[1] PEGASUS is spyware developed by the Israeli cyber-arms company NSO Group and is designed to be covertly and remotely installed on mobile phones.
By Carolina Botero Cabrera, EL ESPECTADOR, September 7, 2024
(Translated by Eunice Gibson, CSN Volunteer Translator)
In one of President Petro’s few Presidential addresses—he says more on Twitter—he read a communication indicating that DIPOL (Police Intelligence) was the Colombian agency that purchased the Pegasus software for spying in 2021. This has to be the straw that broke the camel’s back and it spurred discussion of a bill reforming intelligence law that was introduced in the Senate this week.
There could be some questions about the timing of Petro’s choice to tell us this, but what he related confirms that the government is responsible for the arbitrary activities carried out by Intelligence, as the Inter-American Court for Human Rights declared in its holding in the case of CAJAR v. Colombia. There exists no legal framework that authorizes Intelligence to use spyware like Pegasus. On the contrary, without legal authority to intercept communications, Intelligence can’t assume that it is permitted to use spyware this intrusive. DIPOL has acquired a tool to carry out an activity for which it has no authority, to say nothing of the questionable conditions of transparency surrounding the purchase.
The Court ordered revision of the Intelligence Law to include provisions for human rights, and it also reminded us that intelligence activities are required to have legal support—a clear description in the law—to respond to the criteria of necessity and proportionality, to identify those responsible, and to be subject to independent controls and mechanisms for accountability.
Karisma, where I work, worked together with CAJAR, the U.N. Human Rights Office, and the National Intelligence Headquarters in revising Representative Alirio Uribe’s bill to comply with the Court’s decision. We focused on the oversight of communications. We were trying to create a human rights framework for capabilities that, with digital technology, are challenging. I will summarize some interesting elements.
Unlike Statute 1621 of 2013, which gave Intelligence the vague and abstract authority to “monitor the spectrum”, this bill describes its powers expressly, bringing them into the 21st century. This authority will be accompanied by principles, obligations, limits, and mechanisms for monitoring and control that protect privacy rights, freedom of expression, and rights to free assembly and association, all based on applicable international standards.
These powers included in the bill are related to technology: (i) intercepting communications that are well understood, including activities like capturing data through electronic communications, such as when authorities use stingray antennas that are able, for example, to collect text messages sent between cell phones within reach; (ii) entering electronic devices using tools like spyware, with limits and controls adapted to international standards such as those constructed by the U.N. Rapporteur on Anti-terrorism; (iii) requests for collaboration to furnish personal data, but from now on, telecommunications operators will retain the data of their subscribers not for five years (which at present is uneven internationally) but rather for six months. In addition, it requires judicial control both before and after, and includes other controls such as special requirements for the acquisition of the technology.
The Snowden scandal, when it revealed that the NSA in the United States had had direct access to the networks of telecommunications operators, sparked an international debate, which concluded that mass surveillance did not conform with human rights. So there are two prohibitions on mass surveillance: capture, copying, or storage of massive data, metadata, or communications traffic is not permitted, nor is direct access to points of connection, or to the managers of the data of operators of telecommunications networks. In Colombia, Decree 1704 of 2012 on interception of communications seems to allow the Attorney General’s Office, in an irregular manner, to carry out activities of that kind, and as this is being debated and reformed, the bill makes it clear that Intelligence may not have direct access to these networks.
Another prohibition that should be stressed is access to personal devices that are encrypted. In 2016, the FBI obtained a court order allowing Apple to break the code of the iPhone of one of the attackers at San Bernardino where 14 people died. At that time, it was argued that Apple could not comply without compromising the digital security of all iPhones. Finally, the FBI hired a firm that was able to open the device. This bill expressly prohibits pressuring makers of devices to break the codes or to open back doors. In addition, to deal with concerns about the harmful effects of technologies like artificial intelligence, specifically decisions that are completely automated, intelligence activities will have to have sufficient human supervision and clear attribution of who is responsible for the information or the forecasting that automated methods provide.
Finally, transparency will be a principle carried out through requirements, even in public information with statistical data and other details. This bill offers an opportunity to put forward a reform of Intelligence in a society that’s now resigned to abuses and anesthetized by scandals. It will contribute to allowing the citizens to have confidence in the agencies that carry out this function, and will provide security for those who do the work of intelligence in the legality and legitimacy of their activities. It’s not perfect, but I trust that the Congress can improve it as they debate it.