<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Dear Andrew<br>
<br>
Have been following the conversation with interest. The point
Parminder raises about the responsibilities of companies in ensuring
that human rights in the fullest sense of the term are not
jeopardised at the deepest levels of the internet's architecture is
one that indeed needs attention. However, the conversation so far is
proceeding as if no work at all has been done around human rights
norms and principles for the internet. This is not the case. A lot
of work has been done, indeed stretching back many year into the
WSIS period. If we choose to forget or ignore what came before we
are all doomed to repeat past mistakes (as a great sage once
remarked)! <br>
<br>
With the Bali IGF as a venue for meeting and moving forward I do
think it is important to note that the Charter of Human Rights and
Principles already goes a *long* way in defining these 'global' (I
use the term advisedly) norms and principles carefully. The reason
for the cautious approach in 2010-2011 when the IRP Coalition was
drafting this current version was precisely in order to be precise
and coherent. Many people on all these lists were involved in this
process and can share the credit for what has been achieved. The
cautiousness then, criticised at the time, has paid off in
retrospect. <br>
<br>
As a wide-ranging Charter of human rights and principles focusing on
the online environment, then picked up by Frank La Rue thanks to the
work of the then IRP Coalition Chairs, Lisa Horner and Dixie Hawtin
in turn, based on the UDHR and its successors it was, and is not
intended to be a prescriptive, or one-size-fits-all document. What
was intended and to my mind has been achieved is rather a baseline,
inspirational framing for the work that is now emerging around
specific cases and situations such as privacy, freedom of expression
and so on that have been thrown into relief by the events around
PRISM. The IRP Charter is also careful to include the responsibility
of companies as integral to these emerging norms. Events have
underscored that the IRP Charter was a project worth engaging in and
for that the 'we' on these lists did achieve something quite
remarkable. <br>
<br>
Moving the IRP Charter up a level is a focus for two workshops at
least in Bali, and the IRP Meeting there I would like to propose
that these are very suitable places to continue these discussions,
online and of course in person. The Best Bits meeting prior to the
IGF is in this respect a great way to get started as the next stage
of the IRP Charter in substantive terms gets underway i.e.
addressing the weaker parts of the current Beta version
(<a class="moz-txt-link-freetext" href="http://internetrightsandprinciples.org/site/charter/">http://internetrightsandprinciples.org/site/charter/</a>) and widen
awareness amongst the human rights community and inter-govn
organizations. A huge step in the latter has already been achieved
in recent weeks and I would like to add these moves to the work
being done through Best Bits. <br>
<br>
Finally, on principles seeing as this focus is also on the IGF
agenda, here too the IRP Charter developed precursor models (such as
the APC Bill of Rights, the Marco Civil principles too) the IRP Ten
Principles are intended as an educational, outreach version of the
actual Charter. So here the work being initiated around Internet
Goverance Principles (however defined) is something the IRP
coalition supports implicitly. <br>
<br>
The only question I am getting from members is about how better to
work together, which is why the current Charter goes quite some way
in establishing the sort of framework that is being advocated here.
No need to reinvent the wheel in other words! <br>
<br>
best<br>
MF<br>
<br>
<div class="moz-cite-prefix">On 25/06/2013 17:59, Andrew Puddephatt
wrote:<br>
</div>
<blockquote
cite="mid:F605C05AD40650428A0434B4926B399CBD570C05AD@COLO-MB-CLUSTER.ethical.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Lucida Sans Unicode";
panose-1:2 11 6 2 3 5 4 2 2 4;}
@font-face
{font-family:inherit;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.highlight
{mso-style-name:highlight;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#0070C0">Just
welcoming Parminder’s focus on companies here. I feel that
the current situation is an opportunity to push the
companies a lot more rigorously than we have been able to do
so far. I like the idea of global norms and principles and
I wonder if anyone has done any detailed work on this in
relation to security/surveillance and jurisdictional
questions – specifically the role of global companies rooted
in one jurisdiction (principally the US I would guess?).
