
Transparency 2.0: Ubiquitous Transparency as an Answer to Ubiquitous Surveillance? (part 2)

4 November 2013

The Internet has enabled the possibility of ubiquitous networks, in which information processing has been integrated into everyday objects to enable seamless activities without users being aware of it (via smartphones, mobiles…). The current PRISM scandal has alerted public opinion to the extent and the abuses of such ubiquitous surveillance, which seems difficult to stem in spite of growing claims in favour of augmented privacy… unless a reciprocal principle of ubiquitous transparency is set up. Transparency reports are only the beginning of this process, and they have the merit of pointing at the risks to democracy if surveillance is allowed to go rampant.

The risks of transparency erosion

When transparency and accountability are lacking, the risks are numerous, at all levels of governance. The very technical foundations of the Internet may be affected or even undermined if governments develop their own security mechanisms to circumvent the existing ones.  Hacking strategies, scrambling systems, encryption, sensors and viruses of all kinds can impact the architecture of the net. They can also induce competing states to engage in a cyberwar that may be damaging for the transborder advantages of the current Internet as a critical resource for development. They can modify the broadband infrastructure layer that connects networks and routers and reduce the scope and security at the core of the Internet backbone, which can have deep implications for policy perspectives.

A larger risk lies in the impact of erosion on the global interoperability and openness of the Internet, two principles that have laid the foundations of digital value for the world community at large. Technically, interoperability requires attention to standards at the design level of a programme and can have significant impact on usability, with economic, political and social consequences; openness combines the technical layer and the legal and content layer of freedom of expression and right to information (against censorship and surveillance). They both are becoming pillars of governance and jeopardizing them may lead to Internet mayhem.

The risk of conflict of interest is also quite present, as always when industry gets involved in policy-making. The pure-player lobbies are quite active in framing and shaping legal decisions worldwide, not just in the USA, as exemplified by the EU-US negotiations on a data protection agreement and the generalized spying on political leaders and European economic groups revealed by PRISM. The political and social costs of transparency erosion can also lead to a lack of public deliberation and have a chilling effect on expression; they can also have inhibiting effects on creativity and productivity (self-censorship).

The solutions towards ubiquitous transparency and accountability

Such risks point to a need to review confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for service providers, law enforcement agencies and users at large. The new context of PRISM and general surveillance has had the positive effect of re-engaging national governments in regulation, of focusing policy-making on accountability claims and of reframing some of the norms by which the netroots can influence policy effectively, with increased obligations for reporting. The problem needs to be addressed at several levels of intervention, which started before PRISM but for which PRISM can be a meaningful catalyst: the right to information, the regulatory authority, the peer-to-peer leveraging of civil society and finally media and information literacy for the larger empowerment of the public.

1/ The Right to Information (RTI)

In recent years, the Right to Information has been successfully construed as a complement to the right to freedom of expression. The purpose, amongst others, is to promote transparency and open information flows in certain sectors, such as scientific information, environmental matters, public budgets, extractive industries and the use of natural resources. The Internet as a critical resource could be added to that list.

The RTI framework is characterized by a number of principles that could be used for transparency reports: maximum disclosure, obligation for public bodies to publish key information, limited scope of exceptions, processes to facilitate access to government-held information, open meetings, disclosure taking precedence over secrecy laws, protection for whistleblowers, together with low costs for information access, and the promotion of open government. Additional actors have come under the scope of RTI since the 1990s, such as companies that are owned or controlled by the state and private entities that perform a public function or are recipients of substantial government funding. This should be extended to include the pure players as well as the telcos and the ISPs (see Frau-Meigs, UNESCO “Exploring the Evolving Mediascape” report, 2013 available here).

2/ Public-interest regulatory authority

There is a need for a mechanism or instrument that ensures that transparency reports are produced with clear criteria and with independence (far from the pressure of media, politics or economics). Opting for a policy-making mechanism may mean looking at existing regulatory agencies, because governments are not willing to create new institutions. It is important to identify national and intergovernmental monitoring bodies at regional level, to provide for cooperative, multi-stakeholder spaces.

