10 Nov When Digital Rights and Cybercrime Collide: A Trial to Watch in Ecuador
[Deborah Brown is a senior digital rights researcher and advocate at Human Rights Watch.]
An upcoming trial in Ecuador should put technologists working in the public interest on high alert. Ola Bini, a Swedish programmer, internet activist, and human rights defender will be in a Quito court accused of trying to destabilize the government by gaining access to an information system without authorization. His trial may have profound implications for the development and use of secure digital communications, which people rely on around the world to exercise their human rights.
Our ability to communicate privately and securely online relies on security experts who develop privacy protective tools and who research digital security vulnerabilities to keep us all safe. Some of the arguments being used to support the prosecution of Bini should concern not only those working in digital security, but also anyone who relies, or should rely, on secure digital communications.
Bini has lived in Ecuador since 2013. He is primarily known for his contributions to development of secure communication technology and currently works at the Centro de Autonomía Digital, a non-profit organization based in Quito that focuses on developing open-source software to enhance people’s digital privacy, security, and anonymity.
Bini was arrested in Quito in April 2019. The Ecuadorean authorities claimed that a group of Russians and Wikileaks-connected hackers were in the country “cooperating with attempts to destabilize the government” in retaliation for the eviction of Julian Assange, the Wikileaks founder, from the Ecuadorian embassy in London and withdrawal of his asylum.
The government had granted Assange asylum in June 2012 on the basis of what it found was his credible fear of persecution, should he be extradited to the US. It later claimed that he was working with collaborators inside Ecuador to interfere with its internal affairs. No further details of this alleged sabotage plot have been revealed.
A constitutional judge ordered Bini’s release in June 2019 after he was held in pre-trial detention for 70 days. Bini cannot leave Ecuador. His devices were confiscated in connection with the investigation and the government is still holding them. After two and a half years, Bini is still awaiting his day in court. His trial was scheduled for October 21, 2021, but on October 19, 2021 it was postponed to a later date, not yet announced.
The Prosecutor’s Office charged Bini under article 234 of the Ecuadorian Criminal Code with “unauthorized access to an information system,” which criminalizes mere access to computer and telecommunications systems, regardless of intent. Bini’s lawyer told Human Rights Watch that a key piece of evidence on which the prosecution is basing its case is a photograph of a laptop screen taken from Bini’s mobile phone. The photograph is supposed to prove that he hacked the systems of Ecuador’s national communications provider (Corporación Nacional de Telecomunicaciones, CNT).
Human Rights Watch reviewed the photograph and shares the concern raised by 19 regional and international human rights and digital rights organizations that it does not indicate that Bini accessed an information system without authorization. Instead, it shows the digital trail of someone who visited a publicly accessible server — and then obeyed the server’s warnings about usage and access. In other words, Bini had discovered and connected to an open, insecure server, but when he received a warning message not to log on without authorization, he respected the warning and did not proceed.
The Electronic Frontier Foundation (EFF), which conducted a fact-finding mission to Quito concerning Bini’s case, said that Bini contacted a system administrator who had a working relationship with CNT, who replied that he would contact someone at CNT, presumably to let them know about the insecure telnet service. Such activities are fairly typical of computer security professionals as part of their work.
Due to the broad definition of unauthorized access to a computer and telecommunications system under the Ecuadorian Criminal Code, it has the potential to be applied in an unfair and disproportionate manner. Bini’s case demonstrates why it is important to clearly define the intent of cybercrime acts. Otherwise, such laws can be used to prosecute whistleblowers who may access computer systems or data to expose abuse of power, corruption, or other harms to public health, safety, or the environment.
Similarly, they may be used against security researchers, who in their efforts to disclose vulnerabilities in information systems, might access systems without permission, but with no intent to cause harm. Those activities are in the public interest, as they improve the security of society as a whole by allowing companies and the public sector to improve infrastructure and software security for the public’s benefit. Responsible disclosure of vulnerabilities is recognized as essential to cybersecurity, which is why governments are encouraged to remove obstacles such as legal frameworks that create risk for security researchers.
In Bini’s case, the evidence we reviewed does not indicate he proceeded after the warning or accessed the information system without authorization.
Another troubling aspect of this case is the way in which Bini’s use of encryption is being characterized. The screenshot shows that Bini used The Onion Router (Tor), an encrypted browser commonly used to circumvent local internet censorship or manipulation or to browse the internet anonymously. Bini tweeted after a December 2020 pre-trial hearing that a CNT lawyer suggested that his use of Tor indicated he was engaged in criminal activity— a problematic conclusion. Such logic could criminalize the activities of human rights defenders, journalists, and at-risk people around the world, in addition to undermining their security.
The human rights movement and people around the world have come to rely on technologies like Tor. Tor facilitates encrypted and anonymous internet browsing, which helps people circumvent censorship, shield their communications from surveillance by abusive regimes, and mitigates the risk of journalists and human rights defenders putting their contacts at risk of reprisal.
Human Rights Watch supports strong encryption and anonymity because they are fundamental for the protection of human rights in the digital age. Freedom of opinion, expression, and association, the press, the right to privacy, and other rights rely on the widespread availability and use of encryption and anonymity. The United Nations has recognized the importance of encryption, pseudonymization and anonymity for ensuring the enjoyment of human rights and said that governments should not interfere with their use.
As a general rule, governments should comprehensively protect encryption and anonymity. They should only adopt restrictions on a case-specific basis and in ways that meet the international standards of legality, necessity, proportionality, and legitimate aim, and require court orders.
Evidence reviewed by Human Rights Watch in Bini’s case resembles routine activities by someone with security expertise without presenting a convincing case of any malicious activity or any harm to the public. If the Ecuadoran authorities have evidence that he planned or implemented an attack on the government, they should present it.
Governments should encourage measures to promote digital security and digital literacy, not criminalize them. Conflating the work of security experts, whose knowledge human rights defenders, journalists, activists, dissidents, and ordinary people rely on to communicate safely and securely risks, with criminal activity is a dangerous escalation against digital rights defenders. Not only does it put them at risk, but it can have a profound chilling effect on the ability of people to use secure digital communications to exercise their human rights around the world.