Social Issues

Privacy

  • Privacy
    China’s Big Data Push Runs Into Orwell and Red Tape
    Lorand Laskai is a research associate in the Asia studies program at the Council on Foreign Relations. You can follow him @lorandlaskai. Like most policymakers around the world, the leadership of the Chinese Communist Party is exploring how big data and tech can transform government, producing some uniquely Chinese concepts for future governance. Two weeks ago, party scholar Li Zhen wrote an op-ed in the People’s Daily, the Chinese Communist Party’s official newspaper, on the concept of “cloud governance” 云治理, a term Li coined to envision how big data and other information technologies, like internet of things (IoT) and cloud computing, could converge to transform how China is governed. Li’s concept of “cloud governance” relies on big-data analytics to extend the scope of government while making it more efficient and responsive. He emphasizes the need for “data relations” between government and large data-driven companies. In other words, Beijing must “think of every means possible” to induce companies into data sharing arrangements, even if they are likely to resist. Furthermore, he argues that cloud governance should allow government to be preemptive, using data inputs to anticipate crises and challenges before they occur. Over the past few years, the Chinese government has taken a number of preliminary steps to turn Li’s vision of data-driven governance into a reality. In September 2016, the State Council released a policy document outlining a ‘social credit system’ 人信用监督 that would pull on various data pools and use algorithms to calculate a citizen’s trustworthiness. Critics have naturally pointed out the plan’s attempt at social control has Orwellian overtones. Even though the system would primarily be used to limit fraud and determine a person’s eligibility for employment, the scope of the data collected far exceeds personal finances and could include such indices as online speech, buying habits and previous run-ins with the law.
And the penalties for a low social credit score are equally far-ranging, including travel restrictions, limits on certain expenditures (e.g. real estate, tuition for children’s education), daily monitoring by security officials, or punishment. A pilot project currently underway in Hangzhou will pave the way for a nationwide rollout in 2020. As if to complement this futuristic—if not dystopian—vision of Chinese governance, the CEO of e-commerce giant Alibaba suggested in October 2016 that big data analytics from private-public partnerships could help law enforcement preempt crimes. “It’s normal for one person to buy a high-pressure cooker, a timer or even some gunpowder and steel ball bearings [separately], but it wouldn’t be normal if one person bought all that stuff together at once,” Mr. Ma said. Ma’s Minority Report-style vision of crime fighting, which would necessarily entail China’s tech giants providing data on a citizen’s consuming habits for authorities to monitor, fulfills the main features of Li’s “cloud governance.” But whether “cloud governance” channels Big Brother, Minority Report, or both, any large-scale big data governance project would face major challenges. Implementation is where many ambitious state-sponsored information and communications technology projects perish, and in China local execution and bureaucratic politics tend to dull even the most energetic initiatives from the central government. The China Securities Regulatory Commission’s (CSRC) effort to build a unified, large-scale big data monitoring system for catching insider trading on Chinese stock exchanges is an instructive example. As Caixin reported, the monitoring system, originally commissioned in 2014, has repeatedly run up against bureaucratic resistance, leaving the project well behind schedule.
Former CSRC Chairman Xiao Gang vented in 2015, “some department units are self-centered and are used to working with their own systems, creating all kinds of excuses to delay system and data integration.” Also with a poor implementation track record: the “data relations” and public-private partnerships that Li and Jack Ma both advocate for. In February 2016, the China Food and Drug Administration (CFDA) pulled out of a partnership with Alibaba that mandated drug trading enterprises use Alibaba’s drug monitoring system. The platform had the advantage of standardizing, verifying, and tracking all prescription drugs sold in China—a mechanism sorely needed in a market where counterfeits are widespread—but pushback from the pharmaceutical industry and vocal concerns over conflict of interest sank the project. Without an industry-wide system, the public-private partnerships that Li and Ma both encourage are infeasible. Setbacks aside, the Chinese government continues to hype the possibilities of big data. Just this week, state-media headlines trumpeted that big data analytics will improve people’s Chinese New Year commutes in Jiangsu; help migrant laborers negotiate wages in Guizhou; and catch cadres using public cars for private use. For the time being, it’s unclear if state-sponsored big data governance projects will fulfill these lofty promises, or if pie-in-the-sky concepts like “cloud governance” will meet the harsh and messy reality of governing.
