Author Archives: Irene Poetranto

Regional Consultation on Freedom of Expression for Civil Liberties in Asia

On November 21-23, 2013, Cyber Steward Network partner Bytes for All (B4A) will be participating in the “Asia Regional Consultation on ‘Freedom of Expression for Civil Liberties’” held in Bangkok, Thailand. Working in collaboration with other civil society organizations such as ICT Watch, Global Partners Digital, Association for Progressive Communications and the Thai Netizen Network, the event will focus on three issues relevant to free expression cyberspace in Asia: access to the Internet, online surveillance, and political-electoral communication.

The event will feature Frank La Rue, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. One of the objectives of the consultation will be to assess ways in which participants can best push forward the recommendations of the La Rue’s report on digital surveillance. The report urges states to strengthen existing laws on privacy and regulate the commercialization of surveillance software. The event will also highlight progress made on recommendations stemming from the La Rue’s previous report on access to information, which urges states to eliminate barriers to Internet access, discourage blocking and other means of filtering content, and encourage digital literacy. As an output, the event will produce and collect recommendations from participants on the concept of political-electoral communication for presentation to the UN General Assembly in 2014.

Bytes for All Condemns Instant Messaging Ban

Cyber Steward partner organization Bytes for All (B4A), based in Pakistan, joined with ARTICLE 19 to condemn a proposal developed by the government of Sindh Province for a three-month ban on instant messaging apps Skype, Viber, and WhatsApp. The provincial government maintained that this proposed ban is part of an effort to block access to networks used by criminals and terrorists for their activities. Legal experts in Pakistan argue that the ban is legally justifiable as the 1996 Telecommunications (Reorganisation) Act allows communication services to be suspended for security concerns. However, B4A and ARTICLE 19 have criticized the proposal as incompatible with international human rights standards.

The International Covenant on Civil and Political Rights (ICCPR), of which Pakistan is a signatory, accepts restrictions on free expression and access to information only if these restrictions are legally based, implemented for a legitimate aim, and are completely proportionate to those aims. B4A and ARTICLE 19 argue that the blanket ban on these services is extreme and disproportionate, and is therefore in violation of a central tenet of the Covenant. Furhan Hussain, coordinator for advocacy and outreach for B4A, also described the proposed ban as a “blow to the human rights and civic liberties of people.”

Other civil society organizations, politicians, and journalists also voiced their objections to the proposal. Pakistani advocacy group Bolo Bhi criticized the move, saying that the ban will negatively impact the local economy and families who rely on instant messaging platforms to communicate with members living abroad. The Sindh government has also been accused of being unclear as to how the ban will practically inhibit criminal and terrorist communication in the province. Other commentators have noted that many websites and pages associated with militant groups remain active, which raises questions as to the government’s intentions for and efficacy of the ban.

While Sindh’s Information Minister Sharjeel Memon has expressed his regrets for the “inconvenience” caused by the proposed ban, the province’s government has pledged to contact the Pakistan Telecommunication Authority (PTA) in order to move ahead with the blocking of the three messaging services. Pakistan’s Federal Interior Minister Chaudhry Nisar Ali Khan has stated that he is not in favour of any ban on messaging applications due to the country’s ineffective experience in jamming mobile communications to combat violent activity. The Interior Ministry will, however, consider the Sindh government’s proposal to see “how much significance the demand carries.” It is unclear when this ban is supposed to come into effect.

Update on Bytes for All Censorship and Surveillance Cases

In January 2013, Cyber Steward partner Bytes for All (B4A) submitted a petition to the Lahore High Court to challenge Internet censorship in the country. This case, in collaboration with the Media Legal Defense Initiative, a non-governmental organisation which helps journalists and independent media outlets around the world defend their rights, highlighted the ongoing censorship of YouTube in Pakistan. The popular video-sharing site has been blocked since 2012 since YouTube refused to remove the controversial anti-Islamic “Innocence of Muslims” video.

