Internet Surveillance in Korea

Communications Surveillance in Korea[1]

PARK Kyung Sin (“K.S.”), Professor, Korea University Law School

In Korea of 2011, a total population of about 50 million, the law enforcement wiretapped 7,167 phones; seized communication metadata[2] for 37.3 million communication facilities (phone numbers, email addresses or other accounts); and seized the subscriber-identifying information for 5.84 million facilities.[3] That is just for one year.

Per capita, the number of phones wiretapped in Korea was about 9.5 times the U.S. including the ones issued by Foreign Intelligence Surveillance Court (2,732[4] + 1,789[5]= 4,521) and about 800 times Japan (25)[6] in the same period. As we shall see, comparison on other methods of communication surveillance fares not much better.

Although the laws are in place and do require, as other developed countries do, an enhanced court approval for wiretapping[7] and the rejection rate for wiretapping applications is about 4%[8], a way higher than the U.S. courts’ rejection rate of 0.03%[9], the sheer volume of communications surveillance conducted by the Korean government needs a lengthy explanation. This report on the country’s surveillance on private telecommunications attempts to provide exactly that. This paper also covers the interplay between the surveillance and the civil society’s response.

Communication Metadata: Korean PRISM?

a. The reason for “37 million”: “cell tower dump”

As to transactional metadata, the law requires a certificate of “need to investigate” approved by court[10], just as the U.S. law requires ,[11] for the law enforcement acquisition but the sting of the numbers is exactly in that law: 37 million people, more than half the total population of Korea, “needed to be investigated” in one year?

Admittedly, the reason for the large number is that the Korean police conduct the type of massive indiscriminate surveillance, which intercepts the metadata of a huge number of communications among unidentified people and analyzed the big data to identify targets for deeper investigations as follows: The metadata are usually equivalent to the ‘pen register/trap and trace’ data in the U.S. investigative parlance, which include most importantly the phone numbers/IP addresses called from and calling to a specific phone number/IP address. In Korea, instead of requesting metadata on communications originating or terminating at a certain phone number, the Korean police cleverly requested the metadata on a specific cell tower and obtained the called/calling phone numbers for all the calls going through that cell tower. It is not clear whether they also obtained the phone numbers of the phones that made ‘sleep mode’ calls to the cell towers as the U.S. does. It is this “cell tower investigation” that accounts for 98.6% of communication metadata obtained, leaving only 235,716 requests to be individual-targeted.[12] In other words, 4,616 cell tower searches were conducted in 2011 and each cell tower produced about 7 to 8,000 phone numbers,[13] explaining the whooping 37 million phone numbers.

b. Unconstitutionality of Mass Surveillance

Why would the police do the cell tower search? There are times that the only way for the police to find suspects is to interrogate all people who were at the supposed crime scene. At that time, the police acquire the metadata on all the calls going through all the cell towers covering the area (several thousands of phone calls each hour per cell tower in metropolitan areas) and then narrow down to a smaller number of the phone numbers of which the owners exhibited pertinent communicative or locational behavior, e.g., made multiple phone calls to the known phone numbers or remained in the area for sufficiently long time as evidenced by the calls made there.

Some believe that cell tower dump, as long as it acquires geolocation information though most likely at the cell-site level and therefore unable to pinpoint someone in private places, still requires a “warrant”[14] as opposed to the low-level court order applicable to historical call records but I will not go into that argument. The question remains, even if it can be issued under the lower standard, whether it can be issued as to such a large number of people, most of whom except one person are innocent people.

Now, it may be a comfort to some that these metadata requests are not done out of stigmatizing suspicions on some phone users as probable criminals. However, the bottom line is that the police still treat you and all other innocent people as probable criminals. The fact of infringement is constant and its implications far-reaching regardless of the law enforcement’s intent as long as your communicative behavior is revealed to them. The cell tower investigation is none other than suspicion-less dragnet surveillance of people around certain area for the simple reason that they are there – exactly the reason that NSA’s mass surveillance is being criticized by both the UN Office of High Commissioner and the UN Special Rapporteur on Promotion and Protection of Human Rights and Fundamental Freedoms While Countering Terrorism[15] and the reason that indiscriminate retention of DNA data has been called foul by the European Human Rights Court.[16] American Civil Liberties Union argued persuasively in an amicus brief submitted against a government’s application for a 4.5-hour-long cell tower dump planned for New York’s Manhattan area in 2014:[17]

[T]he intentional targeting of large numbers of non-suspects is inherently unreasonable under the Fourth Amendment and raises the concerns animating the longstanding prohibition on “general warrants. . . Allowing the government to obtain tower-dump data risks sanctioning the sort of “general warrant” that the Fourth Amendment’s framers so reviled. See Stanford v. Texas, 379 U.S. 476, 481–82 (1965). As the Ninth Circuit observed, requests by “law enforcement for broad authorization to examine electronic records . . . creates a serious risk that every warrant for electronic information will become, in effect, a general warrant, rendering the Fourth Amendment irrelevant.” United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1176 (9th Cir. 2010) (en banc) (per curiam); accord United States v. Galpin, 720 F.3d 436, 447 (2d Cir. 2013). Surely, a reported gunshot in a residential neighborhood would not allow nonconsensual searches of every home in a several-block radius in hopes of identifying a suspect. Likewise, a theft in Times Square would not permit frisks and bag searches of every person walking along Broadway. Dragnet searches are no more permissible when carried out using electronic means; a claim by the government that a criminal suspect whose email address it does not know sent a potentially incriminating email on a particular day would never authorize it to ask Google or Yahoo to produce a catalogue of every email sent from a New York City internet protocol address on that day.

