ICANN’s New Domains Mean New Internet Freedom Concerns

Proposals within ICANN on how to manage new generic top-level domains are drawing concerns on privacy and free expression. Image credit Charles Mok via Flickr (CC BY-NC-SA 2.0).

When supporters of a group of right wing Colombian militants didn’t like a website that criticized their activities in 2001, they sent a threat to the home address of activist Anriette Esterhuysen, using the public Whois database that compiles the name, address, email and phone number of everyone with registered to manage a domain name for a website. This particular website was hosted by a member of the Association for Progressive Communications (APC) advocacy group, and had a domain name ending with APC.org.

“Because my home address was listed on the home address for http://www.APC.org, I got a letter saying ‘I know where you live, I know where your house is, and I’m going to come and kill you and your family,’” said Esterhuysen, executive director of the APC. “Prior to that it never really occurred to me about the risks surrounding Whois.”

One organization decides what information goes into that global Whois database: the Internet Corporation for Assigned Names and Numbers (ICANN), a San Diego-based non-profit that coordinates the global system of web addresses known as the domain name system, or as techies call it, “the DNS.” As the divide between our physical lives and our online activity shrinks everyday, and as the world’s dependence on the Internet grows, ICANN is expanding the global DNS and revising some of its underlying rules governing who is allowed to own what domain names under what conditions, and what is known about website owners by whom.

At such a critical time in the Internet’s development it is vitally important that Internet users’ privacy and free expression rights not be overshadowed by other considerations that serve corporate and government interests.

The DNS is the digital directory that tells your computer where to go when you type in address such as “slate.com” – and makes sure that computers all over the world end up in the same place when they type in the same address. The Whois database was created by ICANN to publicly keep track of what website names are registered to whom worldwide. That Whois information can make free speech on a website very dangerous for domain name holders such as Esterhuysen, members of minorities, political activists, religious communities and for anybody seeking to protect their right to political anonymity or keep their email off a spammer’s target list.

Formed in 1998 with the blessing of the U.S. Department of Commerce, which controls the root servers for the DNS, ICANN’s rules and policies are developed by a multi-layered system of committees and councils who debate rules governing not only who gets to own a domain name, but also the technical use of domains, and what names are trademarked and off limits for new applicants.

ICANN’s policy-making model is described as “multi-stakeholder”: committees and councils represent diverse sectors, including governments, corporations, technologists and noncommercial representatives such as civil society groups interested in human rights. However this system is far from perfect because Western governments and corporate lawyers have a large stake in the organization’s foundation and still exert the most influence. Intellectual property interests assign full-time staff to ICANN committees, while non-profit civil society groups representing non-commercial interests generally rely on volunteers to travel the world for agency meetings, although few can afford the travel costs.

While ICANN’s system needs a lot of work to make sure that all “stakeholders” have an equal voice, the alternatives are much worse. Imagine if the Internet were regulated only by governments, in a system where they did not share information about meetings or give a vote to business and human rights communities. That is the possible alternative to ICANN that could emerge out of the December World Conference on Telecommunications [WCIT], when 193 Member States of the United Nations’ International Telecommunications Union (ITU) will gather in Dubai to discuss whether, and how, to regulate the Internet.

The ITU currently regulates telephones and satellite orbits, and gives every Member State one vote. As it prepares for the WCIT the United Nations group has been criticized by non-governmental organizations, human rights groups, companies, and many Western governments for sharing little of its plans. However leaked memos on a site called WCITLeaks.org revealed some proposals by nations such as Russia and China that press for the group to assume regulatory powers over the Internet. If such recommendations were approved then repressive nations could use the ITU to expand their control over networks to advance their surveillance and censorship agendas.

While the ICANN system is more inclusive and transparent than a UN-controlled Internet governance system would be, governments can still exert influence that could endanger privacy rights. Trademark interests such as the World Intellectual Property Organization (WIPO) and law enforcement agencies backed by government representatives within ICANN are pushing to tighten accuracy checks of the Whois database by amending a document called the Registrar Accreditation Agreement (RAA), which a company must sign if it wants to become a domain name “registrar:” an organization like GoDaddy or BlueHost that sells domain names. The requested amendments, available here, call for domain registrars to retain user data for two years, and to cancel the domain names if the registered user does not promptly verify their account information every year by phone and email.

However public interest advocates argue that if ICANN decides to make Whois verification more “accurate,” it would not only put a user’s privacy at risk but could also be very costly to implement and enforce, said Milton Mueller, currently a professor at Syracuse University’s School of Information Studies.

“The new costs would fall on registrars and end users, not the trademark owners and law enforcement agencies who want it,” said Mueller, whose writings about ICANN’s governance structure include the books “Ruling the Root” and “Networks and States.”

Other criticism of the potential misuse of the Whois database came from the Article 29 Working Party of the European Union, which wrote to ICANN calling proposals for stricter identification of domain name registration on Whois “excessive and therefore unlawful.”

Decisions on the Whois changes championed by governments and law enforcement agencies could be ready in time for ICANN’s next meeting in Toronto in October, when Lebanese-born Fadi Chehade will join the organization as its new chief executive officer, with interim CEO Akram Atallah serving as chief operating officer. While recognizing concerns from non-commercial groups that they have less decision-making influence, Atallah said he was confident civil liberties advocates have the same chance to voice concerns in ICANN as law enforcement and trademark lawyers.

“It’s important for you realize that the fact that you’re hearing about these things means the ICANN multi-stakeholder model is working,” Atallah said. “If you say [Internet governance] is only about government then you are forgetting about a lot of other interests. If you say it’s only civil society then you are forgetting about business interests.”

If users want to apply for a domain name privately they can pay a domain registrar to enter that company’s information on the Whois registry instead of a user’s personal data. But that information could still be made accessible to groups such as government entities depending on that company’s terms of service.

“The Whois is a big issue that we are looking at from all sides, and we are trying to work with some of the entities that can represent civil liberties,” Atallah said. “At the end of the day the process involves everybody, and it’s not limited to the law enforcement.”

New demands for increased identification come in part because of the expansion of generic top-level domains (gTLDs). Approximately 1,930 applicants are seeking rights to new domains, and up to 1,000 gTLDs could be approved early as March 2013, Atallah said.  It would be up to individual gTLD operators to determine how quickly new domains would be available on the market.

Web searches will be redefined forever soon as .com websites will be joined by proposed gTLDs such as “.book” and “.click.” Small businesses could launch with new domains such as “buynewwriters.book” and artists could compete with larger websites such as YouTube with domains such as “awesomevideos.click.”

The creation of all that digital real estate puts pressure on ICANN to respect free expression by giving the owners of new domains a chance to defend their claim against a trademark infringement challenge that could take away their website address. Trademark interests fought against expanding gTLDs for years because it could dilute the uniqueness of their catchy trademarked domain names with new websites that sound similar- or better.

Companies often file intellectual property complaints, using challenges including claims that a newer website is “confusingly similar” to theirs. For instance, Google used that case in a failed challenge to remove an existing user’s claim to www.oogle.com. Seeking to avoid other similar-sounding domain names and lay claim to other domains, Google applied for the rights to 101 new gTLDs , including “.google,” “.soy” and “.lol.”

This unprecedented growth of the domain name system poses risks for privacy and free expression in separate but related ways. Along with the privacy concerns related to expanding Whois that could give governments another resource to gather data about cybercrime and on “persons of interest,” more rigorous identification of domain name holders on Whois could speed up trademark infringement disputes and make defending against challenges more difficult.

Some of the more creative new gTLDs proposed such as .gripe and .gay could grow into a new social network for lifestyles and opinions, but could also upend trademark enforcement as we know it and put ICANN’s free expression commitment to the test, Mueller said.

