Thursday, June 21, 2012

GNI Digital Freedoms Report

I attended the launch of the Global Network Initiative (GNI) report Digital Freedoms in International Law: Practical Steps to Protect Human Rights Online at the Free Word Centre in London yesterday. The executive summary gives an overview:
"With around 2.3 billion users, the Internet has become part of the daily lives of a significant percentage of the global population, including for political debate and activism. While states are responsible for protecting human rights online under international law, companies responsible for Internet infrastructure, products and services can play an important supporting role. Companies also have a legal and corporate social responsibility to support legitimate law enforcement agency actions to reduce online criminal activity such as fraud, child exploitation and terrorism. They sometimes face ethical and moral dilemmas when such actions may facilitate violations of human rights. In this report we suggest practical measures that governments, corporations and other stakeholders can take to protect freedom of expression, privacy, and related rights in globally networked digital technologies. These are built on a detailed analysis of international law, three workshops in London, Washington DC and Delhi, and extensive interviews with government, civil society and corporate actors. "

David Sullivan (Policy and Communications Director, Global Network Initiative)welcomed everyone explaining the GNI "is a multi-stakeholder group of companies, civil society organizations (including human rights and press freedom groups), investors and academics, who have created a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector. GNI provides resources for ICT companies to help them address difficult issues related to freedom of expression and privacy that they may face anywhere in the world. GNI has created a framework of principles and a confidential, collaborative approach to working through challenges of corporate responsibility in the ICT sector." GNI want multi-stakeholder scrutiny of policy proposals surrounding the internet.

Kirsty Hughes, the Chief Executive of Index on Censorship, opened with the tale of the Azerbaijani blogger who had been jailed and tortured and continually harassed since his release. Azerbaijan government representatives even heckled and yelled at him as he spoke at the OSCE Internet Freedom conference in Dublin earlier this week.  The opportunity for expression facilitated by modern technology, she said, is brilliant compared to just 20 years ago.  But the downside is that the technology facilitates surveillance.

The Google transparency report 2012 reports that Google had few takedown requests from China. Is that good news or are China so good at censorship  they don't need Google's help? The volume of takedown requests increased drastically in India (49%) and the US (103%). There are huge concerns from the big ISPs about this.  Ms Hughes rounded off by saying Index on Censorship are committed to doing a lot more about internet censorship issues.

The first panel of the day was chaired by Ms Hughes and included Richard Allan (Director of Policy EMEA, Facebook), Stephen Deadman (Group Privacy Officer and Head of Legal, Vodafone) and Douwe Korff (Professor of International Law, London Metropolitan University).  Mr Deadman was invited to speak first to address the question of who has access to our communications.  He looks after privacy and security at Vodaphone and noted the law enforcement and human rights issues have increased by an order of magnitude over the past 10 years. Telecommunications companies (telcos) have come together to express their concern about pressures from various governments to disclose data undermining human rights.  Ten have recently published a set of principles around human rights in their sector.

For telcos surveillance is a fact of life. It is the nature of their business. The level of support provided to law enforcement authorities is on an industrial scale.  That affects the way they have to manage law enforcement. Working with law enforcement is not rare.  It is very common. So the processes have to ensure that cooperation happens in a legitimate way. However the technology has changed hugely whilst there has been very little change in how telcos provide support for law enforcement.  The Communications Data Bill, he hopes, will lead to an enlightening public debate on this.

There are two key issues for Vodaphone:

1. How can surveillance powers be adapted to the modern world in legitimate, proportionate and necessary ways?
2. How do telcos operate in markets where even basic human rights do not exist?

Richard Allan from Facebook followed. His answer to the question of who controls access to your communications is you. "The default mode is you control access to your communications." (Ahem) Operators have a moral (ahem) and legal obligation to ensure that control is meaningful.  The challenge is that governments want to override your control of your data.  Data retention is the evil twin of data protection. (That got a laugh.  You could tell he'd learned his script and was practiced at delivering it.)

Override powers are in law and companies have to abide by them if they want to operate in that jurisdiction. And the government will not leave you alone if you are as big as Facebook.  Richard Allan then asked what do we want as citizens? He wants informed consent and accountability.  So called "informed consent", imho, is a meaningless concept in the context of companies like Facebook since their users have no idea of what exactly it is they are giving away. However he followed through with the informed consent and accountability line and explained what he thought it meant - clear what the override powers are, when they are being used and what they are being used for (aka transparency); and he wants to give his consent to these things only through the judicial process.  He also wants to have to give consent (aka have his say in) to what society considers banned speech.    He also wants the authorities to be held accountable.  If commerce knew the rules were clear and governments accountable that would make their life much easier.