In response to ACLU’s argument, Magistrate Judge James C. Francis V ruled[18]:

I will. . require the Government to submit an amended application that (1) provides more specific justification for the time period for which the records will be gathered and (2) outlines a protocol to address how the Government will handle the private information of innocent third parties whose data is retrieved. See In re S.D. Tex. Application, 930 F. Supp. 2d at 702 (“[I]n order to receive such data, the Government at a minimum should have a protocol to address how to handle this sensitive private information.”); see also In the Matters of the Search of Cellular Telephone Towers, 945 F. Supp 2d 769, 771 (S.D. Tex. 2013) (issuing warrant for cell tower records but requiring, among other things, that “any and all original records and copies . . determined not to be relevant to the . investigation” be returned to cell service providers)

Also, another Magistrate Judge Brian Owsley ruled on a 2-hour long cell tower dump application for one hour before and after a crime as follows:[19]

Finally, there is no discussion about what the Government intends to do with all of the data related to innocent people who are not the target of the criminal investigation. In one criminal investigation, the Government received the names, cell phone numbers, and subscriber data of 179 innocent individuals. See United States v. Soto, No. 3:09CR200 (D.Conn. May 18, 2010) (Memorandum in Support of Motion to Suppress). Although the use of a court-sanctioned cell tower dump invariably leads to such information being provided to the Government, in order to receive such data, the Government at a minimum should have a protocol to address how to handle this sensitive private information. Although this issue was raised at the hearing, the Government has not addressed it to date. This failure to address the privacy rights for the Fourth Amendment concerns of these innocent subscribers whose information will be compromised as a request of the cell tower dump is another factor warranting the denial of the application

A pitfall of mass surveillance is that it is a search for a suspect when people usually expect surveillance to take place on a suspect that the police already have. Furthermore, it can even be a search for a crime, not for a suspect. In fact, NSA was not looking for suspects in a discrete crime that took place: it was looking for people who may commit or may have committed crimes that NSA does not know about. Using that standard, all people naturally have become potential targets.

Also, an argument can be made that the privacy interest of these phone records are not so great given that the police do not know whose phone records they are getting. It is true that privacy cannot be infringed when we know whose privacy is being infringed. However, it just does not work because other laws make sure that the authorities can reveal the identities easily – very easily, as we shall discuss later.

c. Comparison to the U.S.

For comparison, in 2012, about 9,000 ‘cell tower dumps’ were conducted by the federal and state governments of the U.S.[20] Per capita, 4,616 cell tower searches conducted by the Korean government in 2011 is about 3 times more than all the American authorities did in 2012, per capita.

Now, the main stay of communication data is not cell tower dumps. Almost all communication metadata requests are the requests targeting individuals: records of the calls incoming and outgoing to and from single facilities. As said before, in 2011, the Korean authorities conducted 235,716 individual-targeting acquisitions of communication metadata, which tracked 1 to 3 devices each.

In the U.S., the data on federal authorities’ pen register/trace and trap device shows about 90,000 for the year 2011[21], but excludes NSA and other state agencies and also excludes historical (or retrospective) records of incoming and outgoing calls. What may be more reliable are the reports of the mobile carriers themselves[22] as exposed by Senator Markey in 2012 and 2013[23], which show that the carriers received voluminous metadata orders. In AT&T’s 2012 report[24], taking out the content data and the subscriber identifying information from the stated total of 297,500, leaves 135,300 requests. Verizon’s 2012 report,[25] again taking out from the stated total of 270,000 the content data and the subpoenas self-proclaimed to be typically requesting the subscriber-identifying information, leaves about 110,000 requests. In Sprint’s 2012 report[26], adding up the categories belonging to communication metadata leads to about 148,000 requests. T-Mobile reports[27] a total of 297,350 data requests for the year of 2012 but only indicates about 3,000 wiretaps and is therefore impossible to extract the number only of communication metadata. Assuming about 150,000 for T-Mobile, since the Big Fours cover 90% of the mobile subscribers (see Figure 1), we can estimate the communication metadata requests for the entire U.S. to be about 500-600K.

To wrap up, we can estimate Korea’s non-cell-tower-dump communication metadata requests in 2011 to be more than twice the number for the U.S. mobile carriers for 2012, per capita. The U.S. mobile carriers’ reports do not include the numbers for Internet companies such as Google but the number for non-content data requests is minimal[28] probably due to the technical difficulty of separating the content from the non-content without risking manually viewing the content.

2. Subscriber Identities

a. Warrantless acquisition of subscriber identities

One of the arguments supporting the constitutionality of cell tower dump is the fact that people’s metadata are acquired in the unidentified state. However, in Korea, the law enforcement can very easily find out who the phone users are as shown by the annual stats on subscriber data acquisition: about 6 million each year (see above for 2011figures). The law enforcement cannot say things like ‘indiscriminate mass surveillance is not privacy-infringing because we do not know whose metadata we are obtaining’ because they can easily find out by simply sending faxes or emails to the telcos or portals under Article 83 Paragraph 3 of the Telecommunications Business Act. [29]

Subscriber data disclosure is itself privacy-infringing because it destroys the people’s right to communicate each other anonymously. Whoever writes anything on the Internet can have his identity revealed to the law enforcement and expose him/herself to the risk of persecution and retaliation.

Now, in Korea, 90% of subscriber data disclosure is on phone users (the remaining 10% on the web application id’s)[30] and it is awkward to talk about right to anonymous communication in the context of phone conversations because usually the phone conversations take place among the people who know each other. However, it is one thing that they know each other but whether their identities are known to the law enforcement is quite another. Two people should have the right to anonymous communication with respect to the law enforcement or any other third party. Another way of putting it is that each person should be able to communicate with one another without revealing his/her identity to anyone except the person he or she is communicating with.

However, what makes Korea stand out is the disproportionate number of request for subscriber data. There is no clearing house for all the administrative subpoenas issued to telcos and portals in the U.S. but we can benefit from “Transparency Reports” that the U.S. majors have begun to publish. Verizon’s new Transparency Report shows 320,000 user data requests[31] in 2013 in which 164,184 administrative subpoenas were included. Assuming that the law enforcement will use the least involved procedure to obtain the subscriber data, we can safely decide that all administrative subpoenas were for the subscriber data. (Although we do not know how many were rejected, my guess extrapolated from Korean companies’ behavior is that most requests were filled.) Given the roughly 30% market share of Verizon[32], we can extrapolate that number to the national total of roughly 500,000 for the U.S. (It is difficult to use the same method we used for communication metadata, namely adding up the numbers from the Senator Markey reports for 2012 because only Verizon (135,000) and AT&T (129,300) give the numbers for what probably accounts for the subscriber-identifying data. Extrapolating on the basis of their combined market share of 60% gives us also a rough national total of about 400,000 for 2012) . Now, that is just for the telcos. Google and the likes also get the user identifying data requests. Google’s Transparency Report for 2013 (the first year that subpoenas were reports about 27,000 “subpoenas”, 84% of which were granted[33], and given Google’s 20% market share in the e-mail market[34], we can extrapolate to the national total of about 100,000 for the U.S. Adding up the telcos’ and the portals, we get 600,000 for the U.S.

