Friday, July 20, 2012

GNI digital freedoms in international law report

I attended the launch of the Global Network Initiative (GNI) report Digital Freedoms in International Law: Practical Steps to Protect Human Rights Online at the Free Word Centre in London last month. In a report relating to the first panel of the day, Who controls access to our communications?, I suggested I'd stick a note here on the second panel, Exporting surveillance and censorship: is regulation an answer?, when time and space allowed. Heather Brooke chaired the panel which included joint author of the report, Ian Brown (Senior Research Fellow, Oxford Internet Institute), Eric King (Head of Research, Privacy International) and Tom Smith (Head of Export Control Organisation (ECO), Department for Business, Innovation and Skills).

Mr Smith opened proceedings explaining he takes decisions on behalf of Vince Cable on licensing the export of military and 'dual use' goods.  This involves a two stage process:
  • The first question is does it need a licence? The yes or no depends in most cases on whether it is on a control list. The control list is governed by the Wassenaar Arrangement agreed by 41 key countries involved in arms exports. The content of the list depends on which civilian goods have military application. So for example if something contained cryptography it could be refused a licence. If it is decided that the goods/services do need a licence then
  • They look at "consolidated criteria" against which all export licences issued are judged on a case-by-case basis.
The story of Creativity Software sales to Iran last year kinda hit the UK Department for Business, Innovation and Skills (BIS) out of the blue. As did later similar stories like the Italian company supplying US sourced surveillance technology to the despotic Syrian regime. BIS started looking into it and did three things.
  1. Got EU legislation in place to block supplies of this kind of tech to Syria.  Mr Smith's team worked as technical secretariat to the EU on this.
  2. The UK took the lead to put this on the table at Wassenaar. The technology at the heart of the controversy was not controlled and they wanted it to be. There have been two discussions at Wassenaar. For an international arms control issue it is moving like lightning - these things can take years - but it still appears to be incredibly slow in practice. He wants it sped up but some countries are procrastinating. The UK are working with the US and Germany to get an international control list. His ministers are behind this but will not back emergency unilateral legislation in the UK.
  3. ECO and BIS are reaching out with various degrees of success to the companies involved in this field.
The UK is taking the lead on this but he admitted they don't fully have a handle on the problem in terms of putting controls in place. The UK government, ECO and BIS have certain skills and leverage but need help.

Eric King from Privacy International was next up. Part of the process he used to research the issue was to attend trade shows for the companies involved in flogging these technologies. He discovered a web of very complicated trading dominated by US, UK and German companies. They get together at trade shows (on surveillance and arms sales). Their product pitches are incredible to listen to. The rule of law, privacy, civil rights don't exist as far as these people are concerned. They act like cowboys. The way they dress - e.g. black shirts, red jackets & ties - company names like Panopticon, excitable conscience-free talk about facilitating mass surveillance and countrywide interception is the order of the day.

These people are not shipping boxes off the shelf with no idea of what they are doing or who they are dealing with.  They are surveillance consultants.  They do the installation and the tech support.  A UK/German company (who I think he called Gamma?) regulate via DRM the number of intelligence agents who can use the technology; and charge by the number of people they spy on.  These companies talk openly at the trade shows and in their promotional materials about spying on political opponents and left leaning universities.

It is really important that export controls be put in place. This is the only way to deal with them. There is a phenomenal amount to be done to hold these companies to account for the terrifying human rights abuses they are perpetrating and facilitating.

Ian Brown then had the opportunity to talk about the GNI digital freedoms report. He opened by asking rhetorically is regulation necessary and then immediately answering yes. If we need it then how do we make it effective?

Some issues that the stakeholders they engaged with raised -
  • Dual use - some technologies have military and civilian applications. We cannot ban everything that can be put to nefarious uses
  • When is a device a mass surveillance device as opposed to a lawful interception device?
  • What about the context, e.g. use of the technology in countries without the rule of law?
  • There is very broad availability of these technologies.  So there would be little or no point in taking unilateral action in the UK on them.
  • There is a thriving second hand market in these surveillance technologies
  • Wassenaar had some very sensible rules e.g. there is no point in adding certain goods to the control list because you cannot control their export
  • The EU relies on member states to enforce export controls and yet many member states do not have export controls
  • Civil society made the point that definitions have to be precise.  Too narrow and you miss important stuff.  Too broad and you hinder democracy activists who can use technology for positive ends
It is good that Wassenaar is evolving. Its purpose is to control military and dual use goods and technologies. The GNI report recommends the definition of military and dual use be extended to cover things used to abuse human rights.

By and large cryptography control is obsolete.  Besides we want democracy activists in repressive regimes to have access to cryptography and easy to use cryptography at that.  In one Iranian case Nokia-Siemens equipment was used to find and arrest a 'dissident' activist.

The Communications Assistance for Law Enforcement Act (CALEA) in the US required back doors to be built into communications technologies to facilitate government surveillance.

Nokia-Siemens said they were not going to make any more money out of regimes like Iran. They separated off that branch of the company. Amasys (?), a French company doing business with Libya did the same thing. They sold off that part of the company.

