A new and disturbing law has almost made its way through the system in Mexico, awaiting only Presidential assent. Under this law, the police would be able to use a mobile phone’s geolocation system immediately, and without a warrant, in order to find that phone (see http://humanrightsgeek.blogspot.co.uk/2012/02/la-inconstitucionalidad-de-la.html - in Spanish, but translatable, and the excellent EFF’s blog https://www.eff.org/deeplinks/2012/03/mexico-adopts-surveillance-legislation ).
The law has been brought in, as I understand, to combat kidnappings, primarily of the children of prominent and influential people – and in many ways it is a classical response to a threat, echoing the various laws that justify intrusion and surveillance to combat the threat of terrorism, from the USA PATRIOT Act downwards. The law, so far, seems to have passed through the parliamentary system without much resistance, and with huge majorities in votes. In that sense, in the eyes of the powerful at least, it seems to be very popular. And yet it sends shivers down my spine, for a number of reasons.
The first is a theoretical concern: any additional surveillance, any additional privacy-intrusive technology or law should be considered very carefully before bring brought in. When I first heard this story, it brought to mind the words of cybersecurity expert Bruce Schneier, writing in 2010: “It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.”
What Scheier said about technology (which is excellent advice, though it seems to be consistently ignored) is equally – and perhaps even more perniciously – true about laws. It is very, very bad civic hygiene to enact laws that could be used to facilitate a police state. In the case of this Mexican law, the ‘police state’ analogy is much closer than in many situations. This doesn’t just make a police state a possibility – on the surface at least it provides the police with an exceptionally powerful tool, with almost no checks and balances.
The second is much more immediately and practically dangerous. As someone who works in the field of privacy and the net, I am all too aware of another story that has been coming out of Mexico over the last year or two: the way that at least four Mexican bloggers have been brutally murdered – decapitated – apparently by the drugs cartels. The bloggers try to work anonymously, but somehow the cartels locate them and kill them. Geolocation might have been used – it is hard to know – but providing another tool to the cartels would seem to put the crucial blogging community at even more risk. By putting a tool in the hands of the police, there is a more than theoretical risk that this tool will be able to be used by the cartels.
These two thoughts – one more theoretical, the other highly practical – are intrinsically linked. The practical risk is a prime example of why the theoretical consideration is important. If we build these systems, and set in place these laws, we need to consider the implications no just insofar as the technologies and laws are ‘intended’ to be used, by the ‘good guys’, but look at what might happen, how they might be used by the ‘bad guys’. Those ‘bad guys’ might be as obviously ‘bad’ as the drugs cartels in Mexico, but they might equally be governments wishing to suppress what they think of as ‘disorder’ but the participants think of as their right to free assembly, to free expression. In the UK, for example, a protest against the government plans for our health service is being planned and the police are concerned about potential disorder, wouldn’t it be nice for the police to be able to track the key organisers? The possibilities and implications are huge…
This is a key moment. If they do this in Mexico, where will it happen next? Law-makers and police forces worldwide may be watching events in Mexico with a great deal of interest.