The year 2013, via scandals like PRISM and Offshore Leaks, has made it apparent that governments and businesses endeavour to circumvent Internet security mechanisms beyond what is expected of their roles and missions. The threat to public trust and to protection of human rights is being attenuated by a flurry of transparency claims and reports.
There are two ways of dealing with transparency today: 1/ by operator (that tends to look at consumer issues and government requests) or 2/ by regulatory agency (that considers issues such as safety, security, terror, etc., according to their finalities and the implicated services). Strikingly absent from the debate are the telcos and the Internet Service Providers (ISPs). The strengths and weaknesses of these reports depend on the motivation and legitimacy of the agencies that provide and promote them.
Transparency by operator: looking at Google transparency reports (last published, March 2013)
The responsibility and accountability of private sector entities are engaged in unprecedented ways in the digital world. The economy of the broadband media is basically built on personal data-mining by unrelated third parties, which implies having access to the expression of users for developing new services and for doing business based on direct marketing. The consensus currently accepted is that calling on their social responsibility can be done in a framework of self-regulation in which good practices are encouraged. This is the case with the Global Network Initiative created in 2008 to protect and advance freedom of expression and privacy, composed of ICT sector companies and civil society organizations (including human rights groups). Only four major American corporations (Google, Microsoft, Facebook and Yahoo!) were involved at the start, with a vested interest in promoting their image for transparency and in keeping state intervention at bay. The snowball effect of the initiative is such that other pure player companies (Apple, Twitter, Dropbox, LinkedIn, etc.) have been induced to join the move, especially as their compliant role in the PRISM surveillance of customers is under intense public scrutiny.
Google was the first to start publishing its “Transparency Report”, in 2009-10, before the scandal emerged. The reports show government requirements to take down information (blogs, images…) and reveal statistical patterns of traffic per requesting country (not by country requested). They give an idea of the priorities of business that they cover: government interventions (in all countries), requests to take down for copyright infringement, requests about users:
- it is mostly connected to industry competition and Google-centred (YouTube and Google take downs)
- it doesn’t give its criteria or its internal procedures, and provides no information about NSA requests and Google’s level of compliance with them
- it sends the reader to ECPA due process (an American legal framework is assumed here, not international)
- it provides a semblance of seamless (self)regulation and doesn’t show the role of lobbies, or of social networks, in the number of requests (case of Brazil for instance).
Google presents itself as the defender of the user first (in the section where it describes its refusal to take down for instance) but doesn’t give its reasons for refusing or agreeing to remove content. As often with transparency, what is not under the light is not visible, so nothing really indicates where Google stands with regard to government requests of a secret nature as revealed by the PRISM scandal. Besides, statistics by single operators are not very illuminating and tend to be boring. Trust is not secured because the operator is both judge and party and there is no real transparency on its procedures. Google and other pure players have since been reactive to growing criticism by petitioning the government in order to be able to say more about FISA (Foreign Intelligence Surveillance Act), including section 702 (on foreign surveillance programmes like PRISM).
Transparency by regulatory authority: looking at CNCIS (Commission Nationale de Contrôle des Interruptions de Sécurité) public yearly reports (last published, February 2013)
The CNCIS, created in 1993, gives the perspective of governments and their priorities in what such an agency can cover. In France, 3 major motives appear: criminality prevention (50% of requests), national security (30%), terrorism (20%). This government perspective tends to provide a procedural approach besides the usual statistics (in relation to services and objectives including data traffic and anti-terrorist requests):
- it shows the field not covered by French law on secrecy of messages and mail and its exceptions while being out of its competence (including the French equivalent to PRISM for “mass” surveillance, which is “extralegal”, CNCIS being competent on targeted surveillance)
- it provides too short a comparison with other countries but points to possible exchanges and reciprocal training…
- it is informative, with a good description of criteria and their relation to due process and the law.
The reports also point to a certain number of good practices:
- a posteriori and a priori surveillance can be interrupted
- continuous control is applied, even of accepted interceptions, at random, to ensure that the legal procedure is respected
- a priori control of the decisions to intercept is activated (even in case of “urgence absolue”), which often allows dialogue between various services
- the capacity for quick response is ensured (less than an hour to evaluate “urgence absolue” requests), and a 24/24 hotline is maintained
- decision-makers are audited by the CNCIS council, to keep dialogue and ensure accountability.
The government reports point to a concern against disproportionate requests or lack of legitimacy of procedures that could be conducted by other means such as local investigation. They nonetheless lack the relation to the general public, which seems to be absent from the procedure, as there doesn’t seem to be a place for an ombudsman or a formal complaints bureau (for people to ask for information about them).
Both types of reports reveal a certain number of strengths and weaknesses in transparency that leave room for improvement and for a more general and shareable transparency template:
- the need to define what one is to be transparent about: the status of chats, forums or blogs is not clear for instance, and so it is difficult to assess if such forms of communications should/ought/could lend themselves to interception…
- the determination of the type of crimes that can legitimate interception is still unclear
- there is an urgent need for clarification between national interests (very large and general) and national security (that often deals with terrorism).
In fact, transparency is used as a kind of mantra, but seems to have become an ideology, much as secrecy (its reverse) was in the last century. However, unless full reciprocal transparency can be guaranteed, it is a dystopian goal, because it creates new ways of cheating with information, new imbalances, new disparities and discrepancies. Taking into account the two-faced activities of the worthy and the wicked, we need to acknowledge the moral ambiguity of transparency 2.0. It might be less naïve and more effective to refer to accountability rather than to transparency: it is not about saying everything all the time, it is about ensuring procedural fairness, access to information and reparation of torts and damages when applicable. In that context, the full interest of the public, as consumer and citizen, can be taken into account, and ensure trust.