“For example, a proposed ‘.sucks’ domain would be interesting, it touches on one of the longstanding sore points of the trademark owners,” Mueller said. “It would allow legitimately registered domains to be used for criticism or ‘.gripe sites’– and this domain has been targeted by trademark owners even though the law makes it clear that domain names are a form of expression and that a legitimate noncommercial gripe site has the right to use the name of the company it is griping about in the domain.”

While WIPO and law enforcement agencies push for stricter identification on WhoIs to speed up trademark disputes, negotiations on Whois requirements include how much information is needed for user verification. Chief issues concerned with privacy on Whois include specifying what kind of data is retained in Whois records and whether home addresses or phone numbers are needed when emails might suffice, said Kathy Kleiman, an Internet lawyer at the communications law firm of Fletcher, Heald & Hildreth. Negotiating a verification response time long enough for users to assert their domain ownership would also protect free expression rights.

“Your email could get lost, you might not speak English and you might need a translator or a lawyer to respond effectively,” said Kleiman, who was a member of the group of people that founded ICANN in 1998.

Serving as the vice chair of ICANN’s Whois Policy Review Team, Kleiman helped issue a final report in May with recommendations on how Whois data should be shared and when requests for personal data should be relayed to a user.

“Overall, our goal on the Whois Review Team was contactibility – that the domain name registrant should be contactable by email or telephone, their choice,” Kleiman said. “There is no reason you have to reveal my home address when someone wants to buy a domain name. Feel free to relay all that information to me.”

As ICANN plans an unprecedented expansion of the Web, Atallah said the group is aiming to be more inclusive of its stakeholders by reaching out to areas of the developing world such as Africa. October’s meeting in Toronto will announce a new campaign for outreach in Africa, a continent that only filed 17 requests for gTLDs out of the 1,930 applicants, Atallah said.

“I think within the ICANN system it’s not how much you are represented as much as how vocal are you. If you do the work and you present your case and you participate in the forums and everything, you will be heard.” Atallah said. “Our hope is that ICANN will be an international organization that will serve the needs of all the countries equally, and more importantly will serve every stakeholder equally.”

For that hope to succeed ICANN will have to expand the advantage it has over the ITU by restructuring to involve more non-commercial groups and human rights advocates, said Alex Gakuru, who represents Africa on the Non-Commercial Users Constituency group of ICANN’s Generic Names Supporting Organization. Developing nations with less business representation than Western countries at the nonprofit also need a greater voice, or Gakuru said politicians in Africa might favor the ITU, which would give one vote each to small nations and tech superpowers such as the United States.

“Increasingly, civil society is not being treated as an equal partner in ICANN, not being given an equal seat at the decision-making table because of the heavy commercialization of the multi-stakeholder model’s policy making,” Gakuru said. “Both models have their shortcomings, but ITU is worse. We need a new, third model with open access where people meet as equal partners.”

With most of the Internet’s growth now taking place in the developing world, finding a way to make sure that the rights and interests of all stakeholders are taken into account will not be easy. The United Nations is not the place to govern the Internet. Yet it is unclear whether ICANN can evolve in a way that is acceptable to all stakeholders, or whether a new organization will ultimately be necessary.

Congress Presses Chinese Telecoms On Spying Accusations

Chinese telecom ZTE has been linked with surveillance in repressive nations. Photo credit Blogee.net via Flickr.

China-based telecommunications companies Huawei Technologies and ZTE Technologies both seek to expand their business in the United States, but Congress has concerns about the cyber-security implications as well as doubts about their commitment to digital rights.

During a hearing of the House Intelligence Committee on Sept. 13, the companies gave little detail beyond general denials when questioned about surveillance on behalf of the Chinese government or connections with repressive regimes such as Iran.

The committee was concerned that the companies’ networking equipment could potentially help the Chinese military or other Chinese government intelligence agencies poach research and other sensitive data from computer systems and mobile networks.

When questioned by committee members the representatives of both telecoms repeated assertions they had not broken any laws in­ the nations where they conduct business, presenting themselves as servants of their shareholders, and maintaining they would never spy on behalf of the Chinese government.

Committee members displayed visible signs of frustration and pressed unsuccessfully for more detailed answers about both companies’ strategies and connections with the Communist Party of China, even though Ranking Member C.A. Dutch Ruppersberger (D-Md.) and other committee members went to China in July seeking similar information.

“I’m a little disappointed in the hearing that they weren’t more forthright in their answers,” said House Intelligence Committee Chairman Mike Rogers (R-Mich.). “There was a lot of repetitiveness, a lot of denial, a lot of ‘this would never happen here.’”

The committee has investigated ZTE and Huawei since November 2011, and Rogers said reports will be completed soon with recommendations on the extent to which the firms should operate in the U.S. Depending on those recommendations Rogers did not rule out legislation to block Huawei and ZTE for certain types of technology sales in the U.S. A precedent was set by Congress in 2008, when it voted to halt a proposed $2.2 billion partnership between Bain Capital and Huawei to buy networking equipment manufacturer 3Com Corp, because of fears that Huawei’s partial control over an American technology company could compromise national security.

“Congress can do a lot of things and it will be up to us to try to determine what best protects our telecommunications infrastructure if we believe there is a threat to both personal business and government information that flows over those networks,” Rogers said.

China is a major technology market for countries unable to buy from the companies in the United States or other Western nations, due to embargoes or reputations for human rights violations. As huge marketers of surveillance technology such as deep-packet inspection technology (DPI), which reads and classifies data as it passes through a network, ZTE was accused of aiding repressive regimes to track, alter or block data using DPI.

This summer the FBI launched an investigation in response to media reports that surveillance equipment sales from ZTE to the Telecommunication Company of Iran included not only its own equipment but also U.S.-made networking equipment, in violation of U.S. sanctions.

Other clients of ZTE have included the surveillance state of former Libyan dictator Moammar Gadhafi. ZTE is also building a $45 million information technology park in Ethiopia, where the government has a record of censoring websites containing information critical of the government.

Senior vice president of ZTE Corporation Zhu Jinyun said his company would not obey any order from the Chinese government t0 compromise U.S. cybersecurity and steal confidential information from U.S. business or government networks. Zhu also denied that his company destroyed documents that were related to an investigation that ZTE resold U.S.-made equipment to Iran despite U.S. trade sanctions against that nation,

“ZTE would never engage in any of the harmful behaviors that you listed,” Zhu said. “As a global and multinational company we abide by all the local laws and regulations of the jurisdictions in which we operate. Like you we condemn those activities.”

Huawei seeks a larger role in the US, as indicated by their presence at tech conventions. Photo credit Interop Events via Flickr.

Although Huawei is not facing allegations of violating U.S. trade sanctions such as those leveled at ZTE, Huawei does have a history of selling to Iran. Despite announcements they would scale back sales to the Islamic Republic, recent reports from U.S. security researchers indicate Huawei surveillance technology is a major component of Iran’s plans for a self-contained national Internet.

Another point of suspicion leveled at Huawei founder Ren Zhengfei is his time serving in China’s People’s Liberation Army (PLA). This is one reason the committee requested a list of current and former staff members in both ZTE and Huawei who had served in the PLA.

Denying accusations that Huawei software installs malicious surveillance code , Charles Ding, corporate senior vice president of Huawei, said there were no such secret backdoors that could allow Chinese government to poach intellectual property. Responding to questions about the presence of the Communist Party of China in his company, Ding said having a communist party committee on the company board is also a legal requirement of China.

“In Huawei, however, I have not seen the party committees participating in any business management or decision making,” Ding said.

