Salil Shetty Address to Stanford University on "Companies, consumers and the state: Defining private industry’s obligation to protect privacy"
Video courtesy of the Handa Centre and Stanford University
Thank you to Jessie and the Handa Centre, and Professor Granick and the Centre for Internet and Society at the Law School for having me here today. I welcome the opportunity to address this important subject right in the middle of the world’s digital nerve centre - Silicon Valley.
At the outset, it is important to put the attack on the right to privacy online in context. In recent years young people, women, minorities and other vulnerable groups, have been increasingly standing up for their rights, empowered by their access to new information and communications tools, much of it enabled by technology. The speed and scalability of mobilising ideas and people through mobile phones and the internet is unprecedented. This has caught unaccountable governments and even corporations entirely off guard. More often than not, their reaction has been to suppress even peaceful protests on the streets and maidans or online with disproportionate force and heavy handedness. This is not the story only of the Arab Spring, but from Hong Kong to Burundi to Brazil, curbing dissent and protest has been more the norm. Last year alone, Amnesty International’s annual state of the world’s human rights report, revealed that at least 113 countries had restricted freedom of expression. The curbing of digital rights is a key part of this unfortunate tale.
Since Snowden’s explosive revelations almost 3 years ago there is almost no week that goes by without some new story on government surveillance hitting the headlines. Last Friday, media reported that Facebook’s Free Basics service was blocked in Egypt after the company refused the government the ability to spy on its users.
Two weeks ago, there was the unprecedented showdown between FBI and Apple over a US court order that would have compelled Apple to dismantle the security of its iPhone – with the FBI changing its mind hours before the court hearing.
Each new story adds new fuel to an already well stoked public debate about privacy online: What should be the proper limits and oversights on government surveillance in the digital age? What responsibilities do companies have to keep secure the vast treasure trove of personal data entrusted to them by their users?
On the one side, law enforcement and intelligence agencies tell us they need broader and more intrusive surveillance powers to stop cybercriminals and terrorists. That an Internet whose backbone is built on strong encryption would become a fertile ground for crime.
On the other side, technologists, security experts and civil society warn us that we are sleepwalking into a surveillance state. The powers governments are granting themselves are vast and unaccountable and without strong encryption everyone is more vulnerable – not just to surveillance by their own governments but to cyber-crime, foreign intelligence and corporate misuse of their data.
In the middle are the big tech companies themselves - the Googles, the Facebooks, the Apples - performing a balancing act between their profits and our privacy.
Between these powerful interests of governments and companies, it is the rights of ordinary people around the world that often lose out. But what can we do about it? How can we make sense of these debates and come up with practical solutions that build human rights into the architecture and institutions of the digital world we live in?
I want to make three points today:
Firstly, whilst armed extremist groups have increased their visibility and violent actions, the supposition that we have to choose between human rights and public security has to be challenged.
Many of you will have heard officials here in the US speak out publicly against strong encryption over fears of “going dark” – a term used to describe the declining capabilities of law enforcement agencies to access the content of communications due to stronger encryption in everyday communication technologies and services.
In late 2014, James Comey, the Director of the FBI, dramatically stated that “we confront serious threats—threats that are changing every day and I want to make sure I have every lawful tool available to keep you safe from those threats. Encryption threatens to lead all of us to a very dark place”.
It is an extension of a security narrative that started in 2001 and that has insidiously crept into every corner of our societies: that rights are expendable when it comes to the so called “War on Terror”. In the years after 9-11 the right to be free from torture was the first victim of this new security discourse as justifications for torture began to creep in. 15 years on and the latest victim is the right to privacy as governments erode longstanding protections that were designed to prevent abuses of power - such as the requirement to demonstrate reasonable suspicion and seek proper judicial authorization before accessing the private communications of citizens.
Sadly, it is also a distortion of the truth. The reality is that intelligence agencies have never had access to as much data as at this moment in history. Even with the vast capabilities revealed by the Snowden documents they tell us they need more. It seems they believe they are entitled to a totality of access into everybody’s lives. The British PM David Cameron said this last year: “we cannot allow modern forms of communication to be exempt from the ability… from being listened to” which effectively means that UK citizens need to get used to the idea that even if they are doing nothing wrong the government may access their data.
We are often told that the general public prefers safety over privacy. But a poll that Amnesty conducted last year with YouGov, which covered 15,000 people from 13 countries across every continent, demonstrated that people do not want their government to intercept, store and analyse their phone and internet use. On average, twice as many were against surveillance by their government (59%) as those who approved (26%). Nearly two thirds said they wanted tech companies – like Google, Microsoft and Yahoo – to secure their communications to prevent government access.