In sum, the Korean law enforcement’s acquisition of subscriber data in 2011, all warrantless, is more than 10 times the U.S. of 2012 in absolute terms and 60 times the U.S. per capita.

b. Unconstitutionality of Warrantless Acquisition of Subscriber Data

The international outlook is not very good, though. The U.S. law is not very different and is even worse because it mandates (as opposed to just allowing) the carriers to provide the information warrantlessly and administrative subpoena includes even historical outgoing call records.[35] UK[36], Germany[37] and France[38] do not require a warrant for accessing the subscriber data, either.

However, the tide is turning. In a highly relevant article, Prof. Jeffrey Skopek proposes the concept of “reasonable expectation of anonymity” as a privacy norm to be observed,[39], and I believe it applies very well to subscriber data disclosures. Most relevantly, he puts:

[T]he structural features of our world that are capable of maintaining the secrecy of “personal information” are not limited to those that hid the information. . . they can be also features that hide what makes that information personal. . .if the action took place online, relevant factors might include whether the actor used a pseudonym, whether pseudonym was connected to other traits, such as an IP address, and whether that IP address was connected to the actor’s name.

In April 2014, the Canadian Supreme Court also struck down the police acquisition of subscriber information done under a data protection law that allowed the authorities’ access to subscriber information[40], reasoning:

[P]articularly important in the context of Internet usage is the understanding of privacy as anonymity. The identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. Subscriber information, by tending to link particular kinds of information to identifiable individuals may implicate privacy interests relating to an individual’s identity as the source, possessor or user of that information. Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure. In this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized in other circumstances as engaging significant privacy interests. . . The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

Also, the National Human Rights Commission of Korea in April 2014 recommended that the subscriber identity data be made available only upon warrant(http://bit.ly/1NG9k71).

Finally, post-Snowden, Brazil explicitly imposed the requirement of judicial approval for the police’s access to subscriber-identifying information( LAW No. 12.965, APRIL 23RD, 2014 Article 10 Section 1). Even before Snowden, Chile has for long required court approval for such access( https://s3.amazonaws.com/access.3cdn.net/a0ea423a1607c836a3_aqm6iyi2u.pdf). In October 2015, California also passed the California ECPA that explictly required warrant for the identifying information of the parties to electronic communications.( https://www.eff.org/cases/californias-electronic-communications-privacy-act-calecpa).

c. Civil Society’s Response and Recent Changes

Civil society fought back. PSPD Law Center[41] filed a constitutional challenge against Telecommunications Business Act Article 83(3) for violation of the “warrant” doctrine set forth in the Korean Constitution. The Constitutional Court dismissed the constitutional challenge in August 2012 stating that the provision merely allows the operators to make the disclosure and does not require them to do so, and therefore there is no “state action” involved in what the Court believed to be “voluntary acts of the telecommunications operator.”[42] This is a very unrealistic assessment, given the de facto dominion over portals in a very paternalistic society.

Nonetheless, upon hearing this, the PSPD Law Center promptly filed a damages suit against the operator of the largest portal of the country, www.naver.com, for making such “voluntary” disclosure on a high profile case. In this case, a netizen re-posted on his NAVER blog a Youtube video clip[43] of the then cultural minister allegedly trying to publicly hug the international figure skating star Yuna Kim in a congratulatory welcome on her recent victory, only to be cooled off by Kim, and the police pressured by conservative politicians actually subpoenaed the netizen for interrogation apparently in an investigation for defamation![44] It was through Article 83(3) communication data request that the police obtained the identity and contact information of that netizen. After losing in the court of first instance, the netizen won a damage award of about US$500 in the High Court for Seoul District, which announced[45]:

The defendant (portal), in accordance with its Terms of Use, must endeavor to protect its members’ personal data and has an obligation, in principle, not to disclose externally the members’ personal data without prior consent. . .

The Terms of Use makes an exception “where such disclosure is pursuant to laws and regulations or requested by investigative agencies pursuant to procedure and method set forth in laws regulations. . .

However, the provision cannot read “ALL ‘requests’ by investigative agencies without exception shall be granted” or the plaintiff(user) is actually or constructively informed of such reading. All the application for the data request stated for ‘Reasons for Request and Relationship to User” was the defamation statute and that the user is a suspect. . .

The defendant does not need to conduct an inquiry tantamount to that of judicial review but the defendant is a telecommunications operator and a comprehensive Internet information provider and therefore has acquired substantive public status due to the nature of its services. The ‘community’ services such as the cafés are by nature based on right to anonymous speech, and therefore the defendant unlike other private parties should have proper self-control mechanism in responding to the law enforcement’s personal data requests. The defendant therefore has at least a duty to build capacities to protect the users’ data and a duty to deliberate and decide upon whether and to what extent to make the disclosure after comprehensively factoring in the degree of illegality, the magnitude and urgency of the matter, etc., in balancing competing interests.

Although the decision was promptly appealed to the Supreme Court is continued to date as this report goes to press, the repercussions were still great exactly for the very reason that so many data disclosures have been made already. As said before, about 500-600K data disclosures were being made by the portals each year. If we multiply that by US$500, the Internet industry faces an astronomic amount of damages. Within 2 weeks, all major portals and top internet content and application providers in Korea including NAVER announced that they will altogether stop complying with Article 83(3) data requests.[46] The telcos, covering 90% of subscriber identity disclosures are still not budging.