While importing tech equipment from a China-based company arouses suspicion from some governments, barring Huawei from bidding on commercial contracts has been criticized as an unprofitable move that is also ineffective for security. Ross Anderson, a professor of security engineering at Cambridge University, stated in The Economist that the approach creates a false sense of security because nearly every telecommunications company buys tech gear from that nation. Linking Huawei with Chinese intelligence has also been cited as a double standard because of the relationships other telecoms have with their governments. For instance, the National Security Agency (NSA) sits on the board of U.S.-based Motorola Solutions.

More audits, reviews and inspections should be expected of every technology vendor, according to a written statement from Ding.

“Since cybersecurity is a global issue that the whole industry has to face, governments and the whole industry should work together to improve cybersecurity,” Ding stated.

Huawei also published a recent report on its operations in an attempt to counter claims that it enables the Chinese government to steal information from networks. These efforts have not convinced Congress, and Rogers said questions directed at Huawei during the investigation received poor responses, and sometimes no responses at all.

“If software is provided by companies we cannot trust we must constantly wonder whether they are being used for us or against us,” Rogers said.

Australia recently blocked Huawei from seeking certain contracts in their country because of the company’s alleged backdoors. Huawei was also accused of illegally copying source code used in switches and routers in a failed 2003 patent lawsuit by Cisco Systems. Another lawsuit by Motorola in 2008 accused Huawei of stealing trade secrets.

If the companies wish to do business in the US, Ruppersberger said the two companies must be clear about any financial or legal liabilities they have with the Chinese government.

“What happens if you are ordered by their government to give information using their equipment?”  Ruppersberger asked.

Internet Governance Forum USA Plans Global Strategy

Terry Kramer, U.S. ambassador to the World Conference on International Telecommunications.

Experts from business, civil society, academia, government and the tech sector gathered last week for the Internet Governance Forum USA in Washington, D.C., to discuss how to keep the Internet free and open.

For video clips of all speakers, workshops and panels, click here to watch video taken by the Elon University School of Communications. Also see the home page of  IGF-USA for the full schedule which included panels on copyright, cybersecurity, the Internet in emergency management and the growth of the domain name system.

The US conference was a domestic rehearsal for the global IGF meeting slated for November in Baku, Azerbaijan. This will be the seventh meeting of the multi-stakeholder group, which was formed in 2006 as a United Nations-facilitated platform to address issues about the global Internet.

Along with the Baku conference, the upcoming World Conference on International Telecommunications (WCIT) cast a shadow over the conference debates on the future of the Internet. Deputy Assistant Secretary of State Philip Verveer opened the conference addressing concerns that Member States of the United Nations’ International Telecommunications Union (ITU) might use the WCIT meet in December to grab regulatory power of the Internet alongside satellites and telephones. The United States advocates continuing the existing model of Internet oversight by multi-stakeholder non-governmental institutions, such as the California-based nonprofit International Corporation of Assigned Names and Numbers (ICANN).

“This may be the appearance of an entirely defensive agenda, but in fact it promotes and protects what continues to be one of the most dynamic mechanisms for economic growth, social inclusion, political expression and cultural advancement in the history of the world,” Verveer said. “It essentially seeks to maintain space for the combination of digital technology, cellular architecture and wireless communication to continue to advance.”

U.S. Ambassador to the WCIT Terry Kramer, who will lead the U.S. delegation to the December meeting, said he is attending numerous telecommunications meets around the globe to rally support for the existing multi-stakeholder model. The former president of Vodafone North America pointed to mobile networks as a source of increasing access to the Internet in developing countries, and key to discussing what environment will create success in the telecom and the Internet space. Developing countries will be key voices at the one-Member State, one-vote WCIT, with the ability to support or defeat motions that could effectively extend national agendas for Internet regulation into the global regulatory arena. Other stake-holders, such as civil society, industry, and the global technical community, have no vote at WCIT.

“A multi-stakeholder model is the only effective model that will work,” Kramer said. “The Internet is too vibrant, too

Chart of the multi-stakeholder Internet ecosystem. Image courtesy of Internet Society.

active, too global to have any organization try and control it and make decisions.”

Along with policy debates the IGF-USA included panels about to cloud computing, domain names and secure routing. The technical standards aspect of Internet governance has been “wildly successful,” said John Curran, president and CEO of the American Registry for Internet Numbers, who called for the multi-stakeholder dialogue to distinguish how social policy and technology are connected.

“We need to figure out the right engagement process that lets the Internet continue to evolve and continue to respond to needs, [while] at the same time bringing in the governance, the society issues to be considered,” Curran said.

The United States government has more liberal expectations for Internet freedom and Internet governance than some other nations such as Russia and China, whose regulatory proposals would effectively use the ITU to regulate the global Internet. Because of this the ITU has been criticized for its one-nation, one-vote process. While an open letter sent by members of civil society groups recently pressured ITU Secretary General Hamadoun Touré to encourage WCIT process transparency, the ITU is unlikely to ever become a fully multi-stakeholder organization, said Larry Strickling, administrator of the National Telecommunications and Information Administration.
“By its constitution it is beholden only to its Member States and that is unlikely ever to change,”  Strickling said.

Threats to the open Internet come not only from governments, but also from telecommunications companies that control service access and have vast user bases for their websites. Even Google, which is praised for its transparency reports and its motto “don’t be evil,” has potential to unbalance the free Internet. The massive company is becoming more massive by bidding on hundreds of new domains created by ICANN, and by expanding applications that affects every aspect of networked society. Google’s March 1 consolidation of the privacy polices of its nearly 70 products reflects its ability to make a vast impact without public input, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center.

“The concern about Google’s dominance over the Internet is not going away. I think it is the number one threat to Internet freedom,” Rotenberg said.

That discussion on the far-reaching impact of corporate and government power over the Internet needs to happen at a street level and not just within the “traveling circus” of the Internet policy experts who attend events such as the IGF, said Rebecca MacKinnon, author of  “Consent of the Networked: The Worldwide Struggle For Internet Freedom.” Revisiting a theme discussed in her book, MacKinnon said the world is at a moment similar to the drafting of the Magna Carta, with which Medieval English nobles declared a king should not have absolute power. In the same way that document took years to inspire true democratic institutions, MacKinnon said citizens of the growing “digital commons” need to take a first step and start thinking of themselves as citizens of a global network who deserve digital rights.

“We don’t have a very good way of ensuring that power exercised on the Internet and across the Internet is held accountable,” MacKinnon said. “Obviously we need a multi-stakeholder model, but I think we are in a very, very early stage of figuring out how to make that work. Figuring out how to ensure that Internet governance going forward really does reflect the rights and interests of everybody using the network; that enables the possibility for all affected stakeholders to participate, if they want to.”

Former CIA, DHS Officials Want to Remove Wiretap Restrictions on Cybersecurity

Bipartisan Policy Center Cybersecurity Task Force members are, from left, Mort Zuckerman, Michael Hayden and Stewart Baker.

A new report drafted by a think tank group including former heads of the national security agencies recommends loosening privacy laws to allow companies to monitor users for cybersecurity threats.

The goal of the Bipartisan Policy Center’s “Public-Private Information Sharing” report launched on July 19 is to encourage companies to share information with the government about cybersecurity by removing legal liability fears. The report is available for download here. The think-tank’s Cybersecurity Task Force reported that loosening the Wiretap Act, and the Electronic Communictations Privacy Act which amended it, would allow companies to monitor for threats to their networks more effectively.

“Currently cyber information sharing is conducted under an outdated legal framework that frankly was designed for the telephone, rather than packets of data traveling over the Net to various devices,” said Michael Hayden, former director of the Central Intelligence Agency and co-chair of the Bipartisan Policy Center’s Cyber Security Task Force.

More than 50,000 hacks against private and government networks were reported from October 2011 through February 2012, according to the Department of Homeland Security. Companies sometimes do not report data breaches for fear of damaging their reputations or fear of legal reprisal for not going through proper procedure. New legislation would ease a corporate culture unhappy with this status quo, said Bryan Cunningham, former deputy legal advisor to the national security advisor.