The responsible thing for these organisations to do would be to be transparent about what they have shipped to whom and where.

It is not the only solution to the problem - this has to be tackled on multiple fronts - but export controls can help. There is kit which should be controlled but is not, yet.

Syria and Iran are easy to demonise - they are pariah states.  But there is a spectrum.  There are numerous other countries the UK patronises that are involved in well documented human rights abuses.

There followed a series of questions from the floor.

To what extent will enforcement be pursued against companies who break the rules?

Mr Smith from ECO replied it is largely a question for the CPS on whether to prosecute. BIS pursue a number of prosecutions every year. They win some and lose some. One of the questions the CPS ask is whether there is a legitimate defence where the company can reasonably plead ignorance of the uses to which their goods would be put.

Ian Brown also responded to this question making the point that despite concerns about the effectiveness of export controls, without them all other methods of control will be circumvented. And if we relied on the reputation of companies we would not do business with arms dealers.

The next question related to the extent to which government acts as salesmen for the arms industry - to what extent is the government selling surveillance equipment. Also, hacking tools are not just used for domestic surveillance but for international spying. To what extent are concerns about spying taken into account, i.e. arming other countries to spy on the UK? What are the concerns about selling zero day exploits abroad?

BIS do not think the UK government are with knowledge aforethought selling surveillance equipment abroad. Do they explicitly take into account whether goods considered for licensing will be used against the UK - yes.

Would it be good if there was an international forum for the control of technology used to abuse human rights? Yes.

Are the UK government going to say they have to protect surveillance technology export in the interests of protecting the export of other technology? No.

The companies that are doing the most damage are software companies that come out of telcos. There are a clutch of these companies around Berlin run by ex- Stasi officers.

Some of these companies have decent motives and genuinely want to supply protective technology and tools to democracy activists. But there are a lot of people in the field who are glorying in dealing with despotic regimes, wreaking havoc and having a whale of a time, says Eric King of PI.

There was a question about the Communications Data Bill (CDB aka the Snoopers' Charter). Mr Smith from ECO BIS is confident that the motivation of those pushing the CDB is pure.

Specialist companies dealing in this area do not respond well to external pressure. We have to put export controls in place and sue them. A couple of recent cases have been pursued against Cisco under the US Alien Torts Act accusing them of aiding and abetting torture and imprisonment. It can be difficult to get evidence but if companies are selling stuff and don't do due diligence they should be held liable.

The final comment from the floor was that pressure should be applied to the venture capitalists funding these companies.

A concluding comment was then requested from the three panelists.

Ian Brown emphasised the point that it is principally governments who can make a difference.  Ethical consumerism would help as would ethical capitalism on the part of the companies involved in these technologies.

Tom Smith said it is difficult but important to get these technologies under control and BIS are working hard to that end.

And finally Eric King said it is really important to get export controls on this stuff.  That rounds off the notes on the second panel but I think it is worth finishing with the executive summary and recommendations from the report again. Plus a recommendation that it is essential reading for anyone with an interest in digital freedoms in international law.
"With around 2.3 billion users, the Internet has become part of the daily lives of a significant percentage of the global population, including for political debate and activism. While states are responsible for protecting human rights online under international law, companies responsible for Internet infrastructure, products and services can play an important supporting role. Companies also have a legal and corporate social responsibility to support legitimate law enforcement agency actions to reduce online criminal activity such as fraud, child exploitation and terrorism. They sometimes face ethical and moral dilemmas when such actions may facilitate violations of human rights. In this report we suggest practical measures that governments, corporations and other stakeholders can take to protect freedom of expression, privacy, and related rights in globally networked digital technologies. These are built on a detailed analysis of international law, three workshops in London, Washington DC and Delhi, and extensive interviews with government, civil society and corporate actors."
Even if you're not a digital policy geek, the full executive summary (page 4-7) and the recommendations (p41-44) should be essential reading for everyone.

Wednesday, July 18, 2012

Commission on Bill of Rights 2nd consultation

Just appeared in my inbox are two emails from Marie Colton of the Commission on a Bill of Rights Secretariat, attached to which is a message from Sir Leigh Lewis, Chair of the Commission and a copy of the Commission’s recently published second consultation paper. The Chairman says:
"I am writing to provide you with a copy of a second consultation paper that the Commission on a Bill of Rights is making public today.

As you may be aware, the Commission was established by the UK Government in March 2011 primarily to investigate the creation of a UK Bill of Rights. Over the last 15 months, we have consulted widely on the issues which form part of our mandate. In particular, we published a discussion paper in August of last year which attracted over 900 responses. We have also met with numerous groups and individuals from around the UK and held a series of seminars to enable us to seek and receive views. Further details about our work, terms of reference and consultation programme can be found on the Commission’s website (www.justice.gov.uk/about/cbr/index.htm). Our thanks go to all those who have already contributed to our work and deliberations – whether by meeting with us, participating at one of our events, and/or submitting a response to our first discussion paper.

