[governance] Re: [bestbits] PRISM - is it about the territorial location of data or its legal ownership

parminder parminder at itforchange.net
Wed Jun 26 06:24:16 EDT 2013


While building on the past is important, I think, there is also a keen 
realisation  that we are passing - and mostly, missing - a series of 
what could be 'constitutional moments' for a new Internet mediated 
society... And that the global civil society should pause, and 
retrospect. I see this from emails of Gene, Andrew, Michael, Marianne 
and others - on diverse issues, ranging from the recently concluded 
meeting of ITU WG on Internet related public policy issues to PRISM plus 
disclosures.

Let me try to pick what in my view are some 'big points' of the present 
moment... and then drill downwards. The biggest I think is that we need 
to get over that age of innocence, whereby most civil society took the 
stance that less rather than more global IG is better..... That was a 
mistake, and continues to be a mistake... Internet is big, it is global, 
it transforms everything. And the prescription of less rather than more 
- appropriate - governance of it can only serve dominant interests. We 
need to accept that - whether it is human rights, or it is 
distributional issues - we need more global IG. And since Internet 
itself is new, its global governance too will involve many new elements. 
It is, to a good measure, up to the civil society to be innovative and 
brave in this regard..... Something, unfortunately, we have consistently 
shrunk from doing...

First of all, we urgently need an appropriate focal point - and around 
it a webbed architecture - of global IG.... And that focal point I think 
should be a body like the OECD's Committee on Computers, Information and 
Communication Policy, which can be attached to the UN General Assembly, 
and should be new age in its structure, form, participation avenues 
etc... And this committee should be fed in by the IGF. Everyone who 
knows about the OECD's CCICP, knows how intensively it works, and what 
quality of output it produces, and how consultative, 
multi-stakeholder etc it is.....

We simply must create a similar focal point at the global level, right 
away..... Let's at least discuss it... I have raised this proposal 
several times, but have had no real response on why such a body at the 
global level is not appropriate, and why is it appropriate at OECD 
level.... This single step would go a long way in setting us on the 
right direction....

And then, this is the second imperative, we need to go down to some real 
work.... not just the highest level principles that have been around but 
seem not to really work... For example, Andrew quotes privacy principles 
from GNI document. Well, its provisions clearly were violated by what 
Snowden tells us... So?? Nothing happens. Right. We have provisions in 
the IRP doc as well....

What we need to do now is to move to the next serious level.... Speak 
about actual due process, guarantees for transit data. how these 
guarantees operate, and the such. We were informed recently on the IGC 
list that EU does not subject data that is merely in transit to data 
retention requirements. How this obligation can be extended to others. 
... What disclosures can and should the telecom and application 
companies share about data hosting and transit, and applicability of 
different jurisdictions over the data they carry and process.... We need 
to drill down to such real issues. And that kind of thing happens only 
when there are clear focal points for policy development that exist  
(See for instance the real work that is going on right now in Marrakesh 
for writing out a new treaty guaranteeing access to printed material for 
the visually impaired).... We have on the other hand seen the kind of 
joke that the IGF has rendered itself into as a policy dialogue 
forum.... We need to take preventive action against such motivated 
obfuscations....

So, as I said, two things - (1) look for a real institutional focal 
point for global IG, where all can participate, and (2), work on real 
norms, policy frameworks, in the manner OECD's CCICP does.... I see no 
other option... but as always willing, to hear about them, if they exist....

