Colombian “Collect It All” Policy Uncovered

Since 1958 more than 220.000 people have been killed in Colombia because of the internal armed conflict. Due to the brutal practices of violence that have been used during more than six decades, there are around 30.000 disappeared and close to six million internally displaced persons. In order to fight against different illegally armed groups, the Colombian state has employed a broad spectrum of strategies. One of these is communications monitoring. The state’s use of equipment for communication surveillance has been both within the limits established by national and international laws and beyond them. Proof of this is the shameful Administrative Department of Security (DAS) [Departamento Administrativo de Seguridad] scandal. As has been established by the authorities, the now-defunct intelligence agency used illegal wiretapping against opposition politicians, media and other state institutions. Among the targeted individuals are also former presidents, Human Rights defenders and judges of the Supreme Court.

Last month the London-based NGO Privacy International published a Special Report on Colombia titled “Shadow State: Surveillance, Law and Order in Colombia”. The document offers detailed and well-documented information on government programs to monitor Colombian citizens’ communications. It also gives a detailed account of the technologies the security forces employ to monitor and surveil. Once close attention is paid to these technological capabilities and to its concrete use, it becomes clear that the Colombian state is monitoring communications beyond the legal national framework. What follows is a very brief summary of Colombia’s programs and technologies for monitoring and surveillance. It is important to note that these are programs of the intelligence service of the state; which additional technologies the army uses is not revealed for security reasons.

The Attorney General’s Office [Fiscalía General de la Nación] employs a program called “Esperanza” running since 2004. “Interception through Esperanza involves capturing individuals’ communications on a targeted basis, with the knowledge and cooperation of the telecommunications service provider, and is explicitly authorised under Colombian law.” (21) Esperanza is a legally constrained program with limited technical capabilities. In 2012 this program was housed in at least 5 rooms at the Attorney General’s Office headquarters in Bogotá, 15 more rooms at regional ‘sectional directorates’ and a further 8 rooms for specialized analysis. It is worth noticing that “at least six of these rooms received financial and technical support from the DEA [the US Drug Enforcement Agency], and DEA analysts share workplace with their Colombian Colleagues” (23).

Because Esperanza seemed too limited in its monitoring capabilities, the Directorate of Criminal Investigation and Interpol (DIJIN) [Dirección Central de Policía Judicial e Inteligencia] launched the Single Monitoring and Analysis Platform (PUMA) [Plataforma Única de Monitoreo y Análisis] in 2007. PUMA is “a phone and internet monitoring system linked directly to the service providers’ network infrastructure by a probe that copies vast amounts of data and sends it directly to DIJIN’s monitoring facilities.” (8) This kind of mass automated communications surveillance technology has been implemented with the service providers’ knowledge. With this technology the DIJIN is able to process and combine call data records and SMS with other types of data including images, video, and biometrics details (8). As PUMA is a tool for gathering and analyzing mass communication data, compared to Esperanza, “PUMA conducts a completely different and far more invasive form of surveillance. This is not only of concern from the perspective of public transparency and accountability; it also raises serious questions about the lawful basis of such a system. Interception is lawful in Colombia only when is conducted pursuant to a court order, following the formalities established by law” (14).

For their part, the Directorate of Police Intelligence (DIPOL) [Dirección de Inteligencia Policial] uses a different technology: The Integrated Recording System (IRS).This mass interception system was established in 2005 before PUMA. With the IRS the police was looking for a way to monitor the then newly developed 3G technology for mobile phones. With the aim of consolidating the use of the IRS, the DIPOL acquired the VANTAGE system, which is able to intercept, filter and categorize information in a way that analysts can search it for patterns as well as specific persons, numbers, servers, and other data of interest. Just like PUMA, IRS is a technology that does not respect the Colombian legal requirements for communication interception.

