Citing the United Nations’ Universal Declaration of Human Rights, Access Now, an organization that advocates for open digital communication, called for the prohibition of government hacking in its report “A Human Rights Response to Government Hacking,” released on Tuesday.
“Hacking is one of the most invasive activities governments can engage in, yet it is occurring in the dark, without public debate. It is critical for governments, law enforcement, technologists, and civil society to have an honest conversation about the impact of government hacking in the digital age,” said Amie Stepanovich, U.S. policy manager at Access Now.
The report said that most government hacking infringes upon the human rights of property, freedom of opinion, freedom of thought, freedom from arbitrary attacks on privacy, freedom of assembly, and right to a fair trial.
It defines hacking in three areas: to control messaging to the public, to intentionally cause damage, and to commission intelligence or surveillance gathering.
The report condemns the first two hacking practices outright, and proposes “Ten Human Rights Safeguards for Government Hacking,” restricting intelligence and surveillance hacking to the “rare, limited, exceptional cases” for which it is essential:
- Government hacking must be explicitly provided for by law.
- The government must explain why hacking is the least invasive means for accessing protected information.
- Hacking operations must never occur in perpetuity.
- Governments must apply to a “competent judicial authority who is legally and practically independent from the entity requesting the authorization.”
- Governments must provide notice to the target of the operation and to owners of the devices and networks affected, when possible.
- Agencies must publish the extent of their hacking in annual reports.
- Governments cannot compel private entities to act in a way that would undermine the security of their products and services.
- Governments must report back to the judicial authority if their hacking exceeds initial authorization.
- Extraterritorial hacking should not occur without specific authority.
- Agencies conducting hacking should disclose all vulnerabilities that they discover or purchase.
Through the seventh requirement, the report strongly sides with the private sector’s stance on strong encryption, which has often run up against the FBI stance that law enforcement should have some means of access when in possession of a warrant.
Though the report cites U.N. policy and international law, it is less specific about who should ideally enforce its Ten Human Rights Safeguards for Government Hacking.