Colin M. Maclay
It has been less than a decade since Shi Tao was sentenced to a decade of hard labor by a Chinese court using data from his Yahoo! email account, Michael Anti's blog was deleted based on an informal law enforcement request to a Microsoft joint venture, and Google removed search results in accordance with Chinese law. These developments, which garnered significant public and private attention and concern, formed part of the inspiration to create the Global Network Initiative (GNI), a multi-stakeholder effort to protect and advance online expression and privacy through principles, implementation guidelines, and external accountability measures.
Bringing together companies, rights advocates, investors, and academics to collectively defend against government overreach and advance international human rights standards, GNI aspired to responsible company decision making, collaborative learning, and policy engagement. It promised a valuable complement to legislative solutions, which have made little progress and face challenges not only of jurisdiction, but also in responding to the dynamic nature of technology, companies, users, and governments. Rather than expecting compliance with existing laws, however, true success depended in part on companies actually pushing back against government requests for personal information or content removal—first by mitigating risks, but also by resisting demands by law enforcement in some cases, something no other multi-stakeholder initiative had attempted.
Since the GNI’s inception, technology has helped topple governments, connectedness and online activity have skyrocketed, and concerns about privacy and freedom of expression have unfurled and deepened. Pressures on and expectations of companies have increased, and attention to their situation has broadened and mounted. Company reactions have varied, including start-ups embracing and established companies adopting expression and privacy issues as part of their identity (Twitter, Google, Yahoo!), joining GNI (Facebook, LinkedIn), denying any role (Cisco), or even closing their doors (Lavabit, Silent Circle). GNI has become more established and completed its first full round of external company assessments, increased substantially in number and diversity of participants, and is directing significant attention to policy engagement. Notably, it has also generated a significant strain of unofficial problem solving through its robust network.
The most recent revelations about widespread warrantless state surveillance with insufficient oversight have added new dimensions to the conversation, calling the activities of robust democracies into question and increasing concerns about the role of the companies that are core to connectivity, physical infrastructure, access to knowledge, collaborative and social networking platforms, and access to user information. The limitations of standard regulatory models for this inherently trans-jurisdictional medium have been further exposed, demonstrating that extending national legal requirements across borders is hard, whether trying to protect civil liberties in other jurisdictions or to enforce domestic laws on foreign platforms. The result of this regulatory patchwork is that security agencies can gather data that would be otherwise legally inaccessible to them.
The limitations to transparency around government collection of user information and constraints on what companies can disclose exacerbate the challenges policymakers, users, and advocates face in developing an empirical understanding of government and company behavior. In addition to encouraging more transparency, GNI has endeavored to compensate for this gap through third-party expert assessments of company processes and their actual practices. The Snowden revelations have added to the challenge of National Security Letters (which include a gag order), sowing frustration and distrust among allies (actual and potential), even as companies and civil society seem to need each other more than ever. Indeed, EFF left GNI in October 2013 citing the inability to carry out a full and honest dialogue given the government constraints on company reporting, an indictment of the legal regime rather than the private sector. In an otherwise forthcoming setting, there is an elephant in the room.
Once the concern of a select (or paranoid) few, privacy is now at the forefront for mainstream users and diverse civil society organizations. Companies are finally improving their own security practices and rethinking—and changing—data collection, transmission, and storage practices. Cloud and other online providers are facing the daunting business implications of user distrust, and governments are exploring nationalization of cloud services, which could either protect their citizens or expose them to even greater risk. Recognizing the fundamental nature of the threat at hand, disparate groups are also working collaboratively for policy reform in coalitions like We Need to Know, which illustrates a range of shared priorities and underscores the benefit of ongoing collaboration across communities. As governments feud (with each other and their citizens) and explore extreme measures (such as the new cloud platform proposal in Brazil), and legislators hold hearings on all sides of the issues, the importance of coalitions is clear. Some feel a palpable risk of Balkanization of the Internet.
While the trajectory of these developments is uncertain, there can be no doubt that online privacy and free expression are very much at risk globally. NSA and FISA may be the acronyms of the moment, but other governments are likely to be implicated or to imitate this behavior. Invasive surveillance capabilities are becoming more available and affordable, suggesting wider use and increased oversight challenges (plus a host of non-government surveillance concerns). We are more connected, live more of our lives online, and live them in increasingly interconnected ways, massively increasing the amount and value of information potentially available to prying eyes—and the importance of dealing with that data responsibly from collection to storage, transmission, and disclosure.
In the past, many of the companies who paid the greatest attention to these issues seemed to have been prompted by painful lessons (the telcos remain largely immune to learning, however). Other civic actors blamed the companies for the shortcomings, fairly and not, with incomplete understanding of the issues. It now seems that most parties increasingly understand the dynamic and daunting nature of the challenge before us and the fact that we will continue to need a variety of resources to navigate this terrain, from the law to multi-stakeholder groups like GNI, and technology solutions alongside user norms. From the Internet’s inception, bottom-up, multi-sector, participatory standards bodies have played an important role in promoting a robust and vibrant Internet, and, while imperfect, they remain an important part of the tapestry. GNI is a promising approach to developing global standards, advancing good practice, and solving concrete problems around online expression and privacy. With its organizational foundation laid, GNI can (and must) now embody more of that “Internetty” spirit, collaboratively, creatively, and practically taking on these challenges and helping to sustainably protect these human rights, the businesses built atop them, and their potential support for social progress. This is important because everyone can agree that we all need the help in these trying times.