RConversation

Testimony of

 

Rebecca MacKinnon

Visiting Fellow, Center for Information Technology Policy, Princeton University

Co-Founder, Global Voices Online (globalvoicesonline.org)

 

 

At the hearing:

“Global Internet Freedom and the Rule of Law, Part II”

 

Senate Judiciary Committee

Subcommittee on Human Rights and the Law

 

March 2, 2010

 

 

Thank you, Mr. Chairman, for the opportunity to testify today. I am a great admirer of your tireless leadership on issues related to Internet freedom, civil liberties, human rights, and corporate social responsibility. I look forward to answering your questions, along with those of Ranking Member Senator Coburn, and other esteemed members of this Subcommittee.

 

My name is Rebecca MacKinnon. I am currently a visiting fellow at Princeton University’s Center for Technology Policy. Earlier in my career I worked as a journalist for CNN in China, living in Beijing for more than nine years. For the past six years while based at several different academic institutions I have researched Chinese Internet censorship alongside global censorship trends, examining in particular how the private sector assists government efforts to silence or manipulate citizen speech. In 2006 I became involved in discussions between members of industry, human rights groups, investors, and academics which eventually led to the formation in 2008 of the Global Network Initiative, the non-governmental multi-stakeholder initiative that aims to help Internet and telecommunications companies uphold the principles of free expression and privacy around the world.  I am also co-founder of an international bloggers’ network called Global Voices Online, which is now five years old and has an active community of contributors from more than 100 countries. Several of our community members have been jailed or exiled because of their online activities, and many more have been threatened. My testimony today is informed by my experience as a journalist who has lived under and reported on authoritarian controls firsthand; as a researcher of Internet censorship; as a practitioner of new media; and as an advocate for free expression and human rights on the Internet.

 

After describing how authoritarianism is adapting to the Internet - in ways that involve companies - I will offer some specific policy recommendations, addressed to companies as well as to the U.S. government. 

 

 

 

Authoritarianism is adapting to the Internet

 

Technology company executives have long argued that more connectivity will bring more freedom - even in repressive regimes where the Internet is under heavy censorship and surveillance. I myself have heard such arguments made here on Capitol Hill numerous times, beginning with the February 2006 hearing on Internet freedom chaired by the late Representative Tom Lantos. As time passes, however, people like myself who study the Internet and global politics are finding that the reality isn’t so simple - and the future isn’t automatically rosy just because the Internet exists and connectivity is spreading. Internet and mobile phones have empowered many people around the world, and they do have the potential to facilitate greater freedom and democracy. But more connectivity doesn’t automatically lead to more freedom. Other political, legal, and technical factors affect whether it’s possible for communication technology to live up to its potential.

 

In the four years since the late Rep. Lantos’ famous February 2006 hearing where Google, Yahoo, Microsoft and Cisco first defended their business practices in China, the number of Internet users on the planet has almost doubled. Yet according to the latest “Freedom of the World” study released by Freedom House, the overall level of freedom in the world declined in 2009 for the fourth consecutive year.[1]  Ironically, many of the countries with the most serious declines in freedom are also experiencing rapid growth in Internet and mobile usage. Take China, for example. The number of Chinese Internet users quadrupled in the past four years. It is true that the Internet has enabled people to expose corruption, bring justice to innocent victims of official malfeasance, and even change some laws and regulations, in ways that were not possible in the past. But this has not led to the overall strengthening of rule of law, greater independence of the courts from the Communist Party, or greater protection of civil liberties by the system as a whole. According to the Dui Hua Foundation, in 2008 arrests and indictments on charges of “endangering state security” – the most common charge used in cases of political, religious, or ethnic dissent – more than doubled for the second time in three years, and the trend is expected to continue when figures come out for 2009.[2] China is pioneering new, flexible but effective methods to control and manipulate online speech and suppress citizen dissent – not controlling everybody and everything one hundred percent, but squashing or isolating certain types of Internet speech effectively enough that they can prevent reform movements from succeeding, or in some cases even from emerging.