I note that some German MPs are calling for US companies to
establish a German cloud distinct and separate from US
jurisdiction..<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#0070C0"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#0070C0">I
think we can strategically link the two issues that
Parminder has flagged up – </span><span
style="font-family:"Calibri","sans-serif";color:#0070C0">we
can reinforce the</span><span
style="font-family:"Calibri","sans-serif";color:#0070C0">
</span><span
style="font-family:"Calibri","sans-serif";color:#0070C0">push
for norms and principles pointing out this is a way for
country’s to escape the US orbit – as long as we can avoid
the danger of breaking the internet into separate national
infrastructures – which is where the norms and principles
need to be carefully defined. Is this something we can
discuss online and then discuss in person at Bali?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#0070C0"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#0070C0">Looking
at the GNI principle on privacy it says:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#0070C0"><o:p> </o:p></span></p>
<p style="margin-left:30.0pt;background:white"><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#333333">Privacy
is a human right and guarantor of human dignity. Privacy is
important to maintaining personal security, protecting
identity and promoting freedom of expression in the digital
age.<br>
<br>
Everyone should be free from illegal or arbitrary
interference with the right to privacy and should have the
right to the protection of the law against such interference
or attacks.<br>
<br>
The right to privacy should not be restricted by
governments, except in narrowly defined circumstances based
on internationally recognized laws and standards. These
restrictions should be consistent with international human
rights laws and standards, the rule of law and be necessary
and proportionate for the relevant purpose.<br>
<br>
<span class="highlight">Participating companies will employ
protections with respect to personal information in all
countries where they operate in order to protect the
privacy rights of users.</span><o:p></o:p></span></p>
<p style="margin-left:30.0pt;background:white;orphans:
auto;text-align:start;widows: auto;-webkit-text-stroke-width:
0px;word-spacing:0px"><span class="highlight"><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#333333">Participating
companies will respect and protect the privacy rights of
users when confronted with government demands, laws or
regulations that compromise privacy in a manner
inconsistent with internationally recognized laws and
standards.<o:p></o:p></span></span></p>
<p style="background:white"><span class="highlight"><span
style="font-family:"Calibri","sans-serif";color:#0070C0">Is
this something to build upon? The final clause is
interesting – it implies that signatory companies will
respect privacy even when asked to comply with laws that
breach internationally recognized laws and standards which
I assume everyone thinks that FISA does?</span></span><span
style="font-family:"Calibri","sans-serif";color:#0070C0"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Calibri","sans-serif";color:#0070C0"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"
style="margin-top:7.0pt;line-height:115%;text-autospace:none"><b><span
style="font-size:11.0pt;line-height:115%;font-family:"Arial","sans-serif";color:#253741;mso-fareast-language:EN-US">Andrew
Puddephatt</span></b><b><span
style="font-size:11.0pt;line-height:115%;font-family:"Arial","sans-serif";mso-fareast-language:EN-US">
</span></b><span
style="font-size:11.0pt;line-height:115%;font-family:"Arial","sans-serif";mso-fareast-language:EN-US">|
</span><b><span
style="font-size:11.0pt;line-height:115%;font-family:"Arial","sans-serif";color:#253741;mso-fareast-language:EN-US">GLOBAL
PARTNERS</span></b><span
style="font-size:11.0pt;line-height:115%;font-family:"Arial","sans-serif";color:#253741;mso-fareast-language:EN-US">
DIGITAL<o:p></o:p></span></p>
<p class="MsoNormal"
style="line-height:115%;text-autospace:none"><span
style="font-size:10.0pt;line-height:115%;font-family:"Arial","sans-serif";color:#253741;mso-fareast-language:EN-US">Executive
Director</span><span
style="font-size:11.0pt;line-height:115%;font-family:"Arial","sans-serif";color:#FF2126;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="line-height:115%;text-autospace:none"><span
style="font-size:10.0pt;line-height:115%;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-US">Development
House, 56–64 Leonard Street, London EC2A 4LT<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#7F7F7F">T:
+44 (0)20 7549 0336 | M: +44 (0)771 339 9597 | Skype:
andrewpuddephatt</span><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#7F7F7F"><br>
<b>gp-digital.org</b><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> <a class="moz-txt-link-abbreviated" href="mailto:bestbits-request@lists.bestbits.net">bestbits-request@lists.bestbits.net</a>
[<a class="moz-txt-link-freetext" href="mailto:bestbits-request@lists.bestbits.net">mailto:bestbits-request@lists.bestbits.net</a>] <b>On
Behalf Of </b>parminder<br>
<b>Sent:</b> 25 June 2013 09:25<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:bestbits@lists.bestbits.net">bestbits@lists.bestbits.net</a>;
<a class="moz-txt-link-abbreviated" href="mailto:governance@lists.igcaucus.org">governance@lists.igcaucus.org</a><br>
<b>Subject:</b> Re: [bestbits] PRISM - is it about the
territorial location of data or its legal ownership<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span
style="font-family:"Verdana","sans-serif"">This
is how I think it works overall - the digital imperialist
system..... Global Internet companies - mostly US based -
know that much of their operations worldwide legally are on
slippery grounds.... They find it safest to hang on to the
apron strings of the one superpower in the world today, the
US... They know that the US establishement is their best
political and legal cover. The US of course finds so much
military, political, economic, social and cultural capital
in being the team leader... It is an absolutely win win...