3. Overbroadness

To recap, the number for subscriber data disclosures is high, i.e., about 60 times the U.S. per capita; wiretapping takes place 9.5 times more per capita than the U.S.; and also acquisition of non-content metadata (excluding cell-tower dumps) is at least more than 2 times the U.S. when the laws are pretty much the same as the U.S. As to the number of search and seizure of electronic mails, there is no reliable data either in Korea or any other country.[47] However, it is not just the number of surveillances but the broadness of each surveillance measure that has become a major problem.

As to the search and seizure of stored information such as e-mail, a progressive candidate in July 2008 local Educational District head election was seized 7 years of worth of his email in an investigation on his election campaigning that spanned less than a couple of months.[48] Also, the 6 television producers were also subjected to search and seizure of 7 months worth of all their emails in defamation investigation for their reports critical of a government policy on American beef import[49], and about 20 union leaders of a broadcasting union were seized 9 months worth of their emails in investigations on their strike launched to block the appointment of the then President Lee Myung Bak’s crony as the broadcasting company’s CEO[50].

These revelations, concentrated in earlier half of 2009, actually caused a phenomenon called “cyber-asylum” among people who left domestic services for foreign services outside the reach of Korean warrants,[51] such as G-mail. The phenomenon was accelerated by Google’s decision to delocalize Youtube’s uploading function in April 2009 in an apparent protest to the real name law, which reminded people that domestic emails are easily trackable to their authors due to domestic email providers’ policy of obtaining the users’ real names together with resident registration numbers upon enrollment.[52] Also in response to the first case, PSPD Law Center filed a suit against the Prosecutors’ Office and won an about US$7,000 damage award for overbroad execution of the warrant, which limited itself to “information related to the election campaigning” and therefore could not be conceivably cover all of the 7 years’ emails.[53] The court opined “given the time spanned by election campaigning, the search should have been limited even at most less than a one (1) year period before the election date.”

As to wiretap, in 2010, the Constitutional Court reviewed one National Security Law investigation that involved 14 consecutive extensions of a wiretapping warrant (2 months the maximum period each extension, adding up to 30 months), upon a lawsuit filed by Jinbo Net. In an unprecedented advance beyond an international norm, the Court struck down the provision that allowed renewal[54] without any limitation on the total period or the total number of renewals when, for instance, American ECPA does not set such limit on extension.[55] The reasoning was more surprising: “we need a statutory limit because it will be difficult for judges to refuse extensions”, however, without really explaining why. This defeatist confession is more worrying than the result is encouraging. We see a judge split between the lack of the “concrete awareness” of pervasive surveillance, probably due to the poor notifications regime, and the sense of obligation to respond to the huge numbers and long periods of surveillance, helplessly looking to the legislature for help in doing what is actually in his or her power.

4. User Notifications

There seems to be a procedural element that contributes the scope and volume of surveillance described above. Under the constitutional principle of due process, when a state violates upon a private individual’s right, whether by surveillance or other actions, the state at minimum must notify the individual that the state is doing so.[56] That the police have a warrant does not mean that the warrant can be executed surreptitiously. The police cannot steal something just because they have a warrant on it. The person searched should know the fact that his premise is being searched. Korean surveillance laws are indeed very weak on user notifications across the board.

a. Wiretap and communication data notifications: 30days after Indictment?

The wiretap and communication metadata provisions require notification to be given to the target, as the U.S. law does, but only 30 days after a decision on whether to indict has been made by the prosecutors.[57] (Japan requires the notice to be given 30 days after the wiretap is done,[58] just as the U.S. requires the notice to be given 90 days after the wiretap is done.[59]) This means that, if an investigation continues for and ends in 2 years with a decision on indictment, one will have lived as if nothing had happened for that 2 years. People not indicted will not make an issue of what happened long ago. Most indicted people receive the notifications only after they have been indicted and sometimes find out that they had been wiretapped only at the trial when the prosecutors present the wiretap transcript as evidence! By then, the fact of privacy breach becomes not very important as people become entrenched in fighting on guilt/no guilt. One may say “justice delayed is justice forgotten.”

What is even worse, even such notice can be deferred not by judges but by the heads of the local prosecutors’ office[60], in complete contravention of the warrant doctrine.

b. Notification to the E-Mail Users[61]

The problem of lack of notification for ordinary search and seizure of electronic mails has yet another dimension. Currently, notification for search and seizure of electronic transmissions is governed by the similar provision as the ones governing wiretapping, i.e., 30 days after the indictment decision.[62]

However, Korean laws on ordinary search and seizure are very strict, and for good reason: suspects are to be notified IN ADVANCE of execution of a search and seizure warrant[63], and the delay in notification just for search and seizure of emails is not justified. Delayed notification for wiretap is justified by the fact that the contents of phone communications are usually not recorded, so the investigators have to listen in on the conversation real-time, i.e., as communications are taking place. In such situation, if the parties to the communication are notified of the fact that they are being eavesdropped, the whole project of eavesdropping will be frustrated. However, there is no such justification for stored communications such as emails,[64] seizure of which should be notified as soon as possible to the email accountholders just as seizure of my notebook will necessitate contemporaneous presentation of a warrant to me.

However, as the notification is delayed post the indictment decision, the searched person often finds out that the emails have been seized as late as when the prosecutors present them as evidence against him in court! In response to a pertinent suit filed by PSPD Law Center in October 2010[65], the court, however, approved the delaying practice by ruling that search and seizure of emails qualifies under an “urgency” exception to prior notification requirement because the person notified may erase the emails.[66]

Such judgment turns a blind eye to the technically immovable fact that erasing emails on one’s email account works in the way of cutting off the connection between the e-mail account and the data, which will remain on the server for an indefinite amount of time until the server’s hard disk slot is ‘written over’ the hard disk accepts more data. Also, it ignores the possibility that, since the law requires notification in advance only of execution of the warrant, the investigators can take preemptive measures such as requesting the email service provider to shut off the suspect’s access to the account, before executing a properly-notified warrant.