Interestingly, the poll showed that attitudes to surveillance are significantly different when it comes to foreigners. Across the 13 countries, slightly more people (45% on average) approve of their governments monitoring foreigners’ phone and internet use in their country, compared to 40% against. In a climate of xenophobia and fear mongering this is a worrying trend in the direction of profiling and discrimination against minorities. If you ask a Muslim in France right now whether they are worried about government surveillance, you might get a very different answer to most non-Muslim French citizens.
That is why measures which allow the government to spy on entire countries or populations under broad and sweeping warrants are simply not a proportionate response to national security threats. Measures to undermine the security of the Internet as a whole through weakening - or compelling companies to weaken - encryption that protects millions of people worldwide – are not proportionate either.
Governments have always had to be checked by public pressure not to overreach and abuse their powers. This is why we have laws. It is not the first time that societies have faced external or internal threats and nor will it be the last. Governments must respect human rights in times of threat or they risk abandoning the very values they claim to protect.
Secondly, I think it is crucial that we understand the global implications of actions taken in the U.S. and other what have been called more “open societies”.
Frequently the conversations over data, privacy and surveillance take place as if they only concern citizens of the US and Western Europe. Less than 5% of the world’s population live in the US but the policies and practices of US technology companies impact more than 3 billion Internet users worldwide.
These individuals use the Internet in so many ways, from the transactional – credit cards, financial information and health data – to the political - seeking information, forming opinions and speaking out on issues that they care about. In each case, their personal data can reveal extraordinarily intimate details about their identities and beliefs. Without strong encryption this data is ripe for theft and spying, whether from criminals or governments.
This of course impacts upon everyone’s right to privacy but it also affects many other human rights. In particular, the rights to privacy and freedom of expression are often understood as mutually reinforcing rights. When people have a secure space to seek information, expand their knowledge, develop opinions, and express ideas, the right to privacy acts as an enabler to the right to freedom of expression. The confidence to communicate our ideas and opinions – however controversial – is underpinned by the knowledge that we are protected from unlawful interference with those communications.
In many of the countries where Amnesty works this is critical. In the past few years, we have seen an extremely harmful erosion of human rights protections that have been fought for and built up over the past 70 years.
Just three days ago we received reports from Ethiopia of a social media black-out, especially outside of the capital and surrounding region, where protests have been happening since November last year. Citizens, armed with their mobile phones, have been capturing evidence and reporting on the atrocities committed in the context of these protests using social media, especially Facebook and Twitter. Now it appears as though the government has decided to block access to these services as well as mobile messaging applications such as Whatsapp and Viber, which we are trying to verify and investigate in more detail.
We have the Malaysian political cartoonist Zulkiflee Anwar Ulhaque, also known as “Zunar”, who is facing nine charges under the draconian Sedition Act – and potentially decades in prison - for tweets he sent criticizing the judiciary.
There is also ample evidence that repression has now become as sophisticated as it is brutal thanks to the increasingly cheap surveillance technology available and sold to repressive countries with virtually no regulation. Turning on webcams of phones and computers remotely, logging every single key stroke - once a victim has been infected by this kind of spyware, every call, conversation, file and email is in the possession of the attacker.
Amnesty’s contacts from countries as wide ranging as Mexico, Saudi Arabia and the Gambia have described the crippling uncertainty and paranoia generated because of electronic surveillance, and the convoluted steps they must take to communicate with colleagues because they cannot trust their digital communications. Bahraini activist Saeed Al-Shehabi, who was the target of government malware while living in exile in the UK, told us how he lives in fear even though he is outside Bahrain because he doesn’t know how much information the government has on him, how it will be distorted and used to discredit him or to go after others in his network.
We have also heard cases of how the private material that is hacked from activists is used to out lesbian and gay activists, or used to shame and discredit women human rights defenders in public spaces, who then face backlash and violence from their communities because they do not conform to traditional cultural norms.
Secure communications can even be a case of life and death to those who risk their lives to peacefully stand up for the rights of themselves and their communities. Amnesty documented at least 156 cases of human rights defenders killed last year. These were people who were killed because of their peaceful and legitimate work standing up for the rights of themselves and their communities.
This is why AI believes that encryption is a critical enabler of human rights. Without encryption, those who stand up to government oppression, corruption and negligence – whether they are human rights defenders, investigative journalists or environmental activists – are unable to operate in a world of ubiquitous government surveillance.