parminder



On Wednesday 26 June 2013 02:45 PM, Andrew Puddephatt wrote:
>
> Entirely agree Marianne – this seems  a sensible way of proceeding
>
> Andrew Puddephatt | GLOBAL PARTNERS DIGITAL
>
> Executive Director
>
> Development House, 56–64 Leonard Street, London EC2A 4LT
>
> T: +44 (0)20 7549 0336 | M: +44 (0)771 339 9597 | Skype: andrewpuddephatt
> *gp-digital.org*
>
> *From:*Marianne Franklin [mailto:m.i.franklin at gold.ac.uk]
> *Sent:* 26 June 2013 08:30
> *To:* Andrew Puddephatt
> *Cc:* 'parminder'; bestbits at lists.bestbits.net; 
> governance at lists.igcaucus.org; irp at lists.internetrightsandprinciples.org
> *Subject:* Re: [bestbits] PRISM - is it about the territorial location 
> of data or its legal ownership
>
> Dear Andrew
>
> Have been following the conversation with interest. The point 
> Parminder raises about the responsibilities of companies in ensuring 
> that human rights in the fullest sense of the term are not jeopardised 
> at the deepest levels of the internet's architecture is one that 
> indeed needs attention. However, the conversation so far is proceeding 
> as if no work at all has been done around human rights norms and 
> principles for the internet. This is not the case. A lot of work has 
> been done, indeed stretching back many years into the WSIS period. If 
> we choose to forget or ignore what came before we are all doomed to 
> repeat past mistakes (as a great sage once remarked)!
>
> With the Bali IGF as a venue for meeting and moving forward I do think 
> it is important to note that the Charter of Human Rights and 
> Principles already goes a *long* way in defining these 'global' (I use 
> the term advisedly) norms and principles carefully. The reason for the 
> cautious approach in 2010-2011 when the IRP Coalition was drafting 
> this current version was precisely in order to be precise and 
> coherent. Many people on all these lists were involved in this process 
> and can share the credit for what has been achieved. The cautiousness 
> then, criticised at the time, has paid off in retrospect.
>
> As a wide-ranging Charter of human rights and principles focusing on 
> the online environment, then picked up by Frank La Rue thanks to the 
> work of the then IRP Coalition Chairs, Lisa Horner and Dixie Hawtin in 
> turn, based on the UDHR and its successors it was, and is not intended 
> to be a prescriptive, or one-size-fits-all document. What was intended 
> and to my mind has been achieved is rather a baseline, inspirational 
> framing for the work that is now emerging around specific cases and 
> situations such as privacy, freedom of expression and so on that have 
> been thrown into relief by the events around PRISM. The IRP Charter is 
> also careful to include the responsibility of companies as integral to 
> these emerging norms. Events have underscored that the IRP Charter was 
> a project worth engaging in and for that the 'we' on these lists did 
> achieve something quite remarkable.
>
> Moving the IRP Charter up a level is a focus for two workshops at 
> least in Bali, and the IRP Meeting there I would like to propose that 
> these are very suitable places to continue these discussions, online 
> and of course in person. The Best Bits meeting prior to the IGF is in 
> this respect a great way to get started as the next stage of the IRP 
> Charter in substantive terms gets underway i.e. addressing the weaker 
> parts of the current Beta version 
> (http://internetrightsandprinciples.org/site/charter/) and widen 
> awareness amongst the human rights community and inter-govn 
> organizations. A huge step in the latter has already been achieved in 
> recent weeks and I would like to add these moves to the work being 
> done through Best Bits.
>
> Finally, on principles seeing as this focus is also on the IGF agenda, 
> here too the IRP Charter developed precursor models (such as the APC 
> Bill of Rights, the Marco Civil principles too) the IRP Ten Principles 
> are intended as an educational, outreach version of the actual 
> Charter. So here the work being initiated around Internet Governance 
> Principles (however defined) is something the IRP coalition supports 
> implicitly.
>
> The only question I am getting from members is about how better to 
> work together, which is why the current Charter goes quite some way in 
> establishing the sort of framework that is being advocated here. No 
> need to reinvent the wheel in other words!
>
> best
> MF
>
> On 25/06/2013 17:59, Andrew Puddephatt wrote:
>
>     Just welcoming Parminder’s focus on companies here.  I feel that
>     the current situation is an opportunity to push the companies a
>     lot more rigorously than we have been able to do so far.   I like
>     the idea of global norms and principles and I wonder if anyone has
>     done any detailed work on this in relation to
>     security/surveillance and jurisdictional questions – specifically
>     the role of global companies rooted in one jurisdiction
>     (principally the US I would guess?).    I note that some German
>     MPs are calling for US companies to establish a German cloud
>     distinct and separate from US jurisdiction..
>
>     I think we can strategically link the two issues that Parminder
>     has flagged up – we can reinforce the push for norms and
>     principles pointing out this is a way for countries to escape the
>     US orbit – as long as we can avoid the danger of breaking the
>     internet into separate national infrastructures – which is where
>     the norms and principles need to be carefully defined.   Is this
>     something we can discuss online and then discuss in person at Bali?
>
>     Looking at the GNI principle on privacy it says:
>
>     Privacy is a human right and guarantor of human dignity. Privacy
>     is important to maintaining personal security, protecting identity
>     and promoting freedom of expression in the digital age.