After months of deliberations, the Lahore High Court has decided to move the case to a larger bench presided by three or five judges, a move B4A sees as indicating how serious the stakes of the petition are, as cases presided by a full bench of judges “carry greater weight in terms of judgment.” B4A pledges to pursue the case as a constitutional issue and hopes for the speedy end to the blocking of YouTube in Pakistan. Minister for Information and Broadcasting Senator Pervaiz Rashid stated recently that the government is not interested in prolonging the YouTube ban and that Pakistanis “will hear good news soon.” Rashid then clarified that the ban will be overturned only after the installation of filters to block blasphemous and other objectionable content online. Last year, the Pakistani Ministry of Information Technology called for bids on a national URL filtering system. Research by the Citizen Lab found that filtering products produced by Netsweeper, a Canadian company, have been installed on the networks of the Pakistan Telecommunication Company Limited (PTCL), the country’s largest telecommunications corporation.

B4A is also initiating a contempt charge against the government for not appearing at court in regards to the ongoing FinFisher petition. The court ordered the Pakistan Telecommunication Authority (PTA), the country’s telecommunications regulatory agency, to investigate FinFisher’s presence in Pakistan. The petition also asks for accountability from other corporate and government entities, including the Federation of Pakistan, through the Ministry of Interior, the Ministry of Information Technology, and the Pakistan Telecommunications Company Limited (PTCL).FinFisher, a product advertised as “governmental IT intrusion” software, is marketed and sold to law enforcement and intelligence agencies by the UK-based Gamma Group.  Research conducted by the Citizen Lab on the presence of FinFisher found the software present in 36 countries across the globe, including Pakistan.

 

Cyber Steward Network and Local Activists Investigate Surveillance in Mexico

by Renata Avila

While the Mexican government has long been suspected of purchasing surveillance equipment, the frequency of these purchases and the level of public funds allocated to them are rapidly increasing. Last February,  New York Times published an investigative report on a USD 355 million outlay by the Mexican Ministry of Defense for sophisticated surveillance equipment. Six months earlier, Carmen Artistegui, a renowned investigative journalist in Mexico, published a report documenting five contracts from the Secretariat of National Defense for the purchase of surveillance technologies. All five contracts were confidential and granted to a single company headquartered in the state of Jalisco called Security Tracking Devices, Inc.

On March 13, 2013, Citizen Lab published “You Only Click Twice: FinFisher’s Global Proliferation,” in which researchers conducted a global Internet scan for the command and control servers of FinFisher surveillance software. The Citizen Lab found FinFisher servers hosted on two Mexican Internet service providers: Iusacell, a small service provider; and UniNet, one of the largest ISPs in Mexico.

As part of my work investigating surveillance in the Northern Triangle, I recognized that the findings revealed potential legal violations. I quickly translated the findings and disseminated them to human rights groups and technology collectives in Mexico.

The findings were widely shared via social networks and later translated by the online activist group YoSoyRed. Shortly thereafter, Mexican magazine Proceso published an investigative report on the harassment of human rights defenders online. The report  asked Iusacell  and UniNet to explain the presence of FinFisher on their servers. Neither of the ISPs responded to any of the magazine’s questions.

I connected with human rights activists in Mexico City  to raise awareness about civil society efforts in other countries that have resulted in legal action against the use of surveillance technology by repressive regimes, including cases against Amesys in France and Finfisher in Pakistan. A coalition of human rights lawyers and international experts, including Citizen Lab, ISOC Mexico, Privacy International, and other organizations, discussed the possibility of taking legal action to reveal the identity of those parties responsible for the purchase and deployment of FinFisher software in Mexico. At the time, however, we did not have enough information to present a strong case.

On May 1, 2013 Citizen Lab published “For Their Eyes Only: The Commercialization of Digital Spying,” which once again implicated Mexican ISPs in deploying FinFisher surveillance software. Two Mexico City-based human rights non-governmental organizations, Propuesta Cívica and ContingenteMx, requested a verification procedure regarding FinFisher’s presence in Mexico with the Instituto Federal de Acceso a la Información y Protección de Datos Inicio (Federal Institute for Access to Information and Data Protection or IFAI), Mexico’s privacy authority. Their filing cited Citizen Lab’s FinFisher research.

