
Transparency 2.0: Ubiquitous Transparency as an Answer to Ubiquitous Surveillance? (part 2)

4 November 2013

The Internet has enabled ubiquitous networks, in which information processing is integrated into everyday objects (smartphones, mobiles…) to enable seamless activities without users being aware of it. The current PRISM scandal has alerted public opinion to the extent and the abuses of such ubiquitous surveillance, which seems difficult to stem in spite of growing claims in favour of augmented privacy… unless a reciprocal principle of ubiquitous transparency is set up. Transparency reports are only the beginning of this process, and they have the merit of pointing at the risks to democracy if surveillance is allowed to go rampant.

The risks of transparency erosion

When transparency and accountability are lacking, the risks are numerous, at all levels of governance. The very technical foundations of the Internet may be affected or even undermined if governments develop their own security mechanisms to circumvent the existing ones. Hacking strategies, scrambling systems, encryption, sensors and viruses of all kinds can impact the architecture of the net. They can also induce competing states to engage in a cyberwar that may be damaging for the transborder advantages of the current Internet as a critical resource for development. They can modify the broadband infrastructure layer that connects networks and routers and reduce the scope and security at the core of the Internet backbone, which can have deep implications for policy perspectives.

A larger risk lies in the impact of erosion on the global interoperability and openness of the Internet, two principles that have laid the foundations of digital value for the world community at large. Technically, interoperability requires attention to standards at the design level of a programme and can have significant impact on usability, with economic, political and social consequences; openness combines the technical layer and the legal and content layer of freedom of expression and right to information (against censorship and surveillance). Both are becoming pillars of governance, and jeopardizing them may lead to Internet mayhem.

The risk of conflict of interest is also quite present, as always when industry gets involved in policy-making. The pure-player lobbies are quite active in framing and shaping legal decisions worldwide, not just in the USA, as exemplified by the EU-US negotiations on a data protection agreement and the generalized spying on political leaders and European economic groups revealed by PRISM. Transparency erosion also carries political and social costs: it can lead to a lack of public deliberation and have a chilling effect on expression; it can also have inhibiting effects on creativity and productivity (self-censorship).

The solutions towards ubiquitous transparency and accountability

Such risks point to a need to review confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for service providers, law enforcement agencies and users at large. The new context of PRISM and general surveillance has had the positive effect of re-engaging national governments in regulation, of focusing policy-making on accountability claims and of reframing some of the norms by which the netroots can influence policy effectively, with increased obligations for reporting. The problem needs to be addressed at several levels of intervention, which started before PRISM but for which PRISM can be a meaningful catalyst: the right to information, the regulatory authority, the peer-to-peer leveraging of civil society and finally media and information literacy for the larger empowerment of the public.

1/ The Right to Information (RTI)

In recent years, the Right to Information has been successfully construed as a complement to the right to freedom of expression. The purpose, amongst others, is to promote transparency and open information flows in certain sectors, such as scientific information, environmental matters, public budgets, extractive industries and the use of natural resources. The Internet as a critical resource could be added to that list.

The RTI framework is characterized by a number of principles that could be used for transparency reports: maximum disclosure, obligation for public bodies to publish key information, limited scope of exceptions, processes to facilitate access to government-held information, open meetings, disclosure taking precedence over secrecy laws, protection for whistleblowers, together with low costs for information access, and the promotion of open government. Additional actors have come under the scope of RTI since the 1990s, such as companies that are owned or controlled by the state and private entities that perform a public function or are recipients of substantial government funding. This should be extended to include the pure players as well as the telcos and the ISPs (see Frau-Meigs, UNESCO “Exploring the Evolving Mediascape” report, 2013).

2/ Public-interest regulatory authority

There is a need for a mechanism or instrument that ensures that transparency reports are produced with clear criteria and with independence (far from the pressure of media, politics or economics). Going for a policy-making mechanism may mean looking at existing regulatory agencies, because governments are not willing to create new institutions. It is important to identify national and intergovernmental monitoring bodies at regional level, to provide for cooperative, multi-stakeholder spaces.