>
>     Everyone should be free from illegal or arbitrary interference
>     with the right to privacy and should have the right to the
>     protection of the law against such interference or attacks.
>
>     The right to privacy should not be restricted by governments,
>     except in narrowly defined circumstances based on internationally
>     recognized laws and standards. These restrictions should be
>     consistent with international human rights laws and standards, the
>     rule of law and be necessary and proportionate for the relevant
>     purpose.
>
>     Participating companies will employ protections with respect to
>     personal information in all countries where they operate in order
>     to protect the privacy rights of users.
>
>     Participating companies will respect and protect the privacy
>     rights of users when confronted with government demands, laws or
>     regulations that compromise privacy in a manner inconsistent with
>     internationally recognized laws and standards.
>
>     Is this something to build upon?   The final clause is interesting
>     – it implies that signatory companies will respect privacy even
>     when asked to comply with laws that breach internationally
>     recognized laws and standards which I assume everyone thinks that
>     FISA does?
>
>     Andrew Puddephatt | GLOBAL PARTNERS DIGITAL
>
>     Executive Director
>
>     Development House, 56–64 Leonard Street, London EC2A 4LT
>
>     T: +44 (0)20 7549 0336 | M: +44 (0)771 339 9597 | Skype:
>     andrewpuddephatt
>     *gp-digital.org*
>
>     *From:*bestbits-request at lists.bestbits.net
>     <mailto:bestbits-request at lists.bestbits.net>
>     [mailto:bestbits-request at lists.bestbits.net] *On Behalf Of *parminder
>     *Sent:* 25 June 2013 09:25
>     *To:* bestbits at lists.bestbits.net
>     <mailto:bestbits at lists.bestbits.net>;
>     governance at lists.igcaucus.org <mailto:governance at lists.igcaucus.org>
>     *Subject:* Re: [bestbits] PRISM - is it about the territorial
>     location of data or its legal ownership
>
>
>     This is how I think it works overall - the digital imperialist
>     system..... Global Internet companies - mostly US based - know
>     that much of their operations worldwide legally are on slippery
>     grounds.... They find it safest to hang on to the apron strings of
>     the one superpower in the world today, the US... They know that
>     the US establishment is their best political and legal cover. 
>     The US of course finds so much military, political, economic,
>     social and cultural capital in being the team leader... It is an
>     absolutely win win... That is what PRISM plus has been about. And
>     this is what most global (non) Internet governance has been about
>     - with the due role of the civil society often spoken of here.
>
>     Incidentally, it was only a few days before these disclosures that
>     Julian Assange spoke of "technocratic imperialism
>     <http://www.nytimes.com/2013/06/02/opinion/sunday/the-banality-of-googles-dont-be-evil.html?pagewanted=all&_r=0>"
>     led by the US-Google combine... How quite to the point he was...
>     Although so many of us are so eager to let the big companies off
>     the hook with respect to the recent episodes.
>
>     What got to be done now? If we indeed are eager to do something,
>     two things (1) do everything to decentralise the global Internet's
>     architecture, and (2) get on with putting in place global norms,
>     principles, rules and where needed treaties that will govern our
>     collective Internet behaviour, and provide us with our rights and
>     responsibilities vis a vis the global Internet.
>
>     But if there are other possible prescriptions, one is all ears.
>
>     parminder
>
>
>     On Tuesday 25 June 2013 01:04 PM, parminder wrote:
>
>         On Monday 24 June 2013 08:18 PM, Katitza Rodriguez wrote:
>
>             Only answering one of the questions on jurisdictional
>             issues: The answer is somewhat complex
>
>             if data is hosted in the US by US companies (or hosted in
>             the US by companies based overseas), the government has
>             taken the position that it is subject to U.S. legal
>             processes, including National Security Letters, 2703(d)
>             Orders, Orders under section 215 of the Patriot Act and
>             regular warrants and subpoenas, regardless of where the
>             user is located.
>
>             The legal standard for production of information by a
>             third party, including cloud computing services under US
>             civil (http://www.law.cornell.edu/rules/frcp/rule_45) and
>             criminal (http://www.law.cornell.edu/rules/frcrmp/rule_16) law
>             is whether the information is under the "possession,
>             custody or control" of a party that is subject to US
>             jurisdiction. It doesn’t matter where the information is
>             physically stored, where the company is headquartered or,
>             importantly, where the person whose information is sought
>             is located. The issue for users is whether the US has
>             jurisdiction over the cloud computing service they use,
>             and whether the cloud computing service has “possession,
>             custody or control” of their data, wherever it rests
>             physically. For example, one could imagine a situation in
>             which a large US-based company was loosely related to a
>             subsidiary overseas, but did not have “possession,
>             custody, or control” of the data held by the subsidiary
>             and thus the data wasn’t subject to US jurisdiction.
>
>
>         Interesting, although maybe somewhat obvious! So, even if a
>         European sends an email (gmail) to another European, and the
