Last week, I attended the 31st International Conference of Data Protection and Privacy Commissioners in Madrid. Government data privacy officials representing 46 countries were there, as well as hundreds of lawyers, corporate privacy officers and advocates from around the globe.

There were plenary sessions and panels on every possible privacy issue but at the center of much of the discussion were the complex and seemingly unanswerable questions about global data flows in an era of cloud computing: What is the right way to protect privacy in an Internet cloud where data flows don’t respect borders? When consumers from around the world place their data in a social networking site based in the United States, which data protection laws should apply? Who should be accountable for data privacy and security when data is collected by one entity and then stored with cloud providers offering storage, processing and software as a service? When those cloud providers move data from server to server, often in multiple jurisdictions, which data protection rules apply and which country may assert jurisdiction over the data when other substantive legal questions arise?
(more…)

Late Thursday evening, European lawmakers agreed on language in the Telecoms Package that is supposed to safeguard the fundamental rights to freedom of expression and access to information online as governments seek harsher penalties to address IP infringement. France recently approved a graduated response (or “three strikes�) law that would cut off Internet access for repeat copyright infringers. The UK is debating a similar proposal.

Civil liberties advocates first introduced “Amendment 138� in 2008 to protect Internet access as an exercise of the right to freedom of expression in the face of these graduated response proposals. In its original conception, the amendment required member states to provide strong legal and procedural safeguards where states or private parties impose Internet access restrictions for alleged repeat offenders. Few are happy with the final negotiated text, which retreats from this position:

(more…)

CDT and other advocates sent a letter to President Obama today once again urging greater transparency as the US negotiates a new Anti-Counterfeiting Trade Agreement (ACTA). While the administration has permitted some advocates (including my colleague David Sohn) to review the US-authored Internet portion of the current draft under strict non-disclosure rules, such limited access does not allow for full analyses of the agreement and its implications (even by other CDT staff members, much less the broader public interest community). Some leaks have surfaced which suggest that ACTA could require DMCA-style notice-and-takedown and anti-circumvention laws, or even graduated-response obligations on ISPs (see coverage here and here). The fact remains, though, that we don’t know what we don’t know, and a full discussion of whatever obligations ACTA would impose is impossible unless the Obama administration draws back the curtain on the drafting and negotiations. Any proposal that could lead to the denial of people’s Internet access—even if they have violated copyright law—would raise very serious constitutional problems under our First Amendment, and should not be even considered without a broad and open public discussion.

Last week, the Guardian lauded users on Twitter and other user-generated content sites for the role they played in breaking through an extraordinary gag order imposed on the Guardian by a British court. The editor of the Guardian and the Twitterati claimed a remarkable victory for free speech and the free press.

At issue were documents obtained by the Guardian associated with a major class-action settlement involving a multinational corporation and the 400 tons of petrochemical waste its contractor dumped in the Ivory Coast, sickening thousands. Last month, a British court enjoined the Guardian not only from releasing the document, but also, in a Kafkaesque twist, from reporting that it had been gagged at all. Things came to a head when a member of Parliament asked a question about the documents, bringing into play a longstanding tradition that whatever is said in Parliament is fair game for public reporting. The Guardian tauntingly alluded to the Member’s question and the press gag, setting off a firestorm of activity on Twitter, blogs, SideWiki, Wikileaks, and Wikipedia that uncovered the documents and the gag order in under an hour.

This story from across the pond is just the latest in a growing number of examples of how web 2.0 platforms can enable the exercise of rights vital to a healthy democracy and a free society: This summer we saw how protesters and journalists in Iran and Xinjiang used Twitter and other web 2.0 platforms to get their message out to the rest of the world. And earlier this month, Leslie Harris wrote about the use of Twitter during the G20 protests in Pittsburgh—an unmistakable exercise of the right to speak, assemble, and petition—and the trampling of the First Amendment and core civil liberties that followed.

It is undeniable that free speech and human rights advocates have found one more tool to help their cause. To echo Leslie’s warning about the G20 protester’s arrest, however, the west must be vigilant in ensuring these tools continue to expand free expression within our borders, or else risk losing our moral footing when the next “Twitter revolution� comes.

Did Yahoo! turn over user data from 200,000 Yahoo! Iran email accounts to Iranian authorities in exchange for the unblocking of Yahoo.com? Not likely.

