[governance] RE: [bestbits] PRISM - is it about the territorial location of data or its legal ownership

Jovan Kurbalija jovank at diplomacy.edu
Wed Jun 26 13:32:22 EDT 2013


Thank you Wolfgang for this pointer to the EU's ICT Sector Guide. The
process of drafting the ICT Guide had another particularly useful aspect.
The ICT Guide was done in parallel to guides to two other business
sectors<http://ec.europa.eu/enterprise/policies/sustainable-business/corporate-social-responsibility/human-rights/>
(employment
and recruitment agencies,  and oil and gas companies). There was a good
balance between cross-fertilisation among the three areas, and the
uniqueness of each area. For me, the level of commonality among the three
business areas (ICT sector, employment/recruitment and oil/gas) was higher
than I expected.

Another initiative that may have relevance in the future, especially in the
case of the 'securitisation' of the Internet space, is the Montreaux
document on private military and security
companies<http://www.dcaf.ch/Project/Raising-Awareness-of-the-Montreux-Document-on-PMSCs>.


Regards, Jovan

*Jovan Kurbalija, Phd*

Director, DiploFoundation
*
Note: *If you have been waiting for a reply from me, this might explain my
tardiness. <http://www.diplomacy.edu/blog/are-you-e-polite-0> Thank you for
your patience!* **Upcoming online courses at Diplo:  *Master in
Contemporary Diplomacy (with Internet Governance
option)<http://www.diplomacy.edu/courses/MAPGD>
*l* Humanitarian Diplomacy <http://www.diplomacy.edu/courses/humanitarian> *
l** *Capacity Development <http://www.diplomacy.edu/courses/capacity>* l** *
*Multilateral Diplomacy <http://www.diplomacy.edu/courses/multilateral> **l*
* **Infrastructure and Critical Internet
Resources<http://www.diplomacy.edu/courses/IGCBP-Adv-Infrastructure>
**l** **Complete Catalogue of Online Courses<http://www.diplomacy.edu/courses/>
*


**


On Wed, Jun 26, 2013 at 8:34 AM, Benedek, Wolfgang (
wolfgang.benedek at uni-graz.at) <wolfgang.benedek at uni-graz.at> wrote:

