04 Nov 13 | Digital Freedom, News and features
We can partially blame gerrymandering for the current gridlock in the U.S. Congress. By shaping the electoral map to create politically safe spaces, we have generated a fractious body that often clashes rather than collaborates, limiting our chances of resolving the country’s toughest challenges. Unfortunately, revelations about the global reach of American security surveillance programs under the National Security Agency (NSA) are leading some to propose what amounts to gerrymandering for the internet in order to route around NSA spying. This will shackle the internet, inherently change its technical infrastructure, throttle innovation, and likely lead to far more dangerous privacy violations around the globe.
Nations are rightly upset that the communications of their citizens are swept up in the National Security Agency’s pervasive surveillance dragnet. There is no question the United States has overreached and violated human rights in its collection of communications information on innocent people around the globe; however, the solution to this problem should not, and truly cannot, be data localization mandates that restrict data storage and flow.
The calls for greater localization of data are not new, but the recent efforts of Brazil’s President, Dilma Rouseff, to protect Brazilians from NSA spying reflected the view of many countries suddenly faced with a new threat to the privacy of the communications of their citizens. Rouseff has been an advocate for internet freedom, so undoubtedly her proposal is well intentioned, though the potential unintended repercussions are alarming.
First, it’s important to consider the technical reasons why data location requirements are a really bad idea. The Internet developed in a widely organic manner, creating a network that allowed data to flow from all corners of the world – regardless of political boundaries, residing everywhere and nowhere at the same time. This has helped increase the resilience of the internet and it has promoted significant efficiencies in data flow. As is, the network routes around damage, and data can be wherever it best makes sense and take an optimal route for delivery.
Data localization mandates would turn the internet on its head. Instead of a unified internet, we would have a fractured internet that may or may not work seamlessly. We would instead see districts of communications that cater to specific needs and interests – essentially we would see Internet gerrymandering at its finest. Countries and regions would develop localized regulations and rules for the internet to benefit them in theory, and would certainly aim to disadvantage competitors. The potential for serious winners and losers is huge. Certainly the hope for an internet that promotes global equality would be lost.
Data localization may only be a first step. Countries seeking to keep data out of the United States or that want to exert more control over the internet may also mandate restrictions on how data flows and how it is routed. This is not far-fetched. Countries such as Russia, the United Arab Emirates, and China have already proposed this at last year’s World Conference on International Telecommunications.
As internet traffic begins to demand more bandwidth, especially as we witness more real-time multimedia applications, efficient routing is essential to advance new internet services. High capacity applications like Apple’s FaceTime may slow to the painful crawl reminiscent of the dial-up days of the internet.
This only begins to illustrate the challenges internet innovators would face, but big established players like Facebook, Google and Microsoft, would potentially have the resources to abide by localization mandates – of course, only if the business case supports working in particular locales. Some countries with local storage rules may be bypassed altogether. For small or emerging businesses, data localization requirements would be a greater challenge. It would build barriers to markets and shut off channels for innovation. Few emerging businesses could afford to locate servers in every new market, and if local data server requirements become ubiquitous, it will be businesses in emerging markets that are most disadvantaged. The reality for developing nations is that protectionist measures such as data localization will further isolate local business from the global market, depriving them of the advantages for growth that are provided by the borderless internet.
Most important though, is the potential for fundamental harm to human rights due to data localization mandates. We recognize that this is a difficult argument to accept in the wake of the revelations about NSA surveillance, but data localization requirements are a double-edged sword. It is important to remember that human rights and civil liberties groups have long been opposed to data localization requirements because if used inappropriately, such requirements can become powerful tools of control, intimidation and oppression.
When companies were under intense criticism for turning over the data of Chinese activists to China, internet freedom activists were united in theirs calls to keep user data out of the country. When Yahoo! entered the Vietnamese market, it placed its servers out of the country in order to better protect the rights of its Vietnamese users. And the dust up between the governments of the United Arab Emirates, Saudi Arabia, India, and Indonesia, among others, demanding local servers for storage of BlackBerry messages in order to ensure legal accountability and meet national security concerns, was met with widespread condemnation. Now with democratic governments such as Brazil and some in Europe touting data localization as a response to American surveillance revelations, these oppressive regimes have new, albeit inadvertent, allies. While some countries will in fact store, use and protect data responsibly, the validation of data localization will unquestionably lead to many regimes abusing it to silence critics and spy on citizens. Beyond this, data server localization requirements are unlikely to prevent the NSA from accessing the data. U.S. companies and those with a U.S. presence will be compelled to meet NSA orders, and there appear to be NSA access points around the world.
