Ending unchecked, illegal wiretapping practices
Technical equipment placed inside mobile telecommunications companies has allowed the authorities systematically monitor citizens’ mobile communications. Parliament should move to establish sufficient oversight over law-enforcement and security services to end abuse.
Using equipment they had installed in wireless communications service providers’ infrastructure, the Ministry of Interior’s Constitutional Security Department (KUD) and the Special Operations Department (SOD) have been able to directly access all communications data, an executive of a major telecommunications service provider told TI Georgia. The monitoring infrastructure still has not been removed and remains in place after the elections, according to the executive, who asked not to be named.
The telecom manager told TI Georgia that the only requests for the release of clients’ data coming from the authorities have concerned the release of billing information. In these cases, procedures were followed by the authorities and the necessary court orders were presented. All other data appears to have been – and continues to be – fully accessible to the authorities, without requiring further cooperation from the side of telecommunication operators, and most likely without any direct court oversight.
On 18 November, 12 employees of the Ministry of Interior were detained. According to a statement issued by the Prosecutor’s Office, the suspects had developed a computer virus, under orders from the head of the KUD. The virus, so-called spyware, was allegedly used for unauthorized audio and video surveillance of politicians, political activists and religious organisations. Audio recordings, which were posted on YouTube ahead of the parliamentary elections and which appeared to reveal internal discussions of Georgian Dream representatives, were also illegally obtained using this computer virus, according to the Prosecutor’s Office.
In September, the team of Bidzina Ivanishvili, at that time the opposition leader, had told the Washington Post that computers used by the Ivanishvili family and campaign staff had been infiltrated and that a virus had been installed, possibly through cooperation with internet service providers, allowing the authorities to spy on and monitor users’ behavior.
Need for independent oversight of law enforcement and security services
It is very likely that the direct access to telecommunications data and also the content of users’ communication has been accessed by the authorities without the necessary court permission. Such practice need to end, in order to protect citizens’ right to privacy and the rights of political groups, journalists, lawyers, and others whose activities are undermined if they cannot rely on the secrecy of their electronic communication.
The new government should ensure appropriate oversight over the activities of secret services and ensure that law enforcement agencies only use surveillance technologies and access private communications data in line with the law and with permission from a court to do so.
Furthermore, the new government should ensure a higher level of transparency and publicly disclose to what extent the law enforcement and security services have the technical ability to monitor the telecommunication and internet usage of people living in Georgia.
Is surveillance and data retention legal in Georgia?
On October 24, the Georgian Young Lawyers’ Association achieved an important victory when the Constitutional Court upheld the organizations’ complaint against a law allowing the authorities to monitor a citizen’s internet traffic without a court order.
The Georgian Constitution ensures the protection of the private life, place of personal activity, personal records, correspondence, and communication by telephone or other technical means (Article 20). These fundamental rights are not absolute and they can be restricted. However, the state has to justify all kind of restriction of these freedoms and is obliged to protect these freedoms. The constitution says that the restriction of these fundamental freedoms is allowed with the permission of the court or without such a decision in cases of the urgent necessity defined by law.
The law on Operative and Investigation Activity allows law enforcement agencies to use eavesdropping, wiretapping, accessing computer systems and the use of spy software (Articles 7, 14). The law requires a court permission for investigators to use these techniques. In urgent cases, investigators may act without a court permission but later shall inform a court and seek permission.
The Criminal Procedure Code protects a citizen’s right to privacy during a criminal investigation and states that there should be no arbitrary and illegal interference in the private lives of others (Article 7). Private data is protected, and a person whose rights were violated by illegally disclosing private information has a right to be compensated for damages. For infiltrating a computer or data storage, investigators require a court permission (the court has to decide within 24 hours).
The court order granting permission to access a suspect’s computer should define the type of communication service used, the timeframe, the user's communication identity, postal or geographic address, telephone and other access number, billing and payment information any other information concerning the location of the installation of communication equipment (Article 136).
The prosecutor also has to obtain a court order granting permission to monitor a suspect’s internet traffic and electronic communication. Telecommunication providers are obliged to cooperate with the investigation and provide the necessary support (Article 137). In case of urgent necessity, the investigative activity may be conducted without court order, however, the prosecutor has to inform the judge about any measures taken and submit the investigation’s materials within 24 hours (Article 112 (5)).
The Criminal Code of Georgia protects the private life of the persons including the secrecy of the private conversations, correspondence and communication. The illegal obtaining, storing or dissemination of personal or family secrets is punishable, as is the illegal interception of private conversation or disclosure of the information (Articles 157, 158). The unauthorized disclosure of the personal correspondence, including phone conversations, which has been received and/or transmitted through technical means is also illegal (Article 159).
The Law on Electronic Communication provides protection for secrecy of electronically transmitted information which can only be restricted under certain conditions. Communication data is considered the user’s property. The law also highlights that individuals working in telecommunications companies have to protect the privacy of the company’s customers and their information (Article 8).
The European approach to data surveillance
The European Union’s Data Retention Directive requires all 27 member states to store citizens’ telecommunications data for at least six but no longer than 24 months. Police and security services are able to request details including IP addresses, the senders and recipients of emails, the time and location of users and details about phone calls and text messages sent and received. However, a court permission is required for authorities to obtain such information from telecom operators.
The directive applies to traffic and location data that is necessary to identify users but it does not apply to the content of electronic communication. Nonetheless, even this information may reveal a lot about a citizen’s private life, as this visualization of communications data that a German member of Parliament obtained from his mobile phone operator highlights.
The EU Data Retention Directive has been sharply criticised by human rights and privacy activists for undermining people’s right to privacy and thus the concept of a free society. Critics argue that the rules also disrupt the activities of reporters, lawyers, politically active citizens and business people who can no longer ensure the protection of sources they communicate with electronically and use electronic communication to conduct activities that rely on discretion.
In Germany, the Federal Constitutional Court has declared part of the data retention legislation as unconstitutional; in several other countries courts have yet to rule on this issue.
The G-MEDIA program is made possible by support from the American people through USAID. The content and opinions expressed herein are those of Transparency International Georgia and do not reflect the views of the U.S. Government, USAID or IREX.