  • Cybersecurity
    The Year in Review: Major Setbacks for Digital Trade in 2016
    What a difference one year makes. When 2015 ended, prospects for digital trade looked good. In bilateral, regional, and multilateral contexts, initiatives were advancing that were, in part, designed to increase opportunities for digital commerce and strengthen rules for it. The European Union launched its Digital Single Market strategy and was negotiating the Trans-Atlantic Trade and Investment Partnership (TTIP) agreement with the United States. In addition to TTIP, the United States concluded the Trans-Pacific Partnership (TPP) agreement with eleven countries, and was negotiating the Trade in Services Agreement (TISA) with over twenty nations and the European Union. As 2016 ended, these initiatives were damaged, in danger of failure, or dead. The Brexit referendum began the United Kingdom’s departure from the European Union and the single European market. With all major U.S. presidential candidates opposing it, the TPP agreement was in trouble before Donald Trump won. President-elect Trump confirmed the United States would not join, effectively killing one of the most important trade initiatives of the twenty-first century. The TTIP agreement’s chances suffered from opposition within the EU, the decision of the United Kingdom—a TTIP supporter—to exit the bloc, and the anti-trade policies of president-elect Trump. TISA negotiators cancelled the December 2016 meeting where they once expected to finalize the agreement, with doubts swirling whether negotiations would be revived given Trump’s hostility to trade agreements. The forces that produced these outcomes go beyond criticisms of the digital trade aspects of these initiatives. The Brexit vote and the anti-trade zeitgeist of the U.S. election revealed widespread anger with cornerstones of British and American international economic engagement—liberalization of trade and investment through treaties as a strategic commitment of the UK and U.S. governments. 
The dimmed prospects for digital trade are collateral damage from a populist upheaval against economic interdependence and globalization. Prior to this upheaval, digital technologies helped catalyze interdependence and globalization, even when treaties lagged behind how digital devices and networks transformed the global movement of goods, services, capital, and information. The impact of digital technologies on commerce produced concerns about privacy, cybersecurity, abuse of market power by tech companies, and sovereignty. Despite these concerns, governments around the world supported liberalization of digital trade and worked to promote this objective in trade and investment agreements. The Digital Single Market, TTIP, TPP, and TISA represented, in different contexts, strategies to advance digital commerce’s deeper integration into international economic law. Brexit, the death of TPP, the demise of TTIP, and doubts about TISA do not portend the imminent collapse of digital trade. After all, digital commerce expanded much faster than countries addressed it in trade and investment agreements in the post-Cold War era. However, what happened in 2016 takes away the support these initiatives gave to advancing and protecting digital trade in global economic governance. The absence of this support might allow countervailing forces, including requirements for data localization and national cybersecurity measures, to produce increasing restrictions on digital trade. Existing trade and investment agreements, such as the WTO’s General Agreement on Trade in Services, might prove inadequate in managing disputes over new restraints on digital commerce. In addition, new trade and investment agreements might not have provisions for digital trade that achieve what the initiatives discussed above aimed to accomplish. 
For example, the chapter on electronic commerce in the Comprehensive Economic and Trade Agreement concluded by the European Union and Canada in 2016 comes nowhere close to what Canada accepted in the TPP agreement and what the European Union seeks in the Digital Single Market. In 2017, indicators of where digital trade is headed will emerge from four sources. First, the Trump administration’s implementation of its trade policies will signal how it plans to promote U.S. digital commerce. Second, the European Union will pursue the Digital Single Market without British participation, and this initiative, in combination with EU privacy law, will affect digital commerce between the European Union and its trading partners. Without TTIP, the European Union has fewer incentives to moderate its regulation of U.S. tech companies, and the Trump administration will lack leverage to bargain on their behalf. The TPP’s death also means the European Union does not have to worry about whether that agreement would have created market pressures on how it regulated digital commerce in the single market. Third, as Brexit moves forward, the UK government will seek to conclude trade and investment agreements with the European Union, the United States, and other countries. What the United Kingdom negotiates will be important in understanding how nations are thinking about liberalizing and protecting digital trade. Finally, how China promotes its Regional Comprehensive Economic Partnership to fill the void left by the TPP’s demise bears watching for its impact on digital commerce in Asia.