IFAI is legally mandated to protect citizen data and investigate possible personal data violations by private sector entities, as provided by the Federal Law on Personal Data Protection Held by Private Parties. It is also mandated to impose sanctions if a law has been breached. IFAI has the ability to launch a procedure either on its own initiative or at the request of affected parties. If, after preliminary findings, the IFAI determines that there is sufficient evidence to proclaim that a data breach has taken place, a formal investigation and possible sanctions will follow.

IFAI subsequently opened an official preliminary inquiry asking ISPs whether they were hosting FinFisher servers and what measures they were taking to protect the data of their clients. At the same time, Federal Deputy Juan Pablo Adame proposed a resolution before the Mexican Senate and Congress encouraging IFAI to investigate the use of FinFisher with reference to Citizen Lab’s findings and the requests submitted by civil society to investigate the deployment of FinFisher (registered as IFAI/SPDP/DGV/544/2013 and IFAI/SPDP/DGV/545/2013). The Permanent Assembly approved Adame’s motion, thereby imposing an obligation on the data protection authority to answer all questions submitted by the government.

After the Congress and Senate passed a joint resolution, IFAI announced that it required further information from ISPs and government agencies with powers to acquire surveillance technologies before deciding whether it would open a verification process for Iusacell and UniNet. UniNet denied responsibility for any programs that clients run on their servers, while Iusacell made no comment.

Purchase of FinFisher is confirmed by authorities 

On July 6, 2013, following the Congressional resolution and an IFAI public statement announcing the inquiry, YoSoyRed published a leaked contract and other documents implicating the Mexican Federal Government in the purchase of FinFisher software. The Procuraduría General de la Nación (Office of the Prosecutor or PGR) purchased the surveillance tool from Obses, a security contractor, for up to USD 15.5 million. José Ramirez Becerril, a representative from Obses, unveiled details about the equipment provided to PGN and claimed that other Mexican governmental institutions purchased the software as well. Mexican authorities confirmed that the equipment was purchased directly rather than through the governmental bid system that usually characterizes defence contracts so as not to  “alert organized crime.”

The media heavily scrutinized the leaked FinFisher contracts. The press, however, was more concerned about the amount of public funds allocated to purchasing these technologies than about the technologies themselves. In circumventing the public bid procedure, FinFisher and another surveillance tool called Hunter Punta Tracking/Locsys were sold at an inflated price to Mexican authorities during the Felipe Calderon administration. In response, authorities indicated they would prosecute culpable individuals who conduct illegal surveillance activities. To date, no criminal complaint has been filed, despite strict provisions that prohibit the interception of communications unless authorized by a federal judge and a warrant. The full content of the contracts has not yet been made public.

As the scandal unfolded, Congress offered help to activists on the ground demand greater transparency and accountability. On July 11, 2013, the Mexican Senate and Congress passed a joint resolution in which they demanded a full investigation and disclosure of any contracts between the Secretary of Interior, the PGR, and any other relevant institution. They were asked to send a full report about the purchase of surveillance and hacking systems capable of monitoring mobile phones, electronic communications, chats, and geolocation data from Obses, Gamma Group, Intellego, and EMC Computer Systems, and its affiliates. Congress also called for laws to regulate and restrict purchases of surveillance equipment, extensively quoting the Citizen Lab report in their request. The commercial entities named have not yet responded. IFAI also informed Congress that they would continue the investigation.

Iusacell and UniNet continued to deny hosting FinFisher servers. Iusacell indicated that the servers were located in Malaysia. Further evidence indicates otherwise: Wikileaks’ and La Jornada’s Spyfiles 3 publication revealed that FinFisher developers visited and were active in Mexico.

All Mexicans enjoy a constitutional right to privacy according to the recently amended Article 16 of the Mexican Constitution and the Federal Law on the Protection of Personal Data held by Private Parties, a general privacy framework. IFAI’s mandate ensures full monitoring powers and verification of compliance with these laws. If IFAI fails to open a full investigation, criminal and constitutional complaints can follow and any failure to investigate will be challenged under the basis of flagrancy. Technical assistance is often necessary to test devices and find examples  of infected individuals to support any legal course of action.

