The European Digital Rights initiative (EDRi) is an association of thirty-four digital civil rights organisations from nineteen European countries. It focuses on protecting and promoting civil rights in the digital world, in particular with regard to the rule of law, privacy, and freedom of communication. One of EDRi’s biggest challenges is that digital rights issues are increasingly interlinked. It is impossible to focus on one or two priority issues and not worry about related policy areas. We either work on everything, or risk our work and citizens’ rights being undermined.
This is most obvious in the case of “net neutrality”, which is most commonly defined as the principle that internet users can connect to any other point in the network using equipment of their choice. In a neutral net, users can create, access and use any content, service and application, without discrimination, restriction or limitation imposed by those who run the infrastructure. Internet access providers enable us to communicate, browse the web, or transfer files over the Internet; to make our own websites globally available and to use services such as e-mail, social media or internet telephony. Everybody, in whatever role, and all organisations, of whatever size and kind, is able to participate globally. Everybody is able to access services and to offer services. The Internet is a world without borders (almost).
Nowadays, however, the biggest of these access providers have the technology, the resources and the motivation to start building barriers and borders where previously there were none. The ramifications for privacy and freedom of communication are exponentially larger than one would imagine at first sight. The battle for the openness of the internet is about freedom of communication, effective law enforcement, security, predictability and the rule of law.
Freedom of communication
A range of international legal instruments for the protection of fundamental rights aims to guarantee freedom of communication. This freedom is seen as the right to receive information, but also to impart information, in other words to express one’s views to others. The freedom of information is guaranteed in Article 19 of the International Covenant on Civil and Political Rights, Article 10 of the European Convention on Human Rights, and Article 11 of the European Union Charter of Fundamental Rights. It is also defended in national constitutions, such as the US Constitution, whose first amendment is a world-renowned protection for freedom of expression.
These instruments are binding only on states, for the simple reason that, up until recently, it was only states that were in a position to restrict freedom of communication, such as through censorship and licensing of broadcasters. However, now that our “public space”, the place where we carry out daily tasks, our social interaction and our political campaigning, is a virtual “space” that we access through copper wires and fibre-optic cables, our freedom of communication is placed in the hands of internet access providers, online social networks, and so on.
The more a state can persuade online companies, such as internet access providers, to “voluntarily” restrict access to unwelcome or potentially illegal online content, the more they can circumvent their international or constitutional obligations not to restrict freedom of communication. As long as this was not in the business interest of internet companies, the danger was limited, because the industry resisted such pressure. However this resistance has now gone. Today, internet access providers are actively demanding the right to provide restricted services that block, restrict or promote certain online content. This is due to a range of factors.
On the one hand, technologies are increasingly available that make it easier to identify and restrict or promote access to certain content. This is particularly interesting from the perspective of large internet access providers. If you can restrict or facilitate access to a customer base of ten million, you can use this power to coerce online companies into paying for this access. Having seen online services like Facebook and Google use their customer base as an asset, Internet access providers now want to do the same. In addition, internet access providers are investing in online film, TV and music businesses, providing them with further incentives to block, restrict or promote certain content.
The change in the priorities of internet access providers means that they are vastly more manipulable by governments that are seeking to impose restrictions on freedom of communication that would be difficult or impossible to impose by law. Access providers are very open to demands that they should “voluntarily” block or restrict access to particular online content. This allows politicians to abdicate responsibility for taking meaningful action against serious crime in the online environment, such as the availability of child abuse pictures and videos. Once blocking is imposed for serious crime, it can be extended for less proportionate and legitimate aims, such as copyright enforcement. Whatever the question, the answer is: “Why don’t the access providers block this content?” Access providers welcome the “normalisation” of interference with access to content, since it creates a world where they decide who the winners and losers are in the online marketplace.
In order to be able to block content, it is obviously useful to have a clear insight into the communications travelling over networks. The more insight an internet access provider has into the content of communications travelling over their networks, the more effectively they can block the content they want to block. Blocking measures range from highly inaccurate IP address blocking and highly ineffective DNS blocking, to more invasive and targeted measures, for example the use of “deep packet inspection” to obtain more insight into the content of each packet of data travelling over the network.
An undemocratic and ineffective policy
Part of the reason for international law to require restrictions to be based on law and to be necessary and proportionate to the public policy objective being addressed, is that this requires a degree of public debate. It also permits restrictions to be challenged before domestic and, sometimes, international courts. Restrictions based on ad hoc arrangements with internet access providers circumvent public debate, impact assessments and review procedures. This is why both Sweden and the United Kingdom, for example, have national “voluntary” blocking procedures for online child abuse material.
