[governance] RE: [bestbits] PRISM - is it about the territorial location of data or its legal ownership

Benedek, Wolfgang (wolfgang.benedek@uni-graz.at) wolfgang.benedek at uni-graz.at
Wed Jun 26 02:34:52 EDT 2013


In this context I suggest a look at the recent guide by the EU Commission:
ICT Sector Guide on Implementing the UN Guiding Principles on Business and
Human Rights.

Kind regards

Wolfgang

Univ.-Prof. Dr. Wolfgang Benedek
Institute for International Law and International Relations
University of Graz
Universitätsstraße 15, A4
A-8010 Graz
Tel.: +43/316/380/3411
Fax: +43/316/380/9455






On 25.06.13 17:59, "Andrew Puddephatt" <Andrew at gp-digital.org> wrote:

>Just welcoming Parminder's focus on companies here.  I feel that the
>current situation is an opportunity to push the companies a lot more
>rigorously than we have been able to do so far.   I like the idea of
>global norms and principles and I wonder if anyone has done any detailed
>work on this in relation to security/surveillance and jurisdictional
>questions - specifically the role of global companies rooted in one
>jurisdiction (principally the US I would guess?).    I note that some
>German MPs are calling for US companies to establish a German cloud
>distinct and separate from US jurisdiction.
>
>I think we can strategically link the two issues that Parminder has
>flagged up - we can reinforce the push for norms and principles pointing
>out this is a way for countries to escape the US orbit - as long as we
>can avoid the danger of breaking the internet into separate national
>infrastructures - which is where the norms and principles need to be
>carefully defined.   Is this something we can discuss online and then
>discuss in person at Bali?
>
>Looking at the GNI principle on privacy it says:
>
>
>Privacy is a human right and guarantor of human dignity. Privacy is
>important to maintaining personal security, protecting identity and
>promoting freedom of expression in the digital age.
>
>Everyone should be free from illegal or arbitrary interference with the
>right to privacy and should have the right to the protection of the law
>against such interference or attacks.
>
>The right to privacy should not be restricted by governments, except in
>narrowly defined circumstances based on internationally recognized laws
>and standards. These restrictions should be consistent with international
>human rights laws and standards, the rule of law and be necessary and
>proportionate for the relevant purpose.
>
>Participating companies will employ protections with respect to personal
>information in all countries where they operate in order to protect the
>privacy rights of users.
>
>Participating companies will respect and protect the privacy rights of
>users when confronted with government demands, laws or regulations that
>compromise privacy in a manner inconsistent with internationally
>recognized laws and standards.
>
>Is this something to build upon?   The final clause is interesting - it
>implies that signatory companies will respect privacy even when asked to
>comply with laws that breach internationally recognized laws and
>standards which I assume everyone thinks that FISA does?
>
>
>
>
>Andrew Puddephatt | GLOBAL PARTNERS DIGITAL
>Executive Director
>Development House, 56-64 Leonard Street, London EC2A 4LT
>T: +44 (0)20 7549 0336 | M: +44 (0)771 339 9597 | Skype: andrewpuddephatt
>gp-digital.org
>
>From: bestbits-request at lists.bestbits.net
>[mailto:bestbits-request at lists.bestbits.net] On Behalf Of parminder
>Sent: 25 June 2013 09:25
>To: bestbits at lists.bestbits.net; governance at lists.igcaucus.org
>Subject: Re: [bestbits] PRISM - is it about the territorial location of
>data or its legal ownership
>
>
>This is how I think it works overall - the digital imperialist
>system..... Global Internet companies - mostly US based -  know that much
>of their operations worldwide legally are on slippery grounds.... They
>find it safest to hang on to the apron strings of the one superpower in
>the world today, the US... They know that the US establishment is their
>best political and legal cover.  The US of course finds so much military,
>political, economic, social and cultural capital in being the team
>leader... It is an absolutely win win... That is what PRISM plus has been
>about. And this is what most global (non) Internet governance has been
>about - with the due role of the civil society often spoken of here.
>
>Incidentally, it was only a few days before these disclosures that Julian
>Assange spoke of "technocratic imperialism"
><http://www.nytimes.com/2013/06/02/opinion/sunday/the-banality-of-googles-dont-be-evil.html?pagewanted=all&_r=0>
>led by the US-Google
>combine... How quite to the point he was... Although so many of us are so
>eager to let the big companies off the hook with respect to the recent
>episodes.
>
>What has got to be done now? If we indeed are eager to do something, two
>things (1) do everything to decentralise the global Internet's
>architecture, and (2) get on with putting in place global norms,
>principles, rules and where needed treaties that will govern our
>collective Internet behaviour, and provide us with our rights and
>responsibilities vis a vis the global Internet.
>
>But if there are other possible prescriptions, one is all ears.
>
>parminder
>
>On Tuesday 25 June 2013 01:04 PM, parminder wrote:
>
>On Monday 24 June 2013 08:18 PM, Katitza Rodriguez wrote:
>Only answering one of the questions on jurisdictional issues: The answer
>is somewhat complex
>
>if data is hosted in the US by US companies (or hosted in the US by
>companies based overseas), the government has taken the position that it