Data localization is a proposed solution that is distracting from the important work needed to improve the Internet’s core infrastructural elements to make it more secure, resilient and accessible to all. This work includes expanding the number of routes, such as more undersea cables and fiber runs, and exchange points, so that much more of the world has convenient and fast Internet access. If less data is routed through the U.S., let it be for the right reason: that it makes the Internet stronger and more accessible for people worldwide. We also need to work to develop better Internet standards that provide usable privacy and security by default, and encourage broad adoption.
Protecting privacy rights in an era of transborder surveillance won’t be solved by ring fencing the Internet. It requires countries, including the U.S., to commit to the exceedingly tough work of coming to the negotiating table to work out agreements that set standards on surveillance practices and provide protections for the rights of privacy and free expression for people. Germany and France have just called for just such an agreement with the U.S. This is the right way forward.
In the U.S., we must reform our surveillance laws, adopt a warrant requirement for stored email and other digital data, and implement a consumer privacy law. The standards for government access to online data in all countries must likewise be raised. These measures are of course much more difficult in the short run that than data localization requirements, but they are forward-looking, long-term solutions that can advance a free and open internet that benefits us all.
Joseph Lorenzo Hall, Chief Technologist at Center for Democracy and Technology, co-authored this piece with Leslie Harris.
This article was originally posted on 4 Nov 2013 at indexoncensorship.org
25 Oct 13 | Digital Freedom
Last year’s Internet Governance Forum in Baku, Azerbaijan proved controversial due to the choice of host. This year’s event, in Bali, Indonesia was bound to be contentious, after Edward Snowden’s leaks on the US’s PRISM programme. PRISM and TEMPORA (the UK system of mass surveillance) were a lightening rod for general discontent from activists who feel an increasing sense of ill ease over the state of internet freedom. Many of the sessions were bad-tempered affairs with civil society rounding on the perceived complacency of government officials from democracies who refused to state their opposition to mass state surveillance in clear enough terms.
At an event hosted by the Global Network Initiative, Index on Censorship, andPakistan’s Centre for Social and Policy Analysis, a US government official was heckled by the audience when he attempted to justify PRISM as an anti-terrorism measure. Of particular concern for delegates was a sense that PRISM is now being used by less democratic and authoritarian states to justify their own surveillance systems. The Chinese were quick to point out the ‘double standards’ of the US at this workshop, following it with appalling doublespeak to gloss over their poor domestic record on human rights violations. A point I challenged them on in no uncertain terms.
Participants in the workshop from across the globe from Pakistan to South Africa stated their concern that a race to the bottom is beginning with new surveillance capacities being debated in countries such as Russia, New Zealand and the UK. Other areas of concern at the workshop included the increasing use of filters at ISP level (in particular in Indonesia where a significant number of ISPs are adopting filtering) and the pressure now felt by Telcos from states who are imposing burdensome requirements to filter content. One worrying prospect is that the ITU will succumb to a push to ensure Telcos do not distribute ‘blasphemous’ content which could lead to the full Balkanisation of the internet.
Although the outlook is bleak, civil society is pushing back at corporations and governments. Bytes for All in Pakistan has done impressive work in chronicling censored online content. A number of coalitions strengthened at the IGF with closer co-operation between international NGOs to take on mass state surveillance. This weekend, a number of US NGOs will rally in Washington DC against the PRISM programme with thousands expected to take to the streets. Index on Censorship’s #DontSpyOnMe petition of 7,000 signatures was this week sent to Lithuanian President Dalia Grybauskaitė, who currently hold the Presidency of the Council of the EU, and Herman van Rompuy, President of the European Council. The EU heeded our calls to discuss mass surveillance at the Council of Ministers meeting – a big success. The pressure on corporations is being felt too, Telcos came under particular fire for their willingness to install surveillance equipment in their networks. Yet, many are beginning to speak publicly over the pressures they feel from states and the need for transparency so their users are at least aware of the surveillance they may be subject to and so can adjust their behaviour accordingly. Meanwhile, Google launched new tools to illustrate the threats the internet faces. The Digital Attack Map is a realtime website displays DDOS attacks and where they originate from – useful in tracking attacks on civil society websites from state-run or criminal botnets. Google also launched a project to provide free, secure web hosting for internet activists under attack.