That is what PRISM plus has been about. And this is what
most global (non) Internet governance has been about - with
the due role of the civil society often spoken of here. <br>
<br>
Incidentally, it was only a few days before these
disclosures that Julian Assange spoke of "<a
moz-do-not-send="true"
href="http://www.nytimes.com/2013/06/02/opinion/sunday/the-banality-of-googles-dont-be-evil.html?pagewanted=all&_r=0">technocratic
imperialism</a>" led by the US-Google combine... How quite
to the point he was... Although so many of us are so eager
to let the big companies off the hook with respect to the
recent episodes. <br>
<br>
What got to be done now? If we indeed are eager to do
something, two things (1) do everything to decentralise the
global Internet's architecture, and (2) get on with putting
in place global norms, principles, rules and where needed
treaties that will govern our collective Internet behaviour,
and provide us with our rights and responsibilities vis a
vis the global Internet.<br>
<br>
But if there are other possible prescriptions, one is all
ears.<br>
<br>
parminder<br>
<br>
</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On Tuesday 25 June 2013 01:04 PM,
parminder wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Monday 24 June 2013 08:18 PM,
Katitza Rodriguez wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Only answering one of the questions
on jurisdictional issues: The answer is somewhat complex<br>
<br>
<span style="font-size:10.5pt;font-family:"Lucida
Sans Unicode","sans-serif"">if data is
hosted in the US by US companies (or hosted in the US
by companies based overseas), the government has taken
the position that it is subject to U.S. legal
processes, including National Security Letters,
2703(d) Orders, Orders under section 215 of the
Patriot Act and regular warrants and subpoenas,
regardless of where the user is located.</span><br>
<br>
<span style="font-size:10.5pt;font-family:"Lucida
Sans Unicode","sans-serif"">The legal
standard for production of information by a third
party, including cloud computing services under US
civil (</span><a moz-do-not-send="true"
href="http://www.law.cornell.edu/rules/frcp/rule_45"><span
style="font-size:10.5pt;font-family:"inherit","serif";border:none
windowtext 1.0pt;padding:0cm;text-decoration:none">http://www.law.cornell.edu/rules/frcp/rule_45</span></a><span
style="font-size:10.5pt;font-family:"Lucida Sans
Unicode","sans-serif"">) and criminal (</span><a
moz-do-not-send="true"
href="http://www.law.cornell.edu/rules/frcrmp/rule_16"><span
style="font-size:10.5pt;font-family:"inherit","serif";border:none
windowtext 1.0pt;padding:0cm;text-decoration:none">http://www.law.cornell.edu/rules/frcrmp/rule_16</span></a><span
style="font-size:10.5pt;font-family:"Lucida Sans
Unicode","sans-serif"">) law is whether
the information is under the "possession, custody or
control" of a party that is subject to US
jurisdiction. It doesn’t matter where the information
is physically stored, where the company is
headquartered or, importantly, where the person whose
information is sought is located. The issue for users
is whether the US has jurisdiction over the cloud
computing service they use, and whether the cloud
computing service has “possession, custody or control”
of their data, wherever it rests physically. For
example, one could imagine a situation in which a
large US-based company was loosely related to a
subsidiary overseas, but did not have “possession,
custody, or control” of the data held by the
subsidiary and thus the data wasn’t subject to US
jurisdiction.</span><o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><br>
Interesting, although maybe somewhat obvious! So, even if an
European sends a email (gmail) to another European, and the
transit and storage of the content never in fact reaches US
borders, Google would still be obliged to hand over the
contents to US officials under PRISM...... Can a country
claim that Google broke its law in the process, a law
perhaps as serious as espionage, whereby the hypothesized
European to European email could have carried classified
information! Here, Google, on instructions of US authorities
would have actually transported a piece of classified - or
otherwise illegal to access - information from beyond US
borders into US borders. <br>
<br>
What about US telcos working in other countries, say in
India. AT&T (through a majority held JV) claims to be
the largest enterprise service provider in India. And we
know AT & T has been a somewhat over enthusiastic
partner in US's global espionage (for instance see <a
moz-do-not-send="true"
href="http://www.techdirt.com/articles/20100121/1418107862.shtml">here</a>
)... Would all the information that AT & T has the
"possession. custody and control" of in India in this matter
