Digital surveillance is often sold as protection.

The pitch is familiar: public security is under pressure, threats are harder to track, and agencies need modern tools to keep up. In some cases, that is true. States do need lawful ways to investigate serious threats. The problem starts when surveillance becomes vague, routine, secretive, and weakly controlled.

At that point, the tool stops looking like protection and starts becoming part of the threat model.

That is the core warning in a new guide from the Electronic Frontier Foundation, Tackling Arbitrary Digital Surveillance in the Americas. The guide compiles privacy, data protection, and access-to-information guarantees from the Inter-American Human Rights System and turns them into concrete recommendations for governments trying to contain surveillance abuse.

The issue is not surveillance technology by itself

The serious version of this debate is not that every investigative tool should disappear. That is not realistic, and it is not the right target.

The problem is arbitrary power.

When public security, intelligence, or law enforcement agencies can deploy digital surveillance without clear rules, narrow purposes, independent approval, records, oversight, notification, and remedies, the system becomes structurally unsafe. It invites abuse even before any individual actor behaves badly.

That is the systems-design lesson here. Surveillance architecture is not just code, vendors, databases, devices, and network access. It is also law, governance, auditability, institutional incentives, and accountability.

A powerful tool without a control plane is not mature infrastructure. It is a liability.

EFF’s checklist is practical

EFF’s guide calls for governments to implement clear and precise legal frameworks that define surveillance powers and limits. It also calls for legitimate aims, necessity and proportionality analysis, prior judicial authorization, detailed records of surveillance operations, independent civilian oversight, notification rights, and remedies for victims.

That list matters because it moves the conversation away from vague trust.

Trust us is not a control. National security is not a blank check. Public order is not a reason to erase every boundary. If surveillance is necessary, the state should be able to explain what authority it is using, what target it is pursuing, why the measure is necessary, why less invasive options are not enough, who approved it, how it is recorded, who audits it, and what happens when it is abused.

Those are not decorative constraints. They are the difference between lawful capability and institutionalized intrusion.

Normalization is the danger

The most important word in EFF’s framing is normalization.

Abuses do not always arrive as obvious exceptions. They become ordinary through repetition. A tool is introduced for serious crimes. Then it expands to public-order cases. Then it becomes available to more agencies. Then the records are incomplete. Then oversight is underfunded. Then the public has no way to know whether the system is being used properly.

Eventually, the surveillance layer feels permanent.

That is the danger of treating digital surveillance as a default administrative function. Once the infrastructure exists, agencies find reasons to use it. Once vendors build around it, markets form. Once data flows normalize, turning them off becomes politically and operationally harder.

The best time to create hard limits is before the system becomes invisible.

Rights are part of the architecture

Digital rights are often talked about as external limits on technology. That is too weak.

Rights should be treated as part of the architecture. A system that can monitor people at scale should be designed around legal boundaries, audit trails, deletion rules, access controls, reporting duties, and consequences for misuse. Otherwise, the institution is relying on culture and discretion where it should have enforceable structure.

This is especially important for surveillance because the people affected often do not know they were targeted. If there is no notice, no access to information, no independent review, and no remedy, the abuse can remain hidden long after the harm is done.

That is a bad feedback loop. Systems improve when errors are visible. Arbitrary surveillance systems hide their own errors.

Security without accountability is brittle

EFF’s guide argues that states adopting these safeguards can build more resilient, rights-respecting security architectures. That is the useful frame.

Accountability is not a softness layer added after security. It is part of security. Institutions that operate without meaningful constraints create distrust, legal exposure, operational abuse, and political instability. They may gain short-term power, but they weaken the legitimacy that durable security depends on.

That matters for technology policy because surveillance tools are getting cheaper, more capable, and easier to integrate. Device hacking, location tracking, biometric systems, data brokers, communications monitoring, AI-assisted analysis, and cross-agency databases all raise the same question: who watches the watchers, and what happens when they break the rules?

A serious state should be able to answer that question.

The useful standard

The standard should be simple: surveillance powers must be specific, necessary, proportionate, authorized, recorded, independently overseen, and contestable after the fact when doing so no longer compromises a legitimate investigation.

That is not anti-security. It is how security earns legitimacy.

The alternative is a permanent gray zone where agencies use powerful tools under weak law, victims have no remedy, and the public is asked to accept surveillance as the cost of safety.

That is not modern governance. It is technical capacity outrunning institutional discipline.

EFF’s guide is useful because it brings the conversation back to concrete controls. The question is not whether governments can buy or build surveillance technology. They can. The question is whether they can operate it under rules strong enough to prevent the tool from becoming an abuse engine.

Surveillance power needs limits because power scales. Digital power scales faster.

Sources