A new and disturbing law has almost made its way through the system in Mexico, awaiting only Presidential assent. Under this law, the police would be able to use a mobile phone’s geolocation system immediately, and without a warrant, in order to find that phone (see http://humanrightsgeek.blogspot.co.uk/2012/02/la-inconstitucionalidad-de-la.html – in Spanish, but translatable, and the excellent EFF’s blog https://www.eff.org/deeplinks/2012/03/mexico-adopts-surveillance-legislation ).
The law has been brought in, as I understand, to combat kidnappings, primarily of the children of prominent and influential people – and in many ways it is a classical response to a threat, echoing the various laws that justify intrusion and surveillance to combat the threat of terrorism, from the USA PATRIOT Act downwards. The law, so far, seems to have passed through the parliamentary system without much resistance, and with huge majorities in votes. In that sense, in the eyes of the powerful at least, it seems to be very popular. And yet it sends shivers down my spine, for a number of reasons.
The first is a theoretical concern: any additional surveillance, any additional privacy-intrusive technology or law should be considered very carefully before bring brought in. When I first heard this story, it brought to mind the words of cybersecurity expert Bruce Schneier, writing in 2010: “It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.”
What Scheier said about technology (which is excellent advice, though it seems to be consistently ignored) is equally – and perhaps even more perniciously – true about laws. It is very, very bad civic hygiene to enact laws that could be used to facilitate a police state. In the case of this Mexican law, the ‘police state’ analogy is much closer than in many situations. This doesn’t just make a police state a possibility – on the surface at least it provides the police with an exceptionally powerful tool, with almost no checks and balances.
The second is much more immediately and practically dangerous. As someone who works in the field of privacy and the net, I am all too aware of another story that has been coming out of Mexico over the last year or two: the way that at least four Mexican bloggers have been brutally murdered – decapitated – apparently by the drugs cartels. The bloggers try to work anonymously, but somehow the cartels locate them and kill them. Geolocation might have been used – it is hard to know – but providing another tool to the cartels would seem to put the crucial blogging community at even more risk. By putting a tool in the hands of the police, there is a more than theoretical risk that this tool will be able to be used by the cartels.
These two thoughts – one more theoretical, the other highly practical – are intrinsically linked. The practical risk is a prime example of why the theoretical consideration is important. If we build these systems, and set in place these laws, we need to consider the implications no just insofar as the technologies and laws are ‘intended’ to be used, by the ‘good guys’, but look at what might happen, how they might be used by the ‘bad guys’. Those ‘bad guys’ might be as obviously ‘bad’ as the drugs cartels in Mexico, but they might equally be governments wishing to suppress what they think of as ‘disorder’ but the participants think of as their right to free assembly, to free expression. In the UK, for example, a protest against the government plans for our health service is being planned and the police are concerned about potential disorder, wouldn’t it be nice for the police to be able to track the key organisers? The possibilities and implications are huge…
This is a key moment. If they do this in Mexico, where will it happen next? Law-makers and police forces worldwide may be watching events in Mexico with a great deal of interest.
Paul Bernal's Blog 
This post is a must-read. Please, rest of world, don’t turn away but see/listen? @PaulbernalUK
Thing is, as you put it, “the good guys” need to go thru so much bull to be able to receive a provision that may or may not arrive, and if it does, it may simply be too late, whereas “the bad guys” don’t give a royal ____ about wether it’s lawful or not. Other countries have given way to geolocation without any big turmoil, and they would offer a huge tool on “the good guys” favor, a tool that “the bad guys” are probably already using.
But in the UK the police do not need a warrant to locate a phone. Cellular location data is obtained by requests made under RIPA – no judge, but an internal process of authorisation that is eventually submitted to a telco.
GPS and WLAN data are not held by telcos or subject to RIPA … so this raises a question about how such data are obtained under the DPA from say, mobile app platforms ….
Amongst other things, how the Communications Data Bill might apply to GPS data is a somewhat debatable point… but otherwise, you’re quite right. In Mexico, however, the point was to grant real-time warrantless access to GPS feeds, rather than just held data, allowing pin-point location information as it happens.
But you are assuming LEAs in the UK do not have such access under RIPA. One of the key points here I think, and as you well argue, is the integrity of the process and those behind it.
Yes, and part of the issue is that by specifically setting it out in law makes it somehow ‘acceptable’…. I know they might well do a lot of it anyway, but legitimising it does make a difference….
The data surveillance in Pakistan is comparatively lenient and the government is trying to narrow their fingers on Data protection and more importantly ‘data access and GPS tracking’.
Smells like a bad hand up a Goats Crack.