A fine balance: ensuring rights online and State security demands

In 2014, the information and communication technology company Microsoft entered into a legal battle with the United States Government. The company challenged a search warrant to access, as part of a drugs related investigation, one of its customer’s emails hosted on a server in Dublin, Ireland.

“People do not use technologies they don’t trust or understand… and earning that trust is crucial to Microsoft,” said Bernard Shen during a discussion hosted at the UN Forum on Business and Human Rights in Geneva.

Shen explained that his company had a major concern: if such a warrant were to prevail, what would happen if other countries were to issue an order to Microsoft to turn over customer emails in the United States?

The company has been calling for Governments to create a new international legal framework for them to access data. “Such a framework should ensure that Governments seek information in other participating countries only pursuant to legal rules and due process, and a cornerstone of such an international framework should be respect for human rights and individual privacy,” Shen added.

Whereas in parts of the world private companies have been able to challenge State privacy intrusions, private companies have also assisted Governments acquiring mass surveillance technology, said Nighat Dad of the Digital Rights Foundation. Such technology may be used “to enforce blanket censorship and network shut-downs in the name of national security”.

The Edward Snowden revelations on mass surveillance by the US National Security Administration swung the pendulum in one direction, but the recent terror attacks attributed to ISIL have once again shifted the balance, said Stephen Lowe from the United Kingdom Foreign and Commonwealth Office. “The pendulum has swung back again, like an instinctive response by Governments to the fears of their citizens,” he said.

Since 2013, following recommendations from three independent reviews, the UK has created guidance for the cyber export industry to allow them to do due diligence on risk when exporting technology overseas. The Government has also put in place measures when it was the one providing that technology.

“Above all, this is an area where confrontation is least helpful and where we need to have a contract of trust between Government and citizens about what is necessary and what is appropriate, how do we keep citizens safe and how do we keep their data safe,” he said.

Privacy International’s Tomaso Falchetta, pointed out that the technology sold by telecommunications companies was being used by some Governments to target political opponents, journalists and lawyers, to crackdown on dissent and harass human rights defenders. Ultimately, tech companies had to evaluate the human rights implications of their trade with national intelligence agencies.

“The surveillance industry must take its responsibilities to respect human rights in accordance with the UN Guiding Principles on Business and Human Rights through various measures: developing policy commitment, carrying out due diligence on potential customers, and carrying out periodic reviews of States’ use of the technology they provide,” he recommended.

The Ranking Digital Rights Index which was launched recently by the New American Foundation examined 16 of the world’s biggest companies that provide consumers basic connectivity through the internet and mobile devices.

“We wanted to see what evidence of policy commitment the companies were showing in terms of human rights impact assessment; if there were meaningful grievance and remedy mechanisms related to how the company’s business affects users’ freedom of expression and privacy; and if the company disclosed its practices,” Rebecca MacKinnon said.

The top scoring company was awarded a D grading. “This is a diagnostics test, it’s not a certification. We’re not saying that the companies that got the top scores are necessarily the best,” she said. “[Users] need to understand how their data is being collected, how it is being used, with whom it is shared. This needs to be communicated to the users not just the regulators, and companies need to be transparent on content restriction and sharing of user data with third parties.”

2 December 2015