Blog #2: Direct Access Systems and the Right to Privacy by Lisl Brunner and Patrik Hiselius

In the second installment of the FOC Working Group 2 (WG 2) blog series, WG members Lisl Brunner – Policy and Learning Director at the Telecommunications Dialogue – and Patrik Hiselius – Senior Advisor at TeliaSonera – discuss the challenges that direct access systems pose to the right to privacy.

Throughout this blog series, WG members will analyse current scenarios where the application of the rule of law online fails to promote human rights online, and highlight areas where further research should be undertaken to further strengthen rule of law principles and practices. To read previous blog posts in the series, follow this link.

Since the Snowden revelations of June 2013, transparency around the scope of government access to communications globally has increased. While the fact that some states use direct access systems is now known, less is known about how they are used, hindering informed debate about the methods and extent to which authorities impact the right to privacy. While there are no doubt legitimate reasons for governments to access user data – for example, crime and terrorism – these systems raise profound questions regarding proportionality and the applicability of rule of law principles such as transparency and accountability in the digital sphere.

Direct access systems allow law enforcement authorities to intercept the content of communications and to obtain non-content data by means of a direct connection to the networks of telecommunications operators.  The law generally requires a court or senior government official to authorize interception beforehand, and oversight mechanisms often exist.  The operator, however, does not need to be contacted before interception commences – nor can they control, or even know, which authorities are conducting surveillance and to what extent. The Telecommunications Industry Dialogue has advocated that companies should maintain control over their networks and services, as well as the scope of data collection.

The law enforcement disclosure reports of operators including Vodafone Group, Telenor Group, Millicom, and Telia Company, as well as the Industry Dialogue’s online legal resource, have shed more light on these practices.  At the same time, laws often prohibit operators from revealing that a direct access regime has been implemented.  This is difficult to reconcile with the principle of transparency, according to which the rule of law is bolstered when laws are clear and publicly accessible.   

Direct access regimes may also be inconsistent with the rule of law principle of accountability. In 2015, the European Court of Human Rights considered that the absence of a requirement to show an order authorizing interception to an operator or other non-governmental actor made the SORM system of direct access in Russia “particularly prone to abuse,” and it underscored “[t]he need for safeguards against arbitrariness and abuse.” The Court suggested, however, that direct access systems could be consistent with the right to privacy and the rule of law if equipment were configured to log all interceptions, and if robust oversight mechanisms were in place.

Governments and ICT companies can foster greater accountability by increasing transparency around direct access systems. We suggest that governments not only make the laws, regulations and oversight mechanisms relating to direct access public, but also provide companies with interception logs and allow them to disclose statistics regarding interception and access to communications data.  Increased transparency gives civil society and oversight bodies the basis to determine whether interferences with the right to privacy meet the tests of legality, necessity, and proportionality. 

Where direct access is not present, ICT companies can contribute to public debate by issuing law enforcement disclosure reports showing the number of requests (where this is permitted by law and would not endanger employees), and making clear their policies and procedures regarding government access to communications data.  Companies can also advocate for laws that provide robust protections for customers’ privacy rights individually or join the efforts of the Global Network Initiative or the Telecommunications Industry Dialogue.

Researchers can also support the development of laws and practices that promote human rights online.  Their analysis of existing laws on direct access – and the government-imposed processes which serve to implement them – could help identify best practices, and inform public debate.

Contributions to greater transparency regarding direct access practices will give the public more insight into  how governments both possess and use direct access systems to monitor communications networks and services. With this information at hand,  a more informed debate will be possible on the question of whether these systems meet the rule of law principles of accountability, transparency, and respect for fundamental rights.

The views expressed in this blog represent the views of individual authors, building on the work of the Working Group. They do not represent the views of the Freedom Online Coalition or its members.