Rights, Safety at Risk Without Lawful Interception Rules
Commentary, 27 January 2015
By Lucy Purdon, Policy Officer, Privacy International; Research Fellow, IHRB
This piece was originally published in The Myanmar Times.
Myanmar is among the fastest-growing telecommunications markets in the world. However, a key part of Myanmar’s telecommunications legal framework has yet to be finalised: rules governing the interception of communications by law enforcement, otherwise known as “lawful interception”.
Why is a legal framework governing this process important? It ensures that law enforcement officials have the necessary legal tools to fight crime. But it should also prevent the misuse of lawful interception and provide appropriate protection to human rights, such as freedom of expression and privacy.
Lawful interception intrudes into private communications. Law enforcement authorities clearly have legitimate reasons to intercept the communications of certain individuals and organisations – for example, people who are suspected of planning or carrying out a serious crime, such as a terrorist attack. But authorities may misuse the same technology, putting individuals or specific groups, such as political activists or minorities, under arbitrary surveillance, perhaps as part of a wider pattern of intimidation.
Regulations governing lawful interception in other countries are usually most strict when it comes to authorities requesting access to the content of communications, such as what is said in phone conversations, or written in text messages and emails. However, users of mobile phones and computers generate a lot of other data that could be potentially sensitive, such as their location. This information also needs to be protected under lawful interception regulations to prevent unauthorised access. That means only permitting access in accordance with strict criteria.
These criteria – the conditions under which communications can be intercepted, by which authorities, and for which suspected crimes – have not been established in Myanmar. The government has promised a public consultation before draft regulations on lawful interception are approved. This is a welcome step, and one that it has already undertaken with other telecoms regulations.
What should those draft regulations include? Building on good practice elsewhere, including in other countries’ legal frameworks and United Nations reports, the rules should include the need for requests for interception to fulfil the following criteria.
Firstly, interception of communications must be targeted against a specific person or organisation, and there must be prior suspicion that the target has been involved in a crime. In other words, it cannot be mass, indiscriminate interception.
Once this has been established, a lawful interception request must be subject to prior authorisation. In other countries, this is usually in the form of either a judicial or executive order that is presented to the operator as legal justification for intercepting communications.
Any lawful interception request made to the court should include an assessment of the necessity and proportionality of the contemplated interception and well-defined reasons supporting the request, and it should be time bound. In other words, it should not permit surveillance for an indefinite period.
The terms of recently issued telecommunications licences already require that a valid court order must accompany any lawful interception request. But the process for this is not yet defined in regulations. These regulations also need to specify the route a lawful interception request takes from law enforcement authorities, such as the police, to the operator, such as Telenor and Ooredoo.
Emerging industry norms, such as the Global Network Initiative (GNI) Implementation Guidelines and the Guiding Principles of the Telecommunication Industry Dialogue on Freedom of Expression and Privacy – the latter of which is available in Myanmar language – provide useful guidance.
The request should be made to the operator in writing, either directly from a designated person in the requesting authority, or by the regulator – currently the Post and Telegraph Department (PTD) – on the authority’s behalf.
The request, accompanied by the court order, should contain as much information as possible, including the required time period for the interception. To ensure confidentiality, the data collected by the authorities should be destroyed after a specified amount of time.
Once the regulations are in place, judges likely to be involved in such court orders will need training.
On receiving the request or judicial order, the telecoms operator should then scrutinise the request to ensure all legal requirements are met. If they are, it can authorise the interception and allow access to the requested data. If they are not met – for example, if the request is too vague or broad – operators should seek clarification to narrow the request.
In order for communications to be intercepted, the telecommunications system needs to be configured in a specific technical way according to a set of standards. The European Telecommunications Standards Institute (ETSI) has taken the lead in producing globally applicable standards for ICTs, including lawful intercept requirements. Administrative bodies, manufacturers, research institutes and service providers from Malaysia, Singapore, Indonesia, South Korea and India are associate members of the ETSI.
In recent years, an industry has emerged around providing technical capability for lawful intercept solutions that are often unregulated. Civil society groups are concerned that many of these companies may be selling technology that goes beyond regulated, targeted and controllable interception of individuals under prior suspicion and instead permits the mass surveillance of citizens, in violation of their rights. As Myanmar develops its lawful intercept regulations, the PTD could take advice to ensure this kind of technology is not employed.
Finally, oversight – whether by parliamentary committee or ombudsmen – should be built into the regulations to ensure that they are being implemented correctly. Some countries, such as the United Kingdom, also publish an annual report from the oversight mechanism on the activities of that year that includes information on the number of lawful interception requests from the authorities to the operators.
These are complex issues. The government has asked the European Union for help in drafting its lawful interception regulations to ensure they reflect international best practice. Both business and civil society are keen to see Myanmar receive sound technical advice as soon as possible in support of a transparent consultation, drafting and adoption process. With Myanmar’s telecommunications sector developing at a rapid pace, the need for clear and rights-respecting regulations is becoming more urgent every day.
Lucy Purdon is ICT project manager at the Institute for Human Rights and Business (IHRB). IHRB and the Myanmar Centre for Responsible Business are conducting a sector-wide impact assessment of ICT in Myanmar that will be published in 2015.