In 2012 the DIPOL got an additional tool to effectively process the vast quantities of information they were receiving. With this new platform, provided by Palantir, a US private software and services company specialized in data analysis, “it is possible to map out the connections between datasets, and individuals, with the possibility to categorise and analyse both information and individuals”(45). It also includes data from other sources such as Facebook and Twitter.

It is worth noticing that Colombian Police deny that they currently have the ability to tap internet traffic (39). However, according to a hacked email from Hacking Team, the DEA bought a technology “that will receive all the traffic for Colombian’s ISPs”. It is not clear if the DEA is collecting information in cooperation with Colombian authorities or if they are doing it directly. It is difficult to judge which of these scenarios more severely undermines the sovereignty of Colombia. Nonetheless, to some extent this confirms the O Globo newspaper’s claim that Colombia is the third most spied on country in Latin America, after Brazil and Mexico

Other hacked emails from Hacking Team reveal that Colombian Police bought intrusion software from that company. The Remote Control System (RCS) software provided by Hacking Team enable the police to “undertake targeted remote exploitation –hacking and subsequent control- of individual’s devices” (15). This kind of malware allows the user to control the infected device to the extent of capturing data on the device, remotely switching on and off webcams and microphones, copying files and typed passwords.

It is also worrying that Colombian Police lack required managerial skills as revealed in the hacked emails. It is very likely that Colombian taxpayers paid twice for software that operates beyond the national legal framework. Emails disclosed by Wikileaks suggest that Hacking Team members probably met Police officials in Colombia introducing themselves as members of another enterprise called NICE in order to sell the RCS for the second time. They planned the scam in a series of emails now publicly available online. Massimiliano Luppi from Hacking Team says: “In order to do so, anyone going to Colombia will be introduced as NICE person (so, better if [it] is a new face)” (Email sent on Jul 21, 2013, at 9:33 AM). They obviously worried about what would happen if someone recognized the product they were selling as the one they had already bought. Alex Velasco expressed his doubts about Luppi’s plan in this way: “If the client recognizes the console what would be their reaction knowing their (sic) is a singed contract on place and that we are trying to sell them the same product twice.? (sic) Will they be offended? I don’t think we are fooling anyone.” (Email sent on July 21, 2013 05:30 PM).

Officially, PUMA is not currently running in Colombia due to the Attorney General’s concerns about citizens’ privacy. In August 2014 he stated that the Attorney General’s Office is the only state agency empowered to order interception of communication or manage the equipment used for this (53). Unfortunately, hacked emails suggest another story.

Some of Privacy International’s conclusions are that “Colombia’s interception and monitoring systems operate in a legal framework that inadequately protects Colombian citizens’ constitutional right to privacy”, and that “most surveillance tools do not have built-in checks to prevent unlawful, arbitrary or discriminatory access to private communications data” (56).

Against the background of the information revealed by both Privacy International and some hacked emails, there is a plethora of questions that not only Colombia but also the international community should address. Some of those questions are in relation with the general issue of the relation between political action and the use of technology, in particular of the Internet. Other questions concern private-public partnerships in the cybersecurity sector.

The DAS scandal shows the risks opened up when a state is unable to guarantee that its capabilities to target individuals and intercept their communications are used only within the legal limits and not as a political weapon against its own citizens. It could be argued that since keeping the use of collecting and analyzing technologies within the limits of the law is technically difficult (even impossible in certain cases) and it is hard to control their use, it is inconvenient to get them in the first place. Moreover, if the capabilities presented above are in the hands of state officials who do not understand them, as confirmed to International Privacy by persons with direct experience (39), their mere existence is a threat to the citizenry. Furthermore, in a context of insecurity, such as the one in Colombia, it is possible that these technologies offer great advantages for the state over illegal groups, but at a very high price for democratic rights. Whether it is worth paying this price because of the exceptional political and social context of Colombia is something that Colombian society should address. Undoubtedly, Privacy International has made a significant contribution to that coming debate. Hopefully Colombians will take this chance to get into an urgent discussion both on the national and international level.