In both countries, the measures were introduced as a result of public pressure from the respective governments, as well as the (strangely compelling) threat of legislation, in the case of the UK. It is difficult to understand why online child abuse is somehow so trivial as not to need laws or a credible evidence base for action, and so important that law can be broken to achieve whatever it is that the blocking is supposed to achieve. The interesting thing is that, in the approximately ten years since blocking was first proposed in these two countries, nobody has every actually explained precisely what it is for. Is it to stop deliberate access? If so, it is unlikely to succeed, since blocking is easy to circumvent. In any event, it should be fairly obvious that the public web is not the place that criminals will be sharing illegal material. Is it to stop accidental access? If so, why has nobody produced evidence that accidental access actually happens? Worse still, what are the potential negative effects? Has blocking made investigation more difficult? Has the semblance of action removed political pressure on the UK and Swedish governments to take real action internationally to deal with a real crime?
Two statements from the UK government suggest that this may indeed be the case. Six months after the first blacklist was produced, the then UK Home Office minister Bill Rammell was asked in a parliamentary question which countries had been sent requests for the removal of child pornography websites and how many requests had been agreed upon. The response was that “no such requests have been made by the Foreign and Commonwealth office”. Almost exactly ten years later, in October 2014, the UK’s National Crime Agency confirmed that there was no interest in prosecuting all of the individuals that it had identified as accessing images of serious crimes held on international servers. According to the BBC, 660 people had been arrested from a total of between 20,000 and 30,000 people that had been identified.
In other words, a policy introduced in 2004 without any empirical foundation or analysis has not, in the ten years it has been running, been subject to any review process, despite there being clear evidence of counterproductive effects – both for the policy objective being addressed and for the wider economy. Hard to believe, yet not untypical for the serious crimes that governments argue should be addressed by private companies.
Taking the blocking of child abuse as an example, none of the parties involved have a particular concern in addressing the public policy at stake – fighting online child abuse. From the perspective of governments that seek to be re-elected, it is easy enough to set themselves up as the voice of reason with simplistic demands, arguing that, as the internet companies provide access to the content, they should “do more” to stop people accessing illegal content. The demands buy some cheap headlines and buys another round of cheap headlines when industry agrees to undertake the blocking in question. Blocking is always done under the banner of “self-regulation”, even though there is no regulation and the entities that are being policed are the customers of the access providers, not the access providers themselves. It is not “self” and it is not “regulation”.
For the larger access providers, child abuse is not the problem so much as preventing bad publicity or generating good publicity (while gaining whatever other benefits that are available). As indicated above, they are quite happy to “normalise” the concept that they should be interfering in private traffic flows. The smaller access providers, on the other hand, do not have a large enough customer base to make money out of restricting access to their users. They also know that blocking does not actually work as a mechanism to fight illegal or unwelcome content. As a result, small access providers have frequently resisted blocking, while larger providers have adopted the measure more readily.
Policy debates in 2014 have been heavily shaped by the Snowden revelations. There is far more awareness of online privacy and security now than before. We have learned how almost every possible digital security mechanism has been undermined by “back doors” designed and implemented by agencies that are meant to keep us safe. Self-defence mechanisms such as encryption have been attacked ferociously – and often shamelessly – by security agencies. Apple, for example, was subjected to some of the most absurd and disgraceful public pressure ever seen, as a result of its device and communication encryption. The US Deputy Attorney General James Cole, for example, reportedly claimed that Apple’s encryption would “one day result in the death of a child”.
Internet access providers see the money that can be made by companies like Google that profile their users and sell this knowledge to advertisers. A non-neutral internet, where the access provider has the ability to track what its users are doing online, creates the enticing opportunity to be paid three times for the same service. Firstly, the access provider would be paid, as always, by their customers for access to the internet. Secondly, they would be paid by online companies for privileged access to those same customers. Thirdly, the access provider would be paid by advertising companies to monitor their customers’ activities and support targeted advertising.
This holy grail of gaining access to the targeted advertising market has proven very difficult. For instance, experimentation with the “Phorm” online tracking service by British Telecom led to legal action by the European Commission against the United Kingdom. Phorm, which offers internet access providers what it describes as a “Privacy-First technology [that] enables them to monetise their data and become significant players in the $140 billion global online advertising market” has offices in Singapore, London, Istanbul, Beijing and Shanghai – all of which are in jurisdictions with extensive and legally questionable internet blocking schemes.
This vision of getting paid three times for providing one service suddenly starts to crumble when more and more people start protecting their privacy and security by encrypting their communications. Suddenly, it is less easy to filter traffic, to sell access to your customers and to profile them. Consequently, there exists a huge and well-funded new lobby with a strong business interest in fighting against our right to defend our privacy and our information security.