 

China is now the model for authoritarian survival in the Internet age. The Chinese Communist Party fully recognizes that it is no longer possible for a nation to be economically competitive without being connected to the global Internet. Rather than try to restrict connectivity, modern authoritarian governments are working aggressively to use Internet and mobile technologies to their own advantage.  Iran is one of China’s most eager students, as the Ahmadinejad regime finds ways to counter the Green Movement’s use of technology. The Iranian government recently set up an official cyber defense command under the Islamic Revolutionary Guards Corps to fight “cyber crime” – with “crime” defined broadly to include criticism of the Ahmadinejad regime.[3] Last month Iran’s chief of police warned protestors against using e-mail, text messaging and social networks to organize demonstrations. “The new technologies,” he said, “allow us to identify conspirators and those who are violating the law without having to control all people individually.”[4]

 

The inconvenient truth is that authoritarianism is adapting to the Internet age.

Google’s recent public challenge to the Chinese government’s cyber-attacks and censorship took place in this broader context.  In my view it shows a recognition that the status quo – in terms of authoritarian censorship, regulation, and manipulation of the Internet – will not necessarily improve any time soon, and could continue get worse unless a broader range of companies, citizens, and governments, realize what’s happening and take responsibility for the future of freedom in the Internet age.

 

The expanding toolbox of Internet controls

 

Governments seeking to control online speech began their efforts in the late 1990s with “filtering” or “blocking” of web content. Today, modern authoritarian regimes have at their disposal an expanding toolbox of technical, legal, commercial and political mechanisms to censor, manipulate, and monitor citizens’ online speech. In addition to the classic filtering and blocking with which this Subcommittee is most familiar, other techniques used by regimes to restrict Internet freedom that involve technology companies include: deletion of content, device and local-level controls, surveillance, and cyber-attacks. For the record, I will explain each of these briefly:

 

• Filtering or “blocking:” This is the original and best understood form of Internet censorship. Internet users on a particular network are blocked from accessing specific websites. The technical term for this kind of censorship is “filtering.”  Some congressional proceedings and legislation have also referred to this kind of censorship as “Internet jamming.”  Filtering can range in scope from a home network, a school network, university network, corporate network, the entire service of a particular commercial Internet Service Provider (ISP), or all Internet connections within a specific country. It is called “filtering” because a network administrator uses special software or hardware to block access to specified web pages by banning access to certain designated domain names, Internet addresses, or any page containing specified keywords or phrases. A wide range of commercial filtering products – including SmartFilter now sold by McAfee – are developed and marketed here in the United States by U.S. companies for use by parents, schools, government departments, businesses, and anybody else who wants to control how their networks are used. All Internet routers – including those manufactured by the U.S. company Cisco Systems – come with the ability to filter because it is necessary for basic cyber-security and blocking universally reviled content like child pornography. However, the same technology can just as easily be used to block political content. According to the Open Net Initiative, an academic consortium that has been following global Internet filtering since 2002, more than forty countries now practice Internet filtering to some extent at the national level. As this Committee is well aware, China’s Internet filtering system – known to many as “the Great Firewall of China” – is the most sophisticated and extensive in the world. Researchers believe Iran to have developed the world’s second-most comprehensive system of filtering. But filtering is widely deployed on the national level in Asia, the Middle East, and increasingly though more narrowly in Europe.[5]

 