Last week, Richard Koman over at ZDNet reported this exact allegation; ZDNet quickly retracted the post in full within the day, given the unreliability of the source and the alarming disregard of basic journalistic best practices. A quick inquiry with Yahoo! (or even a simple search of Yahoo!’s website) would have revealed critical factual errors in the underlying report, which should have raised red flags as to its reliability. (To start, Yahoo! has no Iranian website or base of operations in Malaysia.) And these steps should have been taken before such a serious accusation was lobbed into the public sphere, to be reposted and prejudged.

Commentary on the state of online journalism aside, such wildly false accusations distract from the many real challenges to Internet freedom emerging all over the world: censorship and intimidation are on the rise and Internet freedom advocates are fighting off filtering mandates left and right. Questions of ethical corporate behavior in the ICT space can be thorny and complex. Exhortations directed at tech companies to “do the right thing� are only as effective as our collective understanding of the human rights challenges they actually face. At risk of stating the obvious, we must take care to understand the exact nature of government demands and how companies are responding in order to develop appropriate and effective strategies to address both.
(more…)

Last week, China’s Minister of Industry and Information Technology announced that pre-installation of the Green Dam/Youth Escort filtering software on computers sold in China would no longer be mandatory. Officials had previously only delayed implementation of the program. You can find a translation of the press statement here.

However, the software will still be installed in schools, Internet cafes, and other public venues. And, of course, Chinese authorities still maintain extensive filtering mechanisms and other strategies to block access to information online.

Green Dam is only the latest skirmish in the ongoing struggle over control of information in an increasingly networked China. We can make several observations and draw several lessons here to inform the efforts of stakeholders and advocates working to expand the space for expression online.

First, this incident highlights China’s increasing adoption of child safety rhetoric as a pretext (at least in part) for politically motivated censorship. Second, Green Dam draws attention to the growing market for third-party filtering software among governments in countries looking to implement pervasive systems of censorship. A variety of types of transactions with such governments raise dicey ethical issues for ICT companies. Companies must grapple with these issues in an affirmative way or risk complicity with human rights violations.
(more…)

Check out the guest blog post written by CDT’s Leslie Harris and John Morris for IndexonCensorship.org discussing the recent Nokia boycott in Iran and telecommunications companies doing business with oppressive international regimes:

Some Nokia customers in Iran are attempting to organise a boycott of the wake of charges that the company assisted the government in tapping cell phones and interfering with text messages during the recent political protests.

While a boycott may encourage Nokia to rethink how it does business in difficult markets, switching cell phone providers is unlikely to provide Iranians with more protection against government snooping. Indeed, wiretapping capability is not unique to Nokia Siemens Network, the independent joint venture providing equipment and service in Iran. Those capabilities date back to a governmental mandate imposed by none other than the US Government itself. Fifteen years ago, the US Congress — at the request of the FBI — mandated that telephone networks, and the equipment manufacturers that build their equipment, MUST build flexible wiretapping capability into the equipment. That law, the “Communications Assistance for Law Enforcement Act� (CALEA), led to similar mandates around the world. A few years ago, the FBI came back and successfully demanded the CALEA wiretapping mandates be extended to some Internet services.

To read post in it’s entirety, click here.

You can also let Leslie know what you think about the post by sending her a message on her brand new Twitter feed by following @Leslie_Harris.

In March of this year, a Belgian court entered judgment in a criminal case against Yahoo! and fined the company for refusing to hand over user data to Belgian law enforcement authorities under Belgian law.

The catch? Yahoo! has no subsidiary, employees or localized website in Belgium. The request — sent via email by a Belgian prosecutor to Yahoo!’s U.S. offices — was for user data held in the U.S. and associated with Yahoo! Mail accounts. Yahoo! Mail users sign up for this service under an agreement governed by U.S. law. The prosecutor did not allege that the specific Mail accounts were actually used by Belgian residents. Instead, the prosecutor’s sole theory for jurisdiction over Yahoo! Inc., and user data held by the company in the U.S., seems to be that Belgian residents can access Yahoo! services through the global Internet.

The court agreed: It found that the availability of Yahoo! Mail to Belgian residents, combined with what it believed to be the use of Mail in connection with criminal purposes within Belgium, was sufficient to find that Yahoo! Inc. has a commercial presence in Belgium. Therefore, Yahoo! was subject to Belgian laws, and thus in violation of a telecommunications statute that compelled disclosure of the requested data.