“Businesses have a real problem with the lack of certainty and the many, many different standards that they have to comply with,” Powell said. “Even if the standard became more restrictive, I think most businesses would say a clear standard is better than the mess that we have now.”

Monitoring of a network is permitted under the Wiretap Act and the ECPA if an Internet service provider (ISP) is tracking its own network, not the end user, if the provider has reasonable cause to suspect its property rights are being violated and can link such activity to a device. During any permitted data interception the ISP cannot act as the law enforcement’s agent and any monitoring must be narrowly focused. The report states:

“Relevant statutes should be amended to clarify that consent from an individual or company is sufficient for such monitoring, which can include consent by an information technology service on behalf of its users.”

If ISPs had clearer authority to monitor networks then Web companies could protect their users with real-time intelligence about hacks and malware, argued Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security.

“I think there is a business there, I would pay for that,” Baker said. “We’ve all gotten to the point where trying to protect ourselves is a daunting prospect.”

The Wiretap Act and ECPA allows authority for 12 state laws to require consent by both parties involved in any data inspection before the inspection can take place, which the report states “gives cyber attackers a veto on whether their packets are inspected for malicious content.” A total of 46 states and the District of Columbia have data breach notification laws in place to protect consumer rights and privacy.

In an effort to streamline threat information sharing Hayden called for a national law for data breach notification. The Obama administration proposed such a law as part of a May 2011 cybersecurity report, which is available for download here.

“Congress should also provide a safe harbor for companies when there is no actual risk for consumers having their data misused,” Hayden said, referring to a component of the Obama administration proposal.

Subpoena requirements for cyber threat information sharing is another bit of red tape the report states should be cut in the name of security. The report suggests keeping the civil liberties and privacy intentions of existing laws without recommending how to narrowly edit along those lines. The report states:

“With the right privacy and civil liberties protections in place, there is no valid reason for cyber threat information not to be shared with the federal government, and a subpoena requirement can often thwart information sharing to identify and stop cyber attacks underway.”

Along with removing limits on cybersecurity the report recommends making information sharing on digital threats a two-way street. As an incentive to share cybersecurity threat information with the government companies would in receive in return information relevant to the hacks, the report states.

Less sensitive government cybersecurity information should also be regularly disclosed, Hayden said, adding that a more open process would be improved by requiring more personnel to have security clearances in critical infrastructure industries such as emergency services, energy, IT, banking, health care and communications.

Another recommendation by the report would clarify the president’s ability to declare a cybersecurity emergency and call on Congress to take action to protect against an attack. Baker alluded to controversies about executive power over the Internet in a national security emergency, such as the possibility of an “Internet kill switch,” also held by ousted Egyptian President Hosni Mubarak. Discussions about the president’s power in a cybersecurity emergency are better to have now that after an attack, Baker said.

“It doesn’t advance civil liberties to say ‘Mr. President you have a choice between wringing your hands on the sidelines and declaring martial law,’” Baker said.

These recommendations come at a time when a key component of cybersecurity bills currently before Congress is whether to require companies to share information with government agencies about digital threats. After pressure from advocacy groups such as the Center for Democracy and Technology and other members of Congress, a revised Cybersecurity Act of 2012 was released on Sunday by its co-sponsors Sen. Joe Lieberman (I-Conn.) and Sen. Susan Collins (R-Maine). Several privacy advocates such as the American Civil Liberties Union supported the amendments as an improvement, but the ACLU and the CDT reminded Internet freedom activists to remain vigilant on privacy concerns ahead of a Senate vote.

While Congress debates different versions of the bills the Cybersecurity Task Force is convinced its recommendations balance privacy and security concerns. However international human rights groups argue that repressive countries that conduct widespread censorship or surveillance online often defend their actions by stating their actions conform with the policies of other democratic countries.

Hayden also pointed out that cybersecurity threats are used as an argument by developing nations to change existing Internet governance models so they can assume more control of their nations’ networks, which could threaten Internet freedom by instituting new restrictions on use in those nations.

“If we fail at our task, this argument gets some more traction,” he said.

Senate Tags Facebook on Facial Recognition Privacy

Sen. Al Franken (D-Minn.) displays Facebook screens about tagging settings, which do not mention facial recognition use. Photo credit Tom Risen

More than 300 million photos are uploaded to Facebook every day. Concerned about the privacy risks of the website’s facial recognition software, Sen. Al Franken (D-Minn.) pressured a Facebook executive to be more transparent about the website’s facial recognition software during a July 17 Senate hearing of the Senate Judiciary Subcommittee on Privacy, Technology and the Law.

The social network’s Tag Suggestions feature is a default facial recognition option for Facebook’s 900 million users, some of whom might be unaware of the technology’s potential misuse for privacy invasion by stalkers, companies or repressive governments. Facebook began testing Tag Suggestions in the US in December 2010, before expanding its use to users in most countries in June 2011, according to the Facebook Blog.

The feature has been disabled and under maintenance for several weeks, according to Facebook’s Manager of Privacy and Public Policy Rob Sherman, who would not specify when the feature would be reactivated. While the feature is disabled, Franken said Facebook has an opportunity to make modifications and establish a best practice for other social networks.

“Facebook allows people to use Tag Suggestions only on close friends, but I still think Facebook could do more to explain to its users how it uses facial recognition and to give them better choices about whether or not to participate in tag suggestions,” Franken said.

Facebook does not currently allow users under age 13 onto the social network, and users between 13 and 17 must opt in to Tag Suggestions, said Sherman.

“There have been some studies that have come out recently that have suggested that children despite our efforts are gaining access to Facebook, in many cases with the assistance of their parents,” said Sherman, alluding to research by a team led by social media researcher Danah Boyd about underage users creating accounts by lying about their ages. “One of the things that has been suggested is that we provide tool to parents to manage their children’s access to Facebook. We are in the process of thinking about those really important issues.”

People choose to be on Facebook and they select their online friends, so the feature accesses photos data already available to that friends network, Sherman said in his testimony, which defended Tag Suggestions as having “easy to use” privacy options.

“Individual control is the hallmark of Facebook’s Tag Suggestions feature,” Sherman said. “It gives people the ability to know their photos are posted on Facebook and to exercise control over them if they want to do so.”

Disputing Sherman’s claim that Tag Suggestions was transparent about facial recognition, Franken displayed screens offered to users inquiring about Tag Suggestions in their privacy settings.

“Nowhere on the screen where it reads ‘click to learn more’ do you see facial recognition, or anything that describes facial recognition,” Franken said, pointing to a screenshot. “Those words are elsewhere in your help center, but now you have to go through six different screens to get there. I’m not sure that’s ‘easy to use.’”

Facebook’s manager of privacy was unprepared for the question about scrolling through the privacy settings, saying he had “not done that.”

“I’m one of many people who work on privacy,” Sherman said.

Because of Facebook’s popularity for photos it has the largest, most connected facial recognition database. Companies such as Google and Apple also provide facial recognition applications for their smartphone users, said Electronic Frontier Foundation Staff Attorney Jennifer Lynch. Other panelists alluded to scenes from the movie “Minority Report,” about a not-so-distant future when public biometrics scanners unlock doors, access electronics and announce purchases when someone enters a store. Lynch said private companies are already using facial recognition databases for consumer convenience and security.

“[Facial recognition] creates threats to free expression and freedom of association that are not evident in other biometrics,” Lynch said.

This technology is made more invasive through widespread use of cell phone cameras, which can filter through photos of protest crowds or strangers at bars. A widespread face print database Lynch mentioned was Facebook’s recent acquisition Face.com, an Israeli-based facial recognition platform, which in March stated it had collected 31 billion face images.