• Deletion and takedown of content by Internet companies: Filtering is the primary means of censoring content over which an authority has no jurisdiction. When it comes to websites and Internet services over which a government does have legal jurisdiction – usually because at least some of the company’s operations and computer servers are located in-country – why merely block or filter content when you can delete it from the Internet entirely? The technical means for deleting content, or preventing its publication or transmission in the first place, vary depending on the country and situation. The legal mechanism, however, is essentially the same everywhere. In Anglo-European legal systems we call it “intermediary liability.” The Chinese government calls it “self-discipline,” but it amounts to the same thing, and it is precisely the legal mechanism through which Google’s Chinese search engine, Google.cn, was required to censor its search results.[6] All Internet companies operating within Chinese jurisdiction – domestic or foreign – are held liable for everything appearing on their search engines, blogging platforms, and social networking services. They are also legally responsible for everything their users discuss or organize through chat clients and messaging services. In this way, much of the censorship and surveillance work in China is delegated and outsourced by the government to the private sector – who, if they fail to censor and monitor their users to the government’s satisfaction, will lose their business license and be forced to shut down. It is also the mechanism through which China-based companies must monitor and censor the conversations of more than fifty million Chinese bloggers. Politically sensitive conversations are deleted or blocked from being published at all. Bloggers who get too influential in the wrong ways can have their accounts shut down and their entire blogs erased. That work is done primarily not by “Internet police” but by employees of Internet companies.[7]

 

• Cyber-attacks:  The sophisticated, military-grade cyber-attacks launched against Google were targeted specifically at the GMail accounts of human rights activists who are either from China or work on China-related issues. This serves as an important reminder that governments and corporations are not the only victims of cyber-warfare and cyber-espionage. Human rights activists, whistleblowers and dissidents around the world, most of whom lack training and resources to protect themselves, have over the past few years been victim of increasingly aggressive cyber attacks.[8] The effect in some cases is either to bring down dissident websites at critical political moments or for frequent short periods of time, putting a great strain on the site’s operators just to keep the site running and preventing them from doing their main work. Targets range from Chinese human rights defenders to an independent Russian newspaper website, to Burmese dissidents, to Mauritanian opponents of military dictatorship.[9]  On December 17, 2009, the home page of Twitter – which was instrumental in spreading world about protests in Iran – was hacked by a group calling itself the “Iranian cyber army.” Twitter was back up after a couple of hours.  An Iranian Green Movement website Mowjcamp.com was attacked on the same day but – lacking the same resources and clout as Twitter and hampered by U.S. laws that forbid American web hosting companies from doing business directly with Iranians – remained offline for more than six weeks.[10] 

 

In other cases cyber attacks compromise activists’ internal computer networks and e-mail accounts to the point that it becomes too risky to use the Internet at all for certain kinds of organizing and communications, because the dissidents don’t feel confident that any of their digital communications are secure.

 

Likewise, journalists who report on human rights problems and academics whose research includes human rights issues have also found themselves under aggressive attack in places like China, exposing their sources and making it much more risky to work on politically sensitive topics. Like the activists, these groups are equally unprepared and unequipped to deal with such attacks.[11]

 

• Compliance with political “law enforcement”: In countries whose governments define “crime” broadly to include political dissent, companies with in-country operations and user data stored locally can easily find themselves complicit in the surveillance and jailing of political dissidents. This committee is of course very familiar with the most notorious example of law enforcement compliance gone wrong: between 2002 and 2004 Yahoo’s local China-based staff handed over to the Chinese police e-mail account information of journalist Shi Tao, activist Wang Xiaoning, and at least two others engaged in political dissent.[12] There are other examples. Skype partnered with a Chinese company to provide a localized version of its service, then found itself being used by Chinese authorities to track and log politically sensitive chat sessions by users inside China.[13] This happened because Skype delegated law enforcement compliance to its local Chinese partner without sufficient attention to how the compliance was being carried out.