Citizens need sense-making mechanisms for looking at the data, or else the statistics will just go unused and will overshadow other important issues, such as terms of service (that can be problematic for the private sector). The reports from different actors/stakeholders need to be created through a standard-setting process. They have to be organised according to objectives and circumstances duly described by the law, as well as the suspected crimes by nature, by service (asking for interception), by operator (on the territory and also outside) and also by decision (suppression, acceptance, effect or not). All reports should be public (they are not in all countries, including the USA). And citizens should have the right to complain, in public court or bureau, with violations reviewed in adversarial proceedings.

3/ Peer-to-Peer leveraging

Fears about mass data surveillance have preoccupied civil society for a while, especially after media disclosures of such non-military spying programmes as ECHELON (1988) and STELLARWIND (2008). As a result of these early disclosures, P2P technology was developed to empower individuals to protect themselves. P2P enables the repurposing of innovations made for completely different reasons. End-users can create solutions to counter the threat, thus fully exerting their right of leverage. The computer community has released several strong cryptographic software tools such as Pretty Good Privacy (PGP), in response to government pressure. Making cryptography available online, especially via PGP that works on open standards, can redirect the control over privacy protection from the government to the end-users.

P2P leveraging can also be exerted offline, as creative solutions are also being set up by the netroots at the political and legal level of intervention. Civil society movements such as “Restore the Fourth” have emerged to denounce the onslaught on individual privacy, to restore due process about unreasonable searches and seizures and to hold public officials accountable if responsible for undue surveillance. Watchdog organisations such as The Electronic Frontier Foundation have filed lawsuits against the NSA to end unconstitutional surveillance; others such as Transparency International, Human Rights Watch and Amnesty International have called attention to the case of whistleblowers and the need to protect them, as in the case of Snowden, bereft in Russia for lack of a proper solution.

4/ Media and Information Literacy (MIL)

The current civic apathy of the larger public can be turned into civic agency by early exposure to Media and Information Literacy. Education takes time and its results are not easily and quickly seen, which explains partly the slow move by governments to implement MIL programmes in schools. Yet education is the best filter and it provides for the possibility of self-protection against intrusion and disclosure. It also encourages young people to practice peer-transparency and to request accountability from politicians and businesses alike.

With this repertoire of strategies, transparency could thus be less ideological and more pragmatically effected. Yet Transparency 2.0 will remain a dystopian view if not sustained by accountability in Internet governance. Accountability needs to be construed as a normative notion, as an obligation to perform and report, so that citizens can see as much of their leaders as their leaders can see of them. Accountability would then be based on democratic consent and its underlying human rights values.

Transparency 2.0. Being Transparent about Transparency: Strengths and Weaknesses of Current Reporting (part 1)

4 November 2013

The year 2013, via scandals like PRISM and Offshore Leaks, has made it apparent that governments and businesses endeavour to circumvent Internet security mechanisms beyond what is expected of their roles and missions. The threat to public trust and to protection of human rights is being attenuated by a flurry of transparency claims and reports.

There are two ways of dealing with transparency today: 1/ by operator (that tends to look at consumer issues and government requests) or 2/ by regulatory agency (that considers issues such as safety, security, terror, etc., according to their finalities and the implicated services). Strikingly absent from the debate are the telcos and the Internet Service Providers (ISPs). The strengths and weaknesses of these reports depend on the motivation and legitimacy of the agencies that provide and promote them.

Transparency by operator: looking at Google transparency reports (last published, March 2013)

The responsibility and accountability of private sector entities is engaged in unprecedented ways in the digital world. The economy of the broadband media is basically built on personal data-mining by unrelated third parties, which implies having access to the expression of users for developing new services and for making business based on direct marketing purposes. The consensus currently accepted is that calling on their social responsibility can be done in a framework of self-regulation in which good practices are encouraged. This is the case with the Global Network Initiative created in 2008 to protect and advance freedom of expression and privacy, composed of ICT sector companies and civil society organizations (including human rights groups). Only four major American corporations (Google, Microsoft, Facebook and Yahoo!) were involved at the start, with a vested interest in promoting their image for transparency and in keeping state intervention at bay. The snowball effect of the initiative is such that other pure player companies (Apple, Twitter, Dropbox, LinkedIn, etc.) have been induced to join the move, especially as their compliant role in the PRISM surveillance of customers is under intense public scrutiny.