A now terminated iPhone application using the software of Face.com, called KLIK, allowed people to look up the names of friends on social networks by taking a photo of a person. A hack uncovered by security researcher Ashkan Soltani allowed users to access non-public photos of person they just met using this photo camera application.

“Americans should also be concerned about the sense of sharing of biometric data that is already occurring at government and private sector level,” Lynch said. “[Facial recognition] can allow government surveillance and tracking on a level that has not before been possible.”

On the other hand, representatives from the National Sheriffs’ Association and from the Federal Bureau of Investigation testified that government use of facial recognition has benefits for crime solving and security. The FBI has a database of 12.8 million photos and plans to expand a pilot project to nationwide use by 2014, stated FBI Deputy Assistant Director Jerome Pender. The U.S. government agency does not, however, use photos from social networking services.

“Only mug shots are used to populate the criminal repository,” Pender said. “Query photos and photos obtained from social networking sites, surveillance cameras and similar sources are not used to populate the national repository.”

Facebook has a disclosure policy available here for law enforcement and governments seeking information from the social network, which requests subpoena for a criminal investigation. Facebook’s Data Use Policy also retains and uses data to serve advertisements. The social network does not share facial recognition templates with third parties, according to Facebook’s manager of privacy and public policy, who said he was unaware of the website having granted requests for the facial recognition templates to any third party or law enforcement agency.

“That reflects the fact that the templates we have would not be useful outside of our service,” Sherman said. “I think there are other technologies law enforcement might use.”

Acknowledging the possibility that the law has not evolved quickly enough to address privacy rights from facial recognition in a public sphere in order to protect Americans’ First Amendment right for free expression and the Fourth Amendment protection from illegal search and seizure, Lynch said Congress should enact new laws to ensure that citizens’ civil liberties are protected as companies deploy this rapidly-evolving technology.

“Though facial recognition implicates important First Amendment and Fourth Amendment values, it’s unclear whether the Constitution will protect against the challenges it presents. Without legal protections in place it could be relatively easy for the government or private companies to amass a database of images of all Americans,” Lynch said. “Congress could use statutes like the Wiretap Act or the Video Privacy Protection Act as models for this legislation.”

Also pointing to the Wiretap Act as a potential foundation for facial recognition laws, Franken said the interpretation of privacy in the social media sphere should be at the center of such legislation.

“[People’s] expectation may be that these pictures they share with their friends are private,” Franken said. “Obviously the founders of our country never conceived of the telephone, so when the Supreme Court decided that wiretapping required some kind of warrant, they had to go on ‘what were people’s expectations?’”

Copyright Driving US Internet Freedom Debate

A logo supporting Internet freedom by Free Press via Flickr. (CC BY-NC-SA 2.0)

A recent United Nations resolution affirming that human rights extend to the Internet is the result of more than a decade of efforts by international civil society groups and coalitions seeking international commitments on Internet rights. Yet that international process had little connection to recent advocacy in the United States, which split from copyright protests into net neutrality debates.

The resolution introduced in the United Nations Human Rights Council (UNHCR), available here, received support from 85 co-sponsor nations including the United States, India, and France. The document called for “promotion, protection and enjoyment of human rights on the Internet,” and affirmed that governments have the same obligation to protect these rights online as they do offline. It was purposefully brief to accommodate the more divisive socio-economic debates on Internet freedom.

Copyright is a wedge issue as nations debate the merits of the Anti-Counterfeiting Trade Agreement (ACTA), negotiate the Trans-Pacific Partnership (TPP) agreement, as France and Germany disagree on file hosting websites, India is requesting more political content censorship and the US Congress may enact intellectual property restrictions similar to the  Stop Online Piracy Act (SOPA) via a proposed Intellectual Property Attache Act.

American civil society groups agree that Internet freedom is a good thing, but differ with each other about the appropriate relationships and roles of government and business. The Declaration of Internet Freedom co-published by advocacy group Free Press commemorating the Fourth of July voiced five principles of expansion, openness, access, innovation and privacy, to serve as a foundation for Internet policy making.

According to Free Press Internet Campaign Director Josh Levy, drafting of the document began in January to build on the momentum of protests by a broad range groups against the proposed copyright restrictions of the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA).  The declaration was coincidentally released the same week as the UNHCR resolution and was likewise intentionally brief, Levy said.

“It was written from the beginning to be a continuation of a grassroots movement,” Levy said. “I put out on the table early on, ‘we are not all going to agree on policy here, but we need to find a way to agree on some sort of high level statement of principles.’”

Even so, many other US-based and focused groups could not agree with that document’s underlying policy principles. Seeking more comprehensive policy language, free market technology think-tank TechFreedom released its own Declaration of Internet freedom. The TechFreedom declaration emphasizes that governments should play a minimal role regulating networks and companies. TechFreedom’s President Berin Szoka said his group declined an invitation to sign the Free Press document two weeks ahead of the July 3 release, inspiring his group to write their own version for the same publication day.

“We can work together sometimes but that doesn’t mean we look at Internet policy the same way,” Szoka said. “I’m not even sure a declaration of Internet freedom is a great idea. The term has become so abstract.”

TechFreedom and Free Press collaborated on opposition to SOPA, but have different opinions issues related to government regulation, including net neutrality and government regulation of corporate data retention and privacy practices. Szoka’s perspective of Internet freedom explicitly opposes government regulation of telecommunications companies on such issues and calls for a “layered approach” toward the tech industry using existing policy.

Other SOPA opponents Sen. Rand Paul (R-Ky.) and his father Rep. Ron Paul (R-Texas) published a Libertarian approach for Internet freedom that week through Rep. Paul’s nonprofit Campaign for Liberty. Seeking a more defined approach than a foundation of principles, the “Technology Revolution” manifesto criticizes what they call “Internet collectivist” attempts to hijack the term Internet freedom and use it to disingenuously push for “the destruction of property rights.” The document is available here and reads:

“The collectivist-industrial complex seeks to undermine free markets and property rights, replacing them with ‘benevolent’ government control and a vision of “free” that quickly evolves from ‘free speech’ to ‘free stuff.’”

The shorter Free Press declaration started debate among bloggers about how to define Internet freedom and the usefulness of the document, but it received the most support – domestic and international – of the three US declarations. On the declaration’s signatory page, where multinational supporters include groups such as the Indian-based Centre for Internet and Society and individuals such as Rep. Darrell Issa (R-CA).

“The Declaration of Internet Freedom is a grassroots effort meant to sustain the grassroots momentum of more than 13 million regular Internet users who took action to stop SOPA and PIPA, and who have awoken to the threats to the future of the open Internet,” Levy said. “More than 1,500 organizations from around the world have signed it since it was launched two weeks ago, along with more than 50,000 Free Press activists.”

International groups focused on the needs of Internet users in the developing world have other priorities. Anriette Esterhuysen, executive director of the South Africa-based Association for Progressive Communications (APC), believes copyright and other socio-economic aspects of the issue need more attention. She credits the recent UN human rights resolution to a 2011 report on Internet free expression by Frank La Rue, UN special rapporteur for free expression, and argues that a revision of APC’s 2001 Internet Rights Charter would address more debates related to economic justice issues that in the developing world are particularly tied to human rights.

“There is a need to come up with some kind of charter that focuses not just on political freedoms, but on socio-economic perspectives,” Esterhuysen said. “About free, unrestricted access to the Internet and the extent to which intellectual property laws do not start to define how people can use it.”

Article 19 of the United Nations’ Declaration of Human Rights, which focuses on the right to freedom of expression, was a cornerstone for the APC charter in 2001. The APC’s goal was to translate the UN document to the Internet as a framework for civil society, said Esterhuysen. Another cornerstone was the People’s Communication Charter drafted in 1999 by media activist group Voices 21, a charter focused on socio-economic concerns which applied diversity rights to mass media as a whole without specifying the risks of the Internet.