> In this context I suggest a look at the recent guide by the EU Commission:
> ICT Sector Guide on Implementing the UN Guiding Principles on Business and
> Human Rights.
>
> Kind regards
>
> Wolfgang
>
> Univ.-Prof. Dr. Wolfgang Benedek
> Institute for International Law and International Relations
> University of Graz
> Universitätsstraße 15, A4
> A-8010 Graz
> Tel.: +43/316/380/3411
> Fax: +43/316/380/9455
>
>
>
>
>
>
> Am 25.06.13 17:59 schrieb "Andrew Puddephatt" unter
> <Andrew at gp-digital.org>:
>
> >Just welcoming Parminder¹s focus on companies here.  I feel that the
> >current situation is an opportunity to push the companies a lot more
> >rigorously than we have been able to do so far.   I like the idea of
> >global norms and principles and I wonder if anyone has done any detailed
> >work on this in relation to security/surveillance and jurisdictional
> >questions ­ specifically the role of global companies rooted in one
> >jurisdiction (principally the US I would guess?).    I note that some
> >German MPs are calling for US companies to establish a German cloud
> >distinct and separate from US jurisdiction..
> >
> >I think we can strategically link the two issues that Parminder has
> >flagged up ­ we can reinforce the push for norms and principles pointing
> >out this is a way for country¹s to escape the US orbit ­ as long as we
> >can avoid the danger of breaking the internet into separate national
> >infrastructures ­ which is where the norms and principles need to be
> >carefully defined.   Is this something we can discuss online and then
> >discuss in person at Bali?
> >
> >Looking at the GNI principle on privacy it says:
> >
> >
> >Privacy is a human right and guarantor of human dignity. Privacy is
> >important to maintaining personal security, protecting identity and
> >promoting freedom of expression in the digital age.
> >
> >Everyone should be free from illegal or arbitrary interference with the
> >right to privacy and should have the right to the protection of the law
> >against such interference or attacks.
> >
> >The right to privacy should not be restricted by governments, except in
> >narrowly defined circumstances based on internationally recognized laws
> >and standards. These restrictions should be consistent with international
> >human rights laws and standards, the rule of law and be necessary and
> >proportionate for the relevant purpose.
> >
> >Participating companies will employ protections with respect to personal
> >information in all countries where they operate in order to protect the
> >privacy rights of users.
> >
> >Participating companies will respect and protect the privacy rights of
> >users when confronted with government demands, laws or regulations that
> >compromise privacy in a manner inconsistent with internationally
> >recognized laws and standards.
> >
> >Is this something to build upon?   The final clause is interesting ­ it
> >implies that signatory companies will respect privacy even when asked to
> >comply with laws that breach internationally recognized laws and
> >standards which I assume everyone thinks that FISA does?
> >
> >
> >
> >
> >Andrew Puddephatt | GLOBAL PARTNERS DIGITAL
> >Executive Director
> >Development House, 56­64 Leonard Street, London EC2A 4LT
> >T: +44 (0)20 7549 0336 | M: +44 (0)771 339 9597 | Skype: andrewpuddephatt
> >gp-digital.org
> >
> >From: bestbits-request at lists.bestbits.net
> >[mailto:bestbits-request at lists.bestbits.net] On Behalf Of parminder
> >Sent: 25 June 2013 09:25
> >To: bestbits at lists.bestbits.net; governance at lists.igcaucus.org
> >Subject: Re: [bestbits] PRISM - is it about the territorial location of
> >data or its legal ownership
> >
> >
> >This is how I think it works overall - the digital imperialist
> >system..... Global Internet companies - mostly US based -  know that much
> >of their operations worldwide legally are on slippery grounds.... They
> >find it safest to hang on to the apron strings of the one superpower in
> >the world today, the US... They know that the US establishement is their
> >best political and legal cover.  The US of course finds so much military,
> >political, economic, social and cultural capital in being the team
> >leader... It is an absolutely win win... That is what PRISM plus has been
> >about. And this is what most global (non) Internet governance has been
> >about - with the due role of the civil society often spoken of here.
> >
> >Incidentally, it was only a few days before these disclosures that Julian
> >Assange spoke of "technocratic
> >imperialism<
> http://www.nytimes.com/2013/06/02/opinion/sunday/the-banality-
> >of-googles-dont-be-evil.html?pagewanted=all&_r=0>" led by the US-Google
> >combine... How quite to the point he was... Although so many of us are so
> >eager to let the big companies off the hook with respect to the recent
> >episodes.
> >
> >What got to be done now? If we indeed are eager to do something, two
> >things (1) do everything to decentralise the global Internet's
> >architecture, and (2) get on with putting in place global norms,
> >principles, rules and where needed treaties that will govern our
> >collective Internet behaviour, and provide us with our rights and
> >responsibilities vis a vis the global Internet.
> >
> >But if there are other possible prescriptions, one is all ears.
> >
> >parminder
> >
> >On Tuesday 25 June 2013 01:04 PM, parminder wrote:
> >
> >On Monday 24 June 2013 08:18 PM, Katitza Rodriguez wrote:
> >Only answering one of the questions on jurisdictional issues: The answer
> >is somewhat complex
> >
> >if data is hosted in the US by US companies (or hosted in the US by
> >companies based overseas), the government has taken the position that it
> >is subject to U.S. legal processes, including National Security Letters,
> >2703(d) Orders, Orders under section 215 of the Patriot Act and regular
> >warrants and subpoenas, regardless of where the user is located.
> >
> >The legal standard for production of information by a third party,
> >including cloud computing services under US civil
> >(http://www.law.cornell.edu/rules/frcp/rule_45) and criminal
> >(http://www.law.cornell.edu/rules/frcrmp/rule_16) law is whether the