 

• Device-level and local controls: In late spring of 2009 the Chinese Ministry of Industry and Information Technology (MIIT) mandated that by July 1^st of that year all computers sold in China must be pre-installed with a specific software product called “Green Dam – Youth Escort.”[14] While the purpose of “Green Dam” was ostensibly for child protection, researchers inside and outside of China quickly uncovered the fact that it not only censored additional political and religious content, it also logged user activity and sent this information back to a central computer server belonging to the software developer’s company.[15] The software had other problems that made it easy for U.S. industry to oppose: It contained serious programming flaws which increased the user’s vulnerability to cyber-attack. It also violated the intellectual property rights of a U.S. company’s filtering product. Faced with uniform opposition from the U.S. computer industry and strong protests from the U.S. government, the MIIT backed down on the eve of its deadline, making the installation of Green Dam voluntary instead of mandatory.[16]  The defeat of Green Dam, however, did not diminish other efforts to control and track Internet users at more localized levels inside the national “Great Firewall” system – for instance at the level of a school, university, or apartment block as well as at the level of a city-wide Internet Service Provider (ISP). It was reported in September last year that local governments were mandating the use of censoring and surveillance products with names like “Blue Shield” and “Huadun.” The function and purpose of these products appeared similar to Green Dam, though they had the benefit of involving neither the end user nor foreign companies.[17] The implementation of these systems has received little attention outside of China.

 

Recommendations

Given the mounting challenges outlined above, it is clear that a policy aimed at supporting global Internet freedom requires a sophisticated, multi-pronged, multi-stakeholder, and truly global approach. While private sector companies have a responsibility to respect and uphold the rights of customers and users, they cannot on their own be expected to solve the political and geopolitical problems that threaten free expression in the first place. Addressing the core problems requires government leadership: from the Administration and from Congress. Thus my recommendations address companies and civil society as well as the executive and legislative branches.

 

• Corporate responsibility: In order to ensure that American businesses assume the appropriate level of responsibility for the human rights of their users and customers, I support a voluntary component backed up by legislation if necessary.  

 

Mr. Chairman, your recent letters to thirty companies in the Information, Communications and Technology (ICT) sector were an important step in advancing an urgent conversation about how we can help American companies compete and succeed in the global marketplace while at the same time upholding core values of privacy and freedom of expression. Only a few months after your last hearing on this subject in May 2008, Google, Yahoo, and Microsoft took the important step of joining the Global Network Initiative (GNI), a code of conduct for free expression and privacy in the ICT sector.  The GNI can help companies uphold a shared commitment to the values of free expression and privacy while recognizing that no market is without political difficulties or ethical dilemmas.

 

Just as companies have a social responsibility not to pollute our air and water or exploit twelve-year-olds, companies have a responsibility not to collaborate with the suppression of peaceful speech.  The GNI’s philosophy is grounded in the belief that people in all markets can benefit from Internet and mobile technologies. In most cases companies can contribute to economic prosperity and individual empowerment by being engaged in countries whose governments practice some of the Internet controls I have described above – as long as they are aware of the human rights implications of their business and technical decisions. It is fundamentally reasonable to expect all companies in the ICT sector to include human rights risk assessments in their decisions about market entry and product development, just as they and other companies consider environmental risks and labor concerns.

 

With a multi-stakeholder membership including human rights groups, socially responsible investors and academics like myself, GNI’s goal is to help companies do the right thing while bringing expanded Internet communications and mobile access to the people who stand to benefit most from these technologies. All GNI members are participating in this process because we believe in the transformative importance of the ICT sector and want innovative businesses to be successful and competitive. We are working with companies in good faith. I personally believe that the GNI member companies are managed by people who want both to do well and to do good, but who recognize that they face difficult problems, and that they could use support and advice in order to avoid mistakes. As an academic researcher and free speech advocate, my goal in working with GNI member companies is to help them foresee and avoid mistakes long before they happen. When mistakes do happen, companies should be held appropriately accountable in ways that can help the entire industry learn from these mistakes and do a better job of avoiding them in the future.