The implications of this ruling are profound and far-reaching. Following the court’s logic would subject user data associated with any service generally available online to the jurisdiction of all countries. It would also subject all companies that offer services generally available on the global Internet to the laws of all jurisdictions, potentially exposing individual employees to a variety of criminal sanctions.

The U.S. government should be paying close attention here: To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.

In addition, it is important to note that the U.S. and Belgium have a Mutual Legal Assistance Treaty (MLAT) in place, which allows Belgian law enforcement authorities to request production of this user data through diplomatic channels. Belgian authorities have refused to pursue this option, despite outreach from the Department of Justice and Yahoo! to facilitate the process. This disregard for treaty agreements, carefully negotiated between states, undermines such legitimate law enforcement cooperation efforts. If a court in Belgium or any other state is able to assert jurisdiction over user information or U.S. companies and citizens themselves based merely on web presence and availability of a service in that state, then why bother with an MLAT at all?

Companies should be paying close attention here, too: it isn’t difficult to imagine how lax jurisdictional requirements on the global Internet could invite all sorts of abuse. Competitors, governments, or other bad actors could concoct weak legal claims under local law to get a hold of proprietary information or trade secrets; nothing seems to limit this possibility under the Belgian prosecutor’s theory.

Yahoo! has caught a lot of flak over the past few years about how the company and its affiliates should protect user data when a government demands it. Importantly, this firestorm of public criticism has pushed Yahoo! to think about corporate responsibility more critically, particularly in markets where rule of law is weak and suppression of dissent online is common: what responsibility do Internet companies owe to their users, whose human rights and basic freedoms may be put at risk if user data is handed over to authorities? In response, Yahoo! has committed to implementing certain policies about how it responds to government requests, including a requirement that requests must come through appropriate and official channels.

In the present case, Yahoo! has done right by its users. The company asked law enforcement officials to follow established diplomatic and legal processes in order to gain access to user information. It also enlisted the support of its home government to facilitate the process. In return, Belgian authorities have flouted an existing MLAT agreement, slapped Yahoo! with a fine, and set a dangerous precedent that potentially imperils the privacy of all Internet users and invites abuse by bad actors.

Yahoo! is currently appealing this decision. Let’s file this one under: no good deed goes unpunished.

Chinese authorities today delayed implementation of the much-disparaged Green Dam-Youth Escort filtering mandate, just one day before the July 1 implementation deadline.

Since the Green Dam directive was made public, we have learned that the filtering software does not work as proposed or publicized, may create serious security vulnerabilities, may contain stolen code, and likely violates China’s WTO obligations. The filter targets far more than sexually explicit material and is capable of shutting down a variety of applications when politically sensitive keywords are triggered. Independent analysis has also revealed that security flaws in the software could make millions of PC users in China vulnerable to a variety of malicious attacks
(more…)

An article in the Washington Post today outlines how some senior U.S. officials are leaning on trade issues to pressure China on its recent mandate that all computers sold in that country must come pre-installed with Web-filtering software.

Computer experts that have examined the Chinese developed Web-filtering software have found a laundry list of problems, from security holes to questions about the breadth of the filtering process. U.S. computer makers are rightly concerned about having to pre-install a piece of virtually unknown and untested software that could damage their product on every machine sold into China.

In letters to the Chinese government, both the U.S. Trade Representative Ron Kirk and Commerce Secretary Gary Locke linked China’s mandate to install the web filtering software, known as “Green Dam,” to U.S. trade policy.

USTR Kirk is quoted in the Post piece saying the Chinese demand “poses a serious barrier to trade.”

We have long held the position that there is an important role for Congress to play in ensuring that Internet freedom be fully incorporated into U.S. human rights and foreign policy and that it is a central focus of diplomacy, trade and foreign aid. However, there is considerable “policy incoherence” between the U.S. positions on human rights and its policies on trade and aid.

A good example of this “policy incoherence” is giving “most favored nation” trade status to countries such as China and Vietnam, both with poor human rights records that relentlessly pursue state-sponsored campaigns of Internet surveillance and censorship.

If Internet freedom is to be given a high priority in foreign policy and trade, as we believe it should (Secretary Locke and USTR Kirk’s statement to China are encouraging steps), then it will be critical for the U.S. to have the political will to take on its current culture of “policy incoherence” and deliver a message that doesn’t reprimand with one hand and reward with the other.