Perfection as the enemy of the good: Weakening surveillance reform

Last week saw a flurry of legislative to-and-fro on the Hill as the US House of Representatives pondered the passage of legislation aimed at ending bulk-collection by the US National Security Agency.  The USA Freedom Act, or HR. 3361, was passed on Thursday in a 303-121 vote, and was hailed by The New York Times as “a rare moment of bipartisan agreement between the White House and Congress on a major national security issue”.  Congressman Glenn ‘GT’ Thompson (R-Pa.) tweeted that he was the proud cosponsor of a bill “that passed uniting and strengthening America by ending eavesdropping/online monitoring.”

It was perhaps inevitable that compromise between the intelligence and judiciary committees would see various blows against the bill in terms of scope and effect.  When legislators want to posture about change while asserting the status quo, ambiguity proves their steadfast friend.  After all, with the term “freedom” in the bill, something was bound to give.

Students of the bill would have noted that its main author, Rep. Jim Sensenbrenner (R-Wi.), was also behind HR. 3162, known more popularly as the USA Patriot Act.  Most roads in the US surveillance establishment tend to lead to that roughly drafted and applied piece of legislation, a mechanism that gave the NSA the broadest, and most ineffective of mandates, in eavesdropping.

Then came salutatory remarks made about the bill from Rep. Mike Rogers[2], who extolled its virtues on the House floor even as he attacked the Obama administration for not being firm enough in holding against advocates of surveillance reform.  There is a notable signature change between commending “a responsible legislative solution to address concerns about the bulk telephone metadata program” and being “held hostage by the actions of traitors who leak classified information that puts our troops in the field at risk or those who fear-monger and spread mistruth to further their misguided agenda.”

Even as Edward Snowden’s ghost hung heavy over the Hill like a moralising Banquo, Rogers was pointing a vengeful finger in his direction.  There would, after all, have been no need for the USA Freedom Act, no need for this display of lawmaking, but for the actions of the intelligence sub-contractor. Privacy advocates would again raise their eyebrows at Rogers’s remarks about the now infamous Section 215 telephone metadata program under the Patriot Act, which had been “the subject of intense, and often inaccurate, criticism. The bulk telephone metadata program is legal, overseen, and effective at saving American lives.”

Such assertions are remarkable, more so for the fact that both the Privacy and Civil Liberties Oversight Board and the internal White House review panel, found little evidence of effectiveness in the program.  “Section 215 of the USA Patriot Act,” claimed the PCLOB, “does not provide an adequate basis to support this program.”  Any data obtained was thin and obtained at unwarranted cost.

Critics of the bill such as Centre for Democracy and Technology President Nuala O’Connor expressed concern at the chipping moves.  “This legislation was designed to prohibit bulk collection, but has been made so weak that it fails to adequately protect against mass, untargeted collection of Americans’ private information.”  In O’Connor’s view, “The bill now offers only mild reform and goes against the overwhelming support for definitively ending bulk collection.”

Not so, claimed an anonymous House GOP aide.   “The amended bill successfully addresses the concerns that were raised about NSA surveillance, ends bulk collections and increases transparency.”  Victory in small steps would seem to have impressed the aide. “We view it as a victory for privacy, and while we would like to have had a stronger bill, we shouldn’t let the perfect being the enemy of the good.”

Various members of the House disagreed.  Rep. Zoe Lofgren (D-Calif.) noted that the bill had received a severe pruning by the time it reached the House floor, having a change “that seems to open the door to bulk collection again.”  Others connected with co-sponsoring initial versions of the bill, among them Rep. Jared Polis (D-Colo.) and Rep. Justin Amash (R-Mich.) also refused to vote for the compromise.

What, then, is the basis of the gripe?  For one, the language “specific selection term”, which would cover what the NSA can intercept, is incorrigibly vague.  The definition offers the unsatisfactory “term used to uniquely describe a person, entity or account.”  What, in this sense, is an entity for the purpose of the legislation?  The tip of the iceberg is already problematic enough without venturing down into the murkier depths of interpretation.