 

GNI’s principles are supported by implementation guidelines and an accountability framework that can be adapted to a range of business models, including hardware companies and Internet service providers, if these companies choose to engage with the GNI.  We look forward to working with them so that it will be possible for them to join in the near future. While GNI is presently most relevant to Yahoo, Google and Microsoft because those were the three companies that launched the initiative, it is also clear that the thirty companies contacted by you, Mr. Chairman, share varying degrees of human rights risk, even as their business models, technologies, and geographies vary widely. They have an obligation to at least consider joining the GNI and if they choose not to, to find other appropriate policy and operational responses to address the inescapable human rights implications of their products or services.

• Legislative measures: Congress has a range of legislative tools at its disposal. Some should be implemented as soon as possible, while others may take more time and consideration in order to ensure that they are proportional, appropriate, and effective.

 

• Legal support for victims: Companies will have a further disincentive to collaborate with repressive surveillance and censorship if victims or corporate collaboration in human rights abuses can more easily sue them in a U.S. court of law.

 

• Incentives for socially responsible innovation: Established companies as well as entrepreneurial new startups should be encouraged, perhaps through tax breaks and other incentives, to develop technologies and features that enhance users’ ability to evade censorship and surveillance, as well as to help users better understand what personal information is being stored, how it is used, and who has access to it.

 

• Upgrade export controls: Existing export control laws require updating in order to remain consistent with their intent in the Internet age, in two ways:

 

• Halt denial of service to human rights activists: The United States has several laws that bar the sale of specific kinds of software to, or forbid business transactions with, individuals and groups from specified countries. These laws do not take into account new Internet developments, and as a consequence have resulted in denial of website hosting and other services to dissident groups from repressive nations. U.S. laws – exacerbated by corporate lawyers’ over-cautious interpretation of them – have recently prevented U.S. web-hosting companies from providing services to opposition groups based in Iran, Syria and Zimbabwe.  They should be upgraded as soon as possible so that American Internet businesses can welcome rather than turn away some of the world’s most vulnerable and politically isolated groups.[18]

 

• Make collaboration with repression more difficult: Recognizing that no connectivity at all is even worse than censored connectivity, and also recognizing that many information communications technologies have “dual use” capabilities that are used for legitimate security and law enforcement as well as repression, it should nonetheless be made more difficult for U.S. companies to provide censorship and surveillance capabilities to governments with a clear track record of using those technologies to suppress peaceful political dissent.

 

• Technical support for free expression: People in repressive regimes require support in a broad range tactics and technologies – along with the training and education in their use – to reflect the growing sophistication with which governments are stifling and silencing peaceful speech. In addition to helping people around the world to circumvent Internet blocking, we need to help people fight cyber-attacks, counter-act content removal by companies, fight deployment of device-level spyware and censorware, and educate each other quickly about new forms of technical control as new methods and technologies emerge.

 

• Circumvention technologies: Congress deserves great praise for its allocation of funds over the past few years to support the development of tools and technologies that help Internet users in repressive regimes circumvent Internet filtering. Support for a healthy range of circumvention tools – in a manner that fosters competition, innovation, accountability, and user choice – is important and must continue. The problem is that circumvention tools only address Internet filtering: they don’t address other methods of control that repressive regimes now use to censor Internet content and silence dissent. Thus, an effective Internet freedom strategy cannot focus on circumvention alone.

 

• Anonymity and security:  In my interactions with journalists, human rights activists, civil liberties lawyers, bloggers, and academics in authoritarian countries around the world, I have found that a shockingly large number are uninformed about how to evade online surveillance, how to secure their e-mail, how to detect and eliminate spyware on their computers, and how to guard against even the most elementary cyber-attacks.  Local-language, culturally appropriate technologies, accompanied by robust education and training, is desperately needed. The recent cyber-attacks against Chinese GMail users only highlights the urgency.