The court’s decision also contravenes National Human Rights Commission’s August 19, 2010 Recommendation that specifically required prior notification for email search and seizure and allowed post-execution notification only in exceptional situations.[67] As a result of these efforts, the law has been amended in July 2011 to require immediate notification to “data subjects” upon seizure of the data storage device.[68] However, e-mail account holders are still not notified of search and seizure[69] because the new provision on the data storage device is applied only to the seizure aiming at the device itself whereas email search and seizure aims at a certain email account, a technologically defunct distinction.

c. User’s Right to Know about Subscriber Data Disclosure

As to subscriber data, there is no requirement of notification by the government naturally because the official line is, as the Constitutional Court held, that the disclosure is being made “voluntarily” by the service providers.

Well, if the service providers are doing it voluntarily, are they notifying the users? Wiretap and pen register data provisions will, of course, come with gag orders on the service providers[70] since the government itself needs to control notifications but there is no gag orders (or need for such) applicable to the subscriber data disclosure done ‘voluntarily’ by the service providers. Korean service providers are not. What is even more disturbing, the telcos are not telling the customers whether such disclosure has been made when there is no law gagging them from doing so, at least until January of 2015.

In the wake of the October 2012 High Court decision holding a major portal liable for complying with subscriber data request, the telecoms, responsible for 90% of 6 million subscriber data disclosure in Korea 2011, have responded quite differently from Internet companies. The telecoms insisted on continuing to comply with Article 83 (3) requests. What was the source of their confidence in face of liability of an astronomic scale?: The telecoms refused to disclose to their customers whether the Article 83 (3) data disclosures have been made when the customers asked, which meant that the victims could not file the suit because they could not know whether they were victims. In April 2013, PSPD filed another suit[71] forcing the telcos to reveal the subscriber data that they have disclosed to the police under Article 83(3) and won that lawsuit in 2014 but without damages. Then, after it has been appealed by the telcos, the intermediary appellate court of that case came down on January 19, 2015 with a winning judgment this time with damages of $2-300 for each of the plaintiffs, which means a potential liability of 1 to 1.5 billion U.S. dollars if they further refuse to respond to users’ requests! Right now, PSPD and Open Net have launched a campaign “Ask Your Telcos” to make sure that the telcos comply.

We are here talking about notification upon request which is really not a notification at all but a stronger right to know about one’s own data security status, similar to a right to check one’s own bank account balance, based on general data protection principles. The major portals have disclosed upon a subscriber’s request whether his or her information has been disclosed to the police. However, no company, portal or telco, has yet to announce a policy of voluntarily notifying their subscribers of Article 83(3) disclosures.

This is important because as long as the courts see these disclosures as voluntary, the only way to protect the users’ rights is for the companies to adopt such policy voluntarily.

d. Significance of User Notifications

From the unusual frequency and breadth of communications surveillance in Korea, we can only conclude that judges and prosecutors do not feel much resistance in applying for and granting wiretaps, and communication metadata, and this mindset is extended to the law enforcement agencies that issue user identification requests, which do not involve the warrant process. One of the reasons for this mindset, I believe, is the general lack of awareness of the volume and threat of surveillance being conducted. This is a unique danger associated with surveillance because many forms of surveillance take place secretly. If the general populace do not know whether they are under surveillance and therefore do not verbalize and convey their fears thereof, judges approving it will not realize what they are doing to the people being put under that surveillance and are likely to be not so careful in weighing the users’ privacy.

Now, one way to address this lack of awareness is the publication of ‘transparency reports’ both by the government and the companies, and the other way is to enhance user notifications. Despite the huge number of people actually surveillanced, only a very small number of people actually do receive those notices due to the poor notification laws. For instance, none of the 37 million people caught in cell tower dumps in 2011 were notified. Because the notifications are in order only after the underlying investigation is concluded upon an indictment/no indictment decision, they fall through the cracks such personnel change or simple negligence. According to one MP CHUNG Chung-Rae’s report on October 19, 2014, only 38% of the people due notifications actually received notifications since 2011 (http://transparency.or.kr/news/960). Lack of notification results in the moral hazards of approval-issuing judges, whose attitude is unlikely to change until they run into close friends or families who have been overbroadly searched and seized or wiretapped and acquire a “real-life understanding” of what it feels like being under surveillance.

4. Conclusion

In Korea, both the breadth and frequency of communications surveillance is worrisome e.g., the number for subscriber data disclosures about 60 times per capita that of the U.S.; wiretapping 9.5 times; acquisition of individualized non-content metadata at least more than 2 times; cell tower dumps about 3 times, resulting in the anecdotes of searching and seizing 7-year-worth of emails for a local school board election investigation, and renewing a wiretap for 14 times over several years. Cell tower dumps and warrantless subscriber data disclosure are the major contributors to the overbroad surveillance landscape, and their constitutionality must be strictly examined, which will then inform the similar discourses in the U.S., and other countries. However, what sets Korea apart is the lack of notifications to the person being surveillanced where notifications delayed to 30 days after making indictment decisions have become meaningless and there is no notification at all for the subscriber data disclosures. Failing notifications disables any public discourse on how or where to balance the law enforcement needs and people’s privacy, eviscerating the judiciary’s power to control the surveillance. Civil society in Korea such as PSPD Law Center, Jinbo Net, and Open Net have run litigation campaigns to restrict the scope of email search and seizure, subscriber data disclosure, and wiretap renewals, and also to protect people’s right to be notified of or know about disclosures of their own data to the law enforcement, with some success but with a long way ahead.

[1] This paper was presented at Asian Pacific Regional Internet Governance Forum held in Delhi in August 2014 and supported by Open Net. For related arguments in Korean language, please see “A U.S.-Korea Comparison on Electronic Communications Privacy and Related Laws”, Anam Law Review, Vol. 29, pages 119-160 (2009) http://m.riss.kr/search/detail/DetailView.do?p_mat_type=1a0202e37d52c72d&control_no=b3679d4ad0090623ffe0bdc3ef48d419 (korean)

[2] Communication metadata are the information about a communication which includes the identifying information of the communicating devices, and the time and duration of the communication, which does not include the content of the communication.