With less than six months to go until we must report, our Commission is now at a significant stage in its work. In particular, we have to decide whether or not to recommend a UK Bill of Rights and, if so, what form and content any such Bill might have. We have therefore decided to publish a second consultation paper to provide a further opportunity for you to tell us your views on a number of the key issues covered by our terms of reference and I am very pleased to attach a copy. If you responded to our first consultation last summer or have otherwise already conveyed your views to us, you do not need to repeat what you have already said which we have already taken very carefully into account. We would, however, very much like to hear from you again both on the further questions set out in this paper or if your views have developed or changed since you first responded. Equally, if you did not respond to our first consultation, that is no bar whatsoever to giving us your views now which we would greatly welcome.  

The deadline for responding to the consultation paper is 30 September 2012.

We greatly look forward to hearing your views.

Yours sincerely,

Sir Leigh Lewis KCB
Chair"
In the thick of a multitude of battles with zombie bureaucrats over entirely unrelated matters, I did draft and send a response to the original consultation in August last year. I realised, sadly after submitting, that my clumsy legal terminological inexactitudes and inadvertent misuse of legal and constitutional terms probably led to my submission being filed under whatever euphemism the Commission were then using for 'clueless'. It was a classic example of the importance of not writing at the margins of your time and sending off (what you, at least, consider to be) significant papers, in a hurry, without first giving them your full attention and running the draft past informed friends and colleagues.

The questions in this second consultation are as below.
"Q1: What do you think would be the advantages or disadvantages of a UK Bill of Rights? Do you think that there are alternatives to either our existing arrangements or to a UK Bill of Rights that would achieve the same benefits? If you think that there are disadvantages to a UK Bill of Rights, do you think that the benefits outweigh them? Whether or not you favour a UK Bill of Rights, do you think that the Human Rights Act ought to be retained or repealed?
Q2: In considering the arguments for and against a UK Bill of Rights, to what extent do you believe that the European Convention on Human Rights should or should not remain incorporated into our domestic law?
Q3: If there were to be a UK Bill of Rights, should it replace or sit alongside the Human Rights Act 1998?
Q4: Should the rights and freedoms in any UK Bill of Rights be expressed in the same or different language from that currently used in the Human Rights Act and the European Convention on Human Rights? If different, in what ways should the rights and freedoms be differently expressed?
Q5: What advantages or disadvantages do you think there would be, if any, if the rights and freedoms in any UK Bill of Rights were expressed in different language from that used in the European Convention on Human Rights and the Human Rights Act 1998?
Q6: Do you think any UK Bill of Rights should include additional rights and, if so, which? Do you have views on the possible wording of such additional rights as you believe should be included in any UK Bill of Rights?
Q7: What in your view would be the advantages, disadvantages or challenges of the inclusion of such additional rights?
Q8: Should any UK Bill of Rights seek to give guidance to our courts on the balance to be struck between qualified and competing Convention rights? If so, in what way?
Q9: Presuming any UK Bill of Rights contained a duty on public authorities similar to that in section 6 of the Human Rights Act 1998, is there a need to amend the definition of ‘public authority’? If so, how?
Q10: Should there be a role for responsibilities in any UK Bill of Rights? If so, in which of the ways set out above might it be included?
Q11: Should the duty on courts to take relevant Strasbourg case law ‘into account’ be maintained or modified? If modified, how and with what aim?
Q12: Should any UK Bill of Rights seek to change the balance currently set out under the Human Rights Act between the courts and Parliament?
Q13: To what extent should current constitutional and political circumstances in Northern Ireland, Scotland, Wales and/or the UK as a whole be a factor in deciding whether (i) to maintain existing arrangements on the protection of human rights in the UK, or (ii) to introduce a UK Bill of Rights in some form?
Q14: What are your views on the possible models outlined in paragraphs 80-81 above for a UK Bill of Rights?
Q15: Do you have any other views on whether, and if so, how any UK Bill of Rights should be formulated to take account of the position in Northern Ireland, Scotland or Wales?"
Paragraphs 80-81 referred to in Q14 are as follows:
"80. One possible model for a UK Bill of Rights in this context is a Bill that might sit alongside the existing Human Rights Act and contain substantially similar provisions and rights to those currently found in Schedule 1 to the Act. Under this model these rights might apply UK wide but be exercisable in respect of reserved matters only. Such an instrument might also include a separate chapter containing rights that applied only to England, as well as a statement that acknowledged the competence of the Northern Ireland Assembly, the Scottish Parliament and the National Assembly for Wales to enact legislation conferring additional rights to meet the particular needs of those countries. Any additional rights passed by the devolved legislatures would, by virtue of the existing devolution statutes, relate to devolved matters only. In the view of some such a model might simply reflect what already happens in practice in respect of rights protection under the devolution statutes.
81. Another possible model might be a UK Bill of Rights that contained additional rights in respect of Northern Ireland, Scotland and Wales but which would not enter into force in respect of those countries without the consent of the respective devolved legislature."
I would highly encourage engagement with the consultation. I wouldn't put it past the political digerati to stoke up some public mischief using the possible Bill of Rights and Human Rights Act as political footballs, in order to divert attention from their endless woes and pathological ineptitude. So the importance of this Commission cannot be overstated.