During the so-called “Crypto-wars” in the early part of the last decade, the US government fought against the right of the public to protect their data through encryption. Ultimately, the rights of the public appeared to win out. However, the Snowden revelations have show that that secret efforts to undermine and weaken encryption technologies have undermined our security and our privacy. Now that this information has come to light, we are seeing the beginning of a “Crypto-wars II” where, again, the battle is between the demands of governments to gain access to all the content they wish, and the rights of individuals to defend their own personal space and their own security.
The difference is that this time, governments can rely on the support of internet access providers. Should we be surprised, then, that governments appear keen to deliver the non-neutrality that the access providers want, and that the non-neutrality measures that are proposed entail arbitrary policing by the access providers? The European Commission, despite claiming and re-claiming its fundamental determination to break down the barriers in the European “digital single market”, has been tripping over itself to ensure that internet access providers have the ability to provide discriminatory, non-neutral internet access services.
In the Commission’s proposed Telecommunications Single Market Regulation, this net neutrality/surveillance trade-off is most clear in a provision on voluntary law enforcement by internet access providers. The Charter of Fundamental Rights of the EU is clear that any restrictions on freedoms (such as privacy or freedom of communication) are only permissible “if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (Art. 52). The European Commission’s proposed telecommunications regulation directly contradicts this, explaining that “reasonable traffic management” includes restrictions imposed “to implement a court order or to prevent or impede serious crime” (emphasis added).
This takes us back full circle. The internet is a public space that is privately owned, while the international legal framework has failed to catch up and maintain the level of legal protections necessary to ensure our privacy and freedom of communication in that space. In other words, governments have the means to circumvent their legal obligations, with internet access providers as willing partners. Changes in technology and markets mean that big (often international and multinational) companies have clear business and public relations interests to facilitate this circumvention of the law.
Fixing the legal framework
Legal frameworks are notoriously slow to adapt to change and neither governments nor large companies see any particular need to provide citizens with the legal certainty that would prevent arbitrary interferences by companies acting in concert with governments.
Indeed, if we look at many of the policy documents adopted by governments in recent years, there appears to be a harmonised effort to redefine the international legal framework through custom rather than through new law. International texts also demonstrate a clear, but subtle, drift away from the rule of law to unpredictable ad hoc policing by private companies for ostensibly public policy reasons. In June 2011, the OECD adopted a Communiqué on Internet Policy-Making that withdrew support of due process of law to a nebulous concept of law enforcement by private companies. It foresaw “lawful steps to address and deter infringement, and accord full respect to user and stakeholder rights and fair process”. The proposed Anti-Counterfeiting Trade Agreement (ACTA), which was finalised in April 2011, similarly proposed “cooperative efforts within the business community to effectively address trademark and copyright or related rights infringement while preserving legitimate competition and, consistent with that Party’s law, preserving fundamental principles such as freedom of expression, fair process, and privacy”.
This wider framework suggests that the European Commission’s wording on intermediaries preventing and impeding serious crime outside the rule of law is not an accident, but part of a broader strategy. This context also gives a very sinister undertone to a draft Council of Europe document on net neutrality that argued that intermediaries “may also take action to prevent access to, or the dissemination of, unlawful or harmful content, for example through self-regulatory systems in co-operation with public authorities”. This is in direct and obvious contradiction with the European Convention on Human Rights, which says that such restrictions may only be imposed if prescribed by law and necessary in a democratic society. Similarly, the document suggests that the privacy aspects of any such intervention should be checked against existing privacy legislation. However, European Court case law is clear that this is not enough – any such action need to be governed by a specific law.
All is not lost, however. There are signs of a fight-back. On 30 June 2014, the UN Human Rights Commissioner published a paper entitled “The right to privacy in the digital age”, where she warned of “increasingly formalised” shift of law enforcement measures into private hands. Similarly, in December 2014, in an even more direct statement, the Council of Europe Human Rights Commissioner demanded greater legal clarity and better behaviour from Council of Europe Member States: “Member states should stop relying on private companies that control the Internet and the wider digital environment to impose restrictions that are in violation of the state’s human rights obligations. To that end, more guidance is needed on the circumstances in which actions or omissions of private companies that infringe human rights entail the responsibility of the state.”
In conclusion, we can see that it is not enough to work on privacy legislation in order to protect privacy. It is not enough to work on encryption to defend the right of individuals to protect their privacy and data security with encryption. Net neutrality is far more than a dull issue of telecommunications regulation: if we lose net neutrality, we also undermine our privacy; we undermine the fight to defend the rule of law on the internet; we undermine our right to use encryption and we undermine our freedom to receive and impart information.
EDRi works for that not to happen and to raise public awareness. Our net neutrality campaign page is at http://savetheinternet.eu. Booklets on privatised law enforcement, net neutrality, how the internet works and privacy can be downloaded from https://edri.org/papers.