[3]http://old.kcc.go.kr/user.do?mode=view&page=P05030000&dc=K04030000&boardId=1042&boardSeq=35108

[4] http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx summarized here http://epic.org/privacy/wiretap/

[5] Issued under Foreign Intelligence Surveillance Act http://epic.org/privacy/wiretap/stats/fisa_stats.html

[6] http://www.asahi.com/articles/ASG263RKWG26UTIL00D.html

[7] Protection of Communication Secrets Act http://elaw.klri.re.kr/eng_service/lawPrint.do?hseq=21696

Article 5 (Requirements for Permission of Communication-Restricting Measures for Criminal

Investigation)

(1) The communication-restricting measures shall be allowed only when there is a substantial reason to suspect that a crime under each of the following subparagraphs is being planned or committed or has been committed, and it is difficult to prevent the committing of the crime, arrest the criminal or collect the evidence through other measures: <Amended by Act No. 5454, Dec. 13, 1997; Act No. 6146, Jan. 12, 2000; Act No. 6546, Dec. 29, 2001; Act No. 8733, Dec. 21, 2007>

[8] http://www.mediatoday.co.kr/news/articleView.html?idxno=112807

[9] Tim Cushing, “US Courts’ Wiretap Report Shows Wiretaps are for Drugs and Warrants are rejected only 0.03% of Times”, July 7, 2014 https://www.techdirt.com/articles/20140703/10502127773/us-courts-wiretap-report-shows-wiretaps-are-drugs-law-enforcement-warrants-rejected-only-03-time.shtml

[10] Protection of Communication Secrets Act, Article 13 (Procedures for Provision of Communication Confirmation Data for Criminal Investigation)

(1) Any prosecutor or any judicial police officer may, when he deems it necessary to conduct any investigation or to execute any punishment, ask any operator of the telecommunications business under the Telecommunications Business Act (hereinafter referred to as the “operator of telecommunications business”) for the perusal or the provision of the communication confirmation data (hereinafter referred to as the “provision of the communication confirmation data”).(2) Any prosecutor or any judicial police officer shall, when he asks for the provision of the communication confirmation data under paragraph (1), obtain permission therefor from the competent district court (including a general military court; hereinafter the same shall apply) or branch court with a document in which the reason for such asking, the relation with the relevant subscriber, and the scope of necessary data are entered: Provided, That if the urgent grounds exist that make it impossible to obtain permission from the competent district court or branch court, he shall obtain permission immediately after asking for the. . .

[11] 18 U.S. Code § 3123 (for prospective transactional data) and 18 U.S. Code §§ 2703 (c), (d) (for stored information on the communications that already have taken place, which include ‘retrospective’ transactional data). The standards differ, depending on whether prospective (“if the court finds that the attorney for the Government has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation”) or retrospective ( when the Government offers “specific and articulable facts showing that there are reasonable grounds to believe that the . . . records . . . sought are relevant and material to an ongoing criminal investigation.”)

[12] National Human Rights Commission of Korea, Recommendation on Telecommunications Act’s Communications Data and Protection of Communications Privacy Act’s Communications Metadata, April 9, 2014.

[13] Id.

[14] In the Matter of the Application of the UNITED STATES of America for an ORDER PURSUANT TO 18 U.S.C. § 2703(D) Directing Providers to Provide Historical Cell Site Locations Records, 930 F.Supp.2d 698 (S.D. Tex. 2012); The Hon. Brian L. Owsley, The Fourth Amendment Implications of the Government’s Use of Cell Tower Dumps in Its Electronic Surveillance, 16 U. Pa. J. Const. L. 1, 17–23 (2013).

[15] Office of the UN High Commissioner for Human Rights, A/HRC/27/37 “The Right to Privacy in the Digital Age” (June 30, 2014): “Mass or “bulk” surveillance programmes may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.”; available at http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf

Report of the Special Rapporteur on the Promotion and Protection of Human Rights and Fundamental Freedoms While Countering Terrorism, A/69/397, September 23, 2014 : “[Mass surveillance] amounts to a systematic interference with the right to respect for the privacy of communications,. . .it is incompatible with existing concepts of privacy for States to collect all communications or metadata all the time indiscriminately.” Available at http://daccess-dds-ny.un.org/doc/UNDOC/GEN/N14/545/19/PDF/N1454519.pdf?OpenElement

[16] S and Marper v. United Kingdom (2009) 48 EHRR 50

[17] American Civil Liberties Union, Amicus Brief, Government Application for Historical Cell Site Data from Cell Towers in the Vicinity of One Location During 4.5 hours, May 20, 2014, available at https://www.aclu.org/sites/default/files/assets/5.20.2014_aclu_tower_dump_brief_to_m.j._francis.pdf

[18] In the Matter of the APPLICATION OF THE UNITED STATES OF AMERICA FOR AN ORDER PURSUANT TO 18 U.S.C. §§ 2703(C) and 2703(D) DIRECTING AT & T, SPRINT/NEXTEL, T–MOBILE, METRO PCS and VERIZON WIRELESS to Disclose Cell TowerLog Information, — F.Supp.2d —-, 2014 WL 4388397 (S.D.N.Y.) available at https://www.aclu.org/sites/default/files/assets/sdny_-_mj_francis_-_tower_dump_order.pdf

[19] In the Matter of the Application of the UNITED STATES of America for an ORDER PURSUANT TO 18 U.S.C. § 2703(D) Directing Providers to Provide Historical Cell Site Locations Records, 930 F.Supp.2d 698 (S.D. Tex. 2012);

[20] http://www.washingtonpost.com/world/national-security/agencies-collected-data-on-americans-cellphone-use-in-thousands-of-tower-dumps/2013/12/08/20549190-5e80-11e3-be07-006c776266ed_story.html

[21] See http://www.justice.gov/criminal/foia/elect-read-room.html for other years. http://www.justice.gov/criminal/foia/docs/2011penreg-anlrpt.pdf

[22] http://www.markey.senate.gov/news/press-releases/for-second-year-in-a-row-markey-investigation-reveals-more-than-one-million-requests-by-law-enforcement-for-americans-mobile-phone-data; http://www.markey.senate.gov/news/press-releases/markey-law-enforcement-collecting-information-on-millions-of-americans-from-mobile-phone-carriers

