions can be challenged before the Foreign Intelligence Court of Review”).

However, the commission does not  acknowledge that these three layers have frequently failed to accomplish their missions effectively. As the Snowden revelations demonstrated, even with most of these mechanisms in place, the US was able to conduct at least one known surveillance programme that, once revealed, was nearly universally believed to have been both unlawful and likely unconstitutional. And, where Executive Order 12333 is concerned, there is no judicial or congressional oversight at all.

One of the major problems is the lack of transparency. Broad exemptions for information even remotely related to national security insulate surveillance agencies from public scrutiny. Congressional oversight committees conduct most of their hearings behind closed doors, and, when they do decide to hold an open hearing, the lack of probing questions is a joke even among the members of Congress, and the FISA court is known for its secrecy. While recent reforms in the USA FREEDOM Act help address the transparency problem, it’s only a small step for an area of government where the black-curtain culture still reigns.

As Access Now previously pointed out, even without public transparency, federal judge John D. Bates publicly accused the National Security Agency of “repeatedly misleading” the court. In two of the few public hearings on surveillance, both former NSA Director General Keith Alexander and Director of National Intelligence James Clapper provided information that was a bit removed from the truth.

Finally, regardless of how robustly any of these mechanisms review intelligence programs, the ultimate truth is that they are looking for violations of US law, which doesn’t recognise rights for non-US persons. Mass surveillance is lawfully permitted under both Section 702 and Executive Order 12333, and entities like the Privacy and Civil Liberties Oversight Board have so far failed to address the impact of these authorities on the rights of non-US persons. This is not what oversight looks like.

3.) Claim: “the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community…This mechanism builds upon the designation…of a Senior Coordinator…in the State Department.”

Fact: Proposed redress mechanism is unacceptably entrenched in the existing structure

With regard to improper government access to data, one of the biggest changes made from the Safe Harbour to the Privacy Shield is the creation of an “Ombudsperson,” to serve as a means for redress for EU citizens. However, the Ombudsperson is given authority only to coordinate responses to complaints filed by users and relevant authorities. The office is not empowered to initiate investigations.

Further, the European Commission specifically trumpets the ombudsperson’s independence from the intelligence community, explaining that such independence is necessary to ensure that complaints are “properly investigated.” However, the office will, in fact, be housed in the US Department of State, which is a central part of the US’s intelligence framework. In fact, the specific individual designated by US Secretary of State John Kerry as Ombudsperson, Catherine A. Novelli, is directly linked with the US intelligence community in her other role as Under Secretary of State.

Outside of the Ombudsperson, Privacy Shield offers no new alternative avenues for redress.

Road ahead for the Privacy Shield

Based on the same flawed foundations as its predecessor, the Privacy Shield is not likely to withstand future legal challenges. Comprehensive surveillance reforms on both side of the Atlantic must be conducted before any data transfer arrangement can meet the standards set forth by the Court of Justice of the EU.

Access Now urges the Working Party 29 and the Article 31 Committee to take into consideration all the abovementioned facts overlooked by the Commission negotiators when developing their opinions on the arrangement. The adoption of yet another flawed mechanism will benefit no one, and has the potential to further hinder users’ trust in the digital economy. We expect DPAs and representatives from EU member states to take seriously their duty to protect users’ fundamental rights to privacy and data protection.