ICT, Human Rights & Business: A Roundup of 2014 and Challenges for 2015

As 2015 begins, it is that time again to take stock of key developments over the past 12 months in the information and communication technologies (ICT) sector and their links to international human rights principles and standards. The ICT sector continued to develop rapidly during 2014 and debates around privacy and freedom of expression continued to spring surprises, which kept us all extremely busy.

Growing concerns over surveillance and its impacts on privacy rights were a central focus of IHRB’s Digital Dangers programme in 2014. However, it is important to remember as well that threats to freedom of expression continue worldwide more than ever. The brutal murder of 17 people in France, 12 of which died during the attack on the offices of French satirical magazine Charlie Hebdo, are a painful reminder of the ongoing struggle to protect this fundamental right. In 2015, we will be giving renewed attention to the role of the ICT sector in promoting respect for freedom of expression, beginning with a Digital Dangers case study on the issue, focused on Pakistan, and continuing to work on the human rights implications of network disconnections.

The Importance of Freedom of Expression

IHRB’s collaboration with Wilton Park in November 2014 to organise a major meeting on Privacy, Security and Surveillance rightly highlighted the continued threats to freedom of expression around the world: the imprisonment of activists for expressing opinions online, blasphemy laws governing the internet, and ultimately the shrinking of civil society space in many countries. Among the many high profile cases of imprisoned internet activists in 2014 were the Zone 9 bloggers in Ethiopia, Alaa Abd El-Fattah in Egypt, Nabeel Rajab in Bahrain, Bloggers Nguyen Huu Vinh and Nguyen Thi Minh in Vietnam.

ICT companies are increasingly expected to understand the political environments of countries where they operate, in particular state records in protecting or suppressing freedom of expression. This is all the more crucial for companies exporting cyber security technology, as these tools could enable states to restrict legitimate free expression in some countries, especially where the technology is sold as lawful interception tools in countries that do not have strong rule of law.

The past year saw a number of troubling moves by governments to impose stronger censorship on the Internet. Examples included Turkey blocking Twitter during protests in February. China continued to censor content, including blocking articles from the newly launched LinkedIn service and preventing access to Google’s Gmail. Several governments ramped up actions to use network disconnection as a form of control.

Surveillance Reform and Corporate Action

As with 2013, the main focus for civil society advocates and others in 2014 was again the race to stop government mass surveillance from becoming a new global standard. In January 2014, US President Barack Obama promised NSA reforms, around the same time the Pope declared the Internet a “gift from god”. Despite this promising start, it was reported that the Winter Olympics in the Russian city of Sochi was under total surveillance, another reminder of the continued dominance of the mass surveillance debate in the ICT space.

Various reviews of state surveillance practices during 2014 returned conflicting results: The Commissioner for Human Rights at the Council of Europe concluded that mass surveillance is not in conformity with human rights law and cannot be justified by threats to national security. While the Investigatory Powers Tribunal (IPT) in the UK concluded that mass surveillance conducted by one of its intelligence agencies, GCHQ, is consistent with the UK’s human rights obligations.

Working on the premise that mass surveillance is not consistent with international human rights principles and standards, tech companies fought to rebuild trust with consumers damaged by allegations of co-operating with US and UK security services’ mass surveillance practices. Some companies increased security features in their products such as encryption while others pursued legal battles to keep intelligence agencies from accessing data. Yahoo! faced threats of a $250,000 fine for each day it refused to co-operate in the controversial Prism programme. The director of Lavabit, a popular encrypted email service used by many, including former US defence contractor Edward Snowden whose interviews exposed the scale of surveillance in several countries, revealed how FBI pressure to hand over encryption keys resulted in the company’s decision to shut down its operations. Vodafone publicly denounced the ‘Dishfire’ programme, which collects and stores millions of text messages. Mobile operators EE, O2 and 3 followed suit by demanding answers about this government programme, the outcome of which is not yet known. Vodafone also published its landmark transparency report in June, providing for the first time information on steps the company must take to comply with laws in the countries where it operates and what information it is prevented from disclosing.

Growing tensions between technology companies and governments spilled over into a war of words as law enforcement and intelligence agencies spoke out against companies’ more defiant stances. The director of the FBI attacked Apple for introducing default encryption on its operating system for the IPhone. The new director of the UK’s GCHQ attacked tech companies as well, calling them “command-and-control networks of choice for terrorists and criminals” and vaguely suggesting a “new deal” is needed between governments and tech companies. Other developments, including a UK Intelligence and Security Committee (ISC) report reinforced views of some that Internet companies should be obligated to monitor content for terrorist activities. Placing such requirements on companies is a slippery slope and is likely to result in unnecessary restrictions on privacy and freedom of expression.

The battle for data control

Microsoft began 2014 with a bold move, giving users the option to have their personal data stored on Microsoft servers based outside the US, seemingly beyond the reach of US intelligence agencies. Privacy advocates oppose forced data localisation, arguing that customers should be free to choose where to store their data based on their own preferences, which could include the perceived strength of a country’s privacy laws. Some cloud and web-hosting companies had already begun marketing their services along this vein, such as in Finland and Germany. When a US warrant was presented to Microsoft for data held on servers in Ireland, Microsoft refused to comply, declaring a US warrant was not valid in other countries. This has led to a legal battle that all tech companies are watching closely and could be a landmark case in 2015.

This issue of “digital-sovereignty” was under the spotlight at the end of 2014, involving two very different players. Few were surprised by news that Sony had been hacked again, as they were several times in 2011, but this was a little different as the government of North Korea was blamed for the action. The fallout has caused a political storm, including new US sanctions against North Korea, and is unlikely to disappear any time soon. The incident also led to a lively debate on major media companies and freedom of expression, with Sony first withdrawing, and then screening, a film to which North Korea had objected, and whose potential release was believed to be a probable cause for the hack.

Looking Ahead in 2015

Even as 2014 brought many additional challenges, including the European Court of Justice’s controversial ruling on the Right to Be Forgotten and the battle to control online extremist content, the surveillance debate shows no sign of abating in 2015. The battle for control of data of three billion Internet users worldwide, where it is stored and who can access it is likely to dominate this year.

Our own Digital Dangers programme will continue to produce case study reports highlighting specific dilemmas for ICT companies. Our look at human rights challenges for network vendors, featuring Ericsson, showcased the dilemmas network vendors face in preventing misuse of telecommunication systems. We will also continue to engage broader industry associations, building on experiences such as our work with Tech UK and its members to produce human rights guidance for cyber security companies, the first of its kind in the world. We expect to build on this work in 2015, engaging more cyber-security companies from around the world in the debate. In addition, we are working the Swedish export credit agencies on a report regarding telecommunications exports and human rights.

IHRB will also be working through our links with the Myanmar Centre for Responsible Business (MCRB) to develop a Sector Wide Impact Assessment (see commentary on IHRB’s August trip here), on ICT in Myanmar which is expected to be published this year.

It is worth remembering that 2015 is the 800th anniversary of the signing of the Magna Carta, the document widely regarded as one of the first to limit the power of those who rule, thus enshrining the idea of human rights. As the ICT sector develops at speed and technology becomes ever more complex, this ancient document is an important reminder that the struggle for human dignity and equality remain continuing challenges and the core of our work.