Google was the first to start publishing its “Transparency Report”, in 2009-10, before the scandal emerged. The reports show government requirements to take down information (blogs, images…) and reveal statistical patterns of traffic per requesting country (not by country requested). They give an idea of the priorities of business that they cover: government interventions (in all countries), requests to take down for copyright infringement, requests about users:

  • it is mostly connected to industry competition and Google-centred (YouTube and Google take downs)
  • it doesn’t give its criteria, its internal procedures and provides no information about NSA requests and Google’s level of compliance with them
  • it sends the reader to ECPA due process (an American legal framework is assumed here, not international)
  • it provides a semblance of seamless (self)regulation and doesn’t show the role of lobbies but also of social networks in the number of requests (case of Brazil for instance).

Google presents itself as the defender of the user first (in the section where it describes its refusal to take down for instance) but doesn’t give its reasons for refusing or agreeing to remove content. As often with transparency, what is not under the light is not visible, so nothing really indicates where Google stands with regard to government requests of a secret nature as revealed by the PRISM scandal. Besides, statistics by single operators are not very illuminating and tend to be boring. Trust is not secured because the operator is both judge and party and there is no real transparency on its procedures. Google and other pure players have since been reactive to growing criticism by petitioning the government in order to be able to say more about FISA (Foreign Intelligence Surveillance Act), including section 702 (on foreign surveillance programmes like PRISM).

Transparency by regulatory authority: looking at CNCIS (Commission Nationale de Contrôle des Interceptions de Sécurité) public yearly reports (last published, February 2013)

The CNCIS, created in 1993, gives the perspective of governments and their priorities in what such an agency can cover. In France, three major motives appear: criminality prevention (50% of requests), national security (30%), terrorism (20%). This government perspective tends to provide a procedural approach besides the usual statistics (in relation to services and objectives, including data traffic and anti-terrorist requests):

  • it shows the field not covered by French law on secrecy of messages and mail and its exceptions while being out of its competence (including the French equivalent to PRISM for “mass” surveillance, which is “extralegal”, CNCIS being competent on targeted surveillance)
  • it provides too short a comparison with other countries but points to possible exchanges and reciprocal training…
  • it is informative, with a good description of criteria and their relation to due process and the law.

The reports also point to a certain amount of good practices:

  • a posteriori and a priori surveillance can be interrupted
  • continuous control is applied, even of accepted interceptions, at random, to ensure that the legal procedure is respected
  • a priori control of the decisions to intercept is activated (even in case of “urgence absolue”), which often allows dialogue between various services
  • the capacity for quick response is ensured (less than an hour to evaluate “urgence absolue” requests), and a 24/24 hotline is maintained
  • decision-makers are audited by the CNCIS council, to keep dialogue and ensure accountability.

The government reports point to a concern about disproportionate requests or lack of legitimacy of procedures that could be conducted by other means such as local investigation. They nonetheless lack a relation to the general public, which seems to be absent from the procedure, as there doesn’t seem to be a place for an ombudsman or a formal complaints bureau (for people to ask for information about them).

Both types of reports reveal a certain amount of strengths and weaknesses in transparency that leave way for improvement and for a more general and shareable transparency template:

  • the need to define what one is to be transparent about: the status of chats, forums or blogs is not clear for instance, and so it is difficult to assess if such forms of communications should/ought/could lend themselves to interception…
  • the determination of the type of crimes that can legitimate interception is still unclear
  • there is an urgent need for clarification between national interests (very large and general) and national security (that often deals with terrorism).