Even more troubling in the USA Freedom Act is what it leaves out. For one thing, telephony metadata is only a portion of the surveillance loot.  Other collection programs are conspicuously absent, be it the already exposed PRISM program which covers online communications, Captivatedaudience, a program used to attain control of a computer’s microphone and record audio, Foggybottom – used to note a user’s browsing history on the net, and Gumfish, used to control a computer webcam.  (These are the choice bits – others in the NSA arsenal persist, untrammelled.)

Section 702 of the Foreign Intelligence Surveillance Amendments (FISA) Act, the provision outlining when the NSA may collect data from American citizens in various cases and how the incorrect or inadvertent collection of data is to be handled, is left untouched.  On inspection, it seems the reformist resume of the Freedom Act is rather sparse.

Ambiguities, rather than perfections, end up being the enemy of the good. Laws that are poorly drafted tend to be more than mere nuisances – they can be dangerous in cultivating complacency before the effects of power. Well as it might that the USA Freedom Act has passed, signalling a political will to deal with bulk-collection of data.  But in making that signal, Congress has also made it clear that compromise is one way of doing nothing, a form of sanctified inertia.

This article was posted on May 28, 2014 at indexoncensorship.org

Delusions of freedom: The FCC, the internet and John Kerry

US Secretary of State John Kerry (Photo: AAP Images via Demotix)

US Secretary of State John Kerry (Photo: AAP Images via Demotix)

The US Secretary of State John Kerry’s speech before the fourth annual Freedom Online Coalition conference has all the makings of anti-censorship agitprop. “The places where we face some of the greatest security challenges today are also the places where governments set up firewalls against the basic freedoms online.”

Indeed, like his predecessor, Hillary Clinton, he has taken to banging the drum of internet freedom as if it is a transforming given of modern life.  On January 21, 2010, Clinton made the remark at America’s “interactive museum of news” otherwise called Newseum, that “information freedom supports the peace and security that provide a foundation for global progress.”

As the Belarussian writer and researcher Evgeny Morozov put so eloquently in The Net Delusion, such sentiments promote two delusionary sentiments, the first being cyber-utopianism itself, and the second, being that all problems of the modern world must somehow be tied to matters of the internet.

The philanthropist and high-tech investor Esther Dyson exemplifies both streaks. Writing in 1997, she claimed in Release 2.0 that, “The Net offers us a chance to take charge of our own lives and to redefine our role as citizens of local communities and of a global society.”  It provides opportunities of self-governance and autonomy, “to work with fellow citizens to design rules we want to live by.”

The obvious point lacking in Dyson’s analysis is that behind every utopia is a dystopia waiting to happen.  All governments, whatever their creed, have been guilty of the same vice.

Freedom provides its own vicious subversions – the open use of Twitter and social media sites invariably allows for infiltration, trolling and forms of cyber counter-insurgency.  The simple suggestion that authoritarianism is somehow an enemy of Internet freedom is naïve in so far as it suggests a total misunderstanding as to what such regimes can, in fact, do. All states, autocratic or otherwise, have made it their business to stifle Internet freedoms. They just disagree on how best to do it.

Sounding much like the former Soviet minister of culture, Andrei Zhdanov, Kerry claimed that, “Today, we’ve learned that walls can be made of ones and zeros and the deprivation of access even to those ones and zeros, and that wall can be just as powerful in keeping us apart in a world that is so incredibly interconnected.”  This is somewhat ironic – Kerry himself is obsessed by the behaviour of authoritarian regimes and those who would police internet content, ignoring exactly what might be happening at home.

So many myths have been bound up with the Internet, it has become almost mandatory for Kerry to fall into the rather unreflective pose of technology as freedom.  Zeros and Ones do nothing to liberate a people, let alone facilitate revolution and institutional change.  This is another form of dastard cyber-utopianism – extolling a system of freedom that is merely the straw man of liberty.