[23] http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in-requests-to-aid-surveillance.html?pagewanted=all&_r=2&; http://www.wired.com/2012/07/mobile-data-transparency/all/; http://www.wired.com/2012/07/massive-phone-surveillance/

[24] http://www.markey.senate.gov/imo/media/doc/2013-10-03_ATT_re_Carrier.pdf

[25] http://www.markey.senate.gov/imo/media/doc/2013-12-09_VZ_CarrierResponse.pdf

[26] http://www.markey.senate.gov/documents/2013-12-09_Sprint_CarrierResponse.pdf

[27] http://www.markey.senate.gov/imo/media/doc/2013-12-09_Tmobile_CarrierResponse.pdf

[28] http://www.google.com/transparencyreport/userdatarequests/US/. Please see the numbers for “Pen Register Orders”.

[29] Telecommunications Business Act Article 83 (1) No one shall infringe or disclose the secrecy of communications processed by a telecommunications operator.

(2) No one currently or previously employed in telecommunications business shall not disclose another’s secret learned about communications during his or her employment.

(3) A telecommunication operator may comply with the requests for the following information (“Communication Data Request”, hereinafter), made by courts, prosecutors, investigative agency heads, and intelligence agency heads for the purpose of trials, investigations, execution of sentencing, and intelligence gathering aimed to prevent harms to national security

name of the user
resident registration number of the user
address of the user
id of the user (the symbols identifying the legitimate users of a computer system or a communication network
dates of enrollment or termination of the user

(4) Communication data requests shall be made in writing that states the reasons for the request, the relationship to the relevant user, and the scope of the data requested (“application for data requests”). In event of emergency that prohibits such writing, the request can be made without writing but shall be followed up with writing when such emergency is dissipated.

(5) A telecommunications operator shall retain in accordance with Enforcement Decree a log of all communication data requests and the related applications complied with pursuant to paragraphs 3 and 4.

(6) Twice every year, a telecommunications operator shall report to the Ministry of Science, ICT and Future Planning the status of compliance with communication data requests. The Ministry may audit such report and inspect the status of the log set forth in paragraph 5.

(7) A telecommunications operator shall inform the head of the central administrative agency that the applicant of communication data requests belongs to, the contents of the log set forth in paragraph 5. [omitted]

(8) A telecommunications operator shall install and maintain a specialized body handling the user’s secrecy of communications. The body’s function and structure shall be set forth in Enforcement Decree.

Available at https://elaw.klri.re.kr/eng_service/lawPrint.do?hseq=22114

[30]http://old.kcc.go.kr/user.do?mode=view&page=P05030000&dc=K04030000&boardId=1042&boardSeq=35108

[31] http://transparency.verizon.com/us-data

[32] http://money.cnn.com/2011/03/23/technology/sprint_verizon/

[33] http://www.google.com/transparencyreport/userdatarequests/US/

[34] http://emailblog.eu/2014/01/27/2013-email-client-market-share-infographic/

[35] U.S. Code, Title 18 Section 2703 (c) Records concerning electronic communication service or remote computing service.–(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity–. [omitted].

(E) seeks information under paragraph (2).

(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the–

(A) name;

(B) address;

(C) local and long distance telephone connection records, or records of session times and durations;

(D) length of service (including start date) and types of service utilized;

(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and

(F) means and source of payment for such service (including any credit card or bank account number),

of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1).

(3) A governmental entity receiving records or information under this subsection is not required to provide notice to a subscriber or customer.

[36] UK Regulation of Investigatory Powers Act 2000, Article 23

[37] Federal Electronic Communications Act, Article 113 (1)

[38] Code des Postes et Communications Électroniques, Article L34-1 through L34-6

[39] Jeffrey M. Skopek, “Reasonable Expectations of Anonymity”, 101 Virginia Law Review ____ (forthcoming May 2015).

[40] R. v. Spencer, 2014 SCC 43, June 13, 2014

[41] This author had the fortune of serving as Executive Director of PSPD Law Center at the time and directing most of the public interest lawsuits described in this paper. Some of the lawsuits were continued to be worked on jointly by Open Net, www.opennetkorea.org, which this author served as the founding director and the litigation director.

[42] 2012.8.23 2010Hun-ma439

[43] http://www.youtube.com/watch?v=X5OOD72-MzA

[44][44] http://www.koreatimes.co.kr/www/news/nation/2010/03/117_62548.html

[45] October 18, 2012, Seoul High Court 2011Na19012 (Chief Judge Kim Sang-Jun)

[46] http://www.hani.co.kr/arti/economy/economy_general/558613.html

[47] It is difficult for courts or governments to create separate statistics for that category of surveillance because, once the mails reached their destinations, they become stationary objects subject to the normal search and seizure process applicable to non-data items.

[48] Hankyoreh Newspaper, April 23, 2009 http://www.hani.co.kr/arti/society/society_general/351489.html

[49] Hankyoreh Newspaper, 2009.6.19; http://www.hani.co.kr/arti/society/society_general/361387.html

[50] Asia Economy, 2009.7.1: http://www.asiae.co.kr/news/view.htm?idxno=2009070121394542118&sp=EC.

[51] http://www.hani.co.kr/popups/print.hani?ksn=351553

[52] Email services are not subjected to the identity verification requirement but the domestic portals, in order to minimize inconvenience and costs involved in requesting the identity information multiple times, often request ALL the identity information upon enrollment if any part of their services is subject to the identity verification requirement, an abhorrent trend continued to date.

[53]Seoul Civil Court, July 5, 2013, 2012나4678 http://article.joins.com/news/article/article.asp?total_id=9296605&ctg=1211 (Korean)

[54] Protection of Communication Secrets Act

Article 6 (Procedures for Authorization of Communication-Restricting Measures for Criminal

Investigation) (7) The period of communication-restricting measures shall not exceed 2 months and in the event that the objective of the communication-restricting measures is attained during the period, such communication-restricting measures shall be immediately discontinued: Provided, That if the requirements for permission under Article 5 (1) are still valid, a request for extending the period of communication-restricting measures pursuant to paragraphs (1) and (2) may be filed, within the limit of 2 months and such request shall be appended by material establishing a prima facie case. <Amended by Act No. 6546, Dec. 29, 2001>

[55] 29 U.S. Code 2518 (5)

[56] Goldberg v. Kelly, 397 U.S. 254 (1970)

[57] Telecommunication Privacy Act, Article 9-2.

