Trade Law Daily is a service of Warren Communications News.
Encryption Ban Impossible?

Government Plans to Fight Internet Terrorism Create More Questions Than Answers, Critics Say

Statements by EU and U.K. officials about boosting online anti-terrorism efforts following the Charlie Hebdo massacre in Paris are short on details, said tech companies, ISPs and civil society groups. In a Jan. 11 joint statement, various European justice and home affairs ministers backed a "partnership of the major Internet providers" to enable swift reporting and takedown of materials aimed at inciting hatred and terror. Afterward, British Prime Minister David Cameron said restrictions on the use of encryption in online messaging services are needed to fight terrorism. But it's unclear whether and how any of these proposals would work, stakeholders said. Cameron will reportedly ask President Barack Obama when they meet Friday to pressure U.S. Internet companies to work more closely with British intelligence services, The Guardian reported Thursday.

Governments are "concerned at the increasingly frequent use of the Internet to fuel hatred and violence and signal our determination to ensure that the Internet is not abused to this end, while safeguarding that it remains, in scrupulous observance of fundamental freedoms, a forum for free expression," officials said in their statement condemning the Paris attacks. "The partnership of major Internet providers is essential to create the conditions of a swift reporting of material that aims to incite hatred and terror and the condition of its removing, where appropriate/possible," they said.

The EU e-commerce directive already requires ISPs, when made aware of illegal activities, to act quickly to remove or disable access to the information concerned, an EC official told us. The removal or disabling of access must be undertaken in light of the principle of freedom of expression and of procedures established for the purpose at a national level, she said. The directive doesn't stop EU governments from mandating that service providers who host information provided by recipients of their service apply a duty of care, which can reasonably be expected from them and which is enshrined in national law, to detect and prevent certain kinds of illegal activities, she said. "Any further measure would need to be discussed with all parties involved," the official said. The European Internet Services Providers Association said it hasn't discussed the ministerial statement internally.

Article 19, a London-based global organization that defends free speech, is concerned that governments have in mind a "reporting" button that will be used to crack down on legitimate, though highly distasteful, speech without due process safeguards, Legal Officer Gabrielle Guillemin said in an interview. While incitement to terrorism and advocacy of hatred constituting incitement to violence, hostility or discrimination "must be prohibited under international law, this often translates into overbroad domestic laws that are used to silence dissenting opinions and offensive speech," she said.

Article 19 believes social media platforms such as Facebook and Twitter should be required to remove content that's an incitement to terrorism or advocacy of hatred only as decided by the courts, "which are much better placed to make these kinds of determinations than a corporate entity," Guillemin said. Social media companies can and may well remove content on the basis of their terms and conditions, but the problem is that they're likely to be flooded with removal requests and take down material without proper review, or to act inconsistently or arbitrarily, chilling free speech, she said. It would be "really good" to have more details on what officials meant by swift reporting and takedown, she said.

Banning Encryption Unworkable

Sophos, which designs information technology security products, is hoping for clarification on what the British prime minister meant by closing the "safe spaces" used by terrorists on the Internet, Data Protection Director Anthony Merry said in an interview Thursday. A ban on encryption can't be done easily and will hurt innocent people more than terrorists, he said.

If Cameron is actually calling for an end to encryption, it flies in the face of EU data protection rules, Merry said. He offered the example of a lab that sends a patient's blood test results to his doctor. Under data protection law, that's personal data that must be protected, he said. A ban on encryption would mean the test results aren't safeguarded as they're messaged from the lab to the doctor, which would fundamentally affect privacy rights, he said. It's possible Cameron meant the government should be able to force tech companies that provide encrypted online mail to open the mail to security services, Merry said. If so, the proposal signals a "very strong shift" from the privacy to the security side of the balance, he said. Cameron's office didn't comment.

Sophos' clients want software that's secure and can't be breached, Merry said. The company has security researchers who can create encryption technology, and there's also a great deal of open-source cryptography code on the market that allows anyone to build a secure communications system quickly, he said. The question is whether a ban on encryption would make Sophos the bad guy if it provided that capability in the U.K., he said -- another reason Cameron's comment must be explained.

Restricting the use of encryption and encrypted communication "further risks undermining the UK's status as a good and safe place to do business," the Internet Services Providers' Association (UK) said in a Jan. 13 statement. Given the growing number of cyberattacks and government initiatives to raise awareness of cyber-risks, "encryption is widely accepted as a key measure to do business safely online," it said. ISPA accepts that the communications landscape is changing, but the ongoing, independent, government-commissioned review into investigatory powers "is the sort of considered and informed process ... that we hope will inform and develop policy in this area," it said.

Barring encrypted mail would undermine trust in the Internet and seriously endanger human rights defenders, journalists and bloggers, who rely on the technology to carry out their work, Article 19 said. Eradicating encrypted spaces and technologies "is simply not within Britain's capabilities," a Privacy International spokesman said. The U.K. can't order foreign manufacturers and providers of services such as WhatsApp or Google Hangout to modify their services to accommodate the desires of British spies, he said.