Citizens need sense-making mechanisms for looking at the data, or else the statistics will simply go unused and will overshadow other important issues, such as terms of service (that can be problematic for the private sector). The reports from different actors/stakeholders need to be created as a standard-setting process. They have to be organised according to objectives and circumstances duly described by the law, as well as the suspected crimes by nature, by service (asking for interception), by operator (on the territory and also outside) and also by decision (suppression, acceptance, effect or not). All reports should be public (they are not in all countries, including the USA). And citizens should have the right to complain, in public court or bureau, with violations reviewed in adversarial proceedings.

3/ Peer-to-Peer leveraging

Fears about mass data surveillance have preoccupied civil society for a while, especially after media disclosures of such non-military spying programmes as ECHELON (1988) and STELLARWIND (2008). As a result of these early disclosures, P2P technology was developed to empower individuals to protect themselves. P2P enables the repurposing of innovations made for completely different reasons. End-users can create solutions to counter the threat, thus fully exerting their right of leverage. The computer community has released several strong cryptographic software tools such as Pretty Good Privacy (PGP), in response to government pressure. Making cryptography available online, especially via PGP that works on open standards, can redirect the control over privacy protection from the government to the end-users.

P2P leveraging can also be exerted offline, as creative solutions are also being set up by the netroots at the political and legal level of intervention. Civil society movements such as “Restore the Fourth” have emerged to denounce the onslaught on individual privacy, to restore due process about unreasonable searches and seizures and to hold public officials accountable if responsible for undue surveillance. Watchdog organisations such as the Electronic Frontier Foundation have filed lawsuits against the NSA to end unconstitutional surveillance; others such as Transparency International, Human Rights Watch and Amnesty International have called attention to the case of whistleblowers and the need to protect them, as in the case of Snowden, bereft in Russia for lack of a proper solution.

4/ Media and Information Literacy (MIL)

The current civic apathy of the larger public can be turned into civic agency by early exposure to Media and Information Literacy. Education takes time and its results are not easily and quickly seen, which partly explains the slow move by governments to implement MIL programmes in schools. Yet education is the best filter and it provides for the possibility of self-protection against intrusion and disclosure. It also encourages young people to practice peer-transparency and to request accountability from politicians and businesses alike.

With this repertoire of strategies, transparency could thus be less ideological and more pragmatically effected.  Yet Transparency 2.0 will remain a dystopian view if not sustained by accountability in Internet governance. Accountability needs to be construed as a normative notion, as an obligation to perform and report, so that citizens can see as much of their leaders as their leaders can see of them. Accountability would then be based on democratic consent and its underlying human rights values.

Transparency 2.0. Being Transparent about Transparency: Strengths and Weaknesses of Current Reporting (part 1)

4 November 2013

The year 2013, via scandals like PRISM and Offshore Leaks, has made it apparent that governments and businesses endeavour to circumvent Internet security mechanisms beyond what is expected of their roles and missions. The threat to public trust and to protection of human rights is being attenuated by a flurry of transparency claims and reports.

There are two ways of dealing with transparency today: 1/ by operator (that tends to look at consumer issues and government requests) or 2/ by regulatory agency (that considers issues such as safety, security, terror, etc., according to their finalities and the implicated services). Strikingly absent from the debate are the telcos and the Internet Service Providers (ISPs). The strengths and weaknesses of these reports depend on the motivation and legitimacy of the agencies that provide and promote them.

Transparency by operator: looking at Google transparency reports (last published, March 2013)

The responsibility and accountability of private sector entities is engaged in unprecedented ways in the digital world. The economy of the broadband media is basically built on personal data-mining by unrelated third parties, which implies having access to the expression of users for developing new services and for making business based on direct marketing purposes. The consensus currently accepted is that calling on their social responsibility can be done in a framework of self-regulation in which good practices are encouraged. This is the case with the Global Network Initiative created in 2008 to protect and advance freedom of expression and privacy, composed of ICT sector companies and civil society organizations (including human rights groups). Only four major American corporations (Google, Microsoft, Facebook and Yahoo!) were involved at the start, with a vested interest in promoting their image for transparency and in maintaining state intervention at bay. The snowball effect of the initiative is such that other pure player companies (Apple, Twitter, Dropbox, LinkedIn, etc.) have been induced to join the move, especially as their compliant role in the PRISM surveillance of customers is hotly under public scrutiny.