Kerry and his colleagues, in truth, are all about regulation and the velvet glove of policing. They decry efforts to control the net in Venezuela, Russia and China, the traditional bogeymen of cyber-freedoms, but prove happy with puritanical measures that police inappropriate content or regulate traffic via private enterprise.

The recent move by the US Federal Communications Commission (FCC) to initiate what it terms a “net neutrality” plan is even more indicative of the scope of control being exerted by the powers that be.  Initiated by its chairman, Tom Wheeler, the proposal came about in response to failed efforts by his predecessor, Julius Genachowski, to defend net neutrality.

More than 100 technology companies, including Facebook Inc, Google Inc, and Amazon.com Inc, have expressed concerns about the proposal that regulates the way Internet providers manage traffic.  They have urged the FCC to “take the necessary steps to ensure that the Internet remains an open platform for speech and commerce.”

The cardinal warning here is that any suggestion that finds home with the label “open” is bound to be only slightly ajar, if not closed altogether.  The Wheeler plan, which purports to be an “open Internet” idea, imports commercial reasonableness into the management of the web. In other words, companies responsible for content would be able to purchase greater speeds on the Internet from broadband providers, within the bounds of commercial prudence.

The consequence of such a superficially liberal plan is that the Internet will be carved up, a case of managing traffic on the “fast lanes” via such companies as Verizon Communications or Comcast Corp, leaving others to languish in their use.  The green light to discriminatory deals is being suggested.  Even one FCC commissioner, Jessica Rosenworcel, felt that, “Rushing headlong into a rulemaking next week fails to respect the public response to his [Wheeler’s] proposal.”

An internal revolt in the FCC may well be on the cards.  But what is an even more striking note is that internet freedom will be dealt a blow, not only by the orthodox authoritarians, but by closet regulators with their fingers on the switch.

Brian Merchant, writing for Motherboard is certainly right to note the fallacious binary embraced by Kerry: “Democracies with private internet service providers, good.  Autocrats who block Twitter, or say that the CIA invented the internet, bad.”

This article was posted on May 14, 2014 at indexoncensorship.org

Liberalising internet governance: ICANN and the role of governments

shutterstock_internet_160953614

 “ICANN’s mission is stewardship and operational stability, not the defence of its existence or the preservation of the status quo.”

Stuart Lynn, ICANN President, Feb 2002

There has been much debate this month among internet circles about the future of the Internet Corporation for Assigned Names and Numbers (ICANN).  Much of this was discussed at the NETmundial meeting in Sao Paolo, a suitable venue given Brazil’s desire to throw its weight behind reforming such bodies as ICANN.  Reforms are on the cards, but no one seems to be clear what exactly these will do to the way the internet is used. Sentiments of doom and gloom mix with utopian forecasts of freedom.

The NETmundial Multistakeolder Statement doesn’t reveal much, other than paying lip service to various principles (freedom of expression and association, privacy) and charting the roughest of roadmaps for future directions on Internet governance. Aspiration, be it in terms of transparency, accountability and collaboration, is key.

ICANN was incorporated in California on September 18, 1998.  Its creation was heralded as a loosening of the grip by US authorities on the operational side of the Internet, tasking a company to take over administrative duties.  ICANN plays a leading role in dealing with the distribution of IP addresses and the management of the Domain Name System (DNS).

As far back as February 2002, the organisation’s president, Stuart Lynn, saw the need for reforms of the body.  Reforms had to “replace ICANN’s unstable institutional foundations with an effective public-private ownership, rooted in the private sector but with the active backing and participation of national governments.”  Tensions of management are fundamental – keeping an eye on “high-level elements of the Internet’s naming and address allocation systems” while avoiding intrusions that would stifle “creativity and innovation”.  That tension has never been resolved.

