Special Report: European Dialogue On Internet Governance: Regulating Cyberspace After Prism?Published on 24 June 2013 @ 11:06 pm
By Monika Ermert for Intellectual Property Watch
Lisbon, Portugal – The surveillance affair around the US Prism programme left its mark on the 2013 European Dialogue on Internet Governance (EuroDIG) in Lisbon last week.
Legal experts at the sixth edition of the European version of the Internet Governance Forum pondered possible legal reactions, companies revealed as targets or (unwilling) partners of the programme tried to limit the damage, while Swedish ambassador Olaf Ehrenkrona admitted that state surveillance programs need to be reconsidered given the ease of mass surveillance in the era of a public internet space.
“Most of us agree,” Ehrenkrona said, “there is a need for surveillance, but in our societies, in democractic societies, it has to be done under certain conditions,” during an ad hoc workshop session on Prism, squeezed into the already packed program in Lisbon covering issues from privacy, copyright, and the fight against cybercrime. “And there is always the question of legitimacy underneath.”
Surveillance: the Trend is Big Data
Sweden also saw huge discussions when legislation was passed allowing spying on foreigners by tapping practically all internet traffic routed through Sweden. A court case against the FRA law has been pending for some time, Ehrenkrona said.While data gathered via that programme according to law was not allowed as evidence in Court cases, the Swedish diplomat agreed, that the line between law enforcement and the services was “blurred.” “It is not a bad thing to have that debate now,” Ehrenkrona said.
“The trend is big data,” said Meryem Marzouki, European Digital Rights (EDRi) activist and senior researcher with the French National Scientific Research Center (CNRS). EDRi recently sent a stern warning on plans for an addition to the Council of Europe Convention on Cybercrime that would allow easier “unilateral access by law enforcement authorities of one State to data stored on a computer system in a foreign State without the need for mutual legal assistance.” The proposal included an option to allow the transborder access done when consented by a data controller (an ISP or internet platform provider for example).
Obviously unimpressed by the Prism debate, Pedro Verdelho from the Cybercrime Office within the Portugese Prosecutor General’s Office requested a “flexibilization” of cross-border data-sharing between law enforcement. “The current system of international cooperation is not suitable any more,” he said in a session that discussed issues of sovereignty. The sharing of intelligence, including from the NSA Prism programme, was welcomed by some EU government officials last week, for example from Germany’s minister of the interior.
At the EuroDIG Verdehlho’s comment was greeted with a strong reaction. “If you would apply the existing regulation for the online world in the offline world, nobody would leave their house anymore,” criticised Michael Rotert, president of eco, the German industry association for the internet economy. “Do you need a passport when you go to the market to buy a salad? Does anyone open your letters sent to you and note and store everything for six months? No!”
The Prism workshop specifically looked at possible reactions to unchecked surveillance and redress for citizens. “One Council of Europe member state could file a complaint against another challenging lacking protection of fundamental rights for its citizens,” Prism workshop organiser Matthias Kettemann said, proposing Sweden could take the United Kingdom to the European Court of Human Rights.
The UK has been bashed over its Prism-equivalent Tempora, managed by the Government Communications Headquarters (GCHQ). Yet Ambassador Ehrenkrona waved such an idea aside, given Sweden’s own activities. The UK was not represented at the government level during EuroDIG.
The experts of the Council of Europe (CoE) Directorate General for Human Rights and Rule of Law pointed to commitments to which the 47 CoE members have agreed, not the least a declaration to consider the risk of tracking and state surveillance, passed just amidst the ongoing Prism/Tempora scandal. The declaration “warns against overly broad surveillance of citizens that can challenge their privacy and have a chilling effect on their freedom of expression and freedom of the media,” according to Jan Kleijssen, CoE director of Information Society and Action against Crime, Directorate General Human Rights and Rule of Law.
A call to establish a binding “additional protocol to protect private life, as guaranteed in Article 8 of the ECHR, brought into line with modern communication and interception methods,” went unheard after the September 11 attacks in New York and Washington, said Jan Malinowski, head of Information Society Department at the CoE. The call was made by a committee of the European Parliament that did a thorough investigation of the global communications surveillance programme of the US, UK, Canada, Australia and New Zealand, named Echelon.
Complaints by individuals as well as requests for access to data stored about them also would be possible, said CoE lawyer Sophie Kwasny, though no short-term affair, especially when it comes to cross-border requests.
“Citizens of an EU member state would address their request to their data protection authorities,” Kwasny said. They in turn would forward them on to the data protection authorities of the state that presumably had tapped on the citizens’ communications. Kwasny said it had worked that way in one instance with regard to the Swedish surveillance programme, even if the amount of information retrieved about stored personal data usually is limited to a “yes” or “no” when it comes to intelligence services.
Putting into practice principles CoE and EU member states signed up to is tough, said Rikke Frank Jorgensen, campaigner from the Danish Institute on Human Rights. It is hard to judge, for example, if the collection and retention of data is proportionate, “because you judge against a black box.” Jorgensen also said that “redress” for citizens even in the European Union (not to mention the United States) is far from well established.
Companies Upset Over Lost Trust
Jorgensen challenged Erika Mann, head of Facebook’s Brussels office, with regard to the company’s commitment to Irish data protection law. Challenging the company which has been reported to be one of the Prism sources is difficult for an individual living outside of Ireland where the company has its EU headquarters. “Would you be prepared to undergo a human rights assessment in the framework of the Global Network Initiative?” Jorgensen asked, to no reply. Mann told Intellectual Property Watch later that she could not answer this question on the spot.