Google was the first to start publishing its “Transparency Report”, in 2009-10, before the scandal emerged. The reports show government requests to take down information (blogs, images…) and reveal statistical patterns of traffic per requesting country (not by country requested). They give an idea of the priorities of the business that they cover: government interventions (in all countries), requests to take down for copyright infringement, requests about users:

  • it is mostly connected to industry competition and Google-centred (YouTube and Google take downs)
  • it doesn’t give its criteria or its internal procedures, and provides no information about NSA requests and Google’s level of compliance with them
  • it sends the reader to ECPA due process (an American legal framework is assumed here, not international)
  • it provides a semblance of seamless (self)regulation and doesn’t show the role of lobbies, or of social networks, in the number of requests (case of Brazil for instance).

Google presents itself as the defender of the user first (in the section where it describes its refusal to take down for instance) but doesn’t give its reasons for refusing or agreeing to remove content. As often with transparency, what is not under the light is not visible, so nothing really indicates where Google stands with regard to government requests of a secret nature as revealed by the PRISM scandal. Besides, statistics by single operators are not very illuminating and tend to be boring. Trust is not secured because the operator is both judge and party and there is no real transparency on its procedures. Google and other pure players have since reacted to growing criticism by petitioning the government in order to be able to say more about FISA (Foreign Intelligence Surveillance Act), including section 702 (on foreign surveillance programmes like PRISM).

Transparency by regulatory authority: looking at CNCIS (Commission Nationale de Contrôle des Interruptions de Sécurité) public yearly reports (last published, February 2013)

The CNCIS, created in 1993, gives the perspective of governments and their priorities in what such an agency can cover. In France, 3 major motives appear: criminality prevention (50% of requests), national security (30%), terrorism (20%). This government perspective tends to provide a procedural approach besides the usual statistics (in relation to services and objectives, including data traffic and anti-terrorist requests):

  • it shows the field not covered by French law on secrecy of messages and mail and its exceptions, while being out of its competence (including the French equivalent to PRISM for “mass” surveillance, which is “extralegal”, CNCIS being competent for targeted surveillance)
  • it provides too short a comparison with other countries but points to possible exchanges and reciprocal training…
  • it is informative, with a good description of criteria and their relation to due process and the law.

The reports also point to a certain amount of good practices:

  • a posteriori and a priori surveillance can be interrupted
  • continuous control is applied, even of accepted interceptions, at random, to ensure that the legal procedure is respected
  • a priori control of the decisions to intercept is activated (even in case of “urgence absolue”), which often allows dialogue between various services
  • the capacity for quick response is ensured (less than an hour to evaluate “urgence absolue” requests), and a 24-hour hotline is maintained
  • decision-makers are audited by the CNCIS council, to keep dialogue and ensure accountability.

The government reports point to a concern about disproportionate requests or a lack of legitimacy of procedures that could be conducted by other means such as local investigation. They nonetheless lack a relation to the general public, which seems to be absent from the procedure, as there doesn’t seem to be a place for an ombudsman or a formal complaints bureau (for people to ask for information about them).

Both types of reports reveal a certain amount of strengths and weaknesses in transparency that leave way for improvement and for a more general and shareable transparency template:

  • the need to define what one is to be transparent about: the status of chats, forums or blogs is not clear for instance, and so it is difficult to assess if such forms of communications should/ought/could lend themselves to interception…
  • the determination of the type of crimes that can legitimate interception is still unclear
  • there is an urgent need for clarification between national interests (very large and general) and national security (that often deals with terrorism).

In fact, transparency is used as a kind of mantra, but seems to have become an ideology, much as secrecy (its reverse) was in the last century. However, unless full reciprocal transparency can be guaranteed, it is a dystopian goal, because it creates new ways of cheating with information, new imbalances, new disparities and discrepancies. Taking into account the two-faced activities of the worthy and the wicked, we need to acknowledge the moral ambiguity of transparency 2.0. It might be less naïve and more effective to refer to accountability rather than to transparency: it is not about saying everything all the time, it is about ensuring procedural fairness, access to information and reparation of torts and damages when applicable. In that context, the full interest of the public, as consumer and citizen, can be taken into account, and ensure trust.