IFAI’s investigation is currently ongoing. The Citizen Lab and Cyber Stewards Network will continue supporting the case and helping both the Mexican authorities and the citizens to understand how surveillance systems operates so that they can evaluate whether those employing them are breaking the law.

 

Access Is My Right!: Bytes for All Launches Campaign Against Internet Filtering and Online Censorship in Pakistan

B4A - Prosperous Pakistan

Cyber Steward partner Bytes for All (B4A) has launched “Access Is My Right” — an advocacy campaign to engage Pakistani citizens on Internet censorship, privacy, and freedom of expression in the country. The campaign calls on citizens to raise awareness of information controls by sharing campaign visuals across the Internet, especially on social media sites such as Twitter and Facebook.

B4A describes the campaign as “a call for [a] larger human rights movement in the country and [for] citizens to fight the ongoing censorship as it will further take its toll on already compromised civil liberties in the country.”

The campaign features original art pieces by local artist Anny Zafar that highlight government practices and policies that limit the right to freedom of expression and information as guaranteed by the Pakistani constitution. It also complements larger campaigns that B4A has launched in response to threats to user rights, such as online filtering and surveillance.

Bytes for All (B4A) actively campaigns against the use of information controls in Pakistan. In recent years, the Pakistani government has blocked YouTube, Twitter, Facebook, and certain pages on Flickr and Wikipedia over content deemed to be threatening to national security or considered blasphemous. The Pakistani government has also on two occasions imposed cellphone communication bans in the name of national security.

In January 2013, B4A and the Media Legal Defense Initiative (MLDI) submitted a petition to the Lahore High Court challenging the government’s censorship of YouTube and other websites, claiming that Internet censorship is a violation of civil and political rights.

B4A’s Country Director, Shahzad Ahmad, has pointed out that this case is vital for upholding democratic rights and principles in Pakistan: “YouTube was shut down to try and control the news of massive corruption and human rights violations in the country. In Pakistan breaking news often first comes on citizen journalism platforms and not on mainstream media. YouTube has helped spread stories of human rights abuses, such as extra-judicial killings, and corruption, so from that perspective these channels are very important.” These issues have been highlighted in some of the artwork for the Access Is My Right! campaign.

B4A - Our Tube   B4A - YouTube Ban
These Access Is My Right! campaign posters highlights why the ban on YouTube violates the principles of right to information and freedom of expression.

In June 2013, research by the Citizen Lab in conjunction with B4A found that filtering software developed by the Canada-based company Netsweeper is deployed on a network operated by Pakistan Telecommunication Company Limited, Pakistan’s largest telecom company and operator of its Internet Exchange Point. Netsweeper is used for national level filtering that restricts access to content with political and social themes, including websites related to human rights, sensitive religious topics, and independent media. This development is significant because of the possibility that such censorship will be extended to lower-level ISPs in the country.

B4A has actively campaigned against Pakistan’s national filtering system since its proposal in 2012. Recently, it has raised concerns over Netsweeper filtering technology in the country. B4A submitted Citizen Lab’s Netsweeper research to the Lahore High Court as well as all relevant UN Special Mandate holders. The Access Is My Right! campaign has been used to raise public awareness about Netsweeper in Pakistan.

B4A - O Pakistan   B4A - Netsweeper
Access Is My Right’s Netsweeper campaign posters

Access Is My Right! also draws attention to B4A’s work around promoting privacy rights in Pakistan. In 2013, The Citizen Lab found evidence of two FinFisher command and control servers in Pakistan. FinFisher is a “governmental IT intrusion” software that can exfiltrate data, intercept e-mail and instant messaging communications, and spy on users through webcams and microphones. Although the presence of FinFisher command and control servers in the country does not necessarily imply that Pakistani government agencies are operating it, its presence is alarming given Pakistan’s lack of strong privacy laws and data protection legislation.

B4A - FinFisherAccess Is My Right’s FinFisher campaign poster illustrates how surveillance technologies violate the right to privacy.

B4A submitted a writ petition to the Lahore High Court, expressing concerns over increasing threats to citizen privacy, absence of individual protections and the violations of basic human rights granted by the country’s constitution, while questioning the existence of FinFisher in the country.This effort resulted in the court ordering the Pakistan Telecommunication Authority to investigate the use of FinFisher in Pakistan.

