Internet Freedom Starts at Home

"An electronic curtain has fallen around Iran," U.S. President Barack Obama warned in a recent video message marking the Persian New Year. Government censorship and surveillance, he said, make it more difficult for Iranians to "access the information that they want," denying "the rest of the world the benefit of interacting with the Iranian people."

Implied though not explicit in Obama’s remarks was the idea that if Iran’s Internet were freer and more open, Iran’s relationship with the world generally — and the United States in particular — would be different. Cases like Iran are the main driver of Washington’s bipartisan consensus around the idea that a free and open global Internet is in the United States’ strategic interest.

Yet more than two years after Secretary of State Hillary Clinton gave her first speech declaring "Internet freedom" to be a major component of U.S. foreign policy, it turns out that many of the most sophisticated tools used to suppress online free speech and dissent around the world are actually Made in the USA. American corporations are major suppliers of software and hardware used by all sorts of governments to carry out censorship and surveillance — and not just dictatorships. Inconveniently, governments around the democratic world are pushing to expand their own censorship and surveillance powers as they struggle to address genuine problems related to cybercrime, cyberwar, child protection, and intellectual property.

Even more inconveniently, the U.S. government is the biggest and most powerful customer of American-made surveillance technology, shaping the development of those technologies as well as the business practices and norms for public-private collaboration around them. As long as the U.S. government continues to support the development of a surveillance-technology industry that clearly lacks concern for the human rights and civil liberties implications of its business — even rewarding secretive and publicly unaccountable behavior by these companies — the world’s dictators will remain well supplied by a robust global industry.

American-made technology has turned up around the Middle East and North Africa over the past year — from Syria to Bahrain to Saudi Arabia, from pre-revolutionary Tunisia to Egypt — in contexts that leave no doubt that the software and hardware in question were being used to censor dissenting speech and track activists. While much of this technology is considered "dual use" because it can be used to defend computer networks against cyberattack as well as to censor and monitor political speech, some members of Congress are seeking to prevent its use for political repression. To that end, the Global Online Freedom Act (GOFA), which passed through the House of Representatives Subcommittee on Africa, Global Health, and Human Rights last week, takes aim not only at U.S.-headquartered companies but also overseas companies funded by U.S. capital markets.

As GOFA’s sponsor, Rep. Chris Smith of New Jersey, bluntly put it, repressive regimes in Iran, China, and Syria "are transforming the Internet into a ‘weapon of mass surveillance.’" The bill has been kicking around Congress in various forms since 2006 after Yahoo handed over dissidents’ email account information to the Chinese authorities and other companies including Cisco, Microsoft, and Google came under fire for aiding Chinese political censorship to varying degrees. While its specifics have changed over the years, the current version contains three main elements:

1. It requires the State Department to create a list of "Internet-restricting countries."

2. It requires that all companies listed on U.S. stock exchanges disclose to the Securities and Exchange Commission what procedures and practices they have put in place to protect the free expression and privacy rights of users in "Internet-restricting" countries.

3. It revises U.S. export control laws to forbid the export of censorship and surveillance technology to "Internet-restricting countries."

GOFA has received ringing endorsements from a number of human rights groups as well as from Yahoo — which, after a few years of humiliation in Congress and the media over its mistakes in China, has made a public commitment to human rights. The second part of the bill, focused on corporate transparency, is modeled after sections 1502 and 1504 of the recently passed Dodd-Frank Act, which requires conflict-minerals and extractive-revenue disclosure. It is based on the premise that at least some investors care about the human rights responsibilities of U.S.-listed businesses. More broadly, the idea is that just as companies are expected to commit to basic environmental, labor, and human rights standards when it comes to their operations in the physical world, investors, consumers, and government regulators should expect similar commitments to users’ and customers’ rights to digital free expression and privacy when using the Internet and mobile devices.

Companies that join the Global Network Initiative (GNI), a multi-stakeholder organization through which Internet and telecommunications companies work with human rights groups, socially responsible investors, and academics to uphold core principles on free expression, privacy, and human rights, would receive "safe harbor" from this requirement. So far only five companies have joined the GNI: Google, Microsoft, Yahoo, Websense, and Evoca. (Full disclosure: I am on the GNI’s board of directors.) It is possible that the bill will be an incentive for more companies to join the GNI even if it fails to pass.

Some free speech groups, however, have stopped short of a full-on endorsement of the bill. The Center for Democracy and Technology, while supportive of its general aims, cautions that GOFA needs refining in order to prevent unintended restrictions on the sale of badly needed technology to activists and NGOs working in authoritarian countries. Existing laws already fail to get the balance right: The Electronic Frontier Foundation is campaigning to reform current trade sanctions that are preventing opposition activists in countries like Syria from accessing U.S. companies’ software and communications tools. The digital freedom group Access shares these concerns and also worries that the State Department’s list of "Internet-restricting countries" will become politicized, potentially absolving companies that assist U.S. allies in censoring and monitoring political dissent.