Note in the Facebook worldview the real evil twin is government and the good twin is commerce. It was a subtle message, slickly delivered. Yet I didn't get that from Vodaphone's Stephen Deadman.  Mr Deadman was direct in stating clearly that surveillance is in the operations dna of telcos, that support for law enforcement is provided on an industrial scale and that the regulations need to catch up with the technology via an open informed public debate. He didn't try to blame the evil government bogeyman but insisted we need to adopt proportionate, legitimate and necessary surveillance powers for the modern world.

Professor Korff came next and launched into his task with some passion.  Technology is evolving he said.  In the old days the amount of data gathered was relatively limited. Now installing a surveillance black box generates a vast amount of data.  This is fundamentally dangerous.

The way the surveillance technology is built varies. These systems need ongoing continuous maintenance and support.  The amount of data is huge and the UK government are being disingenuous or clueless if they think they are only going to gather minimal data through the provisions outlined in the Communications Data Bill (CDB).  Peter Sommer eloquently explained at the recent Scrambling for Safety conference that communications and content data cannot be separately simply in the way the government believes.

If CDB goes ahead in the UK, Prof Korff believes, we will all effectively be tagged like criminals are now.

The international law surrounding all this is really complicated. During the Arab spring in Tunisia, Egypt and other places states of emergency were declared by respective governments and normal laws suspended. Terrorism falls between peacetime and emergency but government authorities want to operate as they would in a state of emergency.  Different jurisdictions have different perspectives on speech.  In parts of Europe it is against the law to deny the holocaust.  In the US the first amendment gives people a constitutional right to do so.  It's difficult to apply conflicting laws across borders.

When researching the report they looked at the emergency standards in international law and the Ruggie principles. Ruggie focused on companies breaching human rights. In the GNI report they wanted to focus on states forcing companies to undermine human rights.

Index on Censorship CEO Kirsty Hughes then posed the question: When is it a company's obligation to challenge the law?

Stephen Deadman of Vodaphone, in fairness, again didn't attempt to duck the question.  He suggested it depended on the context.  He argued that companies cannot engage in civil disobedience if they have a physical presence in a particular market. But they do have an obligation to push back in whatever way makes sense in that market.  Sometimes this has a positive outcome.  They were under pressure from the Egyptian government to spam people with state sponsored messages.  Vodaphone pushed back and said no.  The government could have forced the issue but chose not to. The practical reason companies like Vodaphone cannot go any further than this, he insisted, was that it could have serious consequences for employees on the ground in those countries where human right abuses are rife.  Local Vodaphone employees have rights too and the company has an obligation not to put them in danger.

He was then asked if Vodphone would decide to go into or withdraw from a market on the basis of a specific country's human rights record.  Disappointingly here he retreated into the standard PR response mode.  For Vodaphone, human rights is one of the factors they consider but the key question is whether the people in that market would be better off with them, a company that respects human rights, than without. He could not and would not give a guarantee that they would refuse to go into a country on human rights grounds.

The Facebook response to when is it a company's obligation to challenge the law was a pleading - Facebook don't have a choice; when you're as big as Facebook nasty governments won't leave you alone.  The cure is to get a global regulatory framework that is the same for everyone.  Part of that framework is in place in the cybercrime convention.

Douwe Korff then suggested if there was no rule of law in a country it was not a very stable place to invest.  One of the recommendations in the GNI report is a single point of contact in each country for communications data access requests to companies.  Part of the problem for companies getting established in new countries is the multiple levels of corruption and many corrupt officials demanding data from telcos for example.  It's therefore a good idea to get agreement eg through UK ambassadors at high level what/who the single point of contact for surveillance data requests would come from.  Then if low level officials demand data they get referred to the higher authority.  It facilitates transparency of the process.

Stephen Deadman responded Vodaphone have taken this approach in a number of markets. It is easier for the company and the central government gets the benefit of monitoring these processes centrally too.

At this point there was a question from the audience prefaced with an accusation that neither Vodaphone nor Facebook are transparent about the number of requests they receive. There is a bizarre situation in some countries where you may only find out your data have been mined when you're in the dock.  In many countries there are no prohibitions on telling data subjects data has been requested by the government authorities.  Why do Vodaphone and Facebook not tell users about surveillance requests and how many geolocation  requests are they getting in the UK.