 

• Preservation and re-distribution of deleted content: In the course of my research about the Chinese Internet, I have noticed that quite a lot of people around Chinese blogosphere and in chatrooms make a regular habit of immediately downloading interesting articles, pictures, and videos which they think those materials could get deleted or taken offline. They then re-post these materials in a variety of places, and relay them to friends through social networks and e-mail lists. This is done in an ad-hoc way. Thus, it is often difficult for people to locate and spread this material. The United States should support the creation of searchable, accessible, and secure repositories of censored materials from countries where companies are systematically required to delete and take down politically sensitive material. Combined with robust circumvention tools, such repositories could do much to counter-act the effects of widespread content deletion and takedown within authoritarian countries.

 

• Distributed “opposition research”: After the Chinese government mandated the nation-wide installation of the “Green Dam” censorware last year, loosely organized “opposition research” networks sprang into action. A group of Chinese computer programmers and bloggers collectively wrote a report exposing Green Dam’s political and religious censorship, along with many of its security flaws. They posted the document at Wikileaks.[19] This information was then used by domestic and foreign opponents of Green Dam in a successful campaign to reverse the government’s mandate. Another anonymous group of Chinese netizens have collected a list of companies and organizations – domestic and foreign – who have helped build China’s Internet censorship system.[20] Opposition research has also helped to expose the Tunisian government’s use of cutting-edge “deep packet inspection” techniques for censorship and surveillance. In 2008 Global Voices Advocacy Director Sami Ben Gharbia – a Tunisian exile – conducted tests that demonstrated DPI being used in Tunisia to block certain emails, or even alter certain contents of emails like attachments.[21] If people in repressive regimes had better mechanisms through which to collect and share information about how their governments are stifling free expression, it would be easier for activists around the world to help each other develop effective technologies and tactics to fight back.

 

• Other legislative measures: Further legal steps may be necessary to ensure adequate respect for human rights by companies that fail to take voluntary action. It is important, however, that any law be flexible enough to accommodate the rapidly-changing nature of information communications technology, as well as the complex and highly diverse nature of ICT businesses – including many small startups, as well as innovations that are difficult to define or categorize. It is important that any law concerning the human rights implications of ICTs be truly global in scope, recognizing that companies face human rights dilemmas in almost every market. Furthermore, the extent to which any given country might be considered “free” or “repressive” can change overnight with a coup or rigged election.

 

• Censorship as barrier to trade: A number of prominent experts in trade law in North America and Europe have argued that Internet censorship should be considered a barrier to trade under the World Trade Organization. In November the European think tank ECIPE concluded that WTO member states are “legally obliged to permit an unrestricted supply of cross-border Internet services.”[22] The United States Trade Representative should be encouraged to pursue cases against China and other countries that block their citizens from accessing the online services of U.S. Internet companies.

 

• Continued executive branch leadership. Secretary of State Clinton’s landmark speech on Internet freedom made it clear that this is a core American value. She has placed the United States squarely in a leadership position by identifying a range of threats to Internet freedom, as well as the range of tools and policies that can be brought to bear. In reviving the Global Internet Freedom Task Force (GIFT), the Administration now has a mechanism to coordinate between government and industry to ensure that U.S. companies play a constructive role around the world. GIFT will also need to tackle the challenging job of coordinating between all the different U.S. government agencies whose work touches upon the Internet in various ways. If we are serious about promoting global Internet freedom, it is important that U.S. foreign policy, trade, commerce, and national security all be consistent in advancing Internet freedom.

 

Conclusion

 

There is no “silver bullet” for global, long-term and sustainable Internet freedom. Offline physical freedom here in the United States - or anywhere else for that matter - was not won easily, and cannot be expanded, preserved or protected without constant struggle and vigilance. Internet freedom is no different. A global struggle for freedom and control of cyberspace is now underway. As with our physical freedom, Internet freedom will not be possible without a supportive ecosystem of industry, governments, and concerned citizens working together. Chairman Durbin, Ranking Member Coburn, and all other members of this Subcommittee, I commend you for taking historic first steps in building the global support system for Internet freedom.