“There was a debate between civil society groups who thought the Internet required new rights, and those who felt that new rights were dangerous,” Esterhuysen said. “Those in favor of Article 19 felt that if you messed with existing rights frameworks you could risk losing what you’ve got.”

Part of the desire for new rights came from concerns held by people in developing countries in Latin America that existing rights frameworks could be used as a tool of economic globalization favoring the West, Esterhuysen said. This left APC with the task of compromising both sides of the debate for its 2001 charter.

“Our charter had a very developing country sensibility from the outset,” Esterhuysen said. “We were the first people to emphasize affordable access. It’s not a right, but it is an enabler of rights.”

As the Internet grew APC made minor updates to it charter in 2006 to keep pace with the growth of the technology. Several publications about Internet freedom between 2001 and 2006 also built on foundations. For instance, the World Summit on the Information Society (WSIS) released a declaration of principles during its first meeting in December 2003, but debates on political repression and Internet governance led to the formation of the United Nations Internet Governance Forum (IGF) in 2006.

Along with forming the multi-stakeholder IGF, the individuals and organizations whose advocacy helped create the organization spent several years expanding a discussion about a new document on digital freedoms as the Internet Rights and Principles Dynamic Coalition (IRP). During this lengthy process Esterhuysen said the IRP coalition coordinated with APC as part of a conscious decision by her group to let others try to define Internet rights.

“We felt that other people were coming up with ways of saying things that we had said in more concise ways,” Esterhuysen said. “We kind of decided to go open source with our charter and wait to see what other people came up with.”

Starting in 2008 members of business, civil society and government contributed to an Internet Rights and Principles Charter, which launched in 2010 and became open for consultation. After receiving input about the charter IRP published 10 Internet Rights and Principles in 2011 to summarize the 20-page document, stated an email from Marianne Franklin, a member of the IRP Dynamic Coalition’s Steering Committee at the Internet Governance Forum.

“The IRP coalition, charter, and principles emerged from a sustained international and multi-stakeholder effort over several years,” Franklin stated. “It draws on the [UN Universal Declaration of Human Rights] as well as several precursor and parallel initiatives from civil society participants at the WSIS meetings that preceded the IGF.”

The principles were distilled from the charter to keep it applicable to developing technology and simpler for campaign messages, said Brett Solomon, executive director of digital freedom advocacy group Access. Having been involved with both the Free Press declaration and the distillation of the IRP charter into 10 principles, Solomon said the strength of the Free Press declaration comes from its simple principles. While the IRP Principles have been translated into more than 20 languages, the Declaration of Internet Freedom is gaining more attention because it has a public page to sign support.

“One thing that’s very good about the [Declaration of Internet Freedom] is that it has broad signing from users, companies and organizations,” Solomon said. “The [10 Internet Rights and Principles] are very human rights focused, which may make it more difficult for companies to sign onto it. Having said that I don’t think there was any request or opportunity for anyone to sign onto it.”

Grassroots opposition to SOPA and PIPA is a major opportunity to expand the existing discussion on global Internet freedom among everyday users said Dixie Hawtin, project manager for freedom of expression and digital communications at the UK-based Global Partners & Associates which helped draft the IRP charter.

“It would be good to get them out on the street the way they did with SOPA and the [Anti-Counterfeiting Trade Agreement (ACTA)], rather than the field of activists already involved in this field,” Hawtin said.

The IRP charter remains a work in progress, and includes debates about whether the rights to free expression and the right to privacy could solve socio-economic issues, such as the right to health and the right to education, Hawtin said. Because Internet freedom could encompass issues including free expression, privacy and consumer rights, Hawtin said a range of initiatives are discussing if it would be possible, or desirable, to coordinate on how to implement different charters among companies and governments.

If there are too many voices on Internet freedom the issue could become confused due to “charter overload,” as Hawtin addressed in the 2011 issue of Global Information Society Watch.

“My own feeling is that we need to move towards an IGF-level statement of principles for Internet governance, as the only multi-stakeholder and global forum,” Hawtin said. “[There is] a recognition that wider civil society actually cares about these issues, and that it was possible to launch a widespread campaign, at least in the US, over something which could seem as dry as internet governance.”

While America’s homegrown Internet freedom dialogue emerged independent of IGF debates, Levy said building on anti-SOPA consensus could help pressure governments to give Internet users a role in policy making.

“This is not meant to come out of nowhere and to exist in a vacuum. The work to define what Internet freedom is and to define our rights as individuals using the Internet continues,” Levy said. “It is all part of a collaborative process, which is why we are so heavy on the public participation aspect.”

Wikimania and Tech@State

Wikimania 2012 meets July 12-15 in Washington, D.C.

Free knowledge for all is the goal for attendees of Wikimania 2012 conference, who will share solutions to improve online  information access from July 12-15 in Washington, D.C..

The gathering organized by the Wikimedia Foundation, which oversees the 285 international versions of the online encyclopedia, has gathered a crowd of Wikipedia editors, civil society members and technologists to discuss the future of the Wikipedia open knowledge mission. Registrants from more than 87 countries are attending.

The US State Department’s concurrent Tech@State conference from July 12-13 focuses on government efforts to make data more accessible with help from Wiki projects such as WikiData, designed to provide citizens with central access to data in the way Wikimedia Commons does for multimedia files.

The panel speeches for Tech@State will livestream on the website’s video archive.

On Twitter, follow  #wikimania  or  @wikimania2012.

Also follow Tech@State with #techatstate  or  @techATstate 

Secretary of State Hillary Clinton wrote a letter commending Wikimania 2012 organizer for highlighting the need to expand free data on global networks, which her letter stated was a key part of her 21st Century Statecraft diplomacy that uses new communications technology.

“The world is more connected than ever before, but there is still much work to be done to fully capitalize on the potential of this interconnection,” Clinton stated. “There are many people who are disenfranchised because they lack access to information; there are others whose contributions would make our collective knowledge richer, but they face risks and difficulties in doing so.”

Wikipedia Founder Jimmy Wales

Wikipedia Founder Jimmy Wales reviewed 2012 as a big year when the website went dark in January to protest the Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA) bills to censor Internet websites in the US.

“I will continue personally to speak out against that kind of Balkanization of the Internet, that kind of impulse to begin closing borders and things like that,” Wales said. “I think it’s unhealthy for the planet, it’s unhealthy for free culture, and so forth.”

The first such political strike happened last October when Wikipedia Italy went dark in protest of a “wiretapping act” that would have prosecuted Italian bloggers for content deemed defamatory by allegation, not judicial process.

“I heard about this two hours before they went black, so that’s the lovely nature of the randomness of Wikipedia,” Wales said. “I hope we don’t become a strike that doesn’t have to go on strike every six months over something. I think it should be reserved only for the most serious things that directly impact our work.”

Wikipedia in Russia went on a similar blackout strike to protest a Russian law to blacklist web content in that nation. While defending the principles of open knowledge, Wales clarified Wikipedia is a global community not dictated by his beliefs alone.

“I think we have to be very careful about our political neutrality,” Wales said. “That’s something we need to develop principles around so that when we [black out the site in protest] we know we are doing the right thing and we know we have the full support of as broad of the community as possible.”

Wikipedia continues to grow and includes articles in 112 different languages, but the information on that diverse platform is only as complete and relevant as the people who join the conversation to add, edit and debate content. Ada Initiative Founder Mary Gardiner said Wikipedia has a responsibility as “a world-changing” project to increase its efforts to seek out broader representation from women and from people in the developing world, where there is less access to networks.

According to Wikipedia’s 2010 survey of contributors and editors, approximately 33 percent of Wikipedia readers were women, and approximately 10 percent of people editing the content on those articles were women.