The bill’s drafters have further created problems for themselves by combining export controls and transparency requirements in one piece of legislation that applies to the same list of "Internet-restricting" countries. Export controls by nature target a list of countries that, due to U.S. trade and diplomatic interests and political lobbying by companies, is inevitably a relatively short list focused on the worst offenders. Thus the export control section of the bill will create pressure on the State Department to keep the list of "Internet-restricting" countries as short as possible.

Yet the bill’s transparency requirements will lose much of their force and meaning unless they target corporate-government collaboration in a much wider range of countries where governments attempt to abuse censorship and surveillance powers. Consider, for example, India, the world’s largest democracy — which is unlikely to be placed on a State Department "Internet-restricting countries" list making it subject to sanctions — but where the government is making increasingly aggressive demands of Internet companies to censor content and hand over user information. Or Britain, where civil liberties groups are in an uproar over plans by Prime Minister David Cameron’s government to introduce a law enabling the government to monitor calls, emails, texts, and website visits of everyone in the country without a court order or warrant. Under GOFA, companies are unlikely to be held responsible for assisting these democratically elected governments in abusing their censorship and surveillance powers.

In congressional testimony last December, I argued that the section of GOFA requiring companies to adopt and disclose measures to protect Internet users’ free expression and privacy rights should be based on a universal standard, not just the State Department’s whim. The Global Network Initiative, for example, applies a global standard to corporate-government interactions. Why? Because the initiative’s members — who include a range of civil liberties groups, human rights organizations, socially responsible investors, and academics — cannot come up with a single country where the abuse of free expression and privacy by government and corporations is not a genuine concern.

All companies doing business everywhere — including in the United States — should commit to uphold and defend the free expression and privacy rights of their users for the same reasons we expect other types of companies agree to respect the health and safety of the people who purchase and consume their products. Companies should be required to demonstrate that commitment by reporting publicly not only on how they gather and retain user information, but also how and under what circumstances they share that information with governments as well as other companies. Only then can people have a clear sense of how power is being exercised over their digital lives and know whom to hold accountable when that power is abused.

But GOFA, by targeting corporate sales and government relationships in the worst-case countries while skirting the much more inconvenient question of how companies facilitate government abuse of surveillance and censorship powers in democracies and close U.S. allies, completely sidesteps the root of the problem: the main market drivers whose demand for surveillance technology is actually shaping and funding the development of these technologies.

Make no mistake: American tech companies are up to their eyeballs in bad behavior. Despite industry and government efforts to keep the media in the dark about a traveling trade show for surveillance technology known as the "Wiretappers’ Ball," recent media reports have revealed the extent to which American corporate innovations in surveillance technology are driven by U.S. government demand. And the U.S. government is by far those companies’ biggest customer.

According to the Washington Post, at last year’s trade show just outside Washington in Northern Virginia, 35 federal agencies as well as representatives from state and local law enforcement mixed with representatives of 43 countries. Despite the Obama administration’s proclaimed commitment to Internet freedom, the executive branch of the U.S. government makes no effort to be honest or transparent with the American public about the types of surveillance technologies it is sourcing and purchasing, what capabilities these technologies have, or which other governments are purchasing these technologies.

What this means for American democracy — let alone for the democratic aspirations of people anywhere else — became abundantly clear this past Sunday, April 1, when the New York Times reported on a detailed investigation by the American Civil Liberties Union that uncovered widespread use of cell-phone tracking technology by police departments around the country in non-emergency situations without court orders or warrants.

Meanwhile, as GOFA moves forward, Congress is considering several cybersecurity bills that would authorize Internet service providers and other companies not only to monitor private communications passing over their networks, but also to share private communications with the National Security Agency and other federal entities or with any other agency of the federal government designated by the Department of Homeland Security — and with less due process and judicial oversight than ever before. While acknowledging that cybersecurity is a legitimate goal, groups focused on the defense and protection of Internet users’ rights, including the Center for Democracy and Technology and the Electronic Frontier Foundation, have expressed deep-seated concerns about the extent to which these bills open the door even wider for civil liberties violations.

GOFA’s supporters argue that one has to start somewhere and that focusing on the relationship between U.S. companies and authoritarian dictatorships is the best way to obtain bipartisan consensus to pass legislation. That is no doubt true. But if the American people continue to allow the U.S. government and American industry to forge increasingly unaccountable and opaque relationships around the exchange and use of citizens’ private information, the damage will extend well beyond American democracy and civil liberties. The business norms and technological innovations born of such opaque and unaccountable relationships will keep dictators supplied with handy tools for decades to come.