Anti-Terrorism Act Poses Familiar Risk of “Voluntary Disclosure” – Warrantless Request on Subscriber Data Now Extends to Contents of Communications

The Anti-Terrorism Act aims to punish or investigate the members of the UN-designated terrorist organizations or those having committed or suspicious of having committed preparation, conspiracy, advocacy for terrorism. Despite the legitimate purpose, Open Net Korea demands amending one poison pill that creates the risk of warrantless wiretapping and surveillance by National Intelligence Service (NIS) on ALL people, not just terrorist suspected terrorists.

Article 9(3) states that NIS Chief can request personal information and geo-location information of a terrorist suspect including sensitive information and fails to state any procedural requirement or restriction on the scope of data, which means that no third party supervision is to be done and that the accessed data can include communication content or any other confidentially held data.

Although the provision merely authorizes NIS to request such data and does not explicitly require the communication service providers to fill such request, its overwhelming impact can be easily predicted from the public’s experience with other seemingly ‘voluntary disclosure’ provisions. Article 83(3) of Telecommunications Act and Article 199(2) Criminal Procedure Act are such provisions authorizing voluntary disclosure by the telecom service operators and the public agencies but such provision resulted in more than 10 million people’s identification data being disclosed every year in the country of more than 50 million people in the years 2012-2014! (MP CHOI Wonsik’s Press Relese, August 27, 2015) Because there is no third party supervision or judicial supervision, the investigative authorities make data requests without any restraint, and the public and private agencies tamed under state paternalism fill all those requests as if they are mandatory orders or warrants. This is why Open Net is arguing that, although Article 9(3) is supposed to be applied only to suspected terrorists, it is likely to be expanded to people with no or little suspicion: There is no supervision on requesting and the companies are ready to fill all the requests.

What is even more diabolical, unlike the two other provisions limited to telecom subscriber identification data or sector-specific data, the Anti-Terrorism Act provision covers ALL personal data. Although Article 9(1) states that all data collection will be done through the existing laws requiring judicial supervision, it refers only to the mandatory surveillance. Article 9(3) can be said to have created a bypass that we at Open Net predict will become hugely popular.

Article 9(4) goes further, authorizing NIS to “track suspected terrorists” without any time, place, manner restriction (not even the run-of-the-mill delegation to enforcement decrees), which can easily include the controversial RCS-type hacking.

It is accepted that other countries’ counter-terrorism laws to lower the guard of probable cause for terrorism investigations but the Korean one goes too far. Even the NSA Prism, revealed by Edward Snowden, was conducted under a court approval (FISA)! Also, the Korean NIS has two authorities not usually held by other outbound intelligence agencies: cyber-psychological warfare and data security administration for ALL government agencies. It is these powers that respectively allowed NIS to engage in public opinion manipulation campaign during 2012 Presidential Election, and to disarm all the security software firms in Korea and thereby be able to engage in the hacking-type surveillance using RCS without being detected.

Please read the Korean original here.