Stephen Deadman explicitly refuted the suggestion that Vodaphone have the freedom to share this information with users in many countries.  He also said it should be for governments to provide the information right across the whole market rather than individual operators disclosing.

Richard Allan said Facebook are looking at Google's transparency report and wondering if they could do something similar. But in terms of "tipping off" (my hackles were raised slightly by that) Facebook do their own assessment of the law enforcement requests for information; and tipping off is not appropriate in most cases e.g. child abuse investigation.  More cases Facebook get are legitimate investigations.  Typically totalitarian regimes don't make data requests from Facebook.  Newspapers protect sources.  Facebook and Vodaphone are not newspapers.  Facebook primarily view it as a safety issue.  Cooperating with law enforcement is a big part of that.  Safety and security are the overriding objectives.

Stephen Deadman then forcefully pointed out that Vodaphone get very little background on law enforcement requests for information.  They get a request form and follow a process.  Vodaphone is not in a position to assess the case from an investigative, criminal or legal process perspective and should not be.  It is not part of Vodaphone's remit to investigate or prosecute crimes.  They must, however, ensure due process is followed with respect to the information they supply to law enforcement.  But their capacity to say to law enforcement that they are overstepping the mark is non existent.  Vodaphone, however, get radically different types of data requests to companies like Facebook or Google.

Douwe Korff jumped in at this point and I could tell I wasn't alone in taking offence at Richard Allan's "tipping off" phrase. All this, he said, is a dialogue in secret behind your back.  On publishing the data on numbers of requests he doesn't trust government.  By all means they should publish their statistics but the telcos should too and then we can compare the two sets of data and find the holes. Companies should minimise and push back against government overreaching every time.  He doesn't believe Facebook have the competence to assess criminal cases and whether information requests are legitimate.  Companies should know the legal setup of any country they get into and with the help of academics and civil society etc facilitate understanding through transparency.  He objected strenuously to Facebook's "tipping off" language too.

Eric King of Privacy International asked for clarification of Vodaphone's interpretation of the Regulation of Investigatory Powers Act (RIPA).  His own understanding was that the RIPA default is that telcos are not gagged if they get a data access request.  He also wanted to know what degree of human supervision happens in these industrial scale law enforcement cooperations.

Stephen Deadman said Vodaphone do have oversight and review processes.  Most cases have some kind of review, some are automated.  Vodaphone doesn't have a legal opinion that says that it cannot disclose data requests under RIPA.  In other countries so prohibitions do apply.  Going down the route of transparency is something he accepts is a good idea in principle.  It does have a number of operational, cost and other practicality issues to consider though.

Mr Deadman did also, later in proceedings, say that advanced markets are the best at surveillance - this is a simple emergent feature of the different levels of technical competence.

Prof Korff then pointed out that black boxes are dangerous technology because they are indiscriminate.  The only control on them is the good behaviour or good intentions of the agencies that operate them. Without transparency no one is watching the watchmen.

There followed rather long PR statement on behalf of Facebook from Richard Allan.  All about ow Facebook what to make the world more open, how they are getting increasingly transparent, how they are much and unfairly maligned for not warning people enough, how a stazi type control system would not work and how Facebook has a network of activists showing people how to use Facebook safely.

There was a question from a member of  the House of Lords on how long the panel members thought it would be before the surveillance technology became useless except for catching stupid crooks.

Prof Korff: the circumvention technology arms race will continue and ordinary people will become more educated about the dangers online.

Richard Allan:  That is the rationale for the Communications Data Bill - technology is changing so fast the government need to keep up and they claim they can only do so with sweeping powers.  So we have to be careful with that kind of argument. They argue the more difficult it is the more data they want.

Vodaphone's Stephen Deadman agreed - the Bill is the response to that fear. He wonders if we have really looked at this holistically?  We need a debate as to what surveillance is legitimate, proportionate and necessary.

Kirsty Hughes' final question then was how worried should we be about the Communications Data Bill?

Prof Korff - "Very worried"

Richard Allan - "On a scale of 1 to 10, 11!"

Stephen Deadman - "Concerned."

That rounded off the first panel of the day.  I'll stick another note here on the second panel as, when and if time allows

No comments: