Hiperderecho's surveillance accountability campaign in Peru (2013–ongoing)

Hiperderecho's sustained surveillance accountability campaign is Peru's principal civil-society effort to document, challenge, and publicise the legal and technical infrastructure through which state and corporate actors surveil civil society in Peru. Anchored on the country's founding digital-rights non-profit, the campaign runs two parallel tracks: an ISP accountability track — the ¿Quién Defiende Tus Datos? annual series evaluating Peruvian telecommunications companies against privacy-protection criteria — and a state-surveillance accountability track — legislative opposition, the #LeyStalker campaign, the Ciudadanía Bajo Ataque documentation project, and the 2025 Vigilados en secreto systematic legal analysis. Through both tracks, Hiperderecho has built the evidentiary and public-advocacy record that positions it as the authoritative counterpart to Peruvian ISPs, the state intelligence apparatus, and increasingly the UN Human Rights system on questions of surveillance, digital repression, and the rights of human rights defenders in the digital age.

Founding context — Peru's 2013 cybercrime law

The campaign's founding axis is Peru's Law 30096, the cybercrime law passed by Congress in five hours without meaningful public debate or civil-society consultation — a bill introduced by the government that displaced a long-debated justice commission proposal and moved through the floor in a single closed session. Access Now and Hiperderecho publicly opposed the law, pointing to provisions that criminalised legitimate online expression, prohibited the creation of databases from public information in direct contradiction with Peru's own access-to-information legislation, and left surveillance-enabling gaps around telephone interceptions. Hiperderecho was founded in 2013 as part of this response and has treated the cybercrime law and its reform as a continuous advocacy obligation since.

¿Quién Defiende Tus Datos? — ISP accountability series (2015–ongoing)

The campaign's most institutionally durable instrument is the ¿Quién Defiende Tus Datos? (Who Defends Your Data?) annual ISP accountability series, launched on November 19, 2015 in collaboration with the Electronic Frontier Foundation. The series adapts EFF's "Who Has Your Back?" methodology to the Peruvian telecommunications market: it evaluates the country's major ISPs and telephone companies against criteria covering privacy policy, judicial warrant requirements before handing user data to authorities, user notification of government data requests, transparency reporting on those requests, and public commitment to user rights. The 2015 first edition evaluated four ISPs and found that none received a star in the transparency or user-notification categories — no company published how many government data requests it received, and none committed to notifying users of such requests at the earliest moment permitted by law.

The 2019 second edition expanded the scope to six ISPs (Movistar, Claro, Bitel, Entel, Olo, Inkacel) and found meaningful progress: Movistar earned recognition for publishing annual transparency reports detailing the number and type of government data requests it received and its internal compliance procedures, and Movistar, Bitel, and Claro received credit for warrant requirements on content data. But the 2019 assessment also named a persisting structural gap: no company publicly advocated for user privacy before courts or legislators, and none committed to notifying customers of government requests at the earliest permitted moment — the two criteria that would transform ISPs from passive compliance actors into active defenders of user rights. The 2020 third edition found stronger overall ISP commitments but persistent carrier-to-carrier imbalances. The 2022 fourth edition documented that two of Peru's top ISPs had improved transparency practices while two competitors lagged, characterising the sector as one of structurally imbalanced and inconsistent commitment to user rights. The series has produced the only sustained civil-society audit of Peruvian ISPs' user-privacy practices, making Hiperderecho the principal accountability counterpart in the annual EFF-coordinated Latin American review cycle.

The #LeyStalker campaign — opposing mass surveillance without judicial oversight (2015)

The campaign's most publicly visible single confrontation with the Peruvian state is the #LeyStalker mobilisation of July–August 2015. The Humala administration issued a presidential decree enabling the National Police to access cell-phone location data without a court authorization — a shift the Electronic Frontier Foundation characterised as moving "from surveillance of communications records based on individualized suspicion to the mass untargeted collection of communications data of ordinary, non-suspect people." The same decree required ISPs and telephone companies to retain communications and location metadata for three years. The location data the decree opened to warrantless police access reveals sensitive information — religious, medical, sexual, and political associations — and created specific risks for journalist source protection: civil-society critics explicitly invoked Peru's traumatic history under the Fujimori-era spy chief Vladimiro Montesinos as the reference point for what unchecked state location surveillance produces in the Peruvian context.

Hiperderecho and civil society mobilised quickly. The hashtag #LeyStalker trended nationally on Twitter, forced the issue onto newspaper front pages, and placed the decree on Peru's national political agenda — even generating a public statement of concern from Archbishop Juan Luis Cipriani. Hiperderecho's then-director Miguel Morachimo named congressional repeal or constitutional review as the available remedies. The #LeyStalker campaign is the corpus's first documented instance of a Latin American digital-rights organisation mobilising a national social-media campaign that placed a state surveillance measure under sustained public scrutiny.

Documenting digital attacks on civil society — Ciudadanía Bajo Ataque

Beyond legislative opposition, Hiperderecho has maintained Ciudadanía Bajo Ataque (Citizenship Under Attack), a documentation project that records aggressions against journalists, activists, and other citizens by state and private actors using digital tools, and tracks the legal norms and measures that seek to limit their freedoms. The project serves as a public accountability record for the digital attack surface that civil society faces from Peru's security apparatus — the National Police, the National Intelligence Directorate (DINI), and their telecommunications access infrastructure.