Ada Initiative Founder Mary Gardiner says Wikipedia could gain more interest by increasing its existing outreach for more diverse editors.

Continuing to allow people to identify with their subculture when they join the larger Wikipedia community. The website should also actively do outreach and plan events for groups of women and other specific identities to build their interest in Wikipedia. Once content editing is carried out by more diverse demographics such as women, more women will find that content useful and will become more involved as readers or editors, Gardiner said.

To this end, one organization focused on increasing the participation and status of women in open technology and culture is the nonprofit Ada Initiative, named after Countess Ada Lovelace. She is credited as one of the founders of computer programming theory and daughter of British literary icon Lord Byron.

“People’s minority identities are often important to them and allowing them to identify as a woman who edits Wikipedia, or a person of a particular ethnicity who edits Wikipedia, or a person with a geographic origin who  edits Wikipedia,” Gardiner said. “Allowing them to  meet other people with that same identification and be proud of it is actually a major social way that you can improve their engagement with the minority group they originate from, but with Wikipedia.”

No Cold War Deterrence for an Open Internet

Atlantic Council Senior Fellow Gregory Rattray on July 10 describes the think tank’s new capstone report on cybersecurity.

A study by the Atlantic Council’s Cyberstatecraft Initiative  warns that a Cold War-style deterrence strategy for cyberspace could have a negative impact on Internet freedom and is ineffective against hackers because the digital “battlefield” is also an everyday market and global commons.

The report entitled “Addressing Cyber Instability,” slated for publication late this summer, has an executive summary available here. On July 10 a panel of experts discussed the report’s aim to encourage a more pragmatic approach to network security risks.

For cybersecurity to be more resilient, governments and individuals must accept that the Internet is structurally unstable, which makes the free and convenient Internet “a problem that we want,” said Atlantic Council Senior Fellow Gregory Rattray.

“We basically are dealing with too much of a good thing,” said Rattray, former chief security advisor to the Internet Corporation for Assigned Names and Numbers (ICANN).

Viewing the Internet as a living ecosystem instead of an engineering challenge, Greg said the goal should be how to direct its evolution through risk management. Similar to the way people are encouraged to prevent pollution, a safer cyberspace could be maintained by encouraging people to practice safe Internet practice and companies viewing security as an externality of their business, he said. Mobile banking is one example he used of companies placing competition over security concerns.

Computer viruses should similarly be viewed as a public health concern, he said, alluding to a project by the Organization for Economic Cooperation and Development to determine effective regulatory models for safer, efficient networks.

“Elsewhere in the world these messages resonate a lot more easily than competitive messages,” said Rattray, a former commander of the Operations Group of the Air Force’s Information Warfare Center. “You [could] get everything from stopping the emergence of bot nets to monitoring the current health of the system and shining the light on areas where there are problems so you can provide assistance and accountability.”

Collaboration between nations is also necessary to keep the global network secure, said Rattray. One example he mentioned was an agreement between China, Japan and South Korea on responding to a bot net attack against government computers to avoid confusion about whether a hacker group is responsible, so it would not escalate to an international conflict.

“Even the United States and the Chinese can collaborate. Bot nets are not good for either country,” Rattray said.

Because not only foreign governments have the power to disrupt networks, Rattray said greater recognition needs to be paid to what he called “the Internet underground” of hacker groups and identity thieves.

“We need to be careful that non-state actors or lesser state actors could rearchitect things like Stuxnet and pose very significant threats,” Rattray said.

The revelation that the United States created the Stuxnet virus to sabotage the equipment at Iran’s nuclear facilities is a poor international precedent for the United States to show other nations, said the Cyberstatecraft Initiative’s Director Jason Healey.

“That is a difficult norm that we have just taught the Chinese. That it is OK to strike first before there is an actual conflict,” Healey said.

Hackers adapt attack strategies rapidly, so a new generation of analysts and network administrators must develop new troubleshooting techniques to match the more open networks of cloud computing, said Kris Martel, a senior cyber security architect with Intelligent Decisions.

“Security is not this monolithic thing you can apply to every device or a person,” Martel said. “How we secure the information is not going to be necessarily all firewalls, servers and workstation endpoints.”

As the Internet grows, its future as an open, free space will be determined by new technologies that might shift the balance in cybersecurity from offense to defense, Healey said. In December the Atlantic Council published a document outlining possible ways the Internet could evolve entitled “The Five Futures of Cyber Conflict and Cooperation.”

“Look at the other domains. A machine gun all of a sudden helped make land battles way more defensible,” Healey said. “We might be one disruptive technology or methodology away from having a radically different cyberspace where freedom is incredibly difficult because everybody can do devastating attacks.”

Netizen Tech: ‘Completure’ Photojournalist App

Mark Malkoun, developer of Completure

Online photos have the power to give an issue a face, or break a story within seconds, so a new iPhone application called Completure aims to make news images verifiable and private enough to protect Netizen journalists.

Completure focuses on photos and gives users 60 characters for a title before votes and comments layer on the image as the story develops. To cut through the noise of photo blogging Lebanese developer Mark Malkoun, 26, added a voting feature to the photo application so users can vote for favorite stories. To prevent redundancy photos submitted from a specific event are grouped together.

“The idea is to create a democratized news solution where everyone can create a story in a few seconds by posting a photo and title,” Malkoun said. “We rely less on words than Twitter and make sure the pictures are taken by the iPhone to ensure these are genuine. We don’t have filters like Instagram that play with the picture. We want to keep it as authentic as possible. We have to double check for the content in different ways.”

Every user must geo-tag the location of their photo within 72 hours to ensure stories are not outdated, which also allows Completure to verify whether or not photos are doctored to further personal agendas.

“Usually, the power of a story diminishes the further you are from it geographically,” Malkoun said. “When users open the app, they can view news photos according to their location, most recent upload or what others have voted top news. Top stories are grouped by country, continent or the world as a whole.”

Every good journalist also knows how to protects their sources, so Malkoun wants public input on privacy concerns, such as tagging photo locations on GPS. If users seek some anonymity about their location they could state the photo was taken in Syria, instead of a specific city, for instance.

“This is part of the umbrella of respecting people’s liberties of anyone who wants to submit content,” Malkoun said.

Photo sharing app Completure

“So far we don’t know exactly how far some governments want to go, but we will go even further to protect people who want to submit content.”

Options to improve anonymity could include leaving out real names, but there is still a need for real names to verify sources. One solution Malkoun is considering could involve keeping real names a secret among a select few Completure staffers, who could stand by the authenticity of photos if they became major international news.

Giving Internet users a vote on content is important in countries with media that is either biased toward governments or that glosses over certain news stories, Malkoun said.

“Most big media corporations out there are imposing what the top stories should be,” Malkoun said. “You may have attempts to abuse a story from all sides. Everyone will try to game the system. Our goal is really to be unbiased and democratized. You have a difference of opinion and you see the whole story. And with the voting you see who is in favor of it and who is against it.”

The same way social media amplified efforts of people with decades-long grievances in last year’s Arab Spring uprisings, Malkoun said that communication potential fueled a tech development boom with his generation in the Middle East. For another example of post-Arab Spring innovation, check out Cryptocat, the encrypted chat room app created by fellow Lebanese programmer Nadim Kobeissi.

As Completure evolves, Malkoun said he will consider encryption for the app, along with features for video, languages besides English and use by other smart phones. To contact Malkoun, reach him on Twitter @Completure or through the Completure home page.

“Citizens are definitely understanding the impact of citizen media and communications,” Malkoun said. “Even in countries that are really not tech savvy the TV networks are talking about Facebook and Twitter more. I think there is a general belief in many Arab countries that it is social media that gave them freedom. Even those who didn’t understand the power of it before cherish it now.”