[58] https://www.privacyinternational.org/reports/japan/ii-surveillance-policy#footnote2_9sjbf1z

http://www.thefreelibrary.com/Wiretapping+law+used+to+arrest+9+in+drugs+case.-a086465138

[59] Electronic Communications Privacy Act, Section 2518. Procedure for interception of wire, oral, or electronic communications

. . .

(8) . . .(d) Within a reasonable time but not later than ninety days after the filing of an application for an order of approval under section 2518(7)(b) which is denied or the termination of the period of an order or extensions thereof, the issuing or denying judge shall cause to be served, on the persons named in the order or the application, and such other parties to intercepted communications as the judge may determine in his discretion that is in the interest of justice, an inventory which shall include notice of. . .

[60] Protection of Communication Secrets Act , Article 9-2 (Notice on Execution of Communication-Restricting Measures)

(4) Notwithstanding the provisions of paragraphs (1) through (3), in the event that the grounds falling under each of the following subparagraphs accrue, the notice may be deferred until such grounds cease to exist:

When the notice of the communication-restricting measures is seriously feared to endanger the national security and disrupt the public safety and order; and
When the notice of the communication-restricting measures is feared to result in dangers to lives and bodies of people.

(5) Any prosecutor or any judicial police officer shall, when he intends to defer the notice in accordance with paragraph (4), obtain approval therefor from the head of the District Public Prosecutor’s Office after filing an application therefor, accompanied by the material establishing a prima facie case, with the District Prosecutor’s Office: Provided, That in the event any public prosecutor or any military judicial police officer intends to defer the notice in accordance with paragraph (4), he shall obtain approval therefor from a senior prosecutor of the competent Public Prosecutor’s Office after filing an application therefor, accompanied by the material establishing a prima facie case, with such Public Prosecutor’s Office.

[61] Much of the contents hereinafter are taken from my article here. http://m.riss.kr/search/detail/DetailView.do?p_mat_type=1a0202e37d52c72d&control_no=9fc791290fb78355ffe0bdc3ef48d419 http://ils.inha.ac.kr/board_laborlaw/View.aspx?Mode=download&BoardID=&Seq=20637&FileSeq=2931 (PDF)

[62] Protection of Communication Secrets Act , Article 9-2

[63] Criminal Procedure Act https://elaw.klri.re.kr/kor_service/lawPrint.do?hseq=22535

Article 121 (Execution of Warrant and Presence of Parties)

A public prosecutor, the defendant or his defense counsel may be present when a warrant of seizure or of search is being executed.

Article 122 (Execution of Warrant and Notice of Presence)

In cases where a warrant of seizure or of search is to be executed, the persons listed in the preceding Article shall be notified of the date and place of execution in advance: Provided, That this shall not apply to the case where a person prescribed in the preceding Article, clearly expresses his will in advance to the court that he does not desire to be present or to the case of urgency.

Article 219 (Mutatis Mutandis Applicable Provisions)

The provisions of Articles 106, 107, 109 through 112, 114, 115 (1) (main sentence) and (2), 118 through 135,140, 141, 333 (2) and 486 shall apply mutatis mutandis to seizure, search or inspection of evidence by a public prosecutor or judicial police officer as prescribed in the provisions of this Chapter (Suspects):

[64] The same is true for pen register data but we will talk about that in another time since this problem of not distinguishing real-time pen register data and retroactive data seems ubiquitous in other countries.

[65] http://news.mt.co.kr/mtview.php?no=2010101217112370754

[66] July 5, 2013 Seoul District Court 2012나46780(certiorari denied by the Supreme Court)

[67] http://www.humanrights.go.kr/03_sub/body02_2.jsp You can find the relevant documentation by putting in “전자우편” in the search window on this page.

[68] Criminal Procedure Act, Article 106 (Seizure) (1) When it is necessary, a court may seize any articles which, it believes, is related to the defendant’s case and may be used as evidence, or liable to confiscation: Provided, That the same shall not apply to the cases where there exist other provisions in Acts. <Amended 2011.7.18>

(2) A court may designate articles to be seized and order the owner, possessor, or custodian thereof to produce such articles.

(3) In case the object of seizure is computer disk and other similar data storage devices, the court shall receive in printouts or duplicates only the part of data storage that it has specified: Provided, That in case the court may seize the data storage device such printing or copying of specific scope is impossible or is significantly insufficient for achieving the purpose of seizure,

(4) The court shall notify the data subject as defined by Article 2 Item 3 of the Personal Data Protection Act immediately that it has received the data according to paragraph 3. <Newly enacted 2011.7.18>

[69] http://m.mediatoday.co.kr/articleView.html?idxno=114043

[70] Protection of Communication Secrets Act, Article 11 (Obligation to Keep Secrets)

(1) Any public official or any former public official who has been engaged in the permission, execution, notice and preparation of various documents, etc. in connection with the communication-restricting measures shall be prohibited from disclosing or leaking matters concerning the communication-restricting measures he has learned while performing his duties.

(2) Any employee or any former employee of any communications institution shall be prohibited from disclosing or leaking matters concerning the communication-restricting measures.

(3) Any person other than those of paragraphs (1) and (2) shall be prohibited from disclosing or leaking what he has learned in connection with the communication-restricting measures except that his knowledge is used according to the provisions of this Act.

(4) Matters necessary to keep secret procedures for granting permission, whether to grant permission, the contents of permission, etc. for the communication-restricting measures by the court shall be prescribed by the rules of the Supreme Court.

[This Article Wholly Amended by Act No. 6546, Dec. 29, 2001]

[71] http://www.gobalnews.com/news/articleView.html?idxno=2240 (Korean)