One year ago, in resolution 48/4, the Council asked the Office of the High Commissioner to prepare a report on the right to privacy to identify recent trends and challenges with regard to the human right to privacy and to identify and clarify related human rights principles, safeguards and best practices.
In today’s vastly expanding and ever-evolving digital environments, there are countless challenges. The features of modern networked digital technologies can make them formidable tools for surveillance, control and oppression, if they are not deployed with full compliance with human rights law.
And indeed, the right to privacy is under increasing pressure, coming from State and non-State actors. The present report zooms in on three areas where strong action is needed by States and companies to prevent and mitigate potential adverse effects on privacy and other rights.
The first of these areas is the widespread abuse of spyware. This topic gained worldwide attention when last year investigative reporters revealed the shocking extent to which the spyware Pegasus had been abused by dozens of governments. Our report explains in detail the deep intrusiveness of spyware tools such as Pegasus that can turn people’s phones into around the clock surveillance tools, granting access to all aspects of the lives of their targets, as well as intruding on the privacy of their families and friends. The impacts on those affected are profound, but the broader societal risk is even greater. The use of spyware against journalists, human rights defenders, and political dissidents and opposition threatens the free discourse which is the life blood of democracy, and even the fear of such intrusions can chill free expression. Urgent steps are needed to address this ongoing threat.
Encryption is the second focus area of the report.
Encryption is a key enabler of privacy and security online and is essential for safeguarding rights, including the rights to freedom of opinion and expression, freedom of association and peaceful assembly, security, health and non-discrimination.
Nevertheless, some States have taken or are considering actions to restrict access to and use of encryption technology, putting the security and confidentiality of encrypted communications at risk. Restrictions include bans and criminalization of encryption, registration requirements, key escrows, mandatory backdoors, and traceability requirements. Mechanisms have recently been proposed as well that would constantly scan and analyse every message on every device. These measures pose serious human rights concerns, as such restrictions should only be imposed upon a clear showing that they are the least intrusive method to accomplish a legitimate aim, and that they are proportional – in other words, the benefits that would accrue need to be sufficient to outweigh the risks posed.
Finally, the report raises the alarm about common practices of mass surveillance of public spaces, both offline and online. Surveillance cameras are now commonplace in public places, with the number of cameras in use globally expected to exceed one billion in 2021.
Sophisticated video surveillance coupled with modern data-driven technologies relying on artificial intelligence and facial recognition have dramatically shifted the balance of power between those who conduct surveillance and those being monitored. The ease of use of these systems allows states and private actors to operate at a scale never before possible, obtaining and storing massive amounts of data, and targeting communities, neighbourhoods and groups, particularly the most marginalized. Yet, these systems have become a feature of our landscape with little or no regulation imposed on how these powerful and intrusive tools are used.
In parallel, monitoring of public online discourse has become widespread. Globally, many authorities are collecting and analysing social media posts and the networks built on publicly accessible communications platforms. Such social media intelligence ranges from the investigation of specific users to dragnet collection, storage and analysis of vast amounts of data.
While certain surveillance activities may be necessary to protect public safety or national security, surveillance is too often a routine measure that is employed without much consideration for human rights – and is frequently abused to target dissenting voices and minorities. And again, our analysis points to a troubling lack of applicable legal frameworks and safeguards.
Many other developments relating to the right to privacy are not covered in this report but would be worthy of future attention by the Council. Covert mass surveillance, discussed in previous reports of the High Commissioner, remains a serious problem. Every day new biometric surveillance, identification and authentication systems are being rolled out. Internet users are constantly tracked and assessed by countless companies, such as advertisers, financial institutions and data brokers. Mass adoption of expanded and virtual reality technologies will produce even more interactions and more personal data to collect and use.
All this leads to the conclusion that the right to privacy is more at risk than ever before. The manifold ways in which pervasive surveillance threatens human rights and the rule of law and may erode vibrant, pluralistic democracies are profoundly alarming. If more and more spaces, and more and more of our actions are monitored, if being observed becomes the rule rather than an exception, we will indeed reach the dystopian world where the erosion of privacy makes living a life of dignity impossible.
We have the power to avoid that nightmare scenario if action is taken now. The report contains a broad range of recommendations for States, companies, and others.
It starts from the foundation that any interference with the right to privacy, including USE OF ___ hacking, restrictions of encryption and surveillance of the public, must comply with international human rights law, including the principles of legality, legitimate aim, necessity and proportionality and non-discrimination.
To achieve that objective, we recommend that States conduct human rights due diligence systematically, including regular comprehensive human rights impact assessments, when designing, developing, purchasing, deploying and operating surveillance systems.
In addition, States should be more transparent about their use of surveillance technologies and encourage public debate about their use.
With regard to surveillance tools, the report calls upon States to implement moratoriums on the domestic and transnational sale and use of surveillance systems, such as spyware tools and biometric systems that can be used for the identification or classification of individuals in public places, until adequate safeguards to protect human rights are in place.
States should use such spyware only as a measure of last resort, used only to prevent or investigate a specific act amounting to a serious threat to national security or a specific serious crime, narrowly targeted and with strong safeguards in place.
The report also calls for States to promote strong encryption and avoid all direct or indirect restrictions on its use.
As noted, public surveillance measures should be strictly necessary and proportionate for achieving important legitimate objectives. In particular, surveillance of social media should be done on the basis of clear, publicly accessible legal frameworks that define the permissible grounds, prerequisites, authorization procedures and which include adequate oversight mechanisms.
Biometric recognition systems should only be used in public spaces to prevent or investigate serious crimes or serious public safety threats and if all requirements under international human rights law are implemented.
Without such measures, we risk walking into surveillance societies where the right to privacy will become more an illusion than a reality.