One of the strengths of the IGF is the broadness of the workshop programme. From the challenges felt by the disabled online, minority rights online, through to bridging the ‘digital divide’ between the rich and poor both internationally and internally within even wealthier countries, the IGF covered a significant amount of ground. Yet, one of the big challenges to the IGF is how to engage a wider section of civil society. While the IGF was better attended by delegates from South-East Asia, fewer delegates from Europe and the Middle East were visible during this IGF. This remains a challenge to the organisers, with too much interaction from those physically present at the conference and too little from the many remote participants, many of whom couldn’t afford the air fare to Bali but have much to contribute. Bridging this divide will be important in the future.
The tone of this IGF was set by the Snowden revelations. The US and other Western democracies were on the back foot, in stark contrast to their confident promotion of net freedom in Baku. Without openess, increased transparency and an end to mass surveillance it’s hard to see how they will regain their moral authority, leaving a huge vacuum at the heart of these debates. A vacuum that others – in particular China – are willing to fill. The battle to keep the multistakeholder, open internet free from top-down state interference is on-going. The IGF should give once confident advocates of net freedom serious pause for thought.
25 Oct 13 | Asia and Pacific, Digital Freedom, India, News and features
Just days before the United Nation’s led Internet Governance Forum in Indonesia, India, held its own – and first of its kind – conference on cyber governance and cyber security.
With the support of the National Security Council Secretariat of the Government of India, the two-day conference was organized by private think-tank Observer Research Foundation and industry body, Federation of Indian Chambers of Commerce and Industry, (FICCI). Speakers were from a host of countries including Estonia, Germany, Belgium, Australia, Russia, Israel, and of course, India.
It was ironic, that in a post-Snowden world, buried under allegations of the extent of the NSA’s spying, US officials were unable to attend the conference due to their government’s shutdown. Instead, other views took center stage, and India also visibly demonstrated the various positions its stakeholders take around the questions of governance and security.
Right at the kickoff, India’s Minister for Communications and Technology, Kapil Sibal, challenged the question of sovereignty and jurisdiction in cyberspace. “If there is a cyber space violation and the subject matter is India because it impacts India, then India should have jurisdiction. For example, if I have an embassy in New York, then anything that happens in that embassy is Indian territory and there applies Indian Law.”
India has, over the last few years, flirted with the idea of an UN-lead internet governance structure, and subsequently backed away from it. Minister Sibal said that India believes in “complete freedom of the internet”, however, at the same time needs to acknowledge that along with cyber freedoms come cyber gangsters, and the state and its citizens need to be protected from them.
India, with its 860 million mobile subscriptions (although, the numbers of users would be lower than this figure) is looking more and more to the internet as a delivery platform of socio-economic programs and a tool to boost the economy. That the internet can raise GDP by 10% is a much favored figure for those who promote the internet for economic reasons. The fact is that as the remaining unconnected population of India begins to acquire net connections through desktops and smart phones, the government is increasingly looking at security and surveillance over the internet as a necessary and inevitable route. This also means that the government needs to rely on industry to help them with this gigantic task.
The possible synergy between businesses and government in India was a central theme for discussion; as industry bodies asked the government to invest in training more cyber security specialists and also start moving towards uniform security standards and protocols. In fact, Indian industry most certainly wants to be relived of the financial burden of training personnel, and to an extent, investment in security R&D, and is keen to partner with the government to achieve both ends. Indian industry is often in the news because it appears almost universally under prepared for cyber attacks, both from within the country and externally. Suggestions of a government-led cyber awareness program were made as well, with calls to allocate funds for these exercises in the budget.
However, as has been the case in India, the real source of friction still lies between civil society and the government over the question of surveillance and monitoring. In a session entitled ‘Privacy and National Security’; perhaps the only India-centric panel of the entire conference, the debate became overheated. The panel consisted of a senior police officer involved in surveillance, India’s director-general of CERT (Computer Emergency Response Team), a representative from the mobile industry and a privacy expert. The government official was pushed by civil society members and journalists to explain the workings of the Central Monitoring System, still very opaque to the public, and later the official definition of privacy. He did neither. Unsurprisingly, India is yet to really define what privacy is, leading to simultaneous furor in the room and twitter (#cyfy13) about why this hasn’t been done as yet.
The sense in the room was that surveillance, while necessary to protect citizens, is only really effective when it is conducted in a targeted manner. Mass surveillance leads to self-censorship and is, in the end, counter productive. The other bone of contention was the question of identity, with the government making arguments that verifiable cyber identity is a possible solution to cyber crime. However, other participants found the issue troubling, as anonymity is necessary for a number of reasons, including as we have seen around the world, political dissent.