Vigilados en secreto — mapping Peru's surveillance architecture (September 2025)

The campaign's most systematic analytical output to date is Vigilados en secreto: normas, prácticas y silencios en el acceso a información pública sobre vigilancia, published September 16, 2025, and authored by Hiperderecho Research Director Lucía León Pacheco. The report provides the first systematic civil-society legal analysis of the architecture of state surveillance in Peru — mapping the mechanisms through which different state institutions operate surveillance with little or no citizen supervision. Its principal findings: police can access the geolocation of persons without a judicial warrant, embedded in the existing legal framework; undercover agents are permitted to operate in digital environments without transparent protocols or civilian oversight; the criteria by which information is classified as "secret" or "reserved" under national security designations are ambiguous, enabling systematic opacity about surveillance operations; and data collection through telecommunications regulator OSIPTEL reaches millions of users without sufficient accountability mechanisms. The report's most significant evidentiary anchor is the DIRIN Leaks — a disclosure that confirmed the National Police had conducted surveillance of journalists and media outlets critical of the government, establishing documented state targeting of the press rather than only documenting the legal possibility.

The report's framing places surveillance not as a necessary tradeoff between security and rights but as a national-security apparatus that has "operated with little transparency" while producing a "documented legacy" of political targeting — echoing the Montesinos-era reference frame that the #LeyStalker campaign had already activated a decade earlier. Its public demand is not for the elimination of surveillance mechanisms but for legal definition, democratic oversight, and judicial authorization as structural constraints on the architecture it maps.

The September 2025 protest cycle — bloqueo, doxeo, and terruqueo

The Vigilados en secreto analysis landed alongside Hiperderecho's real-time documentation of the September 2025 anti-pension-reform protest cycle under President Dina Boluarte. On September 20, 2025, 50 activists found their mobile phone lines fraudulently blocked at the moment of ongoing demonstrations — the blockages executed through false theft reports that exploited telecommunications companies' suspension protocols, targeting protest organisers at the moment of highest operational need. The campaign simultaneously documented two parallel forms of coordinated digital repression: doxing through recently created anonymous social-media accounts that disseminated activists' names, home addresses, family members' photographs, and personal information; and terruqueo — organised TikTok campaigns pairing images of Sendero Luminoso's imprisoned leader with accusations of terrorism against protest participants. Hiperderecho characterised the terruqueo pattern as "especially grave and dangerous" given Peru's decades of armed conflict, during which the terrorist label has historically produced lethal consequences for those to whom it was applied. The three tactics together — bloqueo, doxeo, terruqueo — represented a documented combination of operational suppression (communication blockages at protest moments), individual intimidation (personal data exposure), and delegitimisation (terrorist association) that Hiperderecho framed as a repotentiated form of digital repression integrated with Peru's existing surveillance infrastructure.

Escalation to the UN Human Rights system (2026)

The campaign's international escalation dimension gained its most formal expression in Hiperderecho's May 6, 2026 submission to the UN Office of the High Commissioner for Human Rights' global call for input on the protection of human rights defenders in the digital age. The submission names four specific mechanisms in Peru's legal and enforcement architecture as threats to defenders: warrantless geolocation access; undercover digital agents without transparent protocols; selective mobile-line suspension targeting activists during protests (documented in September 2025); and the expansion of biometric recognition technology without accountability mechanisms. Its core finding — that Peru's legal protection framework for human rights defenders has inadequately adapted to the digital context — converts the campaign's decade-plus of domestic documentation into a formal submission to the UN's global defender-protection record. The civil society restriction law passed by Peru's Congress in March 2025, which Hiperderecho publicly opposed as an instrument to suppress independent oversight of state surveillance and rights violations, forms the immediate domestic backdrop to the UN submission: the legal architecture the submission challenges now explicitly includes a law criminalising the use of international cooperation funds for rights litigation, directly targeting the campaign's own instrument.

Significance

This campaign is the corpus's entry for Peru's principal sustained civil-society effort against state and corporate surveillance — and the corpus's first Peru entry in the campaigns slice, closing the South American geographic gap beyond Brazil, Argentina, and Colombia. Its significance to the movement operates on three levels.

First, the ¿Quién Defiende Tus Datos? series is the only sustained public audit of Peruvian ISPs' user-privacy practices. Through four editions across seven years, the series has moved the baseline: the fact that Movistar now publishes annual transparency reports on government data requests — absent in 2015 — is a direct product of the accountability pressure the series generates. It is the operational template the Latin American digital-rights field has used for ISP accountability in multiple jurisdictions, with EFF and Access Now as structural partners.

Second, the state-surveillance accountability track has produced the only systematic public legal map of Peru's surveillance architecture — in Vigilados en secreto — and the most detailed public documentation of the specific digital repression tactics deployed against civil society during Peruvian protest cycles. The DIRIN Leaks anchor in the report places government surveillance of the press on the verified factual record in a way that political denials cannot easily displace.

Third, the campaign's arc — from founding opposition to cybercrime legislation through ISP accountability, #LeyStalker, Ciudadanía Bajo Ataque, the 2025 surveillance mapping, and the 2026 UN submission — traces how a country-level digital-rights organisation builds from domestic legislative opposition into systematic documentation and international escalation as the legal-reform channel becomes constrained. The March 2025 civil society restriction law is the most recent instance of that channel being constrained: the same Congress that passed the 2013 cybercrime law now moves to restrict the litigation and advocacy work Hiperderecho has built to challenge it. The UN submission is Hiperderecho's most legible current response to that constraint.