> >information is under the "possession, custody or control" of a party that
> >is subject to US jurisdiction. It doesn¹t matter where the information is
> >physically stored, where the company is headquartered or, importantly,
> >where the person whose information is sought is located. The issue for
> >users is whether the US has jurisdiction over the cloud computing service
> >they use, and whether the cloud computing service has ³possession,
> >custody or control² of their data, wherever it rests physically. For
> >example, one could imagine a situation in which a large US-based company
> >was loosely related to a subsidiary overseas, but did not have
> >³possession, custody, or control² of the data held by the subsidiary and
> >thus the data wasn¹t s
> > ubject to US jurisdiction.
> >
> >Interesting, although maybe somewhat obvious! So, even if an European
> >sends a email (gmail) to another European, and the transit and storage of
> >the content never in fact reaches US borders, Google would still be
> >obliged to hand over the contents to US officials under PRISM...... Can a
> >country claim that Google broke its law in the process, a law perhaps as
> >serious as espionage, whereby the hypothesized European to European email
> >could have carried classified information! Here, Google, on instructions
> >of US authorities would have actually transported a piece of classified -
> >or otherwise illegal to access - information from beyond US borders into
> >US borders.
> >
> >What about US telcos working in other countries, say in India. AT&T
> >(through a majority held JV) claims to be the largest enterprise service
> >provider in India. And we know AT & T has been a somewhat over
> >enthusiastic partner in US's global espionage (for instance see
> >here<http://www.techdirt.com/articles/20100121/1418107862.shtml> )...
> >Would all the information that AT & T has the "possession. custody and
> >control" of in India in this matter not be considered fair game to access
> >by the US...... All this looks like a sliding progression to me.  Where
> >are the limits, who lays the rules in this global space....
> >
> >parminder
> >
> >
> >
> >
> >On 6/24/13 5:28 AM, parminder wrote:
> >Hi All
> >
> >There was some demand on the bestbits list that we still need to ask a
> >lot of questions from the involved companies in terms of the recent PRISM
> >plus disclosures. We are being too soft on them. I refuse to believe that
> >everything they did was forced upon on them. Apart from the fact that
> >there are news
> >reports<
> http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap
> >-data-with-thousands-of-firms.html> that US based tech companies
> >regularly share data with US gov for different kinds of favours in
> >return, or even simply motivated by nationalistic feeling, we should not
> >forget that many of these companies have strong political agenda which
> >are closely associated with that of the US gov.   You must all know about
> >'Google Ideas<http://en.wikipedia.org/wiki/Google_Ideas>', its revolving
> >doors with US gov's security apparatus, and its own aggressive regime
> >change ideas<http://www.informationclearinghouse.info/article34535.htm>.
> >Facebook also is known to 'like' some things,
> > say in MENA region, and not other things in the same region.....
> >
> >Firstly, one would want to know whether the obligations to share data
> >with US government extended only to such data that is actually located
> >in, or flows, through, the US. Or, does it extend to all data within the
> >legal control/ ownership of these companies wherever it may reside.  (I
> >think, certainly hope, it must be the former, but still I want to be
> >absolutely sure, and hear directly from these companies.)
> >
> >Now, if the obligation was to share only such data that actually resided
> >in servers inside the US, why did these companies, in face of what was
> >obviously very broad and intrusive demands for sharing data about non US
> >citizens, not simply locate much of such data outside the US. For
> >instance, it could pick up the top 10 countries, the data of whose
> >citizens was repeatedly sought by US authorities, and shift all their
> >data to servers in other countries that made no such demand? Now, we know
> >that many of the involved companies have set up near fictitious companies
> >headquartered in strange places for the purpose of tax avoidance/
> >evasion. Why could they not do for the sake of protecting human rights,
> >well, lets only say, the trust, of non US citizens/ consumers, what they
> >so very efficiently did for enhancing their bottom-lines?
> >
> >Are there any such plan even now? While I can understand that there can
> >be some laws to force a company to hold the data of citizens of a country
> >within its border, there isnt any law which can force these companies to
> >hold foreign data within a country's borders... Or would any such act
> >perceived to be too unfriendly an act by the US gov?
> >
> >
> >I am sure others may have other questions to ask these companies.....
> >
> >parminder
> >
> >
> >
> >
> >--
> >
> >Katitza Rodriguez
> >
> >International Rights Director
> >
> >Electronic Frontier Foundation
> >
> >katitza at eff.org<mailto:katitza at eff.org>
> >
> >katitza at datos-personales.org<mailto:katitza at datos-personales.org>
> >(personal email)
> >
> >
> >
> >Please support EFF - Working to protect your digital rights and freedom
> >of speech since 1990
> >
>
>
>
> ____________________________________________________________
> You received this message as a subscriber on the list:
>      governance at lists.igcaucus.org
> To be removed from the list, visit:
>      http://www.igcaucus.org/unsubscribing
>
> For all other list information and functions, see:
>      http://lists.igcaucus.org/info/governance
> To edit your profile and to find the IGC's charter, see:
>      http://www.igcaucus.org/
>
> Translate this email: http://translate.google.com/translate_t
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/bestbits/attachments/20130626/f1fd63e7/attachment.htm>


More information about the Bestbits mailing list