>is subject to U.S. legal processes, including National Security Letters,
>2703(d) Orders, Orders under section 215 of the Patriot Act and regular
>warrants and subpoenas, regardless of where the user is located.
>
>The legal standard for production of information by a third party,
>including cloud computing services under US civil
>(http://www.law.cornell.edu/rules/frcp/rule_45) and criminal
>(http://www.law.cornell.edu/rules/frcrmp/rule_16) law is whether the
>information is under the "possession, custody or control" of a party that
>is subject to US jurisdiction. It doesn't matter where the information is
>physically stored, where the company is headquartered or, importantly,
>where the person whose information is sought is located. The issue for
>users is whether the US has jurisdiction over the cloud computing service
>they use, and whether the cloud computing service has "possession,
>custody or control" of their data, wherever it rests physically. For
>example, one could imagine a situation in which a large US-based company
>was loosely related to a subsidiary overseas, but did not have
>"possession, custody, or control" of the data held by the subsidiary and
>thus the data wasn't subject to US jurisdiction.
>
>Interesting, although maybe somewhat obvious! So, even if a European
>sends an email (gmail) to another European, and the transit and storage of
>the content never in fact reaches US borders, Google would still be
>obliged to hand over the contents to US officials under PRISM...... Can a
>country claim that Google broke its law in the process, a law perhaps as
>serious as espionage, whereby the hypothesized European to European email
>could have carried classified information! Here, Google, on instructions
>of US authorities would have actually transported a piece of classified -
>or otherwise illegal to access - information from beyond US borders into
>US borders.
>
>What about US telcos working in other countries, say in India. AT&T
>(through a majority held JV) claims to be the largest enterprise service
>provider in India. And we know AT & T has been a somewhat over
>enthusiastic partner in US's global espionage (for instance see
>here<http://www.techdirt.com/articles/20100121/1418107862.shtml> )...
>Would all the information that AT & T has the "possession, custody and
>control" of in India in this matter not be considered fair game to access
>by the US...... All this looks like a sliding progression to me.  Where
>are the limits, who lays the rules in this global space....
>
>parminder
>
>
>
>
>On 6/24/13 5:28 AM, parminder wrote:
>Hi All
>
>There was some demand on the bestbits list that we still need to ask a
>lot of questions from the involved companies in terms of the recent PRISM
>plus disclosures. We are being too soft on them. I refuse to believe that
>everything they did was forced upon them. Apart from the fact that
>there are news reports
><http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html>
>that US based tech companies
>regularly share data with US gov for different kinds of favours in
>return, or even simply motivated by nationalistic feeling, we should not
>forget that many of these companies have strong political agenda which
>are closely associated with that of the US gov.   You must all know about
>'Google Ideas<http://en.wikipedia.org/wiki/Google_Ideas>', its revolving
>doors with US gov's security apparatus, and its own aggressive regime
>change ideas<http://www.informationclearinghouse.info/article34535.htm>.
>Facebook also is known to 'like' some things, say in MENA region, and
>not other things in the same region.....
>
>Firstly, one would want to know whether the obligations to share data
>with US government extended only to such data that is actually located
>in, or flows through, the US. Or, does it extend to all data within the
>legal control/ ownership of these companies wherever it may reside.  (I
>think, certainly hope, it must be the former, but still I want to be
>absolutely sure, and hear directly from these companies.)
>
>Now, if the obligation was to share only such data that actually resided
>in servers inside the US, why did these companies, in face of what was
>obviously very broad and intrusive demands for sharing data about non US
>citizens, not simply locate much of such data outside the US. For
>instance, it could pick up the top 10 countries, the data of whose
>citizens was repeatedly sought by US authorities, and shift all their
>data to servers in other countries that made no such demand? Now, we know
>that many of the involved companies have set up near fictitious companies
>headquartered in strange places for the purpose of tax avoidance/
>evasion. Why could they not do for the sake of protecting human rights,
>well, let's only say, the trust, of non US citizens/ consumers, what they
>so very efficiently did for enhancing their bottom-lines?
>
>Is there any such plan even now? While I can understand that there can
>be some laws to force a company to hold the data of citizens of a country
>within its border, there isn't any law which can force these companies to
>hold foreign data within a country's borders... Or would any such act
>be perceived to be too unfriendly an act by the US gov?
>
>
>I am sure others may have other questions to ask these companies.....
>
>parminder
>
>
>
>
>--
>
>Katitza Rodriguez
>
>International Rights Director
>
>Electronic Frontier Foundation
>
>katitza at eff.org<mailto:katitza at eff.org>
>
>katitza at datos-personales.org<mailto:katitza at datos-personales.org>
>(personal email)
>
>
>
>Please support EFF - Working to protect your digital rights and freedom
>of speech since 1990
>