On Mar 14, the National Telecommunications and Information Administration (NTIA), based in the US Department of Commerce, announced that its grip on ICANN would be loosened.  “The timing is right to start the transition process,” claimed Assistant Secretary of Commerce for Communications and Information, Lawrence E. Strickling.  “We look forward to ICANN convening stakeholders across the global Internet community to craft an appropriate transition plan.”

John M. Eger, Director of the Creative Economy Initiative at San Diego State University, was enthusiastic.  “The US Government’s decision to end oversight of [ICANN] represents an opportunity for US leadership creating global ‘e-government’ systems to solve international law enforcement and terrorism problems, develop global education and environmental initiatives, and in turn, start using the Internet as a platform for advancing a new foreign-policy agenda.”

Eger’s overview is counter-intuitive – to shape internet governance, to seize the day, as it were, in such areas, one has to liberalise such bodies as ICANN and lessen the grip.  Technology can be better managed and directed if the big holders release the creation.  The Internet can become both a tool of open governance if the Obama administration embraces a “multistakeholder model”. “Letting go of ICANN gives the US momentum to more aggressively breathe life into the thousand[sic] of applications, which more truly internationalise its usefulness to nations, and to the world community.”

Eger’s observations are problematic on one direct level.  US leadership in such areas has tended towards bullying and cajoling negotiating partners in accepting a supposedly universal premise in implementing its own specific policies. Nothing demonstrates that more acutely than the current secret Trans-Pacific Partnership Agreement talks.  Ostensibly geared to accelerate trade liberalisation, the leaked chapters of the document suggest that Washington is keen to impress strict, even draconian intellectual property provisions on potential signatories. What can’t be done through Congress can be smuggled in via international treaty.

The suggested relinquishing of control by the US Department of Commerce has not been deemed a wise gesture on the part of such individuals as Sweden’s minister for foreign affairs, Carl Bildt.  In relinquishing such control, internet governance would be altered, allowing other states to throw their hats in the ring.  Bildt is convinced that widening such involvement on ICANN is not “the way to go.”

Bildt’s concern is paternalistic.  Opening such doors will let in rather unsavoury characters keen on over-regulation.  “Net freedom is as fundamental as freedom of information and freedom of speech in our societies.”  Despite extolling such virtues, he has proven rather enthusiastic about dousing the flames over the NSA revelations of blanket surveillance, arguing that the Swedish FRA is, in fact, a defender of online freedoms.  Visions of governance tend to vary.

Bildt also chairs the Chatham House and Centre for International Governance and Innovation Inquiry, created to examine the Snowden legacy and state censorship of the Internet.  In a statement in January, the inquiry partners emphasised that “a number of authoritarian states are waging a campaign to exert greater state control over critical internet resources.”  They are far from the only ones.

The short of it is that governments are compulsive meddlers.  As attractive as the rhetoric of liberty and freedom might be, intrusive governance is still regarded as acceptable.  The Brazilian Minister of Communications, Paulo Bernardo, considers virtual crimes and cybersecurity as vital areas of government policy.  He did concede that “protocol standards and domain names registration can be perfectly controlled by the technical community.”

The language of Nikolai Nikiforov, Russian representative at NETmundial, proved more muscular.  “Being subject to international laws, states act as grantors of rights and freedoms for citizens, play a role in the economy, security and stability of internet infrastructure, and undertaken measures to prevent, detect and deter illegal actions in the global network.”

Governments, it seems, just can’t let go.

This article was posted on May 1, 2014 at indexoncensorship.org

Data retention and legality: The fall of the EU’s Data Retention Directive

(Photo illustration: Shutterstock)

(Photo illustration: Shutterstock)

Retaining data is the reflex of a functioning bureaucracy.  What is stored, how it is stored, and when it is disseminated, poses the great trinity of management.  These principles lurk, ostensibly at least, under an umbrella of privacy.  The European Union puts much stake in Article 8 of the European Convention on Human Rights, stressing the values of privacy that covers home, family and correspondence.  But there are also wide qualifications – interferences are warranted in the interest of national security and public safety, allowing Member States, and the EU, a degree of room to gnaw away at privacy rights.

