State of Privacy Colombia

Last modified: Tuesday, March 14, 2017 - 14:22

Introduction

Acknowledgement

The State of Surveillance in Colombia is the result of an ongoing collaboration between Privacy International, Fundación Karisma and Dejusticia.

Right to Privacy

The constitution

The Colombian legal framework provides a number of essential protections for the right to privacy, both in the text of the 1991 Constitution, and in the constitutional instrument (bloque de constitucionalidad) in accordance with Article 92 of the Colombian Constitution. This article incorporates Colombia’s international human rights obligations into Colombian law and confers upon them the status of constitutional law, meaning they take precedence over statutory provisions. Article 15 of the 1991 Constitution provides that everyone has the right to personal and family privacy. It states:

“Correspondence and other forms of private communication are inviolable. They may only be intercepted or recorded pursuant to a court order, following the formalities established by law.”

Communication Surveillance

Introduction

Colombia, with a population of 47.6 million in 2014, had 51.59 million mobile subscribers in 2014, according to the Ministry of Information Technology and Communications (MINTIC), and there were 7.14 million fixed line phone subscribers in 2013. MINTIC also reported 22 million internet subscriptions in 2014, representing a penetration rate of 22.3%.

DANE, the Colombian government statistics agency, estimated that 22.5 million Colombians used the internet in 2014, and that Facebook, Twitter and Instagram were among the most popular social media sites.

Surveillance laws

The interception of communications in Colombia is regulated primarily by the Constitution, the Criminal Procedure Code and a number of intelligence laws. The Constitution empowers the Office of the Attorney General (Fiscalía General) to “[c]onduct searches, house visits, seizures and interceptions of communications” subject to judicial control (Article 250). The Criminal Procedure Code provides further details. It begins with a reiteration of the right to privacy, stating in Article 14:

“Everyone has the right to respect for his/her privacy. No one shall be disturbed in his/her private life.

No records, searches and seizures at home, residence or workplace can be made but by written warrant of the Attorney General or his/her delegate, in accordance with the forms and for the reasons previously defined in this code, excluding in flagrante situations as well as other situations authorized by law.

The same process is applicable when it is necessary to conduct a selective search in computerized, mechanized or any other form of database, which are not freely available, or when necessary to intercept communications.

In these cases, within thirty-six (36) hours there shall be a respective hearing before the supervisory judge, in order to determine the formal and material legality of the action.”

Article 235 of the Code stipulates the conditions under which the Fiscalía can order the interception of communications. The Article states:

“The prosecutor [Fiscalía] may authorize, with the sole purpose of seeking probatory material and physical evidence, the interception, by tape-recording or similar, of telephone or radiotelephone communications or similar that use the electromagnetic spectrum, whose information have relevance for the purposes of the action. In this sense, the entities responsible for the technical operation of the respective interception are required to undertake it immediately after the notification of the warrant.

In any case, the order shall be in writing. Persons involved in these proceedings are obliged to keep the proper confidentiality. Under no circumstances the communications of the defending counsel shall be intercepted.

The warrant will be in effect for a maximum of three (3) months, but may be extended for the same period, if in the opinion of the prosecutor the reasons that originated it persist.”

The provision stipulates that the prosecutor may only lawfully order the interception of communications being transmitted via the electromagnetic spectrum (‘EMS’) (telephone, radio or fibre optic cable) for the sole purpose of seeking evidence. The order must be made in writing and is valid for three months.

In April 2013, a new Intelligence Law was adopted, stipulating that intelligence and counter-intelligence activities “include monitoring the electro-magnetic spectrum”. Article 4 of the Law provides that information may only be obtained for a lawful purpose. Those purposes are: ensuring national security; sovereignty; territorial integrity; the security and defence of the nation; the protection of democratic institutions and the rights of Colombian residents and citizens; and the protection of natural resources and economic interests of the nation. Article 17 of the Law is entitled “Monitoring the Electromagnetic Spectrum and Intercepting Private Communications” and states:

“Intelligence and counter-intelligence activities include monitoring the electromagnetic spectrum when this is duly established in operational orders or work assignments. Information gathered during such monitoring in the context of intelligence and counter-intelligence activities that does not serve to achieve the aims established in this Law shall be destroyed and may not be stored in intelligence or counter-intelligence databases. Monitoring does not constitute interception of communications.

Intercepting private mobile or land-line telephone conversations, as well as private data communications shall be subject to the requirements established in Article 15 of the Constitution and the Criminal Procedure Code and may only be conducted in the context of legal proceedings.”

The second paragraph states clearly that the interception of communications is not authorised by the Intelligence Law, but rather must only occur under the lawful authority of the Criminal Procedure Code, on a targeted basis, in accordance with the procedures stipulated in the Code. The provision, therefore, cannot be said to sanction the interception of communications by the intelligence or law enforcement agencies.

A report published by Privacy International in August 2014 sets out the logical inconsistencies in the government's interpretation of the Intelligence Law as relates to electromagnetic spectrum monitoring and lawful interception.

Surveillance actors

In Colombia, the Police and Army are two branches of the ‘public force’ that come under the control of the Ministry of Defence. The armed forces of Colombia also carry out significant interception and monitoring activities in the course of operations against armed groups. Below are the main law enforcement and security agencies, outside of the military, who conduct communications surveillance.

Police Intelligence Directorate (Dirección de Inteligencia Policial, DIPOL)

DIPOL is the police directorate responsible for producing strategic and operational intelligence related to disturbances in public order, security and defence. It is mandated to conduct national counterintelligence activities. It is one of eight Police directorates accountable to the General Directorate under the Ministry of Defence. DIPOL is also responsible for leading technological development plans with regard to intelligence activities within the Police. DIPOL officers have been accused of illegal surveillance against journalists.

The Directorate of Criminal Investigation and Interpol (Dirección de Investigación Criminal e Interpol, DIJIN)

DIJIN is the police directorate in charge of judicial investigation. It is one of eight police Directorates accountable to the General Directorate under the Ministry of Defence. Its role is to support criminal investigation in technical, scientific and operational areas, of its own initiative or according to orders from the Fiscalía. DIJIN officers have lent forensic expertise to the investigations of illegal interceptions.

The Office of the Attorney General (Fiscalía General de la Nación)

The Fiscalía is not a security and law enforcement agency, although it does carry out communications surveillance. Rather, it is an entity of the judicial branch of government with full administrative and budgetary autonomy and with responsibility for the effective administration of justice. Established in 1991, it is mandated to carry out criminal investigations for the purpose of judicial prosecution, to ensure the protection of victims and witnesses, and to direct and coordinate the functions of the judicial police. The Fiscalía is responsible for administering the Esperanza platform, reviewing and approving interception orders from other agencies including the DAS and the Police. The Fiscalía leads the ongoing investigation into the DAS’ illegal surveillance in the mid-2000s, reportedly carried out by abusing access privileges to the Esperanza platform.

The National Intelligence Directorate (Dirección Nacional de Inteligencia, ‘DNI’)

In 2011 a new agency, the National Intelligence Directorate (Dirección Nacional de Inteligencia, ‘DNI’), was established to head the intelligence and counterintelligence sector within the overall structure of the state. Very little is known publicly about its mandate or powers.

Surveillance capabilities

Colombia both hosts and attends a number of surveillance and security technology trade shows. Intelligence Support Systems World (ISS World), also known as the ‘Wiretappers’ Ball’ is one of the largest trade shows and focuses on North American and European providers. The Colombian police attended ISS World in 2012 where three Colombian companies exhibited their products: Biotekne SAS, Colombia ASOTO Technology Group, and the supplier to the Fiscalía of their Esperanza surveillance system STAR Colombia Inteligencia & Tecnología (STAR). The annual Cibercolombia trade show and conference where primarily Israeli surveillance products are displayed is sponsored by the Israeli embassy in Bogotá.

Much of the security equipment in Colombia is provided by international, especially American, companies. Over the past decade, the American funds, equipment and training supplied to elite units of the Colombian intelligence services were reportedly used to spy on Supreme Court justices, then-President Álvaro Uribe’s political opponents and civil society groups. Intercepted communications were vital to covert Colombian and US Central Intelligence Agency (CIA) operations against the FARC. While Colombian contracting law (Ley 80 de 1993) accords priority to security and national defence products made in Colombia by local manufacturers, the National Treatment caveat of the 2006 United States-Colombia Bilateral Trade Agreement allows American companies to be treated as locals when they participate in public bids. Israel is also a significant military supplier. Israeli-American company Verint Systems provided critical interception infrastructure used by the DAS, DIPOL and DIJIN from at least 2005. Verint Systems Ltd is the Israeli sister company to US-headquartered Verint Systems Inc.

Forensic analysis

In July 2007, the DAS published technical specifications for a tender for equipment that would allow them to copy and inspect targets’ devices. Although the bid was ultimately cancelled in December 2006, the DAS acquired the technology before 2010. La Curacao won a maintenance contract, beating out competitors Internet Solutions Ltda and SF International. The software the DAS used was Forensic Toolkit (FTK), a computer forensics software made by US-based AccessData. The 3.0 FTK software specified in the 2010 contract allows the analyst to not only ‘preview a target’s machine from across the network to determine relevancy prior to acquisition, but ... also acquire and fully analyse the data on the system, including the system’s RAM [random access memory]’. A remote drive feature enables analysts to forensically analyse live data – such as system memory, logical volumes, physical devices – on a remote device from the analyst system. The software could also be used to decrypt PGP-encrypted disks.

IMSI Catchers

Many companies offer IMSI catchers in Colombia, according to a Privacy International investigation. New Zealand-based Spectra Group via Colombian company Maicrotel Ltda provided its Laguna IMSI catcher to DIPOL in September 2005. The Laguna system is designed to monitor and record telephone conversations and data in mobile communication systems and could be mobile or assembled in fixed stations. Bulldog and Nesie, manufactured by UK surveillance company Smith Myers, are two other popular IMSI catchers sold in Colombia. In 2010, the DAS was preparing to purchase a Bulldog interception system for over US$ 250,000 and a Nesie system for over US$ 320,000. The Fiscalía was also planning to buy a Bulldog system for just over US$ 280,000 as was the sectional division of DIJIN in Bogotá. In 2014, the Finnish branch of Canadian telecommunications company Exfo exported its NetHawk F10 IMSI catcher to Colombia.

Intrusion malware and hacking

Hacking Team, an Italian company, produces an intrusion system that was acquired by the Colombian police. The company’s Remote Control System (RCS) can be used to hijack computer and mobile devices while remaining undetectable to users, as it is designed to bypass common antivirus programmes and encryption. By infecting a target’s device, the RCS suite can capture data on a target’s device, remotely switch on and off webcams and microphones, copy files and typed passwords. In 2014, Hacking Team had a Colombia-based field engineer and an active contract with the Colombian police. The Colombian government’s use of offensive Hacking Team malware products had been suspected since researchers at the Citizen Lab identified a command and control server for the RCS suite in Colombia. Hacking Team supplied its technology to the DEA, which according to internal emails was reportedly using the spyware to conduct surveillance from the U.S. embassy in Bogotá. Hacking Team also had two projects with the Colombian police, one of which appears to relate to the PUMA surveillance system.

The Colombian army has also employed hackers, as revealed in the Andromeda spying scandal. The army also trains cadets to hack in the Army Intelligence and Counterintelligence School (Escuela de Inteligencia y Contrainteligencia), as seen by Privacy International.

Network interception 

The nation’s most visible communications interception system is Esperanza (Sistema Esperanza); it is heavily supported by the US Drugs Enforcement Agency (DEA). The Office of the Attorney General (Fiscalía General de la Nación, ‘Fiscalía’) manages and administers the platform, which can obtain mobile and fixed-line call data and content. Esperanza, to which various law enforcement agencies have access, is connected to the nation’s telecommunications operators. It is used to obtain evidence for judicial prosecution on a case-by-case basis. It requires that a Fiscalía agent physically request that an individual phone line or record be intercepted. Other safeguards built into the Esperanza system include an electronic warrant submission system and supervisory judges (jueces de control de garantías). However, as a Privacy International investigation showed, Esperanza suffered from various security vulnerabilities, and its restriction to accessing data only for pre-defined individual targets on the basis of a warrant was a point of friction for other law enforcement agencies.

The Police Directorate of Criminal Investigation and Interpol (Dirección de Investigación Criminal e INTERPOL, ‘DIJIN’) has built the Single Monitoring and Analysis Platform (Plataforma Única de Monitoreo y Análisis, ‘PUMA’), a phone and internet monitoring system linked directly to the service providers’ network infrastructure by a probe that copies vast amounts of data and sends it directly to DIJIN’s monitoring facility. PUMA is capable of intercepting and storing potentially all communications that pass through its probes. Communications service providers know of its existence and cooperated in its installation but are excluded from its day-to-day operation. The PUMA system is outlined in a Privacy International report.

PUMA was acquired in 2007 using technology from Israeli surveillance company Verint Systems Ltd and maintained by Compania Comercial Curacao de Colombia, a Colombian firm. In 2013, the Police put forward proposals to extend the system, claiming that an expanded PUMA would be capable of capturing three times more phone calls and data. The expanded PUMA was to include a monitoring module for internet service providers (ISP) and up to 700 workstations throughout the country. The contract for the expansion was concluded with NICE Systems, another Israeli surveillance company, in partnership with Colombian company Eagle Comercial. Yet disagreement between the Fiscalía and the Police over its management stalled the expansion, and the project was put on hold. Nonetheless, new contracts are still being settled and the revamped system was supposed to be operational by the end of 2015.

Additionally, the Police Intelligence Directorate (Dirección de Inteligencia Policial, ‘DIPOL’) acquired and deployed its own mass, automated communications surveillance system, the Integrated Recording System (‘IRS’). Established in 2005, the IRS monitors massive communications traffic across E1 lines and 3G mobile phone traffic. Like PUMA, it is set up with service providers’ knowledge, but monitoring is done without their knowledge. Our analysis of the technologies is that the system is capable of collecting 100 million call data records per day and intercepting 20 million SMS per day. This vast data store is then processed and combined with other types of data including images, video, and biometric details.

The technologies undergirding both the DIPOL and DIJIN systems automatically collect and store communications data passively via a set of probes linked to a monitoring centre.

Open Source Intelligence

In 2012, DIPOL also negotiated over a potential purchase of powerful open source intelligence technology from Palantir, an American data analytics company, according to Privacy International. This would have allowed DIPOL to build on their existing databases to analyse and process vast amounts of data and communications. Palantir denied engaging in this contract, though it is likely that DIPOL procured the technology from another vendor.

Surveillance oversight, checks and balances

The regulator for the telecommunications industry in Colombia is the Communications Regulation Commission (Comisión de Regulación de Comunicaciones, 'CRC'). Its role, among others, is to promote competition in the telecommunications industry, promote the use and deployment of ICT infrastructure sector, promote quality in the provision of ICT services, and regulate access and use of all the networks and access to markets for telecommunications services.

Surveillance case law

We are not aware of any surveillance case law in Colombia. Please send any tips or information to: research@privacyinternational.org

Examples of surveillance

Communications interception scandals (sometimes called by the Colombian Spanish term chuzadas) have been a feature of Colombian security politics since the 1990s. Authorities have been tapping phone lines since at least 1971 and surveillance has played an important role in military operations against the FARC in recent years. In 2011, intercepted phone calls were reportedly crucial to locating FARC’s supreme leader, Alfonso Cano, subsequently killed in a military attack. The military reportedly used the Esperanza interception system to locate the FARC’s military leader, Mono Jojoy, also subsequently killed.

However, stories of the illegal interception of private communications pervade accounts of extrajudicial disappearances and killings. Different agencies have been involved in these illegal interceptions. In one famous case, more than 2,000 phone lines were illegally tapped by the joint military-police Unified Action Groups for Personal Liberty (Grupos de Acción Unificada por la Libertad Personal, ‘GAULA’), according to the Fiscalía in 2002. Targeted were a group representing families of the disappeared, ASFADDES, who had seen at least two of its own members disappeared that year. In 2007, eleven police generals from DIPOL were dismissed following revelations that the agency had tapped influential opposition politicians’, journalists’, lawyers’ and activists’ phones. In 2014, the Colombian weekly magazine Semana alleged that a Colombia army unit codenamed Andromeda was spying for more than a year on the government’s negotiating team in ongoing peace talks with the country’s FARC guerrillas.

Yet the most notorious of the interception scandals involves the DAS and was revealed by Semana in February 2009. Special strategic intelligence groups of the DAS conducted targeted surveillance of an estimated 600 public figures including parliamentarians, journalists, human rights activists and lawyers, and judges among others. According to files retrieved during an investigation by the Fiscalía, the DAS intercepted phone calls, email traffic and international and national contacts lists, using this information to compile psychological profiles of targets and conduct physical surveillance of subjects and their families, including children.

Communications surveillance was central to the DAS abuses. The phone lines of journalist Hollman Morris were under near-constant surveillance. Morris was later forced into exile on several occasions. Claudia Duque, a lawyer and journalist formerly working with the CCAJAR lawyers collective, survived kidnapping attempts and received graphically violent phone threats; DAS files about her contained extensive evidence of communications and physical surveillance. Such was the scale of the illegal interception that seven Supreme Court justices were recused from the 2011 trial of the former DAS head because evidence suggested that even they had been illegally spied on.

Although the DAS had weathered previous abuse scandals by publicly purging its ranks, the Semana revelations were the last straw. In his first speech after the scandal broke, then-President Álvaro Uribe announced that intelligence agency DAS was no longer allowed to intercept any phone conversation without Police authorization.

The scandal-ridden DAS was disbanded in October 2011. Several former DAS heads were convicted for illegal interception and associated crimes. Fernando Tabares, former DAS director, was convicted for illegal wiretapping of government opponents in 2010. Maria del Pilar Hurtado, who headed DAS in 2008, is the highest-ranking official to have been convicted for illegal surveillance. In 2011 a new agency, the National Intelligence Directorate (Dirección Nacional de Inteligencia, ‘DNI’), was established to head the intelligence and counterintelligence sector within the overall structure of the state.

In December 2015, La FM accused officials of the Police Directorate of Intelligence (DIPOL) of running a major gay prostitution ring. Previously, La FM editor-in-chief Vicky Dávila had filed a complaint with the Attorney General's office with evidence that the Police had been spying on her, her team, and other journalists investigating irregularities within the National Police.

Data Protection

Data protection laws

Financial data in Colombia is protected by Law 1266 of 2008. This law was originally intended to be the general legal framework applicable to the management of personal information, according to analysis by Brigard & Urrutia Abogados. After review by the Constitutional Court (Decision C-1011 of 2008), its scope was reduced to be applicable only to financial, credit, commercial, and services information (and to information of the same characteristics coming from abroad) destined to financial risk and credit risk assessment (“Financial Personal Data”).

Therefore, in 2012 the Colombian Congress enacted Law 1581 of 2012 as the general legal framework applicable to the management of personal information. This law was reviewed by the Constitutional Court in Decision C-748 of 2011, and regulated by Decree 1377 of 2013. Bill 106 of 2015 aimed to amplify the scope of Law 1581 of 2012, in order to cover international collection and processing of personal data. Nevertheless, on June 16, 2016, the bill was withdrawn by its sponsor.

 

Accountability mechanisms

Law 1581 of 2012 is the general legal framework applicable to the management of personal data. Basically, it is intended to protect individuals' right to know, update and rectify information gathered about them in databases or files. In Colombia this right is known as habeas data. Besides, financial data is protected by Law 1266 of 2008. This law is applicable to financial, credit, commercial, and services information (and to information of the same characteristics coming from abroad) destined to financial risk and credit risk assessment (“Financial Personal Data”). 

Colombia has two statutory laws on regulating access to public information. There is Law 1712 of 2014, which seeks to regulate the constitutional right of access to public information, as well as the procedure by which ordinary citizens can obtain information from the government, and the exceptions that the government can cite to refuse to publish information. This law includes a figure called “request for access to public Information”, a request that any person can file in oral or written form, including electronic means, in order to have access to public information.

On the other hand, Colombian Congress also enacted Law 1755 of 2015, which seeks to regulate the constitutional right of petition. This law includes a procedural guarantee called “right of petition”, by which, for reasons of general or particular interest, any person can file to the authorities a respectful request in order to obtain a prompt, full and substantive reply.

Public entities, as well as the rest of subjects bound by Law 1712 of 2014 are required to disclose any information requested under the two previous figures, unless it falls under one of the exceptions which protect interests such as personal privacy and national security. Specifically, Law 1712 of 2014 authorizes to deny information when its access may cause damage to (i) third party’s rights to life, health, security or privacy, or (ii) commercial, industrial and professional secrecy. Besides, authorities can also deny access in order to protect (i) the defense and national security; (ii) public safety; (iii) international relations; (iv) the prevention, investigation and prosecution of offenses and disciplinary offenses; (v) the due process and equality of parties in court proceedings; (vi) the effective administration of justice; (vii) the rights of children and adolescents; (viii) the macroeconomic and financial stability; or (ix) public health.

Moreover, according to Law 1755 of 2015, the government can deny access to public information related to (i) defense or national security; (ii) instructions regarding diplomatic matters or negotiations reserved matters; (iii) matters involving privacy of individuals (data included in the resumes, curriculum vitae, pension records and medical records); (iv) matters concerning the financial conditions of public credit operations; (v) data on financial and business information; (vi) information protected by commercial or industrial secrecy and strategic plans of public utilities; (vii) information covered by professional secrecy; or (viii) genetic data.

Data breaches: case law

Since 1991, the Colombian Constitutional Court has issued numerous decisions regarding data protection. Initially, judicial decisions addressed cases related to personal financial data gathered by credit bureaux. Within these cases, ruling T-414 of 1992 first addressed financial data protection as a new social dimension of individual freedom, distinct from other classic manifestations of freedom, called “information processing liberty”. Afterwards, ruling T-022 of 1993 considered the collection and circulation of personal financial information as a problem of privacy. Finally, since 1995 habeas data has been addressed as an autonomous right, clearly differentiated from the right to privacy, and its core was initially composed of the right to information processing self-determination as well as freedom, in general, and economic freedom, in particular.

In recent years, court rulings have tackled other topics, such as the processing of personal data in social networks. For example, ruling T-260 of 2012 decided the case of a father who created a Facebook account for his 4-year-old daughter. In this case the Court declared that the principle of freedom in the handling of personal information had been breached. Therefore, given that the child was not aware of the creation of the account on Facebook, the Court considered that her right to data protection had been violated, and ordered her father to delete the account. Thereafter, the Court reviewed the case of a creditor who decided to publicly denounce her defaulting debtor on Facebook. In ruling T-050 of 2016 the Court decided that the message published on Facebook violated the right to privacy of the defaulting debtor, not only because it exposed part of her personal data, but also because the debtor did not give authorization for such information to be revealed. Although the right that was finally protected in this ruling was the right to privacy, the reasoning of the Court took particular account of the right to data protection of the debtor involved.

The Court’s position has not been as clear in regards to personal data disseminated by mass media. In the rulings that have been recently adopted about personal data published on media, the Court has addressed the problem as a conflict between the right to freedom of expression and access to information, on the one hand, and the right to honor and good name of the person involved, on the other hand. Therefore, it has not mentioned the right to habeas data, or has even declared that the right to habeas data is not applicable to the case, since the discussion focuses on journalistic information disseminated by media in the exercise of freedom of expression, and not on information gathered in databases (T-040 of 2013).

In relation to the work of the data protection authority, in Colombia, the Office of the Attorney General is the national authority in charge of controlling the correct management of public databases. When it comes to private databases, the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio, 'SIC') is the Colombian data protection authority. Regarding the latter, there are two pronouncements that are worth mentioning. On 24 November 2014, the SIC published a legal concept stating that the processing of personal data on social networks does not fall within the purview of Law 1581 of 2012 (the general legal framework applicable to the management of personal data), as in these cases the collection, use, circulation, storage or suppression of personal data is not made within the Colombian territory (since social networks are domiciled abroad). Nevertheless, on 3 March 2016, the SIC revised its position, arguing that the processing of personal data is carried out in the Colombian territory not only when the data collector is domiciled in Colombia, but also when, in order to undertake the collection, use, circulation or storage of the personal data, it uses "means" that are located in the Colombian territory.

Examples of data breaches

On 26 January 2016, the journalist Daniel Coronell wrote an op-ed in the digital magazine Semana.com in which he released some intimate photos of the Colombian Ombudsman, which would prove an alleged sexual harassment committed by him against his assistant. This scandal, which turned on issues of the right to privacy of public servants, resulted in the resignation of the Ombudsman.

On 16 February 2016, the journalist Vicky Dávila, director of “La Fm” radio station, disclosed a recording in which a Colombian vice-minister appears holding a conversation of a sexual nature with a Police officer. According to the journalist, who alleged being tapped by the Police, this recording is part of the records that would evidence the vice-minister’s relationship with a prostitution network that is operating within the Police. This scandal ended both in the resignation of the vice-minister and in the dismissal of the journalist.

On 3 April 2016, 11.5 million documents of the Panamanian law firm Mossack Fonseca & Co., which detail financial information of more than 214,488 off-shore entities, were leaked, exposing hundreds of people who have used Panama as a tax haven to evade taxes in their own countries. This scandal, commonly known as “Panama Papers”, involved more than 850 Colombians. Therefore, based on this information the Colombian tax authority (DIAN) expects to open at least 500 formal processes to rule out or confirm tax evasion practices.

Identification Schemes

ID cards and databases

Established in 1938, Colombia's population registry is administered by the National Civil Registry (Registraduría del Estado Civil). The registry is composed of three main sections: birth, marriage and death. The birth registry records general identification information, such as name, date of birth, the parents' names, identification and trades, and the physician in charge of the medical procedures at birth, as well as the footprints of the newborn. Those footprints, together with the full ten-print collected later for the identity card, are the only biometric information stored. The registry is the most important proof of the information it contains and will be demanded by any state agency accordingly. The registry information feeds the National Identification Archive (Archivo Nacional de Identificación) and the Civil Registry Database (Base de datos del Registro Civil). Even though the registry is public, the legislation imposes restrictions on issuing copies or certificates of it to protect privacy rights. However, the National Identification Archive can be consulted by public and private parties upon agreement with the National Civil Registry.

Since 1970, every newborn in Colombia has been assigned a unique identifier number. Until 2000, that number was composed of two parts: the first was the date of birth (for example, 840701 for a person born on 1 July 1984) and the second was a 5-digit number that differentiated between all the people born on the same day and allowed gender identification. Since 2000, the identifier is a 10-digit number. Many of these numbers are assigned to each registry office which then assigns them to anyone registered there at birth or when the person asks for an identity card.

The age of majority in Colombia is 18 years, which means that the person has full legal capacity and can vote in public elections. The medium to validate this circumstance is the identity card ("cédula de ciudadanía").

Voter registration

In order to secure the quantity and number of identity cards able to be used to vote, the National Civil Registry takes the last electoral census and adds the identity cards of the people over the legal age that do not appear in the census and the people who have acquired the Colombian nationality. The Registry also removes the identity cards of the deceased, of people who are part of the Military Forces abroad, and of other people who are unable to exercise public rights according to a confirmed criminal sentence and other irregular identity cards.

The census contains only the identity card number. 

SIM card registration

SIM card registration is not currently mandatory in Colombia but there is an IMEI registration system.

Since 2011 the Colombian government has been developing a cellphone registry system that aims to avoid and deter cellphone theft. The system has two main parts:

  1. IMEI databases
  2. Verification scheme

IMEI databases

There are two kinds of databases: positive and negative.

The positive database contains the IMEIs allowed to work on Colombian mobile networks. Besides registering imported devices, this database connects each IMEI with a user identity. Thus, users are required to hand over to the telecom operator personal information such as:

  • Full name
  • ID type and number
  • Address
  • Contact phone number

Telecommunications operators are required to verify this information on any of the following sources or databases:

  • National ID Archive
  • Civil State Registry
  • Credit History and Risk databases
  • Data gathered by the operator

Only one ID may be associated with a specific IMEI, even in the case of corporate accounts.

The negative database contains IMEIs that are not allowed to operate on Colombian networks because:

  • it was reported as stolen or lost
  • its IMEI was recognized as irregular: without format, without certificate of conformity (‘homologation process’ as is known in Colombian regulatory language) or duplicated.
  • it was not registered in the positive database

Police and judicial authorities may access the databases containing this data, as may administrative authorities such as the Ministry of ICT and the telecom regulator. They are not required to justify their access to this information and there is no oversight of any kind over this access.

Each operator should have its own positive and negative databases. This is called “operative database”. All operators should select a third party to manage the “administrative database”, which contains the information of all the operative databases and syncs them in order to avoid an IMEI reported in one operator to work on the networks of other operators. Currently the operator of the administrative database is Informática El Corte Inglés, which is part of the Spanish giant corporation El Corte Inglés.

These databases are also populated with reported IMEIs from the GSMA IMEI database and from other national databases with which operators have agreements.

Verification system

Because an IMEI can be reprogrammed, the regulator and the government do not consider the positive and negative databases a sufficient measure to prevent cellphone theft. In order to clean up the databases and ultimately guarantee that each legitimate IMEI is registered in the positive database (which implies user identification), a verification system was put in place.

The verification system requires all operators to record each IMEI that produced activity in their networks. This is achieved through analysis of Call Detail Records (CDR, voice and data), which are the metadata of the communications. The system works in three steps:

  • intra network analysis: each operator analyzes its CDR.
  • inter network analysis: each operator sends its CDR to a third party chosen by the operators, which analyzes them to find duplicates across all networks.
  • control measures: for each type of irregular IMEI (without format, not homologated, duplicated) the operators take measures as defined by the regulator.

For the time being, the regulator demands analysis of voice CDR. Data CDR are to be part of the system after February 2017. 

Specifically, the following information –metadata– should be analyzed by the operator:

  1. IMSI, which comprises:
      • MCC (mobile country code)
      • MNC (mobile network code)
      • MSIN (mobile subscription identification number)
  2. IMEI
  3. Date and time of beginning of the event
  4. Type of event: voice call or data session
  5. MSC - Mobile Station Classmark: in case the operator should check the coherence of the information provided by the device.

To calm down voices that pointed out a potential massive privacy violation, the regulator said that MSISDN number is not required, therefore the line number is not part of this analysis. However, it must be noted that the positive database contains an association of IMEI, user real identity and telephone number.

For the “inter network” phase of the analysis the operators should provide the third party with the geographic coordinates of all their stations. This information should be updated.

Besides the CDR information listed above, the operators must provide Cell Identity and Location Area Code fields which according to the regulator may contain: “location”, “location extension”, “location estimate”, LAC, “user location information”, “cell identifier”, or “user location info”.

For the control phase, all irregular IMEI must be blocked. It is noteworthy that for the case of duplicates, the user must prove the legitimacy of the device, which is to be determined using the information of the CDR (metadata recorded by the operator should match the device features and capabilities). When the legitimate owner of a device with a duplicated IMEI is found, the operator should record the pair IMEI-IMSI in order to allow only that specific pair to work on their networks.
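The following sketch is an added illustration, not code from the regulator or the operators. It runs the intra-network and inter-network steps over constructed voice CDRs carrying the fields listed above, and then shows the point made about the MSISDN: the IMEI alone is enough to join a CDR to the positive database. The sample records, the 3-digit MNC length, the Luhn check as the meaning of "without format", and the "more than one IMSI" duplicate heuristic are assumptions; homologation is not modeled.

```python
from collections import defaultdict

# Constructed sample CDRs: (operator, IMSI, IMEI, event start, event type).
# No MSISDN field, matching the regulator's list. Values are illustrative only.
CDRS = [
    ("op_a", "732101000000001", "490154203237518", "2016-05-01T08:00", "voice"),
    ("op_b", "732123000000002", "490154203237518", "2016-05-01T08:05", "voice"),
    ("op_a", "732101000000003", "356938035643809", "2016-05-01T09:00", "voice"),
    ("op_b", "732123000000004", "123456789012345", "2016-05-01T09:30", "voice"),
]

# Constructed positive-database entry: IMEI -> verified identity and line number.
POSITIVE_DB = {
    "356938035643809": {"name": "Example Person", "id": "CC 0000000000",
                        "phone": "3000000000"},
}

def split_imsi(imsi, mnc_len=3):
    """Split an IMSI into MCC (3 digits), MNC and MSIN.
    The MNC length varies by country; 3 digits is assumed here."""
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

def imei_format_ok(imei):
    """Assumed meaning of 'without format': not 15 digits, or Luhn check fails."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        digit = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0

def duplicates(cdrs, operator=None):
    """IMEIs seen with more than one IMSI (simplified duplicate heuristic).
    operator=None is the inter-network view held by the third party."""
    seen = defaultdict(set)
    for op, imsi, imei, _start, _kind in cdrs:
        if operator is None or op == operator:
            seen[imei].add(imsi)
    return {imei: sorted(imsis) for imei, imsis in seen.items() if len(imsis) > 1}

def classify(cdrs):
    """Label every IMEI that produced activity on any network."""
    dup = duplicates(cdrs)
    labels = {}
    for _op, _imsi, imei, _start, _kind in cdrs:
        if not imei_format_ok(imei):
            labels[imei] = "without format"
        elif imei in dup:
            labels[imei] = "duplicated"
        else:
            labels[imei] = "regular"
    return labels

def reidentify(cdrs, positive_db):
    """Join MSISDN-free CDRs to the positive database on IMEI."""
    return [(start, positive_db[imei]["name"], positive_db[imei]["phone"])
            for _op, _imsi, imei, start, _kind in cdrs if imei in positive_db]

if __name__ == "__main__":
    print(split_imsi(CDRS[0][1]))
    print("op_a alone:", duplicates(CDRS, operator="op_a"))
    print("all networks:", duplicates(CDRS))
    print(classify(CDRS))
    print(reidentify(CDRS, POSITIVE_DB))
```

In this sample the duplicated IMEI is invisible to either operator on its own and only appears once the CDRs are pooled, which is why the scheme centralizes metadata with a third party.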

Concerns

The system was not set by the Congress by a Law but was instead put in place by the telecommunications regulator (Comisión de Regulación de Comunicaciones). The positive and negative databases were sketched by Article 106 of Law 1453 (2011). Decree 1630 (2011) developed that article and specified that every IMEI should be tied to an identification. Resolution 3128 (2011) of the telecom regulator set the system in greater detail. Also, the verification system was not present in any of those legal documents and was instead set by the regulator through Resolution 4813 (2015).

Intelligence services can access the information produced by the operators, especially the CDRs, thus giving meaning to the obscure provision of the Intelligence Law (Law 1621/2013) that required operators to hand over “history of communications” of its customers (Article 44). Intelligence organisms lack proper control and the only mechanism of oversight, which is in charge of the Congress, is currently inoperative.

Even though the association of personal data with IMEI is problematic in itself, article 9 of Resolution 3128 (2011) grants total freedom to authorities of almost any kind to access this information. Specifically, it provides that administrative authorities “such as” Ministry of ICT (and others) “as well as” police and judicial authorities may query the updated information of the negative and positive databases “entry by entry”. There is no oversight mechanism, no motivation these authorities must declare in order to access the database, and no registry of such queries.

As for the verification system, the main concern is that regulator and government, by setting this system, overlooked the protection of communications ordered by Article 15 and 235 of the Constitution –judicial order in the context of a criminal investigation. When these concerns were raised during the regulatory process, the regulator asserted that the system is considered to be in compliance with Data Protection Law and thus, they argue, there is no bypass of privacy constitutional protections of any kind.

The whole system, databases and verification, is in hands of third parties not selected by the regulator or the government. The selection of the administrator of all this information and processes is systematically left to the operators, which they complete through private agreements. That hinders accountability and dilutes responsibility for any abuse of the system.

There are various scenarios when this system may come into play, deepening the risks to privacy. The customary (and sometimes arbitrary) police street search includes checking cellphone’s IMEI. This search allegedly aims to catch blacklisted devices but the system has the capability to identify the user, its cellphone number and address in the database. Also, the constitutional grounds on which the search of the cellphone is based are dubious at best. Other scenarios may include the use of IMSI catchers to extract information and the request of cellphone tower information that may be correlated with the cellphone registry.

In short, every device in Colombia (52M according to the most accurate estimates) should be associated with an individual, whose identity must be verified. At first look, any authority can access this database without being required to provide reasons for doing so or being subject to any control over this access. Also, the system forces operators to produce information on Colombians' mobile communications, including geolocation information, which can later be required by authorities to analyze patterns. A system to prevent cellphone theft such as the one described above and implemented by the Colombian government is unlawful in the sense that it was not set by formal law as required for such a massive privacy compromise, and it is disproportionate and unnecessary for its stated purposes.

Policies and Sectoral Initiatives

Cybersecurity policy

Since 2011, the Colombian government has been developing a cybersecurity policy with the help of OAS' Inter-American Committee against Terrorism. Up until 2014 Colombia has approved, enacted or promoted:

Most importantly, in 2011 CONPES 3701 recommended and secured financial resources to create four institutions which form the basic structure of cybersecurity in Colombia:

In spite of major illegal wiretapping scandals (See Examples of Surveillance), the cybersecurity policy was renewed in 2016 without addressing the flaws that allowed the abuse of security and surveillance capabilities.

Although the new strategy (CONPES 3854), heavily influenced by the OECD, changed part of its name from "cyber security" to "digital security" and included the protection of human rights as one of its pillars, it still contains a call to increase the capacities of intelligence and law enforcement agencies without a corresponding call to increase controls and transparency duties. The effects of the new strategy are yet to be assessed as it will be implemented over the next four years.

Cybercrime

Law 1273 of 2009 created new categories of offenses relating to cybercrime and data protection. These include abusive access to a computer system (modifying the Penal Code); unlawful obstruction of the computer system or telecommunications network; interception of computer data; computer damage; use of malicious software; theft using computers; violation of personal data; phishing to capture personal data and unauthorized transfer of assets.

The law also extended protection to systems that use information technologies and communications. Act 1273 of 2009 concretely created new criminal offenses related to computer crimes and the protection of information and data, with imprisonment penalties up to 120 months and fines up to USD 1,500 minimum statutory monthly wages.

In 2011, Colombian agencies – including the Ministry of the Interior and Justice, Ministry of Foreign Affairs, Ministry of Defense, Ministry of Information and Communication Technologies, Department of Security Administration, National Planning Department, and Office of the Attorney General – issued policy guidelines on cybersecurity and cyberdefense. The overall objective of the policy was “to strengthen the capabilities the state to confront threats that undermine its security and defense in cyberspace (cybersecurity and cyberdefense), creating the necessary environment and conditions to provide protection therein.” It proposed a new collaborative coordination model overseen by an Intersectoral Committee, with the Cyber Emergency Response Team (ColCERT) coordinating cybersecurity and cyberdefense nationwide.

In late 2014, the Colombian police released a report indicating that cybercrime levels had increased significantly.

Encryption

In Colombia, the discussion about the legitimacy of using encrypted communications must start from the fact that there is already legislation on the matter. Initially, Law 104 of 1993 prohibited sending “encrypted messages or in unintelligible language” in “all communication devices using the electromagnetic spectrum”. In ruling C-586 of 1995 the Colombian Constitutional Court reviewed this law and found it compatible with the Constitution. Four years later the text of this statute was revived in article 103 of Law 418 of 1997, which regulates the use of the electromagnetic spectrum. Thereafter, this provision has been continuously renewed, with Law 1738 of 2014 extending its validity until 2018.

Therefore, according to these multiple laws, sending encrypted messages or in unintelligible language is banned in all communication devices using the electromagnetic spectrum. However, it is unclear whether these laws would also cover encrypted communications on the internet. Besides, this total ban has an exception. Law 1621 of 2013, by means of which intelligence activities are regulated, provides that telecommunications services providers must offer encrypted voice call service to high government and intelligence officials.

Licensing of industry

In 2014, nine operators provided mobile services in Colombia: Comcel, Movistar, Tigo, Uff Móvil, Une EPM, Avantel, ETB, Virgin Mobile, and Éxito. Of these, Comcel commanded 56.61 % of total subscriptions, followed by Movistar with 23.97 % and Tigo with 15.42 %.

The main internet providers in Colombia are Telecom/Telefónica, ETB, EPM, Coldecon, and Telmex Colombia S.A.

E-governance/digital agenda

According to the Colombian government, Colombia is the e-government leader in Latin America and the sixth country in the world in e-participation. In 2010 no local authority had a high level in e-government standards. Nevertheless, in 2014 52% of national and local authorities in the country registered a high level in the metrics of the Online Government Program.

The Online Government Program is the Colombian e-government strategy, intended to build a more efficient, transparent and participatory State through ICT. The strategy focuses on the following 4 specific topics: (i) ICT for Open Government: looking to build a more transparent and collaborative State, where citizens are actively involved in decision making through ICT; (ii) ICT in services: aims to create the best online procedures and services to meet the most pressing needs of citizens; (iii) ICT for public administration: intends to make public administration more efficient through ICT; and (iv) Security and privacy of information: seeks to ensure information security for citizen’s data.

One of the projects that has been developed within this strategy is The Open Data Website managed by the Colombian Ministry of Information, Technology and Communications. The main function of the website is to publish, in a unified way and in open format, all data produced by public entities in Colombia. According to the Terms of Use of the website, the data available can be freely used by anyone that wishes to develop applications or value-added services, carry out analysis and research, exercise control tasks or undertake any other commercial or noncommercial activity. The user does not have to log in in order to consult the databases or download them. Nevertheless, a unique identifier called the SOCRATA ID (composed of an email address, a username and a password) is requested once the user decides to save a consulted database or the filters introduced in it. Likewise, if the user wants to comment on a database or suggest to the platform the creation of a new database that is not yet available online, he must first enter his SOCRATA ID.

Another project developed as part of the Online Government Program is the Urna de Cristal, an initiative intended to foster citizen participation and government transparency. This initiative was launched in 2010 and is composed of a multichannel platform that integrates traditional communication channels (such as television or radio) with digital ones (such as social networks, SMS and a website). According to the government, through these channels Colombians can know the developments and results of government initiatives, pose questions and queries to the authorities and directly engage with public affairs. The user does not have to log in in order to access the information that is available on the website. However, if the person wants to ask a question to a public entity, she must log in with her Facebook/Twitter account, or directly register at the website (by providing an email address and a username).

In addition, there is another project called Sí Virtual, a website intended to host procedures and integrated online services, with a unified interface to improve the user experience when performing transactions. Currently, the website includes 83 integrated online services and an intelligent search engine that helps the user to find the procedures for everyday situations. Besides, the website offers a map service, which assists the user with the location of public entities, as well as with the best routes to get there.

The Colombian data protection standards compiled by Law 1266 of 2008 and Law 1581 of 2012 are applicable to private and public databases. Therefore, any databases created by or hosted in any of the aforementioned platforms should comply with those standards.

Health sector and e-health

We are not aware of any privacy issues related to the health sector and e-health in Colombia. Please send any tips or information to: research@privacyinternational.org

Smart policing

Decades of insecurity and armed conflict have given rise to a burgeoning surveillance technology industry in Colombia, particularly for CCTV, video surveillance and biometric technologies.

Transport

We are not aware of any privacy issues related to transportation in Colombia. Please send any tips or information to: research@privacyinternational.org

Smart cities

We are not aware of any smart city initiatives in Colombia. Please send any tips or information to: research@privacyinternational.org

Migration

We are not aware of any privacy issues related to migration in Colombia. Please send any tips or information to: research@privacyinternational.org

Emergency response

We are not aware of any privacy issues related to emergency response in Colombia. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

We are not aware of any privacy issues related to humanitarian and development programmes in Colombia. Please send any tips or information to: research@privacyinternational.org

Social media

We are not aware of any privacy issues related to social media in Colombia. Please send any tips or information to: research@privacyinternational.org