Are some companies ‘yes men’ when foreign governments ask for user data?

Once you start looking at which countries are requesting data from US companies, the next obvious (and critical) question is: how do companies respond to those requests? This is largely a matter of company discretion because the Electronic Communications Privacy Act does not apply to requests for user data from foreign governments. Without laws governing this important issue, foreign users are reliant on due diligence and good will by individual companies. This ad hoc approach means that different companies can have quite different compliance rates for the same countries. Continue reading Are some companies ‘yes men’ when foreign governments ask for user data?

Which countries’ law enforcement are data hungry?

One of the trends from the industry-wide transparency report that’s worth looking at more closely is which countries are making requests for user data, to which companies, and on what scale.  This post will break down these statistics and suggest some of the trends behind the numbers. Continue reading Which countries’ law enforcement are data hungry?

International data privacy: what we need is an industry transparency report

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/05/international-data-privacy-what-we-need-industry-transparency-report 

GoogleYahoo!, MicrosoftTwitterAppleDropboxLinkedIn, and Pinterest all publish transparency reports.  WordPress is the latest company to join the party, recently publishing their first transparency report.   However, it’s difficult to see trends and anomalies when the information is scattered across multiple individual company reports.  In order to get a comprehensive view of what is happening, we need to pull all of these fragments into a comprehensive picture.  We need an internet industry-wide transparency report.

To create a kind of hacked industry transparency report, I have consolidated the July-December 2013 transparency data from the main internet companies.  There is such a wealth of information to pore over and slice and dice in different ways that I will separate the analysis into a series of blog entries.  My interest is the international aspect, so I will focus on requests from foreign law enforcement.  This post will outline some of the key themes emerging from my comparison. Continue reading International data privacy: what we need is an industry transparency report

One heck of a timely UN report on government surveillance of communications

If it had happened on House of Cards, you’d have enjoyed the theater of it, but figured that the writers had taken some artistic license in the timing.  I mean, it just doesn’t happen in real life that the UN releases a report on the dangers of government surveillance on the internet immediately before the news breaks that the US Government has been conducting internet surveillance of previously unimagined proportions.  Critics could unkindly say this is because the UN is never ahead of the game, but in this case, you have to hand it to Frank La Rue – he has clearly authored an exceptionally timely report: Continue reading One heck of a timely UN report on government surveillance of communications

What is the greatest risk to online rights – government, companies or anarchy?

Nick Merrill is building an internet service provider called Calyx. Calyx will be designed to encrypt user’s data in such a way that it’ll be inaccessible to anyone but that user. Which means that if the government asks for your browser history or emails, Calyx will be technologically unable to hand them over.’.

When I stumbled across this, I was horrified.  As a civil servant and government lawyer, I bridled at the blatant attempt to undermine the criminal justice process.  But then I read on and watched videos of Nick Merrill telling his story of fighting a national security letter requiring him to disclose details about one of the clients of his ISP company.  It is quite compelling to hear of his 6 year battle for recognition of his entitlement to speak with his attorney and his right to tell others that he was issued with a national security letter.  So Nick Merrell’s encrypted ISP project started to sound less like paranoia and more like a rational reaction.

Just this week, I read that at the recent Black Hat Conference, when the room full of internet and security professionals was asked who they trusted less, Google or the government, the majority raised their hands for Google.  This surprised me, given the deeply ingrained distrust of big government and led me to wonder whether we were sliding into a situation in which the public will not trust anyone with regulation of online activities.  Is the web to become a wild west of anarchy because we are too afraid to trust anyone with any form of monitoring or enforcement? Continue reading What is the greatest risk to online rights – government, companies or anarchy?

Going beyond the guidelines – legal and moral responsibilities on ICT companies

YouTube this week introduced a face-blurring tool to protect activists from being recognised by their online activities.  Human rights groups will no doubt welcome the initiative as it comes in response to calls from groups such as Witness.  Some web companies demonstrate a commitment to not only reducing the negative human rights impacts of their activities, but also to actively improving the positive impacts that they may have.  The uptake of some of the voluntary guidelines on corporate social responsibility and human rights demonstrates a willingness to go beyond the minimum requirements.  But what responsibilities do tech companies really owe to users in other countries?  Is this solely a question of moral responsibility and ethics, or is there a legal obligation?  And should moral responsibility be reflected in a legally-binding regime? Continue reading Going beyond the guidelines – legal and moral responsibilities on ICT companies

Guide to the guidelines – human rights, business and the ICT sector

Complex and interesting areas of international legal policy can be difficult to navigate.  Once an issue gains a profile in policy circles, everyone with an interest in the topic rushes to develop guidelines to help others navigate the area.  While the issue of human rights and web companies is still comparatively new, there are guidelines from the field of corporate social responsibility that can be drawn upon.  ICT-specific guidelines are also mushrooming at the moment.  In light of this, I thought it timely to develop a quick guide to the guidelines.

There is an abundance of material on corporate social responsibility, with some of it approaching human rights more broadly and some creating sector specific guidance.  I will outline a couple of the key general CSR guideline initiatives and the guidelines that are specific to the ICT sector.  Once you start delving into specific issues such as environmental sustainability, fair trade or bribery or markets with particular vulnerabilities such as conflict zones, you find a whole host of additional stakeholders and reference materials.  Some notable examples include the OECD Risk Awareness Tool for Weak Governance Zones, the ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy and the Extractive Industries Transparency Initiative. Continue reading Guide to the guidelines – human rights, business and the ICT sector