not be considered fair game to access by the US...... All
this looks like a sliding progression to me. Where are the
limits, who lays the rules in this global space.... <br>
<br>
parminder <br>
<br>
<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
On 6/24/13 5:28 AM, parminder wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi All<br>
<br>
There was some demand on the bestbits list that we still
need to ask a lot of questions from the involved companies
in terms of the recent PRISM plus disclosures. We are
being too soft on them. I refuse to believe that
everything they did was forced upon on them. Apart from
the fact that there are <a moz-do-not-send="true"
href="http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html">news
reports</a> that US based tech companies regularly share
data with US gov for different kinds of favours in return,
or even simply motivated by nationalistic feeling, we
should not forget that many of these companies have strong
political agenda which are closely associated with that of
the US gov. You must all know about '<a
moz-do-not-send="true"
href="http://en.wikipedia.org/wiki/Google_Ideas">Google
Ideas</a>', its revolving doors with US gov's security
apparatus, and its own aggressive <a
moz-do-not-send="true"
href="http://www.informationclearinghouse.info/article34535.htm">regime
change ideas</a>. Facebook also is known to 'like' some
things, say in MENA region, and not other things in the
same region.....<br>
<br>
<span
style="font-family:"Verdana","sans-serif"">Firstly,
one would want to know </span>whether the obligations
to share data with US government extended only to such
data that is actually located in, or flows, through, the
US. Or, does it extend to all data within the legal
control/ ownership of these companies wherever it may
reside. (I think, certainly hope, it must be the former,
but still I want to be absolutely sure, and hear directly
from these companies.)<br>
<br>
Now, if the obligation was to share only such data that
actually resided in servers inside the US, why did these
companies, in face of what was obviously very broad and
intrusive demands for sharing data about non US citizens,
not simply locate much of such data outside the US. For
instance, it could pick up the top 10 countries, the data
of whose citizens was repeatedly sought by US authorities,
and shift all their data to servers in other countries
that made no such demand? Now, we know that many of the
involved companies have set up near fictitious companies
headquartered in strange places for the purpose of tax
avoidance/ evasion. Why could they not do for the sake of
protecting human rights, well, lets only say, the trust,
of non US citizens/ consumers, what they so very
efficiently did for enhancing their bottom-lines? <br>
<br>
Are there any such plan even now? While I can understand
that there can be some laws to force a company to hold the
data of citizens of a country within its border, there
isnt any law which can force these companies to hold
foreign data within a country's borders... Or would any
such act perceived to be too unfriendly an act by the US
gov?<br>
<br>
<br>
I am sure others may have other questions to ask these
companies.....<br>
<br>
parminder <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Katitza Rodriguez<o:p></o:p></pre>
<pre>International Rights Director<o:p></o:p></pre>
<pre>Electronic Frontier Foundation<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:katitza@eff.org">katitza@eff.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:katitza@datos-personales.org">katitza@datos-personales.org</a> (personal email)<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Please support EFF - Working to protect your digital rights and freedom of speech since 1990<o:p></o:p></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Dr Marianne Franklin
Reader
Convener: Global Media & Transnational Communications Program
Co-Chair Internet Rights & Principles Coalition (UN IGF)
Goldsmiths, University of London
Dept. of Media & Communications
New Cross, London SE14 6NW
Tel: +44 20 7919 7072
<a class="moz-txt-link-rfc2396E" href="mailto:m.i.franklin@gold.ac.uk"><m.i.franklin@gold.ac.uk></a>
@GloComm
<a class="moz-txt-link-freetext" href="https://twitter.com/GloComm">https://twitter.com/GloComm</a>
<a class="moz-txt-link-freetext" href="http://www.gold.ac.uk/media-communications/staff/franklin/">http://www.gold.ac.uk/media-communications/staff/franklin/</a>
<a class="moz-txt-link-freetext" href="https://www.gold.ac.uk/pg/ma-global-media-transnational-communications/">https://www.gold.ac.uk/pg/ma-global-media-transnational-communications/</a>
<a class="moz-txt-link-abbreviated" href="http://www.internetrightsandprinciples.org">www.internetrightsandprinciples.org</a>
@netrights</pre>
</body>
</html>