Search
Content type: News & Analysis
On 30 January 2020, Kenya’s High Court handed down its judgment on the validity of the implementation of the National Integrated Identity Management System (NIIMS), known as the Huduma Namba. Privacy International submitted an expert witness testimony in the case. We await the final text of the judgment, but the summaries presented by the judges in Court outline the key findings of the Court. Whilst there is much there that is disappointing, the Court found that the implementation of NIIMS…
Content type: Advocacy
We welcome the effort by the Government of Kenya to give life to and specify the right to privacy, already enshrined in Article 31(c) and (d) of the Constitution of Kenya by proposing a draft Data Protection Act. We particularly appreciate the direct reference to this Constitutional right in the purpose of the Act and the way it is referred to on several occasions in the Act.
While these efforts have positive intentions and we are pleased that Kenya has adopted a comprehensive data protection…
Content type: News & Analysis
Today Advocate General (AG) Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU), issued his opinions (C-623/17, C-511/18 and C-512/18 and C-520/18) on how he believes the Court should rule on vital questions relating to the conditions under which security and intelligence agencies in the UK, France and Belgium could have access to communications data retained by telecommunications providers.
The AG addressed two major questions:
(1) When states seek to impose…
Content type: News & Analysis
Send a Freedom of Information Request to your local police for to see if they are using cloud extraction here.
On 12 December 2018 a member of Lancashire Police Department UK told viewers of a Cellebrite webinar that they were using Cellebrite's Cloud Analyser to obtain cloud based 'evidence'. In response to a Freedom of Information request Hampshire Constabulary told Privacy International they were using Cellebrite Cloud Analyser.
They are not alone. In Cellebrite's…
Content type: Advocacy
As any data protection lawyer and privacy activist will attest, there’s nothing like a well-designed and enforced data protection law to keep the totalitarian tendencies of modern Big Brother in check.
While the EU’s data protection rules aren’t perfect, they at least provide some limits over how far EU bodies, governments and corporations can go when they decide to spy on people.
This is something the bloc’s border control agency, Frontex, learned recently after coming up with a plan to…
Content type: Long Read
The pressing need to fix our cybersecurity (mis)understandings
Despite all the efforts made so far by different, cybersecurity remains a disputed concept. Some states are still approving cybersecurity laws as an excuse to increase their surveillance powers. Despite cybersecurity and cybercrime being different concepts, the confusion between them and the broad application of criminal statutes is still leading to the criminalise legitimate behaviour.
All of this represents a sizable challenge…
Content type: Long Read
Photo by Nadine Shaabana on Unsplash
Digital identity providers
Around the world, we are seeing the growth of digital IDs, and companies looking to offer ways for people to prove their identity online and off. The UK is no exception; indeed, the trade body for the UK tech industry is calling for the development of a “digital identity ecosystem”, with private companies providing a key role. Having a role for private companies in this sector is not necessarily a problem: after all, …
Content type: News & Analysis
Today, the High Court of South Africa in Pretoria in a historic decision declared that bulk interception by the South African National Communications Centre is unlawful and invalid.
The judgment is a powerful rejection of years of secret and unchecked surveillance by South African authorities against millions of people - irrespective of whether they reside in South Africa.
The case was brought by two applicants, the amaBhungane Centre for Investigative Journalism and journalist Stephen…
Content type: Long Read
In December 2018, Privacy international exposed the dubious practices of some of the most popular apps in the world.
Out of the 36 apps we tested, we found that 61% automatically transfer data to Facebook the moment a user opens the app. This happens whether the user has a Facebook account or not, and whether they are logged into Facebook or not. We also found that some of those apps routinely send Facebook incredibly detailed and sometimes sensitive personal data. Again, it didn’t matter if…
Content type: News & Analysis
The Watson/Tele2 decision of the CJEU concerned section 1 and 2 of DRIPA and the Data Retention Regulations 2014. This contained the legislative scheme concerning the power of the Secretary of State to require communications service providers to retain communications data. Part 3 of the Counter-Terrorism and Security Act 2015 amended DRIPA so that an additional category of data - that necessary to resolve Internet Protocol addresses - could be included in a requirement to retain…
Content type: News & Analysis
While people may think that providing their photos and data is a small price to pay for the entertainment FaceApp offers, the app raises concerns about privacy, manipulation, and data exploitation—although these concerns are not necessarily unique to FaceApp.