In fact, transparency is used as a kind of mantra, but seems to have become an ideology, much as secrecy (its reverse) was in the last century. However, unless full reciprocal transparency can be guaranteed, it is a dystopian goal, because it creates new ways of cheating with information, new imbalances, new disparities and discrepancies. Taking into account the two-faced activities of the worthy and the wicked, we need to acknowledge the moral ambiguity of transparency 2.0. It might be less naïve and more effective to refer to accountability rather than to transparency: it is not about saying everything all the time, it is about ensuring procedural fairness, access to information and reparation of torts and damages when applicable. In that context, the full interest of the public, as consumer and citizen, can be taken into account, and ensure trust.

PRISM 1. The scandal of generalized surveillance: why such civic apathy?

29 October 2013

The weak mobilization of civil society in response to the scandal of the generalized spying programme PRISM is rather surprising. Illegal surveillance by the United States has not only infringed the sovereignty of states, it has also intruded into the private lives of individuals, in France as elsewhere.

All sorts of hypotheses about this generalized apathy can be put forward, with some degree of validity:

  • The public has become cynical about all these spying crises, which relegate James Bond stories to pre-digital prehistory.
  • The public no longer trusts the press to inform it and, in return, to serve as a place to express its indignation and resentment. The press operates as a filter of emotions as well as of information and does not fully play its role as a relay when scandals break, as if it were muzzled by the state and by press magnates allied with those in power.
  • The public has no recourse to which it can address its indignation: the French state? It is suspected of doing the same through the DGSE, and its feeble protests to the United States are more a confirmation than a denial. The American state? It is too far away, and the class action law is too recent to be an effective legal tool at this stage. The International Criminal Court? The United States has been careful not to ratify its statute.
  • The French have fewer expectations of the United States than other European citizens in Germany or the United Kingdom, countries that are unwavering allies. They therefore felt less betrayed than the Germans and the English and did not go to protest in the street or to their elected representatives, because they expect no more of their Parliament than of the American Congress. This is a pity, however, because the betrayal is established, even if its direction is not clear: either Congress did not know, in which case the NSA hid its activities from its own government, which makes it a clear-cut breach of duty, or Congress knew, in which case it is a case of aggression against a democratic ally that should not be tolerated.
  • The French are not very sensitive to the right to be forgotten online or to the protection of personal data. The CNIL, whose vigilance is appreciated, is supposed to watch over these questions, and they are delegated to it. Moreover, as long as a French person is not cruelly affected in his or her integrity, the emotion is not strong enough to trigger a strong mobilization around abstract and distant principles.

The hypothesis that is not put forward is that of the public’s lack of awareness, owing to the glaring absence in our country of a media and information education that takes the new digital landscape into account. Given the circumstances, it is becoming more and more indispensable to ground this digital literacy in human rights and their universal declaration, in particular dignity (article 1), privacy (article 12), freedom of expression (article 19), not to mention education (article 27) and participation (article 29).

What would a media and information education worthy of the name do?

  • It would use PRISM (like WIKILEAKS) as a textbook case to make concrete and ethical some notions that are abstract and based on general principles: code and who controls it, the lack of transparency despite the transparency reports, the dependence of democratic states on the United States for everything to do with the Internet (root servers, ICANN…).
  • It would foster critical thinking by asking the awkward questions: Who is to blame? The United States, the French state, the service providers… Who has the most to lose? The big monopolistic Hollyweb companies despite their protestations of good faith, the surveillance agencies that have exceeded the rights authorized by their own oversight authority…
  • It would insist on the need for cross-border legislation and a treaty on Internet governance, and would demand a dispute settlement mechanism with a means of recourse for the public.
  • It would show what data exploitation is used for and would train people in personal protection, without waiting for the government or the service providers, which implies transforming media and information education for the digital era by adding to it an education in the computing of everyday uses.
  • It would point to the alternative solutions that exist, even if they do not match the expectations of a general public accustomed to the ease of Hollyweb’s ready-to-mediatize platforms. It would not make the public complicit in what is happening, through its apathy and inertia, or even its cynicism, well nurtured on social networks, but rather a fifth estate with its own autonomy and its capacity to act from the grassroots.

Should we be surprised, then, that media and information education is not the priority of governments or of companies in the digital media sector? Could one scandal be hiding another?…