  • Privacy
    The Year in Review: Encryption and Privacy in 2016
    Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.  There were a number of developments that shaped the encryption and digital privacy landscape this year. It started off with a bang in February when the FBI successfully obtained a court order requiring Apple to build software to unlock the iPhone of one of the San Bernardino terrorists. That sparked a month-long debate among pundits, lawmakers, and civil society groups who lined up behind their respective champion and shouted invective at each other. Even then-candidate Donald Trump got in on the action, calling for a boycott of Apple in response to the tech giant’s unwillingness to comply with the order. The debate ended almost as quickly as it started when the FBI asked the court to rescind its order given that a third party had approached the agency with a proof of concept to get into the iPhone without Apple’s help. Despite the intensity of the debate, it’s hard to gauge what impact it had, if any, toward finding a compromise between the law enforcement and civil liberties camps. Last year, this blog noted the ritualization of the encryption debate, whereby something bad happens, people yell at each other, the debate goes away, and nothing has been accomplished. The same thing happened this year. Bills were introduced into Congress, commissions were proposed, but nothing really happened. During the Apple-FBI fight, the United States and Europe announced their agreement on the successor to the invalidated Safe Harbor pact, calling it Privacy Shield. In contrast to the previous agreement, Europeans now have a right to redress in U.S. courts if they believe their privacy rights were violated and an ombudsperson to resolve any complaints on behalf of Europeans concerned about the U.S. intelligence community capturing data transferred under the deal. 
Although data protection authorities in Europe expressed skepticism of the deal, they said they would give it at least a year before reviewing its adequacy and possibly challenging it in EU court. Their actions were preempted by Digital Rights Ireland, a privacy group, which challenged the European Commission’s assertion that the shield was adequate to protect EU citizens’ privacy rights. The Privacy Shield challenge, along with the possible invalidation of model clauses--another legal mechanism used to transfer data across the pond--increases the likelihood of more turbulence for U.S.-EU data transfers next year. 2016 also saw the passage of a number of controversial interception and data retention laws. In the United Kingdom, the Investigative Powers Bill--known to detractors as the Snooper’s Charter--received royal assent. Among other things, the bill requires communications service providers (CSPs) to maintain "internet connection records" of their users, reiterated existing requirements that CSPs maintain a capability to decrypt communications, and created a new oversight body to monitor law enforcement and the intelligence community’s use of the new powers. In China, the cybersecurity law that went through several drafts since 2015 finally entered into force in November. In addition to U.S. business concerns that it will subject their wares to regular security audits and pose a threat to their intellectual property, the Chinese bill requires CSPs to mandate that users register with their real-world identities (no anonymity allowed) and requires undefined "critical information infrastructure operators" to store user data in the country--a practice known as data localization. Like the UK measure, the Chinese law requires that tech companies provide "technical support" with law enforcement investigations, presumably meaning providing a decryption capability.
Finally, the election of Donald Trump as president of the United States gave a shot in the arm to privacy activists. His election sparked discussions about the state of online privacy for the next four years and concerns that even modest reforms to the NSA surveillance programs will be rolled back. A month after his election, Signal, the Edward Snowden-endorsed messaging app, experienced a 400 percent jump in daily app downloads. 2016 was pretty hectic for the privacy world, but probably no more than previous years. What does 2017 have in store? Court challenges and opinions. Expect lots of them. Privacy activists and companies are likely to test the legality of the UK’s Investigative Powers Act, the viability of model clauses and the Privacy Shield, and trigger another encryption fight if U.S. law enforcement can’t unlock a device during the investigation of a high-profile or particularly heinous crime.
  • Cybersecurity
    The UN Counter-Terrorism Committee Revisits Terrorism in Cyberspace
    Last week, the UN Security Council’s Counter-Terrorism Committee held meetings on preventing the exploitation of information and communication technologies (ICTs) for terrorist purposes. These meetings, like similar ones in December 2015, focused on the self-declared Islamic State’s use of the internet and social media and highlighted increased activities during 2016 against ICT terrorism by international organizations, governments, civil society, and tech companies. However, problems exposed in 2015 appeared again in these meetings, raising questions about what impact the increased actions have had. This year’s meetings also did not grapple with how terrorist exploitation of ICT is changing in light of the territorial losses the Islamic State has suffered, the killing of leaders of its online activities, and American, British, and Australian offensive cyber operations against it. The impact of the military campaign against the Islamic State means, in the future, terrorist activity in cyberspace might not resemble the threat the Counter-Terrorism Committee’s meetings addressed.

    Highlights from the 2016 Meetings

    The 2016 meetings covered many issues that combating ICT terrorism raises, including technical challenges, law enforcement cooperation, human rights, company self-regulation, public-private partnerships, counter-content strategies, and counter-messaging approaches. Presentations discussed efforts to counter online terrorism and highlighted developments in 2016 involving, among others, the Security Council, U.S. Global Engagement Center, EU Internet Referral Unit, ICT4Peace’s partnership with the Counter-Terrorism Committee’s Executive Directorate, Global Network Initiative, Access Now, VOX-Pol Network, Al-Azhar University’s Observatory, and Twitter. Intensified efforts have not, however, overcome problems previously identified with measures against ICT terrorism.