According to FaceApp's terms of use and privacy policy, people are giving FaceApp "a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license" to use or publish the…
Content type: Long Read
Join our campaign with Liberty and write to your local Police and Crime Commissioner (PCC). Your PCC works on your behalf to hold your local police force to account, so you can share your concerns about police spying tech with them.
You can download our new campaign pack (pdf link at the bottom of the page) to learn more about the police surveillance technology that might already be being used in your local area, and find out what you can do to get your police force to be more accountable to…
Content type: Long Read
When you go abroad, you expect to show your passport right? But what if immigration authorities wanted access to your Facebook, Instagram and Twitter accounts before they let you enter a country? What if they wanted to vet you based on your updates, photos, likes, retweets and even your DMs?
We think social media companies, who make literally billions of dollars out of you, and wield massive power and influence, should challenge governments on YOUR behalf. They should be protecting their users…
Content type: Long Read
Details of case:
R (on the application of Privacy International) (Appellant) v Investigatory Powers Tribunal and others (Respondents)
[2019] UKSC 22
15 May 2019
The judgment
What two questions was the Supreme Court asked to answer?
Whether section 67(8) of RIPA 2000 “ousts” the supervisory jurisdiction of the High Court to quash a judgment of the Investigatory Powers Tribunal for error of law?
Whether, and, if so, in accordance with what principles, Parliament may by…
Content type: Press release
The Irish Data Protection Commission has today launched an inquiry into the data practices of ad-tech company Quantcast, a major player in the online tracking industry. PI's 2018 investigation and subsequent submission to the Irish DPC showed how the company is systematically collecting and exploiting people's data in ways people are unaware of. PI also investigated and complained about Acxiom, Criteo, Experian, Equifax, Oracle, and Tapad.
PI welcomes this announcement and its focus on…
Content type: News & Analysis
In December 2018, we revealed how some of the most widely used apps in the Google Play Store automatically send personal data to Facebook the moment they are launched. That happens even if you don't have a Facebook account or are logged out of the Facebook platform (watch our talk at the Chaos Communication Congress (CCC) in Leipzig or read our full legal analysis here).
Today, we have some good news for you: we retested all the apps from our report and it seems as if we…
Content type: Impact Case Study
What Happened
On 5 June 2013, The Guardian published the first in a series of documents disclosed by Edward Snowden, a whistleblower who had worked with the NSA. The documents revealed wide-ranging mass surveillance programs conducted by the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ), which capture the communications and data of hundreds of millions of people around the world. In addition to revealing the mass surveillance programs of the…
Content type: Long Read
Yesterday, the European Court of Human Rights issued its judgement in Big Brother Watch & Others V. the UK. Below, we answer some of the main questions relating to the case.
What's the ruling all about?
In a nutshell, one of the world's most important courts, the European Court of Human Rights, yesterday found that certain UK laws about how intelligence agencies can spy on our internet communications breach our human rights. These surveillance laws have meant that the UK intelligence…
Content type: Advocacy
We welcome the effort by the Pakistani Ministry of Information Technology and Telecommunications to regulate the processing of personal data in Pakistan, and take measures to guarantee the right to privacy as guaranteed under Article 14(1) of the Constitution: “[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable.”
This legislative development is crucial and timely as Pakistan continues to embrace innovative governance initiatives and deploy data-intensive systems…
Content type: Impact Case Study
PI and our global partners have been at the forefront of challenging communications data retention for over a decade.
What is the problem
Communications data, also known as metadata, tells a story about your digital activity and answers the who, when, what, and how of a specific communication. While communications data doesn't include the contents of a message, all of the other information about the message can be very revealing about people, their habits, thoughts, health and personal…
Content type: Impact Case Study
What happened
The Clinton Administration kicked off the cypto-wars in 1993 with the Clipper Chip. The continued application of export controls restrained the deployment of strong cryptography in products at a key moment of internet history: as it began to be embedded in software and networking.
