Peru's Online Crime Bill Harms Innovation and Privacy (EFF.org)
Wednesday August 1st, 2012
The Peruvian National Anthem proudly proclaims: "We are free! May we always be so!" Yet the Peruvian Congress is considering a sweeping new computer crime bill that threatens the privacy and online free expression of law-abiding Peruvians. Peruvians should stand against this ill-conceived bill that will place limits on what they are allowed to do with their own computers. Peruvians should take a cue from Canadians, who mobilized resistance to a similar online surveillance bill earlier this year.
The bill's current wording would create legal woes for security experts working to expose security flaws. As currently written, the bill threatens coders' ability to access information systems for security testing without explicit permission. If the Peruvian Congress moves to enact this bill as currently written, Peruvian engineers who study others' systems for legitimate security research and testing may become criminals. A bill like this threatens the ability of new, engineering-driven companies to develop a wide range of innovative third-party applications and platforms that are capable of interacting and interoperating with online companies. It also shuts down the possibility of fostering a local security industry that seeks to responsibly report security vulnerabilities, so as to improve security of Peru's critical infrastructure.
The bill also threatens the privacy of law-abiding Peruvians. The Peruvian government plans to give police and prosecutors greater online surveillance powers to collect personal identifiers--including IP addresses, mobile device identifiers, and device owner's names--by excluding these identifiers from its current constitutional and regulatory framework protections. The bill reinforces the misconception--popularized by the 2001 Cybercrime convention--that traffic data is "less sensitive" than the content of an online communication. This misconception is not only dead wrong; it also poses a serious threat to people's privacy.
Personal identifiers (such as IP addresses) when linked to another piece of information can reveal far more sensitive information than ever before, such as online identities, activities, social contacts, and location trails. Once an IP address is linked to an individual, it becomes easy to construct a dossier that can be profiled, mined, and analyzed. Mobile device identifiers also disclose a vast amount of personal information. New technologies can easily track people's mobile devices to reveal their locations, this is why effective legal safeguards and check and balance are needed.
While the bill explicitly states its intention to exclude Peruvians' IP addresses and other identifiers from constitutional protection, it also compels telecommunications and Internet companies to hand over these identifiers to law enforcement and prosecutors upon a judge's authorization. This murky landscape shouldn't be murky: Personal identifiers should keep enjoying the same level of protection as currently guaranteed by the Peruvian Constitution and other regulatory frameworks, including its judicial guarantee.
In sum, the Peruvian Congress should postpone voting on the bill, and hold an open and democratic debate. This bill, as currently written, converts legitimate activities of ordinary people into "criminal" activities. Moreover, it jeopardizes the rights of law-abiding Peruvian citizens and hinders the development of an innovative technology industry. Stay tuned: We will keep an eye on the overall proposal as the debate unfolds.