Skepticism about the effectiveness of counter-content and counter-messaging activities, and whether effectiveness can be measured, was prominent, as it was during the 2015 meetings. While increased action corresponded with a decrease in Islamic State online activity, speakers acknowledged that correlation was not causation, and other factors, such as the military campaign against the Islamic State, played a bigger role. The impact of military attacks helps explain why the foreign terrorist fighter (FTF) threat was less prominent than during the 2015 meetings. In 2016, the flow of FTFs to areas controlled by the Islamic State decreased. The lack of attention on FTFs this year means few think ICT terrorism countermeasures deserve credit for this outcome. The scale of the challenge facing strategies against ICT terrorism was frequently mentioned, especially the volume of terrorist social media use, the multiple platforms exploited, the different languages employed, and the diversity of communications. The scale problem prompted discussion about whether automation is needed in combating ICT terrorism, an issue on policymakers’ minds in 2016. As happened last year, experts identified problems, and frustration, with law enforcement capabilities and mutual legal assistance concerning ICT terrorism and cybercrime. One speaker claimed cybercriminals enjoy “virtual immunity” despite years of effort. Unlike 2015, this year’s meetings did not involve much consternation about the threat encryption presents to fighting crime and terrorism. Diplomatic statements often emphasize the need for ICT terrorism countermeasures to respect international law, including human rights law. Here, tensions were again palpable. Despite tech companies explaining their policies, delegates from some UN member states expressed irritation with what they believe is corporate failure to act responsibly against online terrorism. 
Informing this frustration was a sense that foreign tech company behavior undermines national values, domestic law, and sovereignty protected by international law. The session on privacy and freedom of expression involved criticisms that states are violating human rights in countering ICT terrorism. These criticisms echo findings that, in 2016, internet freedom declined for the sixth consecutive year. Representatives of some UN member states pushed back, but the discussion highlighted the gap between rhetoric about the importance of human rights online and realities about privacy and freedom of expression under threat in cyberspace.

    The Future of ICT Terrorism

    The 2016 meetings did not discuss how the military campaign against the Islamic State is transforming ICT terrorism. As the “caliphate” shrinks under military pressure, the Islamic State is shifting to encrypted and dark web communications through its external operations network to guide extremists in, among other things, attacking adversaries at home. None of the strategies discussed at last week’s meetings address this type of ICT terrorism. Nor are they designed to counter cyberattacks launched by terrorists, a threat the meetings highlighted despite the lack of such attacks to date. Those warning about this threat identified the vulnerabilities the “Internet of Things” creates, as seen in recent Mirai malware botnet attacks on internet service providers accomplished by hacking insecure IoT devices. Efforts against ICT terrorism will continue. On December 5, Facebook, Microsoft, Twitter, and YouTube announced a new partnership to curb the spread of terrorist content online. The Counter-Terrorism Committee will submit a comprehensive framework for counter-messaging to the Security Council in April 2017.
However, after the 2016 meetings, questions about the effectiveness and legitimacy of existing strategies and doubts about their relevance to the changing nature of ICT terrorism will be increasingly difficult to avoid in the coming year.
  • United States
    A Conversation With Penny Pritzker
    This symposium will convene policymakers, business executives, and other opinion leaders for a candid analysis of online privacy, with a particular focus on the United States, the U.S.-European Union relationship, and big data.
  • United States
    Risks and Rewards of Big Data
    Experts examine risk to privacy in a big data world, whether our notions of privacy should change, and whether the benefits of big data collection outweigh the privacy consequences.
  • United States
    Is Reconciling the EU and U.S. Privacy Regimes Possible?
    Experts present views on privacy in the European Union and the United States and identify areas of agreement and potential cooperation.
  • Privacy
    Live Now: Privacy and Data in the Age of Surveillance
    The Council on Foreign Relations is holding a half-day, multi-session symposium to bring together leading policymakers and experts for candid analysis of online privacy, with a particular focus on the United States, the U.S.-European Union relationship, and big data. The sessions are Panel 1: The State of Online Privacy in the United States; Panel 2: Is Reconciling the EU and U.S. Privacy Regimes Possible?; Panel 3: Risks and Rewards of Big Data; and Keynote: Penny Pritzker, secretary of commerce.
  • United States
    The State of Online Privacy in the United States
    Experts provide an overview of the debate in the United States over online privacy.