What we did
In the early phases of the crypto-wars we placed pressure on global industry to implement encryption in their products. We ran campaigns and events across the world on the need for…
Content type: Impact Case Study
What is the problem
Business models of lots of companies is based on data exploitation. Big Tech companies such Google, Amazon, Facebook; data brokers; online services; apps and many others collect, use and share huge amounts of data about us, frequently without our explicit consent of knowledge. Using implicit attributes of low-cost devices, their ‘free’ services or apps and other sources, they create unmatched tracking and targeting capabilities which are being used against us.
Why it is…
Content type: Impact Case Study
What happened
In the aftermath of 9/11, Governments across the world rushed to legislate to expand surveillance. Governments
Moved to limit debate and reduce consultations as they legislated with speed.
Created new systems to collect data on all travellers, for the purpose of profiling and risk scoring.
Expanded identity schemes, and began demanding biometrics, particularly at borders.
Developed financial surveillance mechanisms on an unprecedented scale.
What we did
Few non-…
Content type: Impact Case Study
What happened
Governments continuously seek to expand their communications surveillance powers. In the 1990s it was in the context of applying telephone surveillance laws to the internet. In the 2000s a spate of new laws arrived in response to 9/11. Expansions were then sought to monitor over-the-top services within the framing of Web 2.0. Then in the post-Snowden environment Governments rushed to legislate their previously secret powers.
What we did
We…
Content type: Impact Case Study
What happened
Under pressure to be more accountable for their use of resources, but also due to the post-9/11 push to track and identify terrorists across the world, the humanitarian and development sectors began increasingly to look to identity registration, including biometrics, and the collection and sharing of vast amounts of data on their beneficiaries.
Development funding was supporting the deployment of ID systems, and both sectors were enthralled with ‘big data’ initiatives, all…
Content type: Impact Case Study
What is the problem
In the 1990s privacy was often maligned as a ‘rich Westerner’s right’. We were told often that non-Westerners didn’t need privacy and had different cultural attitudes and would greet surveillance policies and technologies — often exported from the West.
Global civil society was composed mostly of a few individuals with no resources but great passion. The larger and more established NGOs, such as consumer and human rights organisations were less interested in ‘digital’ and ‘…
Content type: Impact Case Study
What happened
Since the late 1980s governments across the world have been trying to build identity registries. By the early 1990s, there were similar policies being pursued by a number of governments across the Pacific region, with similar technologies from the same companies. In the mid-90s ID cards became a ‘modern’ policy, implementing smart cards. By 9/11 biometric IDs became the preferred solution to undefinable problems. Then came vast databases of biometrics to identify people — with…
Content type: Impact Case Study
[Photo By Ludovic Courtès - Own work, CC BY-SA 3.0]
Last update: 14 December 2022
What is the problem and why it is important
Until the early '10s, the right to privacy had been sidelined and largely unaddressed within the UN human rights monitoring mechanisms, despite being upheld as a fundamental human right in the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR).
Beyond the ICCPR General Comment No.16:…
Content type: Impact Case Study
What happened
Strong and effective data protection law is a necessary safeguard against industry and governments' quest to exploit our data. A once-in-a-generation moment arose to reform the global standard on data protection law when the European Union decided to create a new legal regime. PI had to fight to ensure it wasn't a moment where governments and industry would collude to reduce protections.
In January 2012, the European Commission published a proposal to comprehensively reform…
Content type: Long Read
On 17 October 2016, the Investigatory Powers Tribunal handed down judgment in a case brought by Privacy International against the Foreign Secretary, the Home Secretary and the three Security and Intelligence Agencies (MI5, MI6 and GCHQ).
The case concerned the Agencies’ acquisition and use of bulk personal datasets (‘BPD’) – datasets that contain personal data about individuals, the majority of whom are unlikely to be of intelligence interest, such as passport databases and finance-related…