Access Is My Right! has garnered significant support, with the campaign posters being shared across social media sites. To learn more about the campaign, visit: http://www.accessismyright.pk.

 

The Cyber Stewards Network Speak Out on PRISM

In June 2013, news broke out in media outlets around the world of a secret program operated by the United States’ National Security Agency (NSA) regarding the collection of information directly from several major U.S. Internet companies. The program, referred to as “PRISM”, involves data collection on a large scale from phones, streams of Internet traffic, and content stored by Internet companies. Despite denials by major Internet companies of their complicity with the NSA regarding this program, leaked reports have also indicated the agency paid millions of dollars to major technology companies to cover the costs of the program.

The revelation of the NSA’s PRISM program has raised concerns around the world over potential harms to online privacy. As the program’s efforts are directed primarily at non-American citizens, it is clear this is an issue of global concern, especially considering the dependence so many Internet users have worldwide on products and platforms developed by U.S. based companies such as Google, Yahoo, and Facebook.

In a CNN op-ed Ron Deibert, (Director, Citizen Lab) suggested that the revelation of the program’s existence will ultimately prove detrimental to Internet freedom. Authoritarian regimes may now cite PRISM as an excuse to tighten and restrict Internet access for their citizens while simultaneously engaging in a digital arms race to offset the United States’ intelligence capabilities. Deibert explained that it is incumbent on the United States to fully “consider the international implications” of actions done by government agencies in the pursuit of domestic security. In a separate article on the use of metadata by security agencies, Deibert also emphasized the need for citizens to ask the “big questions about the appropriate checks and balances of security agencies in a liberal democratic society as we undergo such a profound Big Data revolution.”

Partners in the Cyber Stewards Network have joined the chorus of voices speaking out against the program and its implications on domestic safeguards for data protection across the world. Alberto Cerda, International Program Director of Chilean NGO Derechos Digitales, wrote in an op-ed that the “violation of fundamental rights has a global character. What good is it for me to be protected in Chile if it’s actually the US government that’s violating my rights?” Derechos Digitales has cautioned users to be mindful of what content they upload on any network.

Ramiro Alvarez Ugarte, Director of Access to Information for Asociación por los Derechos Civiles, has also suggested that the PRISM revelations should force netizens in countries outside of the US—such as his native Argentina—to look at the powers that domestic intelligence agencies wield, especially where governmental oversight of these organizations is lacking. Ugarte has also participated in discussions on privacy rights in Argentina with other like-minded organizations in the context of the PRISM revelations.

The PRISM revelations have encouraged other Stewards to advocate for greater knowledge on data protection techniques. Lobsang Gyatso Sither of the Tibet Action Institute has placed increased emphasis on the use of encryption technology in his own everyday work and when training Tibetans on practices for securely transmitting sensitive information. Nathan Freitas, Director of the Guardian Project (an initiative to develop secure mobile applications) and  a member of the Tibetan Action Institute, expressed concern that the disclosure of the United States’ surveillance activities will erode the “moral high ground” from which the country has pressured the Chinese government to curtail its own digital spying.

The PRISM controversy is one of many issues involving surveillance that is part of the global campaign for Internet freedom and the freedom of citizens from unwanted privacy violations. ‘Gbenga Sesan, CEO of Paradigm Initiative Nigeria has warned of the dangers to citizens of increased government surveillance in the context of the Nigerian government’s multi-million dollar contract with Elbit Systems. Pakistani organization Bytes for All has also submitted a court petition challenging the use of the FinFisher software suite in the country.

Paradigm Initiative Nigeria Seeks Information on Surveillance Systems in Nigeria

Recent research from The Citizen Lab has detected the presence of devices capable of surveillance on networks operated by Nigerian Internet service providers. In January 2013, Citizen Lab researchers found installations of Blue Coat Systems’ PacketShaper device on netblocks associated with IPNX ISP and Cobranet. In April 2013, Citizen Lab released “For Their Eyes Only: The Commercialization of Digital Spying,” in which researchers identified FinFisher servers on a network operated by Suburban Telecom.