Representatives of Google went on the offensive about their involvement in Prism. The representatives of the platform giant were eager to present their version of how they complied with US Patriot Act and FISA requests. Marco Pancini from Google’s policy team in Brussels, in a special session on cybersecurity, reiterated: “There is no backdoor or drop box or a way for law enforcement to access the Google information without using the due process of the law.“
At the same time Ross LaJeunesse, global head of free expression and international relations at Google, announced the company would take the US authorities to court to challenge the secrecy of FISA requests in particular. Service providers have not been allowed to publish about these requests.
The company addressed the loss of trust from the surveillance scandal. Pancini said, “Once the trust is gone towards governments and to the online service provider, it is gone. And frankly speaking, the Prism issue is for sure something that we are facing as a reasonable concern. But if you look at the reaction of US and European citizens vis-a-vis the US government, it is not exactly what governments should be, as a way to have a fruitful relationship with our citizens.“
Who Can Serve the Global Public Interest?
The role of governments vis-a-vis other stakeholders in serving the public interest in the digital world was considered in one special session that showed there is some doubt that governments can do it alone. “The global public interest is not just a sum of all national interests,” said Markus Kummer, former Swiss diplomat, one of the fathers of the global Internet Governance Forum and now vice president for public policy at the Internet Society (ISOC). Instead of a “room full of diplomats,” it is best to turn “to the people,” according to Kummer. Diplomats currently would have a hard time agreeing on an international consensus on internet governance (as well as other cross-border issues).
The internet is a place where governments cannot just “decide things” and make them happen, said Robert van Hoesel, from the Young Creators Project, one of the unruly crowd of youngsters that challenged traditional protection of minors on the net and presented some of its own messages. The Youngsters have continuously come back to the EuroDIG and IGF events to do what one might call reverse education to governments.
Internet Corporation for Assigned Names and Numbers (ICANN) President and CEO Fadi Chehade ventured a “horizontal way to solve problems,” instead of top-down or bottom-up approaches. Chehadi promoted the ICANN as “the closest thing we have to a true multi-stakeholder model. It is messy, it takes time, it’s not always pretty,” he said, and it needs to be further internationalised and scaled, but it would ensure that not one government or one stakeholder group controlled or governed the internet.
While one EU government official told Intellectual Property Watch that multi-stakeholder governance might also be an option for big internet platforms, Thomas Schneider, Swiss member of the ICANN Governance Advisory Committee (GAC) warned against imbalances from ICANN’s consultation procedures. ICANN recently for the first time allowed other stakeholders to comment on a GAC communiqué – containing additional obligations with regards to ICANN’s planned new top-level domains.
The call for government regulation of the internet in Lisbon came from the most unlikely person: European Parliament Pirate Party member Amelia Andersdotter. “Yes, governments should regulate,” she said. They should lay down the principles they want to see govern the technical architecture. “We should, for example, ban the integration of legal intercept interfaces in telecommunication systems, as they can be used to violate fundamental freedom elsewhere,” she told Intellectual Property Watch. In addition, the embedding of digital rights management in the new HTML5 web standard should be prevented, the latter once more illustrating the difficulty of different legal systems that might ask for contradictory principles.
With regard to data protection and privacy, even EuroDIG did not have a lot of success in fencing off overbroad surveillance – and it might not have really pushed for it, critics say. The European Commission put cloud computing – a trust issue – on the agenda of the EU-US Transatlantic Trade and Investment Partnership, according to Linda Corugedo Steneberg, director, DG Communications Networks, Content and Technologies at the European Commission. An international discussion has to take place on Prism, German Liberal politician Jimmy Schulz said. Yet Schulz recommended users to protect themselves by encryption and other security measures, as it is the best people can do in the near term at least.
Intellectual Property Rights, Net Neutrality
Meanwhile, a workshop and a panel focussed on the need for copyright reform, where again global reform looks like something long-term.
A reform debate is underway in Europe, according to Carlos Romero, subdirector general of “Contenidos de la Sociedad de la Información” from the Spanish government. The Spanish government, similar to other EU member states and the EU, is discussing changes. The Spanish government wants to clarify the private copy regime in general, adjust the system to technological change, especially in education and research, and reform the system of collecting societies. Finally, enforcement would be driven against those making money from illegal content, he said. Despite the reform promises, panel members listed issues.
Ben White from the British Library pointed out that what actually regulated the academic space is not copyright anymore, but contracts. By 2020, 80 percent of scholarly work will be electronic and therefore will have to be licensed. Given that a plethora of different terms and conditions will apply, lawful access will be very difficult, if not impossible to organise. Sara Kelly, executive director at Coadec (The Coalition For A Digital Economy), warned against problems from higher barriers and more complex IPRs for small and medium enterprises and data-driven innovation.
Pancini from Google said this is a competition issue for Europe. If Europe is putting the old technological development in the field of big data, there is the risk it will go in the wrong direction, he said. Google on the other hand was bashed on the copyright front, again, for its Google news services. Both the European Publishers Council and the International Federation of Reproduction Rights Organisations criticised Google and a “winner takes it all” trend.
A considerable discussion also took place on the issue of net neutrality, for which some EU member states have passed a law (Netherlands, Slovenia), or are discussing it (Luxembourg, Germany), while the EU Commission is also working on an EU-wide clarification.
The EuroDIG 2014 will take place in Berlin.
Monika Ermert may be reached at firstname.lastname@example.org.
Categories: Features, Subscribers, Access to Knowledge, Copyright Policy, English, ITU/ICANN, Information and Communications Technology/ Broadcasting, Trademarks/Geographical Indications/Domains, US Policy