Blog – Cyber Dialogue Conference
http://cyberdialogue.ca/
Presented by the Canada Centre for Global Security Studies at the Munk School of Global Affairs, University of Toronto
Tue, 12 Feb 2019 17:44:46 +0000

Keeping Our Eyes on the Fight for Free Speech – by Walid Al-Saqaf
https://cyberdialogue.ca/2014/03/keeping-our-eyes-on-the-fight-for-free-speech-by-walid-al-saqaf/
Sun, 30 Mar 2014 21:04:10 +0000

With all the ongoing fascination with the mass surveillance scandals taking place in several countries, I do feel worried that the energy and focus going to those issues is chipping away at our efforts to deal with the more deeply-rooted problem of censorship.

In my own country, Yemen, as well as many Arab states, there is certainly a greater desire to protect bloggers from being imprisoned, Facebook pages of activists from being taken down, and online dissidents from being targeted. The priorities may be different in Western democratic states where the right to speak is protected and hence, the main concern to them would be their privacy.
As citizens of countries under authoritarian rule, we’re still at the very beginning of the process of forming democracies and are hoping that governments won’t take the excuse of protecting privacy as a means of hiding ‘state secrets’ and confront the increasing calls for transparency, openness and free speech.

There is no question that protecting individual privacy from the prying eyes of the state, ISPs and other powerful actors deserves our engagement. In fact, blatant surveillance could also be viewed as one form of censorship as it often leads to self-censorship, which limits citizens’ ability to speak freely. Such surveillance practices could be limited through policy changes and technological innovations.

But if we are to discuss how to eliminate surveillance altogether, then we will need deep pockets, stamina, resources and time because stealthy surveillance practices are more difficult to identify, counter and negate. If we focus all our energy in that domain, what else do we leave for other issues such as censorship?

The bottom line is that we ought to consider ourselves in a battle for all human rights and those include the right to privacy as well as the right to free speech. Let’s not compromise one right in favor of the other.
With the debate around surveillance, my hope is that we keep at least one eye on the struggle to combat censorship and work to uphold people’s right to democratic participation in this digital world.

We owe it to those nations that have yet to catch up to the democratic world and who have been struggling for decades to achieve some level of free speech. Yes, surveillance matters, but for us in the developing world, it does not matter to the extent of distracting us from building our democratic systems and expanding people’s rights to free speech.

About Walid Al-Saqaf

Walid Al-Saqaf is a researcher in journalism, new media, and Internet studies, and has an academic background in computer engineering. Upon obtaining his master’s degree in global journalism, he was appointed as the director of the Global Journalism masters program at Örebro University, where he was studying Internet censorship with an emphasis on the Arab world. Among his projects is Alkasir for Internet Censorship Mapping and Circumvention, a platform used by users in many countries—including Syria and Iran—to access blocked websites. He is also a TED and ICANN fellow and is involved in research with the Web Foundation’s Web Index and Open Data Barometer. Walid is finalizing his doctoral dissertation on Internet censorship in the Arab world and is expected to defend his thesis in 2014. He is a member of the Cyber Stewards Network.

The Case for Data Driven Analysis for Cybercrime Regulation – by Francisco Javier Vera Hott
https://cyberdialogue.ca/2014/03/the-case-for-data-driven-analysis-for-cybercrime-regulation-by-francisco-javier-vera-hott/
Sat, 29 Mar 2014 18:54:41 +0000

Given the growing internet penetration rates over the last few years throughout a diverse set of developing countries (also known as the ‘Global South’), different issues are arising in regards to the expansion of traditional “real life” activities to cyberspace, including commerce, education, and mass media.

Crime does not constitute an exception for these practices and there is certainly a lot of undesirable behavior that can originate on the Internet. These actions should be punished in order to prevent such antisocial conduct.

Some antivirus and Internet security companies along with cyber security consultants are regularly talking to the press and other industries about the increased security risks associated with the Internet and the need to legislate for new criminal offenses related to cybercrime.

However, regulating cybercrime can seriously affect our ability to exercise fundamental rights such as freedom of expression, privacy or access to knowledge.

Anti-hacking laws can lead us to cases such as Aaron Swartz’s, where he was about to face a trial and the possibility of prison time because of a mass download of scholarly papers, some of them already in the public domain. Identity theft regulations can lead authorities to prosecute social network parody accounts or other legitimate exercises of the right to freedom of expression. Cybersecurity and state secrecy laws can lead to the prosecution of whistleblowers whose contribution to the public interest tends to outweigh any possible damage.

However, as I already suggested, some companies and consultants have an economic interest in documenting and presenting distorted cybercrime numbers. They are not alone. Many banks and other industries are pushing for stricter and wider cybercrime laws, since this allows them to alleviate the burden of keeping their clients’ data and assets safe from intrusions.

The lack of reliable data on many developing countries is also a major issue when dealing with cybercrime policy. There is a need for reliable statistics on the exact damage of these crimes in order to be able to review or create cybercrime policy from a solid standpoint.

That is where civil society, such as NGOs, research centers and think tanks, has the responsibility to get involved in the discussion, to ensure that decisions being made are in line with fundamental rights, and with a solid empirical base. In Derechos Digitales, with the help of the Cyber Stewards Network, we have been mapping criminal laws while also collecting and processing data on cybercrime prosecution and conviction rates to come forward with data driven analysis of these regulations.

Fostering human rights in cyberspace is an increasingly difficult task, considering all economic and political interests that are entering the debate. In that context, collecting and having reliable data to inform public policy decisions is becoming increasingly important to maintain a free and open internet, where the exercise of fundamental rights is at its center, and not a mere commodity to be traded with other private interests.

About Francisco Javier Vera Hott

Francisco Javier Vera Hott is a Chilean lawyer. He works on human rights and regulation issues in Chile and Latin America, and does policy and advocacy work with ONG Derechos Digitales, where he is the Director of Projects; and with Access, where he is the senior policy analyst for Latin America. Among his main interests are copyright, data protection and cybercrime. He is a member of the Cyber Stewards Network.

From Paranoia to Solidarity: Human Rights Technology in the Age of Hyper-Surveillance – by Enrique Piracés
https://cyberdialogue.ca/2014/03/from-paranoia-to-solidarity-human-rights-technology-in-the-age-of-hyper-surveillance-by-enrique-piraces/
Fri, 28 Mar 2014 20:13:38 +0000

For decades, security experts, privacy advocates, and whistleblowers have warned us about the growing surveillance capacity of states, the risk of technology in the hands of organized crime, and the increasing role that corporations play in violating citizens’ rights to privacy and anonymity. Some have listened, but many have not.

When talking about the growing dangers of mass surveillance as a result of technological advances, I’m frequently met with apprehensive stares. There’s a certain look that says, “Uh-oh, this poor conspiracy theorist, railing against the powers that be.” You see, being paranoid doesn’t mean they’re not out to get you.

So, I am heartened by the growing public interest in surveillance and counter-surveillance. Thanks to Edward Snowden’s courageous whistle-blowing, Lavabit’s Ladar Levison’s public fight for our privacy rights, and the infiltration of major media outlets like the New York Times by foreign actors, it is clear that paranoia is no longer just for crazies.

As we start to grasp the scope and scale of unchecked surveillance, it is important to underscore the need to understand its potential long-term consequences for human rights organizations and the development of free media. In the context of human rights documentation and journalistic work, the implications of technically advanced surveillance can be tremendous.

Human rights defenders and journalists work in environments where resources are scarce and adversaries have the upper hand. Throughout history, they have found creative and innovative ways to confront social injustice and challenge abuses of power. Technology is increasingly playing a key role in their ability to do so, which, in part, is possible thanks to transnational solidarity. Many international organizations have spearheaded technology transfer and capacity building for those on the frontlines of the struggle for accountability, transparency, and justice. I’d argue that large-scale surveillance programs, often in cooperation with the private sector, are likely to undermine the credibility of the capacity-building and technology-transfer organizations that have long supported partners around the world. For those who live and work in the “last mile” of the telecommunications networks—that area where users interface with technology—the implications of surveillance can be catastrophic.

Thus, it is increasingly important that we are able to further document and understand the harm of surveillance, as well as to actively debate the best path forward for its mitigation and prevention, both from a technical and a policy perspective.

To that end, it is necessary to support methodologically sound research—by organizations such as Citizen Lab, Human Rights Watch, Privacy International, and Electronic Frontier Foundation—as it can shape the public debate and promote policy change that respects and protects our rights in the digital age.

Perhaps because of the media’s emphasis on the harm to individual privacy and the notion of individual rights, the significance of surveillance to the collective aspects of our lives is often underappreciated. In terms of human rights work, this results in diminishing of trust between organizations. At Benetech, we experience the difficulties this poses for our efforts to promote free and open human rights technology in the Global South. While our partners and collaborators trust our individual commitment to the advancement of human rights, they are increasingly wary of our potential linkage to a massive spying network.

We need immediate action to counter the effects of surveillance. As I prepare for the Cyber Dialogue conference—where an influential mix of global leaders from government, civil society, academia, and the private sector will discuss the likely implications of surveillance for rights, security, and openness—I’d like to invite you to follow the conversation as the right to privacy is not only yours and mine, but ours.

About Enrique Piracés

Enrique Piracés is the Vice President of the Human Rights Program at Benetech, a nonprofit technology company that provides open technology for the advancement and promotion of global human rights. Follow him on Twitter: @epiraces

Cyber Witch Hunting and the Real Danger of Cyber Controls – by Aim Sinpeng
https://cyberdialogue.ca/2014/03/cyber-witch-hunting-and-the-real-danger-of-cyber-controls-by-aim-sinpeng/
Tue, 25 Mar 2014 17:15:12 +0000

Not again. A cyber “witch hunter” sent me a message condemning my Facebook friendship with a well-known political activist who fights to reform the monarchy in a country that carries the harshest punishment for defaming the royalty. The thought of disabling my Facebook popped up in my head. I shook it out, knowing that I don’t want to lose my main social networking because of some idiotic message I got from someone I don’t even know. But I can feel fear seeping through my keyboard.

I have had my fair share of threats and intimidation for several years now for the simple fact that I write and blog politics about a country embroiled in what might as well be a civil war. Like a growing number of Asian countries, my country has cooked up a rather draconian cyber law, one in which the state has the ultimate upper hand in deciding what a “cyber crime” looks like. A long and growing list of people have been convicted of crimes so technical some of the convicted didn’t even know how to commit them.

But I’m no activist. I’m just curious and I do speak out every once in a while because I’d like to believe there is still freedom of expression in the country that I so much love. Yet, years of authoritarian rule and political repression have stripped away even the most fundamental civic rights. Self-censorship is second nature to most of us, but knowing where “the line” is has become more and more difficult in the current volatile political situation. It’s not because of the vague cyber laws or the erratic behavior of the cyber officials, although that’s part of it, but it’s because of the growing “cyber army” of average Internet users out to get one another.

A smart state, like mine, recognizes its own limitations in controlling the cyberspace. While state institutions are created to lay down the ground rules for what is appropriate behaviour online, the real “monitoring” is done by average net users who volunteer their time to safeguard the cyberspace. The state exploited the current political crisis by co-opting those who share their political beliefs and turning them into their very own cyber army. These cyber warriors are not paid, nor are they officials of the state, like the 50 Cent Party. They are just ordinary people, who go online to scour the Internet for “suspected cyber criminals” and submit their names to the authorities. Some prefer witch hunting: naming and shaming others online for not agreeing with the state-sanctioned cyber behavior. Cyber controls by the state can be most effective when its own people turn against one another.

When I turn on my computer, I’m not worried about getting an email from the Cyber Crime Police. After all, I have never crossed the line. But I’m afraid of the cyber witch hunters, who are out to get me just because I don’t think like them.

About Aim Sinpeng

Aim Sinpeng is a postdoctoral fellow in the department of political science at McGill University. Dr. Sinpeng’s research focuses on digital politics in Asia, particularly cyber movements and Internet public policy.

A Magna Carta for the Internet? – by Jan Kleijssen
https://cyberdialogue.ca/2014/03/a-magna-carta-for-the-internet-by-jan-kleijssen/
Mon, 24 Mar 2014 17:36:37 +0000

The views expressed in this piece are those of the author only.

The Internet is a unique public global good. It enables unprecedented numbers of people to share information and ideas, exercise democratic control over governing institutions and participate in the production of economic, social and cultural value. A large part of human activity today is enhanced by, and sometimes only possible through, the Internet.

The Internet’s resilience owes to its distributed nature and management by multiple actors throughout the globe in a collaborative manner. Its creative power stems from the openness it offers to everyone to experiment and try new ideas. Its growth in usage is based on users’ trust that the Internet will deliver public service value with minimal risks.

Concerns about mass surveillance, increased censorship and the emergence of dominant industry players capable of shaping the rules of use for millions and even billions of people have undermined trust in the Internet.

Mass surveillance has triggered discussions on new ways to guarantee privacy, freedom of expression, free flows of information on the Internet and what action needs to be taken at an international level. Recently, the media reported about a proposal by German Chancellor Merkel regarding the creation of a European network in order to ensure data protection. The idea of enhancing independent Internet connections with other countries has been proposed by the Brazilian President Dilma Rousseff. The EU-Brazil Summit in February 2014 covered, among others, topics such as investment in ICT infrastructures (fibre-optic submarine cable linking EU and Brazil) and referred to the creation of EU-Brazil Dialogue on International Cyber-Policy to address issues of the right to freedom of expression and privacy.

Naturally, discussions have extended to fundamental questions with regard to the roles of key state and non-state players in the way the Internet is run and have triggered different initiatives to examine the present models of governance of the Internet. Brazil is organising the Global Multistakeholder Meeting on the Future of Internet Governance in Sao Paulo 23-24 April 2014 (NetMundial) to discuss Internet governance principles. Strategic thinking on legitimacy in the governance of the Internet, protection of human rights, norms on state conduct and cybercrime cooperation is also taking place at the Global Commission on Internet Governance chaired by Sweden’s Foreign Minister Mr Carl Bildt.

The Council of Europe is playing an active role in these developments. The Secretary General of our Organisation participates in the ICANN’s High Level Panel on the Future of Global International Cooperation. Recently, the Parliamentary Assembly of the Council of Europe called for the launching without delay of a Council of Europe White Paper on “Democracy, politics and the Internet”, to serve as a major Council of Europe contribution to the global reflection on Internet governance. The Council of Europe recently submitted its contribution to NetMundial which focuses on our Internet governance principles endorsed by the Committee of Ministers.

Some days ago, Sir Tim Berners-Lee, one of the key figures in the development of the Internet, said that in order to address surveillance we need a set of values, “something like a Magna Carta for the World Wide Web”.

Time has indeed come to consider how to effectively guarantee human rights and fundamental freedoms in Internet governance as well as universal accessibility, security, transparency and openness. The multi-stakeholder dialogue which took place over the last decade has greatly contributed to enhancing knowledge and shaping common positions on how to build consensus on this goal. The proposed “Magna Carta” could be an international agreement, possibly a framework Convention, and would be a major step to protect the abovementioned values, just as international legal instruments have proven indispensable to protect human rights and freedoms in general.

The aim of such a Convention would not be to enable individual states to regulate or control the Internet, but to codify a collective set of standards, based on existing best practice, and agreed through a multi-stakeholder dialogue. As in human rights Law, by committing to such a Convention, governments would provide a collective system of guarantees, and accept to be held to account.

The Council of Europe would offer an appropriate framework to facilitate a more thorough discussion on this. In recent years, the Council of Europe has carried out its continent-wide mandate to protect and enhance human rights, democracy and the rule of law also as regards the Internet. Our 47 member states have developed a series of Conventions, open to all states, to protect people against cybercrime, combat the sexual exploitation and abuse of children, fight counterfeit medicine, as well as the protection of personal data. We have also developed a range of political principles, policy standards, practical tools and opportunities for multi-stakeholder co-operation, which are helping governments, the private sector and civil society to protect and respect and uphold the values of our Organisation. A comprehensive guide to human rights for Internet users is scheduled for adoption in April.

The Council of Europe has been an active participant in the Internet governance processes since the first World Summit on Information Society in 2003. Its position has always been based on the need to secure the full implementation of the European Convention on Human Rights and on the principle of “doing no harm” to the Internet’s functioning. The Council of Europe has repeatedly affirmed its support for the multistakeholder dialogue as a guiding principle for internet governance.

About Jan Kleijssen

Jan Kleijssen joined the Council of Europe in 1983 as a lawyer with the European Commission of Human Rights. Having served as director of the Secretary General’s Private Office and as the special adviser to the president of the Parliamentary Assembly, he is currently the director of Information Society and Action Against Crime, Directorate General Human Rights and Rule of Law, of the Council of Europe. This Directorate carries out standard-setting, monitoring and co-operation activities on a wide variety of issues, including: Freedom of expression, Data protection, Internet governance and Cybercrime. He has had numerous papers published, the most recent being “Una Internet Centrada en los Derechos Humanos y en las Personas: La Perspectiva del Consejo de Europa” in Nueva Revista (2013) and “Protecting Internet Freedom: A Pressing Challenge” in Synergy Magazine (2012).

Practical Steps Towards Telecommunications Transparency – by Christopher Parsons
https://cyberdialogue.ca/2014/03/practical-steps-towards-telecommunications-transparency-by-chris-parsons/
Mon, 24 Mar 2014 17:20:40 +0000

Cross posted from Christopher Parsons’ blog, “Technology, Thoughts & Trinkets.”

Last month I, along with a series of academic researchers and civil liberties organizations, asked Canada’s leading Telecommunications Services Providers (TSPs) to disclose how, why, and how often they provide telecommunications information pertaining to their subscribers to state agencies. We received responses from ten of sixteen companies a little over a month later. Many of the companies steadfastly refused to provide any information beyond assertions that they protected Canadians’ privacy, that they were largely prohibited from providing any specific information because of national security or confidentiality of investigative techniques reasons, and that the signatories to the letter would be better suited contacting the government directly.

Less directly, I’ve heard from a series of high-profile figures in Canada’s telecommunications industry and national security community. Some figures in the telecommunications industry expressed concern about Canadians’ privacy but indicated that they lacked the time, inclination, resources, or sufficient buy-in to ascertain what they could do to render their companies’ practices more transparent. TELUS is on record as stating they would “request the Government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency.” Members of the national security community worried about enhancing Canadians’ trust in what they do, but remained uncertain about what they could specifically recommend to their peers. Almost all the people I’ve spoken with have indicated that they would appreciate some kind of practical ‘here’s what could be done’ document that they could use to develop an internal business case for an expanded transparency regime.

This post offers some guidance for how companies can improve their transparency practices, along with why particular proposals should be adopted. Specifically, I identify three things that companies could do, in order from least to most challenging. They could disclose data retention periods, make their lawful access handbooks available to the public, and produce full-bodied transparency reports. Critically, the first two of these proposals would just require publicizing documentation that Canada’s TSPs already retain. After outlining all three proposals, I conclude by explaining why corporate transparency needs to be complemented by government accountability.

Disclosure of Data Retention Periods

Canadians rely on their telecommunications providers for many facets of their daily lives. They place phone calls, listen to voicemails, send text messages, find their location using GPS and proximity to wifi access points and cellular towers, browse the Web and access Internet services more generally, and are engaged in ongoing business relationships with their wired and wireless TSPs. As a result of these transactions, TSPs are in a situation to know an awful lot about Canadians, though few Canadians outside of select TSP employees are fully aware of just how much is known or retained about Canadians’ telecommunications activities. I propose that TSPs should expand who is aware of retention periods to include all Canadians.

Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), corporations are expected to limit use, disclosure, and retention of personal information (Principle 5) and be open about their practices and policies “relating to the management of personal information” (Principle 8). Moreover, upon request “an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.” Combined, these principles lay down a powerful rationale for why companies should proactively outline the length of time that they retain subscribers’ telecommunications information: because their subscribers can already ask about retention periods related to their own personal information, and once asked the companies are legally expected to provide a definitive response. All companies that responded to our letters indicated strong support of Canada’s privacy laws: it shouldn’t be too much for them to demonstrate this by actually adhering to PIPEDA’s core principles.

Beyond demonstrating their compliance to the full spirit and intention of PIPEDA, TSPs might be motivated to publish their retention periods to avoid the more hostile press responses that might follow from subscribers en masse asking about TSPs’ retention periods. By outlining how long data is retained companies can explain and justify, on their own terms, why they retain data for as long as they do. Thus, they might explain that the retention of SMS messages or extensive call logs is to identify fraud, or that retained mobile location information captured by cell towers is used for capital investment analysis. If, however, retention periods are only unearthed following subscribers exercising their rights then any subsequent coverage of corporate data retention periods might be less positive and more challenging for TSPs to shape.

Publish Government Access Handbooks

Law enforcement agencies will sometimes turn to TSPs in the course of an investigation. Companies in the United States and Canada alike have, in turn, developed policies that inform how corporate officers will respond to these agencies’ requests. In the United States more and more companies are proactively publishing their law enforcement access handbooks for a pair of reasons: first, because disclosing the information prevents journalists from turning an errantly disclosed guide into an embarrassing story or article; second, because publishing these handbooks proves to the public that there is a routine and diligent process for handling government requests.

Canadian companies already have processes and policies to respond to state agencies’ requests. Bell Canada, in particular, has led the way to standardize voluntary requests for subscriber data while also establishing an internal group that exclusively deals with lawful access requests. Other companies, privately, admit to also having policies to respond to governmental requests. A good government access handbook would include the following kinds of information:

  1. How is a data request served to the company? Can a request be emailed, faxed, or must it be mailed or couriered?
  2. What kinds of data requests can be made (e.g. voluntary, formal requests, emergency requests)? What are the requirements to fill each kind of request; is specific information required of the requesting party before the company can process a voluntary, versus formal, versus emergency request for data? Does the company distinguish between public and non-public information about its subscribers or subscribers’ activities and, if so, how?
  3. What information must be included when making a data request for a particular subscriber’s information? Are different kinds of information required for different kinds of requests (e.g. phone numbers for some requests, email addresses for others, and IP addresses for yet other kinds of requests)?
  4. What contact information must a government authority provide in order to submit a request? Are badge numbers, agency phone numbers or email addresses, or mailing information required?
  5. What information might be disclosed in relation to the request-types the company identified in (2)? Such disclosures might be categorized according to voluntary, formal, or emergency requests, or based on specific kinds of requests the company has received in the past.
  6. Does the company notify its customers after their data is requested by, or disclosed to, a state agency? And if normal practice is to notify members, under what conditions does the company waive this policy?
  7. How does the company respond to international requests for information? Are there particular policies or practices that must be met before the company will disclose information to foreign government agencies?
  8. What should a government agency do if it has an emergency/exigent request for data? Is there a specific company form that must be filled out before the company can fulfil such a request?
  9. How long does it take the company to respond to each type of request? Are there limitations to the company’s capacity to respond to requests? Are there ways of accelerating disclosure periods?
  10. Is there a cost incurred by a government agency when the company responds to a data disclosure request? Are such costs incurred regardless of whether pertinent information is found in the company’s databases? What are the costs that government agencies can expect to incur?

Any guide that responded to the above questions would clarify to state agencies, corporate customers, and service subscribers alike what procedures and policies are in place to respond to government requests for subscriber-related telecommunications data. Many of Canada’s telecommunications companies have pre-existing policies and handbooks that are meant to standardize government access to the company’s data. By publicizing the corporate handbook customers will better understand how the company complies with both social norms (e.g. voluntary disclosure of subscriber data in specific cases) and legal requirements (e.g. a warrant or other court order is required to access certain kinds of telecommunications information). Revealing how these companies operate would also exhibit their commitment to the PIPEDA principle of openness because subscribers would better understand how the company manages customer and customer-related information.

Develop a Transparency Report

Transparency reports are being adopted by American and international telecommunications companies. Companies such as AT&T, Verizon, Sonic.net, and Telstra already publish such reports, and Vodafone is slated to soon begin issuing transparency reports. In addition to traditional wireline and wireless companies, ‘Internet-first’ companies like Google, Dropbox, Facebook, LinkedIn, and others also publish reports that identify why and how often state agencies request access to telecommunications data pertaining to companies’ subscribers. In most of the companies’ cases, their reports have either evolved, or are expected to evolve, as they refine their internal reporting mechanisms and as courts or governments expand the range and specificity of data that can be publicly disclosed. Ideally, any transparency report includes information that helps people who read the report to understand the conditions attached to third-parties accessing the data in question.

In terms of specific data disclosed, a Canadian transparency report might be divided between federal and non-federal agency requests for subscriber-related information. A company might also have a separate table that identified attempts by to access telecommunications data as part of civil cases. Table 1 gives an example of what kind of information a Canadian TSP transparency report might include.

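| Request Type | # Government Requests | # Accounts Requested | # Emergency Requests | # Voluntary Requests | # Court Order Requests | # Warrants |
|---|---|---|---|---|---|---|
| Device geolocation | | | | | | |
| Call detail records | | | | | | |
| SMS/MMS | | | | | | |
| Voicemail | | | | | | |
| Cell tower logs | | | | | | |
| Subscriber information | | | | | | |

Table 1: Federal Requests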

| Request Type | # Requests Refused | # Requests Partially Filled | # Requests Fully Filled | # Requests of Metadata Records | # Requests for Content | # Requests for Real Time Data | # Requests for Retroactive Data |
|---|---|---|---|---|---|---|---|
| Device Geolocation | | | | | | | |
| Call Detail Records | | | | | | | |
| SMS/MMS | | | | | | | |
| Voicemail | | | | | | | |
| Cell Tower Logs | | | | | | | |
| Subscriber Information | | | | | | | |

Table 1: Federal Requests (Cont’d)

Below the table, a company could then discuss or explain:

  • Kinds of reasons for not responding to state agencies’ requests for information.
  • Why there might be variation between the number of requests versus the number of accounts that are affected.
  • Whether the company notified customers following a government request for information.
  • Descriptions of the kinds of data requests, and the conditions that must generally be met before the company discloses such data.

Tables similar to Table One, with similar discussions or explanations following the table, could be developed for provincial agencies’ requests for information, as well as for requests for data emerging from civil cases.

The transparency report could also include information about how long the company chooses to retain a variety of data-types (which would be derived from the first proposal I offered, the publication of data retention periods). Moreover, a rationale might be provided to describe whether and, if so why, data retention periods had changed since the last transparency report was issued. Table Two gives an example of how data retention periods might be publicized.

| Type of Data | Retention Period | Rationale for Retention Period |
|---|---|---|
| Device Geolocation | | |
| Call Detail Records | | |
| SMS/MMS | | |
| Voicemail | | |
| Cell Tower Logs | | |
| Subscriber Information | | |

Table 2: Data Retention Periods

There is room for further growth of these kinds of transparency reports. Details about whether non-Canadian organizations sought (and received) access to telecommunications data, how many requests were issued on national security grounds, the numbers of inappropriate requests made, costs of fulfilling requests, average times to respond to requests, and the full range of data fields associated with different record-types could also be included in a maximally robust transparency report. Nevertheless, even absent this expanded range of information, the more limited data noted in tables one and two would help to clarify the extent to which telecommunications companies provide information to Canadian state agencies.

Corporate Transparency is Not Enough

To be clear, companies are not presently under a legal obligation to publicly publish their data retention periods, publish lawful access handbooks, or produce transparency reports. However, challenges or questions put to various federal institutions might ultimately compel companies to more holistically explain how they manage their customers’ personal information and, in the process, incite or compel companies to provide the information denoted in at least the first two proposals I’ve outlined. The point of each of these proposals, ultimately, is to help consumers better understand how their personal information is safeguarded and handled; at this point, consumers simply do not understand even the most basic contours of how such data is managed.

Increased corporate transparency is not, however, a panacea to understanding the full range of state agencies’ surveillance practices. Whereas corporate transparency offers a degree of insight into existing government practices, the core value is empowering individuals to understand how and why their personal data is managed. To this end, government accountability is also needed: government agencies should be expected to produce yearly reports to their respective legislative bodies (Parliament or provincial Legislative Assemblies) that identify the extent to which they are requesting, and receiving access to, Canadians’ telecommunications records. In subsequent work, I will propose some ways that governments can also improve their accountability to the Canadian public concerning government access to telecommunications data.

Ultimately, Canadians are reliant on TSPs to conduct a significant amount of their daily lives. And companies are already obligated to disclose some data to subscribers upon request (e.g. retention periods) and maintain internal records concerning business practice-related policies (e.g. government access handbooks). Following through on public commitments to Canadians’ privacy, and working to adhere to industry best practices, should also compel Canadian TSPs to develop transparency reports voluntarily, rather than waiting for damaging information to harm their brands and thus incite the development of such reports. Canadian TSPs have the opportunity to demonstrate they are genuinely concerned about Canadians’ privacy. It’s long past time for them to act.

About Christopher Parsons

Christopher Parsons’ research, teaching, and consulting interests involve how privacy is affected by digitally mediated surveillance, and the normative implications that such surveillance has in (and on) contemporary Western political systems. He is a post-doctoral fellow at the Citizen Lab, Munk School of Global Affairs, University of Toronto, where he is examining telecommunications companies’ data retention and data disclosure policies. He is also a Privacy by Design Ambassador and a principal at Block G Privacy and Security Consulting. He has a Ph.D. in political science from the University of Victoria, where he completed a dissertation that examined the political drivers of Internet service providers’ network surveillance practices.

It’s Time for a Magna Carta for the Web – by Dunja Mijatović https://cyberdialogue.ca/2014/03/its-time-for-a-magna-carta-for-the-web-by-dunja-mijatovic/ Fri, 14 Mar 2014 00:43:09 +0000 https://cyberdialogue.ca/?p=2839

While Al Gore may have invented the Internet, most people today are commemorating the 25th anniversary of the spawning of an idea, posed by British scientist Tim Berners-Lee, which was to give birth to what we call the World Wide Web. Bully for him. Good for us.

Berners-Lee, always outspoken, is now peddling the notion that the Web is in serious trouble of losing its soul, which in this case means its openness, to government and commercial interests. It’s time for a Magna Carta for Web users and the Web itself.

I couldn’t agree more.

Our challenge is to beat back the dangers posed to the Web by big government and big business. Both are insidious and have the power to retard its development. They have the power to turn the Web into hundreds, maybe thousands, of little fiefdoms that would destroy the inherent brilliance of Berners-Lee’s idea—an open and neutral platform for the free flow of information.

Reasonable people can debate the level of safeguarding, local and international, that is needed for the Web – but within reason, of course. Berners-Lee recognizes that. But under no circumstances should the Web become “a series of national silos,” as he was quoted as saying in The Guardian.

I agree, too.

As OSCE Representative on Freedom of the Media it is my primary objective to ensure an environment in which free media and free expression can flourish – across international boundaries. And regardless of what technology we use to disseminate the content. A Magna Carta for the Web is a step in the right direction.

About Dunja Mijatović

Dunja Mijatović is the OSCE Representative on Freedom of the Media.

UNESCO Calls for Editors’ Input in Online Privacy Study – Interview with Guy Berger https://cyberdialogue.ca/2014/03/unesco-calls-for-editors-input-in-online-privacy-study-interview-with-guy-berger/ Tue, 11 Mar 2014 17:03:42 +0000 https://cyberdialogue.ca/?p=2816

Interview by Julie Posetti and published by the World Association of Newspapers and News Publishers. Original posting is here.

Late last year, UNESCO’s 195 member states adopted a resolution on freedom of information and privacy, formally recognising the value of investigative journalism to society, and the role of privacy in ensuring that function.

“…privacy is essential to protect journalistic sources, which enable a society to benefit from investigative journalism, to strengthen good governance and the rule of law, and that such privacy should not be subject to arbitrary or unlawful interference,” the resolution reads in part.

The resolution, which represents a significant but under-recognised endorsement of investigative journalism, was brought by Brazil and adopted at UNESCO’s General Conference last November.

A proposal that UNESCO should consider a process to adopt non-binding standards or guidelines to address privacy in cyberspace was replaced with a mandate for the Organisation to complete a consultative study on privacy, free expression, access and ethics on the Internet, which will present several options to the member states in November 2015.

As part of this investigation, UNESCO’s Director of Freedom of Expression and Media Development Guy Berger is interested in hearing from editors and journalists. “UNESCO would welcome the views of editors on the free expression-privacy issue, particularly as it plays out in cyberspace,” he told WAN-IFRA in an email interview from New York.

WAN-IFRA’s Research Editor, Julie Posetti, asked Berger to explain the thinking behind the resolution.

WAN-IFRA: Why is privacy essential to the protection of journalists’ sources?

Guy Berger: Whistleblowers will fear contacting journalists if they have reason to doubt confidentiality. The effect? Less news about corruption or abuse will enter the public domain, and everyone will be information poorer. No action can be taken on problems that remain hidden. All this is why many countries have laws which shield journalists from having to reveal their sources.

WAN-IFRA: What are the potential consequences if sources’ privacy is subjected to “arbitrary or unlawful interference”?

Guy Berger: If there is no adequate protection, this has a “chilling” effect in that people do not feel safe to speak to the press. This is why it is a key journalistic ethic to shield sources from being exposed, sometimes even sustained by reporters at great personal cost and in the face of a legal process. It is especially the untoward pressures, however, which put the reputation of the profession at greatest risk.

WAN-IFRA: How difficult to navigate are the tensions surrounding the balance between freedom of expression and privacy as regards practice of journalism?

Guy Berger: Law enforcement agents may cite a legitimate interest in overriding journalists’ interests in privacy of sources, and each side may have a case. The balance has to be made with reference to the widest public interest and the longer-term effect of information flows when sources are not guaranteed confidentiality. Any court of law that weighs the issues needs to keep in mind the international standards of necessity and proportionality. In order to pursue justice based on press revelations, it is often not necessary to demand that a journalist disclose secret sources – other channels are available. In addition, only a portion of information may be needed for law enforcement authorities to do their job. So, nuance is needed when resolving tensions.

WAN-IFRA: Is there enough awareness of these issues among editors and journalists broadly? Why should they be concerned and active on these issues?

Guy Berger: People in the media are very aware of these issues all the time. They know full well that their claims to source privacy are not so much individual rights as an attribute of their community of professional practice. The privacy is essential to them (in) their public service role. Most journalists know well that the general privacy of ordinary citizens should be respected – i.e. none would argue that there was public interest justification in the UK phone-hacking cases. At the same time, an investigative journalist will know that anyone’s claims to privacy are a sham if the intention is to conceal ills like theft, pollution, illegal money laundering or domestic abuse.

Age of surveillance

Investigative journalists are also increasingly aware of state-sponsored breaches of privacy in the age of surveillance. The author commissioned by The Guardian to write a book about the Edward Snowden case, Luke Harding, revealed last week that he had watched paragraphs of his work disappear from his computer screen before his eyes. “I wrote that Snowden’s revelations had damaged US tech companies and their bottom line. Something odd happened,” he reported. “The paragraph I had just written began to self-delete. The cursor moved rapidly from the left, gobbling text. I watched my words vanish. When I tried to close my OpenOffice file the keyboard began flashing and bleeping.”

Meantime, the UN hosted an international expert seminar on the Right to Privacy in the Digital Age in Geneva yesterday, during which UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue, called for a special United Nations mandate for protecting the right to privacy. “I believe that privacy is such a clear and distinct right…that it would merit to have a rapporteur on its own,” La Rue said. “If we pitch national security against human rights, we’ll end up losing both,” he added.

This seminar followed the historic adoption of the UN’s Right to Privacy in the Digital Age resolution last December, which recognises the need to uphold people’s offline privacy rights online as well.

About Guy Berger

Guy Berger is UNESCO’s director for Freedom of Expression and Media Development, based in Paris.

Why We Should Care About Russia’s Stance on the Internet – by Andrei Soldatov https://cyberdialogue.ca/2014/03/why-we-should-care-about-russias-stance-on-the-internet-by-andrei-soldatov/ Mon, 10 Mar 2014 20:26:30 +0000 https://cyberdialogue.ca/?p=2810

How can we reduce American influence over the Internet? Is it possible to place boundaries on the global network and, if so, how? Today, in the aftermath of the Snowden revelations, these are among the most prominent questions in the global debate on Internet regulation.

Surprisingly, it appears that it is Russia rather than China—the established world authority on Internet censorship—leading this offensive on the Internet. Given Russia’s successful experiments in censorship and surveillance, we must pay attention to the country’s role in discussions on global Internet regulation.

Evidence of Russia’s exceptional role in challenging the rules of Internet governance includes two recent success stories. First, Russia’s country-wide Internet filtering system has proven to be highly effective in dealing with global online platforms and services. And second, as a result of Russia’s exemplary surveillance state, the Sochi Olympics were secure, calm, and controlled despite their proximity to the North Caucasus and the plans of many groups to stage protests during the event.

Remarkably, the approach used by the Kremlin in both cases was not what one might have expected. In November 2012, when Internet filtering was introduced in Russia, national telecom operators and Internet service providers rushed to buy deep packet inspection technology. Experts believed that this technology would be the principal tool used to censor content on global platforms. Instead, the authorities turned toward much more direct measures.

Since then, thousands of websites have been banned, ranging from those containing text taken from William Powell’s Anarchist Cookbook to the YouTube hit “Dumb Ways to Die.” Institutions that provide public access to the Internet—schools, libraries, Internet cafés, and even post offices—were raided by authorities to ensure that computers had been updated to prevent access to banned websites. The authorities did not hesitate to block entire services, and this had an effect on Internet giants. Now, it takes just a few hours to have Google, Facebook, and Twitter remove content deemed harmful by the Russian authorities. The success of this straightforward approach encouraged the Kremlin when it faced its biggest security challenge of the last seven years, the Sochi Winter Olympic Games.

In 2013, Citizen Lab, Privacy International, and Agentura.Ru launched a joint project focused on investigating surveillance measures deployed in Sochi in preparation for the Olympics. We expected these measures to be substantial, given the country’s poor human rights record and the legacy of Soviet Union’s security agency, the KGB, which maintained totalitarian control over its citizens. In fact, the Russian secret service openly expressed their admiration of the security measures at the 1980 Moscow Olympic Games, which were boycotted by most Western countries.

Our research found that the surveillance measures imposed in Sochi were exceptional in many ways. This includes the installation of 11,000 CCTV cameras, total communications interception, and the use of surveillance drones and blimps. In fact they were so impressive that Sochi’s electronic surveillance system has put Russia’s intelligence agencies in the spotlight of international media, propelling the Russian Federal Security Service (FSB) and SORM (Russia’s system of lawful interception on communications) into the global debate over surveillance alongside the NSA, GCHQ, and the “Five Eyes” alliance. For example, on January 22, 2014, just a few months after The Guardian published our Sochi research, I was asked to provide testimony before the Committee of Civil Liberties, Justice and Home Affairs of the European Parliament on SORM as part of the European Parliament’s investigation into mass surveillance of European citizens by US and British intelligence agencies.

What struck me most was that many of the surveillance measures taken at Sochi were introduced almost openly. A headline on the pro-Kremlin Voice of Russia website aimed at English-­speaking audiences expressed it best: “Don’t be scared of phone tapping during Sochi. It’s for your own safety.” Indeed, the authorities seemed to flaunt their electronic eavesdropping capabilities.

The explanation that I offer is that these measures were meant to send a message. Many activists appeared to be openly monitored, their apartments visited by police, and in the case of the punk protest group Pussy Riot, followed by dozens of policemen, plainclothes agents and the Cossacks, a group of predominantly East Slavic people who are members of democratic, semi-military communities, predominantly located in Ukraine and in Southern Russia.

Meanwhile, most journalists who covered the small number of protests in Sochi were acutely aware that their contact with locals was absolutely known to security agencies. A prime ministerial decree made sure of that. Three months before the Sochi opening ceremony, a system of metadata collection on participants of the Games was decreed, and journalists were mentioned twice in the document. The goal was to impose self-censorship on journalists. This strategy was only partly successful since many global media outlets produced stories about the extensive surveillance and security measures in Sochi. Nevertheless, the general success of the Games convinced the Kremlin that a straightforward approach when it comes to surveillance as a means of pressure might be very effective. The key word here is pressure—whether it is aimed at journalists, activist groups, or global online platforms.

Before the Snowden revelations, Western countries constantly rebuffed the Kremlin’s ideas of implementing national sovereignty on the Internet, most spectacularly at the International Telecommunications Union’s December 2012 meeting in Dubai. This is no longer the case. Like the Russian government, which is currently using the Snowden disclosures to justify bringing global online platforms and services under Russian jurisdiction, many countries are beginning to support the concept of national sovereignty in cyberspace. The first was Brazil when its communications minister, commenting on Snowden’s revelations, said that local ISPs could be required to store data on servers within the country, adding that local control over data was a “matter of national sovereignty.” In October 2013, Germany’s Deutsche Telekom declared that it wanted to create a national Internet to protect Germany from privacy infringements. And in February 2014, German Chancellor Angela Merkel announced that she would talk to French President Francois Hollande about building a European network to avoid data passing through US servers.

Some changes in Internet regulation seem inevitable. But as countries struggle to find a solution, one should keep in mind that Russia has already provided a cohesive, detailed and well thought out blueprint for turning the Internet into a collection of national intranets.

About Andrei Soldatov

Andrei Soldatov is an investigative journalist and an editor of Agentura.Ru, an information hub on intelligence agencies.

The Internet Governance-espionage Evolution: “Change It!” Versus “Get Real!” – by Chris Bronk https://cyberdialogue.ca/2014/03/the-internet-governance-espionage-evolution-change-it-versus-get-real-by-chris-bronk/ Wed, 05 Mar 2014 20:49:01 +0000 https://cyberdialogue.ca/?p=2354

Rare is the day that Edward Snowden’s decision to leave the United States and provide a massive archive of information regarding US signals intelligence to a handful of journalists, chiefly Glenn Greenwald, doesn’t enter my thoughts or conversation. We are at a swinging pendulum point in which we are left to wonder how much intelligence is needed for security and how the capacity to collect intelligence from cyberspace might be abused. That said, I refuse to be surprised and horrified by the reality that data provided by Facebook’s 1.23 billion users may be swept up in intelligence collection, by everyone from intelligence agencies to marketing firms. It’s simply not that hard to do. Nonetheless there is a debate between two sets of voices that I label “change it” and “get real.” Let’s consider their points.

Following the Snowden leaks, a “change it” chorus of displeasure emerged regarding the National Security Agency’s activity, both inside and outside the United States. Angela Merkel has been a particularly harsh critic of the NSA’s activities, allegedly declaring to President Obama, “This is like the Stasi,” after hearing that her personal cell phone was monitored. Although some decry Merkel for being naïve, she is also the first chancellor of the reunited Germany to be raised in the former East. As an ally of the United States, Merkel believes Germany’s leaders to be exempt from the US surveillance dragnet.

Those upset by the Snowden revelations have formulated a thesis on what they believe is necessary to address the behavior of the US government and the NSA. This set of voices retains relevance due to the continuing release of stories based upon the massive number of documents purloined by Snowden before his travel to Hong Kong and Moscow.

Most critics of the NSA’s activities ask for them to stop. But beyond that, there are those who ask whether the way in which the Internet is governed should be called into question, which is not at all a bad thing, but rather a possible sign that cyberspace is growing up. For nearly a decade, critics of the current Internet governance model, managed by the Internet Corporation for Assigned Names and Numbers (ICANN) of Marina del Rey, California, have pushed for an alternative governance mechanism. My colleague Moshe Vardi, editor of the Communications of the Association for Computing Machinery, stated in December, “We can no longer trust the US government to be the ‘Internet hegemon.’” He may have a point, but not so argues ICANN.

A member of the ICANN board of directors, George Sadowsky, offered the following response to the Internet hegemony argument:

Vardi’s repetition of spurious and incorrect claims, often made for political reasons by other countries, gives credence to ignorance while illustrating the extent to which a knee-jerk reaction generated by Edward Snowden’s recent disclosures concerning the National Security Agency’s surveillance of personal communications worldwide has been unthinkingly adopted by otherwise presumably sensible individuals.

Sadowsky’s tone, in stating how wrong my otherwise ostensibly sensible colleague must be, is exactly the sort that reminds me to revisit the Hegelian Dialectics some consider a useful path to understanding argument. His refutation of Vardi’s claims is simple—that he is wrong and has fallen victim to a visceral reaction that is short-sighted.

Beyond Internet governance, there remains an important discussion on just how much intelligence activity should be undertaken by democratic governments in cyberspace. Nuanced was John Schindler’s initial take on the Snowden revelations, back in June 2013.

The historical truth, of course, is that states have been performing espionage as long as there have been anything like states; it’s not called the Second Oldest Profession for nothing. States have regarded espionage—running and catching spies, intercepting other states’ messages while protecting your own—as core state business for millennia, long before anybody thought states should provide education, pensions, health care, or even police. Espionage is not going away anytime soon.

This exemplifies an important (and to me, more valid) “get real” counter-argument. But Schindler also cites NSA whistleblower Bill Binney, a gifted mathematician who resigned in protest over domestic collection. So even among this “get real” set, there is still a very real concern over the potential for overreach and violation of civil liberties in intelligence activities in cyberspace. The President’s Review Group on Intelligence and Communications Technologies made important points here.

Some of those items were directly addressed in President Obama’s speech regarding the intelligence community at the US Department of Justice, others weren’t. Essentially, the President asserted that he would continue to collect widely from cyberspace, but promised more oversight. As a leader preoccupied with the issue of almost any terror event being his potential political undoing (see Benghazi), there is no room to give up capability, whatever the privacy and civil liberties concern.

Ultimately, it is upon the citizens of democratic societies whose governments engage in cyberspace intelligence to push for more oversight and change. Furthermore, any policy fix is trumped by the reality that it is most likely the best option to enable more technological innovation in protection of privacy and liberty on the Internet. There is likely no satisfying top-down fix for the post-Snowden world, but there may well be many bottom-up efforts that can achieve measurable results.

About Chris Bronk

Chris Bronk is a fellow at Rice University’s Baker Institute.
