It has become clear in the past year that pervasive surveillance is a threat to all users of the Internet everywhere. A little over a year ago, a series of revelations began to emerge about widespread surveillance by government national security agencies that sent shockwaves across the Internet ecosystem.
The world got an initial glimpse of the scope and scale of these programs on 5 June 2013 with the first leaks from Edward Snowden.
The fact that governments use surveillance tools was not a surprise. It was the scope and scale of these online surveillance programs that has been a wake-up call for the international community.
Early on, the Internet Society expressed deep concerns about online surveillance, noting:
“This kind of collection of user information is at odds with the commitments that governments around the world have made with respect to protection of personal data and other human rights.”
Further, we highlighted the need for an open global dialogue on online privacy and security. Also, last year, the Internet Society Board of Trustees endorsed the International Principles on the Application of Human Rights to Communications Surveillance from the civil society-led “Necessary and Proportionate” initiative and emphasized the importance of proportionality, due process, legality, and transparent judicial oversight.
At its Vancouver meeting in November 2013, the Internet Engineering Task Force (IETF) declared that pervasive monitoring represents an attack on the Internet. This was followed by the adoption of RFC 7258: “Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.”
In this blog post, we identify some of the responses in the policy landscape. In a companion piece, on our Internet Technology Matters blog, we examine some of the responses from the technical community.
Policy responses and new challenges
We see a range of responses emerging, including:
- Statements of principles
- Data localization policies
- Traffic re-routing policies
- Legal proceedings
- Assertion of jurisdiction
- Diplomatic pressure
All over the world and across stakeholder groups, Internet users, political figures and even industry leaders have proactively voiced their deep concerns, calling for pervasive surveillance to stop. Notably, in December 2013, the UN General Assembly adopted a resolution: The right to privacy in the digital age, following an impassioned speech at the UN General Assembly in September by Brazilian President Dilma Rousseff where she expressed outrage at the mass surveillance and set out key principles for the Internet. The UN resolution, among other things, requests the UN High Commissioner for Human Rights to present a report on “the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale”.
In Europe, during the past 12 months there has been a wave of activity in response to online surveillance. For instance, groups within the European community issued statements of principles (e.g. the Council of Europe Declaration of Ministers on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies), and commenced proceedings in the European Court of Human Rights that received the rare “priority” designation by the Court. Further, the European Parliament called for the end of the US-EU Safe Harbor agreement and there was talk of establishing a European communications network (“a Schengen-Net”). Significantly, in this context, the European Court of Justice recently ruled that the EU Data Retention Directive is invalid.
In the Asia-Pacific region, Thailand, Indonesia and Malaysia have reportedly condemned the U.S. surveillance programs, with the latter two calling for ASEAN countries to unite against spying. In some parts of the world, notably the Caribbean region, countries that were already considering increasing their capacity to exchange regional traffic via the establishment of IXPs, have hastened their work in light of the revelations that their international traffic may be subject to external surveillance.
While we see a range of positive policy actions to counter online surveillance activities and to protect citizens, such as through strong statements of principle, we also see instances worldwide where governments appear emboldened by the revelations to engage in online monitoring and invest heavily in major cyber defense technologies.
Data localization proposals combined with calls for intergovernmental action to ensure national cybersecurity have also raised concerns across the Internet that this global network-of-networks could be carved up along national boundaries.
There was strong resonance in Latin America on the issue of Internet surveillance. The Presidents of Argentina, Bolivia, Brazil, Uruguay and Venezuela have signed a joint Mercosur Declaration condemning the surveillance episode. Moreover, Brazil, under President Rousseff’s leadership, convened a Global Multistakeholder Meeting on the Future of Internet Governance, (NETmundial), 23-24 April 2014. The meeting adopted the Netmundial Multistakeholder Declaration, a non-binding document that served as an exercise of achieving common ground among all stakeholders regarding Internet Governance. It also clearly mentions the right to privacy, including:
“Not being subject to arbitrary or unlawful surveillance, collection, treatment and use of personal data. The right to the protection of the law against such interference should be ensured.
Procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection, should be reviewed, with a view to upholding the right to privacy by ensuring the full and effective implementation of all obligations under international human rights law.”
The Internet Society, for its part, is working with the policy community to tease out good and bad policy responses to this pervasive monitoring environment (e.g. by engaging in policy debates, and convening multistakeholder dialogue on data localization and traffic re-routing proposals[1]). We are also involved in the OECD’s work on implementation of the Revised Privacy Guidelines, in the Council of Europe’s modernization of the data protection convention (Convention 108) and in APEC, on the implementation of the Cross Border Privacy Rules system. These three frameworks prescribe principles for transborder flows of personal data, an essential foundation for a trusted global interoperable Internet. Further, in our contribution to the Office of the High Commissioner for Human Rights for its consultation in light of the UN Resolution, and in other fora, we are advocating for an ethical approach to data collection and handling, especially in the context of national security.
What’s next?
Despite the extraordinary growth of the Internet, revelations regarding surveillance within the past 12 months underscore the importance of remaining watchful in our support of an open, global and trusted Internet – we must not take it for granted.
The Internet has flourished and expanded because it is open, resilient, interconnected, and interdependent. It’s an ecosystem based on collaboration and shared responsibility from all stakeholders, including governments, technical community, civil society, private sector, and academia, among others.
Important progress is already being made within and across stakeholder communities on a variety of technical and policy initiatives that share the common goals of:
- Striving to protect Internet users’ communications from unwarranted monitoring and interception; and
- Restoring trust in the Internet, its technologies, applications, and services.
And yet, there is no absolute answer to prevent massive surveillance. The only way to make the Internet more secure, more resilient, more robust, and with more privacy is through all of us working collaboratively to make it that way. It’s time for us all to do our part to make the Internet stronger.