Edit: Ecuador’s free software association has published an open letter to the President and the national assembly opposing this new law. You can read the letter (in Spanish) here, and sign it by emailing email@example.com
Ecuador’s new Penal Code is being debated this week in the National Assembly. The bill is enormous, but because the debate period it is so short (a few days), and voting is this week, I’d like to highlight a very specific set of articles which I find hugely problematic.
At a time when the world is discussing how best to protect our personal privacy from massive online spying care of the United States and the like, Ecuador is asking its telecom internet providers and telecom resellers (such as the Internet cafés where millions without home internet access go online) to collect massive amounts of user data and store it indefinitely.
Here is my translation of the proposed new laws. Art 485.2 refers to telecom-service resellers like Internet cafés, but also anyone who provides an internet or voice connection “for free”, meant to refer to those who offer public wifi zones (restaurants, mall food courts, bus stops like the new wifi zones at Metrovía stations in Guayaquil, etc). But technically, any individual who lends their internet connection to another party must register user data on that third party. The new laws, as written:
Art. 485.- Conservation of data and registries. The conservation of data will be guided by the following rules:
1.Telecommunications service providers and distributors should keep data on their clients or users, as established by a contract, and conserve the integrity of all data regarding phone numbers, static and dynamic IP addresses, as well as the traffic over a connection, access to transactions and information about the wireless communication connections that are made and the connection path for a minimum of six months, to aid with relevant investigations. The same precepts will be followed for the interception of communications.
2. Rate-payers of telecommunications services who share or distribute their data connection or voice line to third parties, either as a commercial service or freely, must store data related to the third party in a physical register and conserve data about the user, date and start and end times of connection, for at least six months, by installing security video cameras, to facilitate any corresponding investigation.
4. Judges, upon request of a district attorney, can compel reports on the data that is registered, archives, including electronic. The breach of this requirement, the forgery of the report delivered to law enforcement, or the concealment of the data will result in penal responsibility if the infraction is considered a crime.