The Nigerian government’s procurement of Internet surveillance capabilities attracted local media attention on April 25, 2013, when the Premium Times reported that President Goodluck Jonathan had awarded a USD 40 million contract to Elbit Systems, an Israeli company that markets itself as an “international defense electronics company.” One day earlier, Elbit Systems announced in a press release that it would supply its “Wise Intelligence Technology (WiT) System for Intelligence Analysis and Cyber Defense,” a device tailor made for digital data collection and reportedly capable of harvesting network traffic, to “a country in Africa.” Premium Times’ sources within the Jonathan administration confirmed that the country in question was Nigeria.

‘Gbenga Sesan, a Cyber Steward Network partner and Executive Director of the Paradigm Initiative Nigeria (PIN) called attention to the issue on Twitter by highlighting Section 38 of the Nigerian Budget Office’s 2013 Appropriation Act, which clearly detailed that the Nigerian government had allocated N 4,312,479,720 (USD 27.6 million) to the “Wise Intelligence Network Harvest Analyzer System,” in addition to similarly large allocations toward an “Open Source Internet Monitoring System” and a “Personal Internet Surveillance System.”

On May 6, 2013, PIN filed a Freedom of Information (FoI) request with the Nigerian government regarding the USD 40 million Internet surveillance contract to Elbit Systems. The FoI filing requested that the government provide details of the process through which the contract was awarded and any information that could shed further light on the substance of the contract itself.

As of May 23, 2013, President Jonathan was reportedly considering the option of canceling the contract with Elbit Systems and had convened a meeting with the company’s management to discuss their potential breach of confidentiality in publishing the initial press release.  However, the government failed to respond to PIN’s FoI request, and the group subsequently applied for an order of mandamus through the Federal High Court in Abuja. In response to the request, Federal High Court Justice Gabriel Kolawole asked the National Assembly to amend Nigeria’s 2011 Freedom of Information Act to henceforth bar unjustified requests for information. In a press release, PIN challenged the High Court’s dismissal and called on the National Judicial Institute to address the issue. As of September 2013, PIN’s lawyers have filed an appeal against Justice Kolawole’s ruling and are awaiting a response.

7iber Conducts Jordan’s First Internet Governance Research Project

In June 2013, Jordan’s Press and Publications Department initiated a ban on all Jordanian news websites that have not registered and been licensed by the government agency. 7iber was among the more than 300 news websites blocked as a result of this initiative. Since its website was blocked, 7iber has been working with lawyers and other media groups to challenge the law and has used the opportunity to raise awareness about Internet filtering and freedom of expression.

Jordan’s Press and Publications Law, first proposed in 1998, was amended in August 2012 to extend to digital media restrictions that have long been in place on print, radio, and television news. Among the restrictions are stories deemed insulting to the royal family, publications that promote sentiment antithetical to the Jordanian nation or “Arab-Islamic values,” and anything that might incite sectarian conflict or violence. The amendments effectively granted the government the power to block any website it deems to be in violation of the above provisions without obtaining a court order. The amendments also established the liability of publishers and website owners for the comments their readers post.

7iber develops content to raise awareness about Internet security, surveillance, and censorship circumvention in Jordan and the Middle East more broadly through  initiatives such as its Wireless blog. 7iber has organized multiple public sessions with the aim of discussing Internet issues with lawyers, cyber crimes experts, and activists working on Internet freedom and online freedom of expression.

It aims to map the scope of control of the Jordanian government, the private sector, and civil society over the Internet within its various physical and virtual layers. As part of the Cyber Stewards Network and partly inspired by the recent blocking of its website, 7iber has been working on the first-ever research project on Internet governance in Jordan. The project explores the roles of different stakeholders in shaping the state of Internet governance in Jordan and their impact on digital rights.

7iber’s research will analyze the implications of the jurisdiction of relevant physical and virtual entities on the fundamental rights of Jordanian netizens defined in the International Bill of Human Rights, mainly: the freedom of communication; the freedom of association; and the freedom to seek, receive and impart information and ideas without interference by public authorities regardless of frontiers and through any medium, freedom from surveillance and intrusion into one’s private life and social and political activities.