Global Network Initiative’s Digital Freedoms Report

Jermyn Brooks, independent chair of the Global Network Initiative, speaks on June 14 about plans for the group in 2012. Photo credit Tom Risen

The struggle for Internet freedom was at the center of world-shaking events that took place in 2011, and a new report commissioned by the nonprofit Global Network Initiative (GNI) calls for greater defense of people’s digital rights by companies as well as governments in 2012.

The GNI is a multi-stakeholder initiative that brings together companies, civil society groups, socially responsible investors and academics committed to helping the Internet and telecommunications sector uphold core principles of free expression and privacy in the course of doing business all over the world. Companies face demands from governments everywhere to remove or block content or share user information. The GNI provides a framework for companies to deal with this reality in a way that protects their users’ and customers’ rights to the maximum degree possible.

Most notably in 2011 and early 2012, the organization’s annual report (downloadable as a pdf here) describes how GNI’s three founding companies, Google, Yahoo and Microsoft, recently underwent an independent assessment process to determine whether and to what extent they have put policies and procedures on protecting free expression and privacy into place. The independent assessment completed in March was the first ever of its kind for the information and communications technology industry. During 2011 the organization also raised policy concerns about a range of government actions that harm free expression and privacy, from the Egyptian government’s Internet shutdown in early 2011 to censorship and surveillance proposals in the United Kingdom after riots broke out last summer.

On June 14 the group presented a new academic report entitled “Digital Freedoms in International Law,” which includes recommendations for companies and governments to continue the push for standards for digital liberties. Here is an excerpt of the executive summary:

With around 2.3 billion users, the Internet has become part of the daily lives of a significant percentage of the global population, including for political debate and activism. While states are responsible for protecting human rights online under international law, companies responsible for Internet infrastructure, products and services can play an important supporting role. Companies also have a legal and corporate social responsibility to support legitimate law enforcement agency actions to reduce online criminal activity such as fraud, child exploitation and terrorism. They sometimes face ethical and moral dilemmas when such actions may facilitate violations of human rights.

In this report we suggest practical measures that governments, corporations and other stakeholders can take to protect freedom of expression, privacy, and related rights in globally networked digital technologies. These are built on a detailed analysis of international law (particularly the ICCPR), three workshops in London, Washington DC and Delhi, and extensive interviews with government, civil society and corporate actors.

The initiative announced the report at the New America Foundation during the Global Network Initiative’s 2012 Learning Forum. The full report is downloadable here. One key issue raised by Ian Brown, a co-author of the report, was the challenge of managing “dual use technologies,” which could be used to build surveillance networks to stifle dissent in repressive nations, and how to define when sale of such technology should be sanctioned the way the United States restricted sales to Syria.

“By and large sanctions are only in place against countries that have already gone a very long way down the road in serious human rights violations, whilst allowing other repressive regimes to build surveillance infrastructures and surveillance infrastructures and censorship infrastructures that might be abused,” said Brown, a senior research fellow at the Oxford Internet Institute. “Sanctions politically are very hard to agree on. Understandably states have significant companies whose business interests they do not want to damage.”

The full report – which while commissioned by the GNI did not reflect the views of all GNI members – lists specific recommendations for companies, governments, non-governmental organizations and investors to better address digital freedoms, including:

  • States should be willing to engage in dispute resolutions measures to resolve conflicts over human rights compliance in the use of products sold and supported by companies from their country.
  • Investors should expect companies to follow appropriate human rights standards that are developed and implemented in a multi-stakeholder processes. The report also recommends investors should require accountability from companies through public reporting, even if certain details are held back in extremely sensitive situations.
  • Non-governmental organizations should provide information to consumers about the potential human rights risks of a product or service, and should raise awareness about the human rights responsibilities of information and technology companies.
  • Companies should collect information on legal systems and experiences in different jurisdictions with other companies, governments and non-governmental organizations. This information would help companies decide how to employ their tech services in a country to minimize the risk of human rights abuse.
  • Companies should seek judicial review of requests for user data in courts of a host country in circumstances that could violate international human right law.
  • Companies should each insist that government demands for access to data not stored within their own jurisdiction should be made only through the applicable Mutual Legal Assistance agreements. Governments should also insist requests for data held on their territory be made through Mutual Legal Assistance agreements, and that extraterritorial demands for access to data on a server in their jurisdiction would otherwise be a violation of sovereignty.

The GNI was founded in 2008 with Microsoft, Yahoo and Google as the first three member companies, and in 2011 GNI added two new member companies, along with more staff and funding to increase digital rights dialogue between tech companies and governments. Web security company Websense and online voice content company Evoca joined GNI in 2011 as its fourth and fifth corporate members. Seven other civil society groups also joined GNI in 2011.

In May Facebook joined GNI as an observer company for a one-year term. During this period to decide if they want to sign up for full membership, the company is involved in some of GNI’s learning and policy activities. Facebook will not undergo the human rights audit of its business that full members undertake. Irish top-level domain registry service Afilias Limited also joined GNI in May as the second observer-status company.

After the announcement of the report there were several panel discussions about Internet freedom challenges for companies and the way forward for GNI. Click here for video of the event.

Discussing the data protection dilemmas faced by businesses, Google’s Director of Corporate and Policy Communication Bob Boorstin said companies have an incentive to encourage a free and open Internet worldwide for personal freedoms and for economic growth. Global digital business must protect the security and privacy of users’ data while deciding how to comply with government data security policies, Boorstin said. Google’s Asian data centers are under construction in Hong Kong, Taiwan and Singapore.

“It is hard to untangle a corporation’s right to sell ads from the user’s rights to free expression. They go hand in hand,” Boorstin said. “[Another issue] that is becoming increasingly important is the location of data centers. And demands by countries around the world, that in order to provide services or products in those countries you must locate data centers in those countries.”

British journalist John Kampfner moderated the panel discussions about how companies should coordinate with governments to uphold privacy and free expression. Also on June 14 the British government announced a draft bill that would allow the government to track Internet use by accessing data from Internet Service Providers (ISPs). This was used by Kampfner as a case example of governments requesting data from tech companies on the pretext of national security concerns to the point where privacy rights could be put at risk.

“To what degree do democratic governments practice what they preach, or to what extent do the restrictions laid on the Internet, for whatever reason, usually under the guise of terrorism and antiterrorism, are sort of manna from heaven? Are they the perfect “get-out” clause?” said Kampfner, author of “Freedom for Sale: Why The World Is Trading Democracy For Security.”

Representing the Indian-based Centre for Internet & Society, which joined GNI in 2011 along with six other civil society groups, the Indian group’s Executive Director Sunil Abraham echoed a need for governments to recognize digital freedom and discourage nations from cherry-picking existing tech policy to justify political agendas.

“In India, whenever policy is formulated, the country’s policymakers always look to the West both for good ideas and bad ideas,” Abraham said.

The U.S. State Department’s Deputy Assistant Secretary for Human Rights and Labor Dan Baer said regional organizations such as the Organization of Americans States could help encourage standards for digital rights, but also called the loose interpretation of terrorism an “unavoidable challenge.”

“We should be concerned about exploiting the term not only because [it is exploited] in order to perpetrate abuses, but also because it cheapens the coin, and therefore unhelpfully broadens what is aimed at being a very focused effort to target a very real threat, which is real terrorism,” said Baer, who works with the State Department’s Bureau of Democracy.

Closing the learning forum, the Global Network Initiative’s Independent Chair Jermyn Brooks called on governments and companies to join GNI, and to coordinate with international experts to solve challenges facing digital rights.

“The information, the expertise, the experience, is there. But we need to be better at telling people that we’ve accumulated that expertise and there’s real value there,” Brooks said.


Get every new post delivered to your Inbox.

Join 1,309 other followers