That entitlement to privacy has gradually diminished in favour of the “security” limb of Article 8.  The surveillance narrative is shaping privacy as a necessarily circumscribed right.  The realm of monitoring and surveillance is being extended.  Technologies have proliferated; laws have remained, if not stagnant, then ineffective.

Unfortunately for those occasionally oblivious drafters of rules in Brussels, the judges of the Court of Justice of the EU did not take kindly to the Data Retention Directive, which requires telecommunications and internet providers to retain traffic and location data.  That is not all – the directive itself also retains data identifying the user or subscriber, a true stab against privacy proponents keen on principles of anonymising users.

The objective of the DRD, like so many matters concerned with bureaucratic ordering, is procedural: to harmonise regimes of data retention across various member states.  More specifically, Directive 2006/24/EC of the European Parliament and of the Council of March 15 2006 deals with “retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks”.

Other courts have expressed concern with the directive, which propelled the hearings to the ECJ.  These arose from separate complaints in Ireland and Austria over measures taken by citizens and parties against the authorities.  The Irish case began with a challenge by Digital Rights Ireland in 2006. The Austrian legal challenge was pushed by the Kärntner Landesregierung (Government of the Province of Carinthia) and numerous other concerned parties to annul the local legislation incorporating the directive into Austrian law.

The Constitutional Court of Austria and the High Court of Ireland shook their judicial fingers with rigour against it – the judges were not pleased.  The disquiet continued to their brethren on the ECJ, which proceeded to make its stance on the scope of the retention law clear by declaring it invalid.  EU officials should have seen it coming – in December last year, the Advocate General of the ECJ was already of the opinion that the DRD constituted “a serious interference with the privacy of those individuals” and a “permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives.”

The defensive stance taken by the authorities is so old it is gathering dust.  Technology changes, but government rationales never do.  Invariably, it is two pronged. The ever pressing concerns of security forms the first.  The second: that such behaviour does not violate privacy – at least disproportionately. You will find these principles operating in tandem in each defence on the part of authorities keen to justify extensive data retention.  Such intrusive measures have as their object the gathering of information, rather than the gathering of useful data. The usefulness is almost never evaluated as a criterion of extending the law.  Instinct, not evidence, is what counts.

The rationale of the first premise is simple enough: information, or data, is needed to fight the shady forces of crime and terrorism.  Better data retention practices equates to more solid defence against threats to public security.  The ECJ acknowledged the reason as cogent enough – that data retention “genuinely satisfies an objective of general interest, namely, the fight against serious crime and, ultimately, serious security.” The authorities were also keen to emphasise that such a regime of retention was not “such as to adversely affect the essence of the fundamental rights to respect for private life and to the protection of private data.”

In dismissing the main arguments of the authorities, the points of the court are clear.  In retaining the data, it is possible to “know the identity of the person with whom a subscriber or registered user has communicated and by what means”.  Identification of the time of the communication and place form which that communication took place is also possible.  Finally, the “frequency of the communications of the subscriber or registered user with certain persons during a given period” is also disclosed.  Taken as a whole set, these composites provide “very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.”  Former Stasi employees would be swooning.

The judgment provides a relentless battering of a directive that should never left the drafter’s desk. “The Court takes the view that, by requiring retention of those data and by allowing competent national authorities to access those data, the directive interfered in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”

The laws of privacy tend to focus on specificity and limits.  If there is to be interference, it should be proportionate. The directive had failed at the most vital hurdle – if privacy is to be interfered with, do so in even measure with minimal interference.  The DRD had, in effect “exceeded the limits imposed by compliance with the principle of proportionality.”  The decision is unlikely to kill off regimes of massive data retention – it will simply have to make those favouring surveillance over privacy more cunning.

This article was posted on April 9, 2014 at indexoncensorship.org