Finally, panelists discussed how best to inculcate a multistakeholder approach when legislating the internet. It was pointed out more than once that the internet was a product of private enterprise, made on open standards and principles, but now governments are attempting to control this resource. However, while public calls for multistakeholderism were made for many reasons; human rights, protection of privacy and even to benefit business in the long run (as they would not risk being caught up in lengthy court cases in the future if they took civil society on board from the start), there was still an elephant in the room. Offline, many official participants wondered why Chatham House Rules were not observed, or why there were no closed-door meetings only for government officials. It was clear that much of the weighty – and honest – discussions still don’t involve the public. Perhaps not where the question of governance is, but certainly when the question of security is.
Ultimately, there are two broad outcomes of this conference. The first is that India has indicated its willingness to start shouldering discussions to do with the global cyberspace. The other is, as India’s National Security Advisor put it, — ““India has a national cybersecurity policy not a national cybersecurity strategy.” This is certainly a start to building a consensus for that strategy.
This article was posted at indexoncensorship.org on 25 Oct 2013.
22 Oct 13 | Events
A workshop exploring the social and economic implications of national-level ICT legislation and regulation and looking into the impact of international telecom practices on human rights.
In partnership with Pakistan’s Centre for Social and Policy Analysis and the Global Network Initiative, an international selection of panelists present the particular issues at play in their own regional settings, including the nationalization and/or monopolization of telecom regimes, content filtering and take downs, and communications surveillance.
Including:
Ross LaJeunesse, Google, UNITED STATES
Seth Bouvier, US State Department, UNITED STATES
Zahid Jamil, CSPA, PAKISTAN
Claudio Ruiz, Derechos Digitales, CHILE
Donny Bu, ICT Watch, INDONESIA
Lisa Brunner, GNI, UNITED STATES
Mike Harris, Index on Censorship, UNITED KINGDOM
@IndexEvents – #IGF2013 #indexatigf
When: Thursday 24th October
Where: Internet Governance Forum 2013, Bali
24 Sep 13 | Campaigns, Press Releases
Nearly 40 free speech groups from across the world are calling on the European Union to take a stand against mass surveillance by the US and other governments. The groups have joined a petition organised by Index on Censorship, which has already been signed by over 3,000 people. Celebrities, artists, activists and politicians who have supported the petition include writer and actor Stephen Fry, activists Bianca Jagger and Peter Tatchell, writer AL Kennedy, artist Anish Kapoor, blogger Cory Doctorow and Icelandic politician Kolbrún Halldórsdóttir.
Actor and writer Stephen Fry said:
‘Privacy and freedom from state intrusion is important for everyone. You can’t just scream “terrorism” and use it as an excuse for Orwellian snooping.’
Chief Executive of Index on Censorship Kirsty Hughes said:
‘A few of Europe’s leaders have voiced their concerns about the NSA’s activities but none have acted. We are demanding all EU leaders condemn mass surveillance and commit to joint action stop it. People from around the world are signing this petition because mass surveillance invades their privacy and threatens their right to free speech.’
As well as calling for Europe’s leaders to put on the record their opposition to mass surveillance, the petition demands that mass surveillance is on the agenda at the next European Council Summit in October.
The petition is at: http://chn.ge/1c2L7Ty and is being promoted on social media with the hashtag #dontspyonme
The petition is supported by Index on Censorship, Amnesty International, English PEN, Article 19, Privacy International, Open Rights Group, Liberty UK, Reporters Without Borders, European Federation of Journalists, International Federation of Journalists, PEN International, PEN Canada, PEN Portugal, Electronic Frontier Foundation, PEN Emergency Fund, Canadian Journalists for Free Expression, National Union of Somali Journalists, Bahrain Centre for Human Rights, Catalan PEN, Centre for Independent Journalism (CIJ) – Malaysia, Belarusian Human Rights House, South East European Network for Professionalization of Media, International Partnership for Human Rights, Russian PEN Centre, Association of European Journalists, Foundation for the Development of Democratic Initiatives – Poland, Independent Journalism Center – Moldova, Alliance of Independent Journalists – Indonesia, PEN Quebec, Fundacja Panoptykon – Poland, International Media Support, Human Rights Monitoring Institute – Lithuania, Warsaw Branch, Association of Polish Journalists, The Steering Committee of the Civil Society Forum of the Eastern Partnership, South African Centre of PEN International, Estonian Human Rights Centre, Vikes Foundation, Finland
For further information, please contact [email protected]