>         transit and storage of the content never in fact reaches US
>         borders, Google would still be obliged to hand over the
>         contents to US officials under PRISM...... Can a country claim
>         that Google broke its law in the process, a law perhaps as
>         serious as espionage, whereby the hypothesized European to
>         European email could have carried classified information!
>         Here, Google, on instructions of US authorities would have
>         actually transported a piece of classified - or otherwise
>         illegal to access - information from beyond US borders into US
>         borders.
>
>         What about US telcos working in other countries, say in India.
>         AT&T (through a majority held JV) claims to be the largest
>         enterprise service provider in India. And we know AT & T has
>         been a somewhat over enthusiastic partner in US's global
>         espionage (for instance see here
>         <http://www.techdirt.com/articles/20100121/1418107862.shtml>
>         )... Would all the information that AT & T has the
>         "possession, custody and control" of in India in this matter
>         not be considered fair game to access by the US...... All this
>         looks like a sliding progression to me. Where are the limits,
>         who lays the rules in this global space....
>
>         parminder
>
>
>
>
>
>         On 6/24/13 5:28 AM, parminder wrote:
>
>             Hi All
>
>             There was some demand on the bestbits list that we still
>             need to ask a lot of questions from the involved companies
>             in terms of the recent PRISM plus disclosures. We are
>             being too soft on them. I refuse to believe that
>             everything they did was forced upon them. Apart from
>             the fact that there are news reports
>             <http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html>
>             that US based tech companies regularly share data with US
>             gov for different kinds of favours in return, or even
>             simply motivated by nationalistic feeling, we should not
>             forget that many of these companies have strong political
>             agenda which are closely associated with that of the US
>             gov.   You must all know about 'Google Ideas
>             <http://en.wikipedia.org/wiki/Google_Ideas>', its
>             revolving doors with US gov's security apparatus, and its
>             own aggressive regime change ideas
>             <http://www.informationclearinghouse.info/article34535.htm>.
>             Facebook also is known to 'like' some things, say in MENA
>             region, and not other things in the same region.....
>
>             Firstly, one would want to know whether the obligations to
>             share data with US government extended only to such data
>             that is actually located in, or flows, through, the US.
>             Or, does it extend to all data within the legal control/
>             ownership of these companies wherever it may reside.  (I
>             think, certainly hope, it must be the former, but still I
>             want to be absolutely sure, and hear directly from these
>             companies.)
>
>             Now, if the obligation was to share only such data that
>             actually resided in servers inside the US, why did these
>             companies, in face of what was obviously very broad and
>             intrusive demands for sharing data about non US citizens,
>             not simply locate much of such data outside the US. For
>             instance, it could pick up the top 10 countries, the data
>             of whose citizens was repeatedly sought by US authorities,
>             and shift all their data to servers in other countries
>             that made no such demand? Now, we know that many of the
>             involved companies have set up near fictitious companies
>             headquartered in strange places for the purpose of tax
>             avoidance/ evasion. Why could they not do for the sake of
>             protecting human rights, well, let's only say, the trust,
>             of non US citizens/ consumers, what they so very
>             efficiently did for enhancing their bottom-lines?
>
>             Are there any such plans even now? While I can understand
>             that there can be some laws to force a company to hold the
>             data of citizens of a country within its border, there
>             isn't any law which can force these companies to hold
>             foreign data within a country's borders... Or would any
>             such act be perceived to be too unfriendly an act by the US gov?
>
>
>             I am sure others may have other questions to ask these
>             companies.....
>
>             parminder
>
>
>
>
>
>         -- 
>
>         Katitza Rodriguez
>
>         International Rights Director
>
>         Electronic Frontier Foundation
>
>         katitza at eff.org  <mailto:katitza at eff.org>
>
>         katitza at datos-personales.org  <mailto:katitza at datos-personales.org>  (personal email)
>
>           
>
>         Please support EFF - Working to protect your digital rights and freedom of speech since 1990
>
>
>
> -- 
> Dr Marianne Franklin
> Reader
> Convener: Global Media & Transnational Communications Program
> Co-Chair Internet Rights & Principles Coalition (UN IGF)
> Goldsmiths, University of London
> Dept. of Media & Communications
> New Cross, London SE14 6NW
> Tel: +44 20 7919 7072
> <m.i.franklin at gold.ac.uk>  <mailto:m.i.franklin at gold.ac.uk>
> @GloComm
> https://twitter.com/GloComm
> http://www.gold.ac.uk/media-communications/staff/franklin/
> https://www.gold.ac.uk/pg/ma-global-media-transnational-communications/
> www.internetrightsandprinciples.org  <http://www.internetrightsandprinciples.org>
> @netrights
