Big Data, Big Government, Big Companies: NSA data gathering raises new questions about corporate responsibility

While Microsoft, Google and Twitter publish transparency reports which show the number of worldwide government requests they receive for user information and content takedown and whether and how they comply, they now admit that those reports do not include FISA requests, leaving users with only partial information about what is happening to their web presence.

Sometime last year, activists, academics, and journalists specializing in Myanmar received warnings from Google. The message referred to “state-sponsored attacks” on their email accounts, and urged caution with passwords and other online activity. Two journalists who write about Myanmar told me they found the warnings helpful and appreciated that the company cared for its customers.

Assuming the now released presentation slides of the so-called “Prism” programme, accurately reflect mass data gathering by the US National Security Agency, then Google has not similarly disclosed to its users that since January 2009 it has been acceding to US government requests and orders under the Foreign Intelligence Surveillance Act.

To be sure, Google did not do anything illegal. The whole point of FISA is that even the existence of requests for a user’s data can’t be disclosed, and the charges, the courts, and the hearings can be secret. Google could not have informed users unless it was willing to break the law. And it should be remembered that the US Congress has passed with large majority the variants, refinements, and amendments to FISA and building on the Patriot Act, which significantly enhance the powers of the state to impose surveillance on individuals and groups.

And this is not to single out Google. As we now know, eight other major companies – Microsoft, Yahoo!, Facebook, Paltalk, YouTube (a Google subsidiary), Skype (a Microsoft subsidiary), AOL, and Apple – have cooperated with the NSA. (Twitter and Amazon are conspicuous absentees).

While what the NSA demands may be legal under the powers Congress has granted the agency, and the companies have no practical alternative other than to comply with the NSA’s demands, the latest revelations have serious implications for human rights, and raise critical questions about what the corporate responsibility to respect human rights means both for Internet companies and for private contractors working for the government.

The fact is that while Microsoft, Google and Twitter publish transparency reports which show the number of worldwide government requests they receive for user information and content takedown and whether and how they comply, they now admit that those reports do not include FISA requests, leaving users with only partial information about what is happening to their web presence.

Surveillance and its implications require exceptional attention because there is always room for error. It is only in a perfect universe that each request for surveillance or each lawful intercept demand is accurate, and the person placed under surveillance is someone likely to commit a major crime.

Innocent people routinely get placed under surveillance – it happens in the real world, and there is no reason to assume that the technological universe is better. Democracies have checks and balances, which is why companies facing demands from the government rightly ask for legally executed orders, or requests authorised by courts of law, before considering if they should accede.

FISA, which the US government says it uses only sparingly, is meant to overcome such legal niceties, by requiring compliance, and by gagging the company from disclosing anything. A user could be under surveillance for an extended period and the company would break the law if it warns the individual.

The companies involved in the latest reports all say they provide no direct access to the government, and the mechanism is largely procedural whereby, after a request has been vetted by the company’s lawyers, the company deposits the requested data in a secure online ‘room’ or ‘portal’ for the government to ‘pick up’. Yet some reports suggest that in at least one instance, an NSA official spent weeks at the office of one company, monitoring real-time traffic in a specific case, bringing his own laptop to the company’s premises. If the report is accurate, it shows extraordinary cooperation on the part of the company.

While governments can suspend certain human rights during an emergency, they do not have blanket powers to impose such surveillance. The absence of effective checks and balances under FISA strongly suggest the Prism is unaccountable, with companies becoming accomplices, willing or not. A number of leading companies in the industry have tried creating their own bulwarks, such as the Global Network Initiative, but clearly it cannot defy FISA.

(Four of the nine companies named in the Prism disclosures are members of the GNI, which brings together companies, academics, and organisations committed to protecting and advancing freedom of expression and privacy in information and communication technologies).

As regards the consultants and companies to which jobs are outsourced, the Washington Post reported in 2010 in a series called Top Secret America, the powers the US government has acquired after the attacks in the United States in September 2001 are unprecedented, and hundreds of thousands of people in Washington, and perhaps ten times more around the world, have access to data which is classified as restricted, secret, confidential, and so on.

Some of this work has been outsourced to private sector companies, including, as we now know, the consulting firm Booz Allen and Hamilton. Thousands of employees of such companies have access to personal data about millions of people around the world. Assuming they have all been vetted carefully under the narrow criteria of security clearance, it still raises the valid question: Are they well-versed in the US Constitution’s specific protections against unlawful search and seizure, or international human rights standards ensuring freedom of expression (Article 19) and privacy (Article 17) of the International Covenant on Civil and Political Rights?

Decisions concerning infringing on someone’s human rights are too important to be left in the hands of untrained staff who are not accountable to the government but to a private company.

When Google stared back at China in 2010; when former US Secretary of State Hillary Clinton extolled Internet freedom in 2011 and requested Twitter to delay its routine service maintenance so that people in Iran could continue to microblog in 2009; and when British Foreign Secretary William Hague said in 2011 that governments must not censor the Internet; the world looked Manichean – with the West challenging the East.

But as we know from the work of the Open Net Initiative, the West (or at least western companies) was also busy helping the East censor the Internet and install intrusive surveillance technology.

Now we discover the West expects its citizens to trust government, as it monitors societies. This isn’t restricted to the West; India, the world’s most populous democracy, has enacted rules that can chill free speech and privacy on the Internet, Human Rights Watch has warned.

There are ways companies could do more to prevent harm to human rights. For example, Internet companies could make it easier for users to encrypt their data. They could also cease collecting and storing data about users and facilitating extremely easy access for the government by building bespoke, secret systems. Granted, such proposals raise questions concerning copyright protection and piracy, and could seriously affect the business model of the companies, which want to market the data they gather to advertisers.

But the fact is clear: if companies collect user data, then just like advertisers, governments will want it. If they stop accumulating vast amounts of information on users, they will truthfully be able to tell governments they simply do not possess what the government wants. Some companies have already done a variant of this, by moving their servers to jurisdictions that are less likely to seek such information. Some companies have required user encryption of all data, thereby making it impossible for the company to see what is shared on its own servers. A new, different way to finance the online world may also have to be found, and that may mean users have to bear some cost for accessing the Internet.

In the coming days we will learn more – about the state’s duty to protect rights, companies’ responsibility to respect rights, and ways to develop remedies when the gaps become large enough for rights to fall through the cracks. At the Institute for Human Rights and Business, we call these emerging warning signs Digital Dangers. Over the next two years, we will be working with the University of Washington’s Law School to prepare a global database of these dangers, and investigate case studies of corporate behaviour during times of stress, to highlight the human rights risks and impacts, and recommend steps governments and companies must take to ensure that in pursuit of safety from crime, essential principles of liberty are not compromised.

In Part II, Lucy Purdon has written about the human rights responsibilities in the Telecom Sector in the age of mass surveillance.