The UN General Assembly has unanimously adopted a resolution called "The right to privacy in the digital age," introduced by Germany and Brazil. The resolution sets the stage for the adoption of broader privacy protection in UN treaties and resolution. The Electronic Frontier Foundation has written a set of (excellent) "People's Principles" (sign on here) for future work on digital privacy in the world.
The Principles make clear that:
* Critical Internet infrastructure must be protected: No law should impose security holes in our technology in order to facilitate surveillance. Dumbing down the security of hundreds of millions innocent people who rely on secure technologies in order to ensure surveillance capabilities against the very few bad guys is both overbroad and short-sighted. The assumption underlying such efforts—that no communication can be truly secure—is inherently dangerous, leaving people at the mercy of good guys and bad guys alike. It must be rejected.
*
Monitoring equals surveillance: Much of the expansive state surveillance revealed in the past year depends on confusion over whether actual "surveillance" has occurred and thus whether human rights obligations apply. Some have suggested that if information is merely collected and kept but not looked at by humans, no privacy invasion has occurred. Others argue that computers analyzing all communications in real-time for key words and other selectors is not "surveillance" for purposes of triggering legal protections. These differences in interpretation can mean the difference between targeted and mass surveillance of communications. Definitions matter. States should not be able to bypass privacy protections on the basis of arbitrary definitions.*
We must protect metadata: It's time to move beyond the fallacy that information about communications is not as privacy invasive as communications themselves. Information about communications, also called metadata or non-content, can include the location of your cell phone, clickstream data, and search logs, and is just as invasive as reading your email or listening to your phone calls—if not more so. What is important is not the kind of data is collected, but its effect on the privacy of the individual. Thus, the law must require high standards for government access. Our metadata needs to be treated with the same level of privacy as our content.*
Privacy must be protected across borders: Privacy protections must be consistent across borders at home and abroad. Governments should not bypass national privacy protections by relying on secretive informal data sharing agreements with foreign states or private international companies. Individuals should not be denied privacy rights simply because they live in another country from the one that is surveilling them. Where data is flowing across borders, the law of the jurisdiction with the greatest privacy protections should apply.*
We must restore proportionality: Authorities must have prior authorization by an independent and impartial judicial entity in order to determine that a certain act of surveillance has a sufficiently high likelihood to provide evidence that will address a serious harm. Any decisions about surveillance must weigh the benefits against the costs of violating an individual's privacy and freedom of expression. Respect for due process also requires that any interference with fundamental rights must be properly enumerated in law that is consistently practiced and available to the public. A judge must ensure that freedoms are respected and limitations are appropriately applied.
One Small Step for Privacy, One Giant Leap Against Surveillance
