Everyday governments around the world seek to extend their ability to monitor citizens’ communications. A tool for doing so is data retention.

By Juan Diego Castañeda*

Every sixty seconds on internet about 4 million Google searches are made, more than 200 million emails are sent and nearly 2 and a half million photos are uploaded to Facebook. Everyday governments around the world seek for ways to be more effective in the prosecution of crimes, but also plan to extend their ability to monitor citizens’ communications. A tool for doing so is data retention. Data retention is a policy consisting in capturing and retaining for a certain time some data generated by those using telecommunication services. Companies providing these services are key player as they are the obligatory path taking by our calls, messages, emails or our internet access. Therefore, these policies speak to them. Unlike what happens with copyrighted content control, the main goal is not regulating the behavior of users but simply keep track of their communications. To explain how it works, we need to know what data retain operators and for how long. In addition, we must learn what authorities may access and for what reason. As the purpose of this policy is to help Colombia in two different activities –investigation and punishment of crimes, and intelligence and counterintelligence work–, let see how data retention for these two activities is explained. Criminal Investigation In Colombia, the Prosecutor General is responsible for investigating and bringing to justice the facts that may be related to a crime. To perform its functions, the law gave to the agency some faculties within which it is requesting to the telecoms operators the personal data of its users. The decree regulating this power says that apart from the Prosecutor General, “other authorities” may require the data. This broad power was suspended temporarily and a final decision is expected. What data may request the Prosecutor? The rule says that it is “subscriber data, such as identity, billing address and connection type.” A very broad wording if it is understood that the identity, address and connection are included in the law as an example of what can be requested. “Subscriber data” can be anything, including metadata or content, and therefore, is not clear the scope of data retention duty. Intelligence Since 2013, the intelligence agencies are:

• -National Intelligence Office,

-Units created within each branch of the Armed Forces, which are the Army, Navy and -Air Force, -National Police, -Intelligence and Financial Analysis. Any of them can request to operators identification data, “location of the cells” and “communication history of telephone subscribers.” The wording used in the standard suggests that it speaks only about cell phone data communications. It is not clear what means “communication history,” a term which can range from metadata to content. For the Constitutional Court, this imprecision was not an obstacle to approve this article. As with the Prosecutor, the way in which the rule is written might imply that the intelligence agencies have guaranteed access to a large amount of personal information of users. Besides identification data, they can know what numbers were dialed, how long the call lasted and from where it was made. What more could mean “communication history”? The time during which operators must preserve user data is an exaggeration: five years for both criminal investigations and intelligence. In that sense, Colombia is far below any standard of protection of the right to privacy. For instance, the European directive on data retention,recently abrogated, allowed a period between 6 and 24 months. In Australia, it is a debate on a retention scheme permitting a maximum of 24 months. Unfortunately, time limit is not the only problem. Operators do not have to wait for the Prosecutor or an intelligence agency asks for data about specific individuals. Thanks to the samelaw that prohibits cell phone communications encryption, operators must ensure that the Police has remote access to a database containing the names and identification, location and residence address of the recipients of the service, as well as the cell phone number, and date and activation status (see Resolution 0912 of 2008 of the National Police). In addition, this information may be shared with other intelligence agencies through agreements between them, as provided by the Intelligence Law and rules that complement the first. Another feature of data retention in Colombia is that there is one scheme for criminal investigation and another for Intelligence. This difference makes more difficult to understand what authorities can do with our information. A data retention policy that best guarantees fundamental rights of citizens should be clear about what kind of data affect on, what type of communication is applied, who and for what reasons exist for accessing data. Having two standards on data retention, it not make hardest intelligence work, as it is expected that these agencies can request to the Prosecutor information they have collected in the criminal investigation. If effectively intelligence may only access to telephone communications data, they may also request the Prosecutor the result oflegal interception, ofdata retrieval andcommunication equipment passing through any means or database analysis. At first we said that data retention does not seek to change the behaviour of those who use the services provided by intermediaries. However, we know that constant vigilance can erode privacy, so that, among other behaviours, encourages obedience, as only when the individual becomes a defenceless and powerless person no longer is an interesting target. Shed any capacity for action seems to be the only way to get rid of the massive andindiscriminate surveillance. Nothing is more contrary to the ideal of democracy that these measures intended to defend. Moreover, along with the surveillance threat, we confront the historic capacity to monitor communications for a disproportionate period, equivalent to treating all citizens as suspicious. Some argue that “who owes nothing, fears nothing”, but repeating this adage in the context of mass surveillance is ignoring the necessity and importance of the right to privacy. On the contrary, if we were not involved in a crime, why would the Prosecutor or intelligence agencies wants to have access to our personal data and communications? That does not mean that persons suspected of committing a crime are not entitled to privacy. Even in these cases there are limits. The problem then is that data retention is an unjustified security measure against all citizens, and, asrecognized by the European Court of Justice, in itself, a violation of the fundamental right to privacy. While clarity on the data from our communications to be retained by the operators is lacking, despite they must do so for five years, documents of the former intelligence agency responsible for the worst scandals of illegal surveillance and harassment of opponents, judges and journalists that this country has seen are being lost. ::: * Juan Diego Castañeda (athpernath). Lawyer and investigator at  Fundación Karisma’s “Law, Internet and Society” Group. Translated by Amalia Toledo.