ICT firms that operate in repressive regimes have to find a balance that respects the human rights of users and fulfills their legal obligation to respond to authorities’ lawful demands
Government interference is one of the most imminent threats to consumer data and human rights around the world. Access to large pools of consumer data facilitates repressive regimes to squelch free speech and monitor and control citizens, particularly in places where the rule of law is weak.
As Peter Micek, head of global policy and legal counsel at Access Now, puts it: “Most directly, ICT companies procure, sell, ship, install, and maintain invasive surveillance and filtering technology in countries that routinely violate human rights.”
He gives the example of Hacking Team, a Milan-based information technology company that has been criticised for selling intrusion and surveillance capabilities to governments, law enforcement agencies and corporations in countries such as Saudi Arabia, Kazakhstan, and Bahrain, though the company says it has the ability to disable its software if it is used unethically.
“Companies have been caught developing, marketing, and providing surveillance technology catered to government campaigns against minority, marginalised, or vulnerable actors such as civil rights, religious and oppressed groups,” adds Micek. These include Black Lives Matter activists in the US, Falun Gong in China, and Anglophones in French-speaking Cameroon.
Over the past two years, partial and complete internet shutdowns have increased in scope and frequency. In 2016 Access Now recorded over 50 shutdowns, more than double the 2015 figure. An internet shutdown happens when someone - usually a government - intentionally disrupts the internet or mobile apps to exert control over the flow of information, often during politically charged events such as elections or protests.
“Governments issue shutdown orders via regulatory, judicial, or even extra-legal threats to telecom companies pursuant to broad and restrictive licensing agreements and decades-old telecommunications laws,” says Micek. “Telecom companies execute them, often under gag orders, without transparency or accountability.”
Access Now recommends companies demand, at minimum, that government requests be issued in writing, signed by the proper official, and clearly state the legal basis for the request. Its Telco Action Plan advises further steps on how to prevent and mitigate requests to shut down or throttle networks, and its Telco Remedy Plan elaborates ways to redress abuses that do occur.
Transparency statements such as the Microsoft’s Global Human Rights Statement or Vodafone’s Law Enforcement Disclosure Report (LED) have become increasingly common amongst the world’s largest ICT firms, which regularly disclose government requests impacting user privacy and freedom of expression.
But finding a balance that respects both the human rights of users and a firm’s legal obligation to respond to authorities’ lawful demands is not easy.
“In countries experiencing continuing periods of significant political tension, it can be challenging,” says Fergusson. “But respect for human rights forms part of our business principles and we are committed to working to improve the societies of countries in which we operate. Human rights considerations form part of our assessment of any market into which we expand our operations.”
In dealing with demands from authorities and agencies, the British telco giant follows in-house principles covering privacy and law enforcement and freedom of expression.
“The principles really explain what we do and what we do not do,” explains Fergusson. “For example, we do not allow any form of access to customer data by any agency or authority unless we are legally obliged to do so. We do not go beyond what is required under legal due-process when responding to demands for access to customer data other than in specific safety of life emergencies, such as assisting the police with an active kidnaping situation. And we do not accept instructions from any authorities acting beyond their jurisdictional legal mandate.
“Also, we insist that all agencies and authorities comply with legal due-process, and where appropriate, we challenge the powers being used in order to minimise the impact on our customers’ right to privacy and freedom of expression. Finally, for us, it is also about honouring international human rights standards to the fullest extent possible whenever domestic law conflicts with those standards.”
Numerous guidelines and principles exist to help ICT companies navigate through this complex and ever-morphing landscape. At the forefront are the UN Guiding Principles on Business and Human Rights. Adopted in 2011, these principles rest on three pillars: the state duty to protect, the corporate responsibility to respect, and access to remedy.
Fergusson says while such principles are helpful, “what is truly valuable for our organisations is the ability to share experiences and practices with other companies and stakeholders that might be experiencing similar challenges.” She says this is happening through the Industry Dialogue’s Guiding Principles on Freedom of Expression and Privacy, which defines a common approach to be taken by operators when dealing with governments or authority requests that may impact customers’ privacy and freedom of expression, while the Global Network Initiative is a multi-stakeholder initiative to protect and advancing freedom of expression and privacy in the ICT sector.
Many companies have empowered chief information security officers, chief privacy officers, and other C-level executives with a mandate to protect the company’s digital assets, but Micek says this can sometimes be counter-productive.
“Unfortunately, these positions are more likely to assert corporate interests than represent individual users,” he says. “In certain instances, we still see breakdowns in communication within firms, where security engineers seem to become aware of active breaches of user databases long before the corporate leadership takes action to counter or mitigate the threats.”
According to Micek, cross-cutting task forces made up of engineers, lawyers, communicators, and product specialists, acting with direct board oversight, are one avenue to improve communication across teams. “Some telcos use national emergency response teams, including heads of all departments, for rapid-response, “ he says. “Humility helps, too, when confronting fast-changing technologies. Sustainability and human rights officers must actively listen, and meet operations and business chiefs where they are, rather than simply tossing the UNGPs at them.”
This is part of our big data and human rights briefing. See also:
Protecting privacy in the digital age
The transparency revolution
Barclays executive banks on blockchain
Kenyan mobile operators ‘pressured to give up data'