And that leads me to my third point which speaks to the responsibilities of both States and companies when it comes to realising this range of rights in the digital age.
Of course, in international law it is States who hold the duty to “respect, protect and fulfil” our human rights. Since the Snowden disclosures, there have been a number of developments at the UN level, as well as landmark decisions in courts around the world that respond to state surveillance of communications “in the digital age”. There now exists significant legal authority to support the understanding that mass surveillance fundamentally undermines and violates the right to privacy.
And yet the spate of new legislation introducing mass surveillance powers continues. In 2015, countries including Pakistan, France, Poland, Switzerland and the UK have passed laws or introduced bills which give governments intrusive powers to spy on electronic communications.
In many of the new laws or bills that have been introduced, the most worrying provisions would force technology companies to collect and retain their customers’ data for longer periods of time and in formats that make it accessible to security agencies. For example, a current provision in France may go so far as to impose fines and prison sentences on companies who do not hold that data in ways that make it possible to respond to decryption orders and data requests. Even if this is not an explicit ban on encryption, if passed, it could have the effect of deterring companies from providing strong device and messaging encryption.
As states continue to show they can’t be trusted not to abuse the intrusive powers technology gives them, companies have become the bulwark between our data and government surveillance, as well as the focal point for this debate.
Following the Snowden revelations, ten companies launched the Reform Global Government Surveillance Coalition calling for “the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.”
Some companies have gone further, implementing stronger security in their platforms and services and challenging government data requests in court. Microsoft has launched three government lawsuits against the US government since 2013. And as we saw recently Apple has not only challenged the FBI in court over a request to backdoor the iPhone, but they may well argue that if the San Bernardino phone has been successfully hacked by the FBI they have a right to know so they can fix the vulnerability.
But there are questions about how deep this commitment to consumers’ security and privacy will go and whether it is enough to protect our rights in the digital age.
At the end of the day, companies still have their bottom line. In some cases their business interests happen to align with more privacy protections for their customers. Companies such as Apple want to be left alone from expensive and unpopular law enforcement requests and so are taking steps to secure our data in ways that make it out of reach to both themselves and governments.
But there are also the Googles and Facebooks who also want to be left alone by governments but want to be free to access and use our data themselves. After all, storing, mining and selling advertising based on the personal data of their users is their business.
That’s why Amnesty International has started to call much more consistently for companies to bring their practices in line with human rights standards.
The UN guiding principles on business and human rights alongside other legal developments at the international level, make it clear that companies have a responsibility to respect all human rights wherever they operate in the world. This responsibility exists independently of a state’s ability or willingness to fulfil its own human rights obligations.
Companies need to put in place measures to identify, prevent and address human rights abuses within their global operations (what we call human rights due diligence).
If they do not, they could be responsible for causing or contributing to human rights abuses. This can carry serious repercussions.
For years, Amnesty International has investigated and documented instances where the operations of oil and gas, and mining companies have led to serious human rights abuses, including: severe pollution affecting the rights to health, livelihoods and environment in the Niger Delta - to forced evictions in Myanmar. In some instances, our research has contributed to legal action against companies, such as litigation by communities.
Most recently, we issued two supply chain reports linking companies to serious human rights abuses – one documenting the worst forms of child labour in Congolese cobalt supply chains and the other documenting forced labour in sub-contracting chains in Qatar in preparation for FIFA’s 2022 World Cup. Here, in California, the Transparency in Supply Chains Act is a good example of where explicit legal requirements are placed on companies in relation to human trafficking and slavery.
The bottom line is that all companies are coming more and more under pressure to ensure that their operations are human rights compliant.
Because of the critical role that tech companies play in enabling the rights to privacy and freedom of expression around the world, they may contribute to human rights abuses by governments or other actors if they do not adequately protect the data of their customers. We want to see technology companies and service providers taking concrete steps to assess and mitigate against such risks in each jurisdiction where they operate or plan to operate.
As Amnesty International, we are spelling out the following three obligations for companies.
Firstly, companies have a responsibility to provide an adequate level of encryption where their products or services involve the storage, processing or transmission of personal data. This should be the strongest level of encryption necessary to protect against identified risks.
Secondly, companies have a responsibility to explicitly and clearly communicate to their users the level of security deployed in their products as well as whether they can be compelled under relevant national law to make private user data accessible to the law enforcement or intelligence agencies.
Thirdly, if a company receives a demand from a government which is illegal under local law, or which complies with local law but would risk breaching international human rights standards, the company should challenge such requests and do everything that they can to respect human rights to the greatest extent possible in the circumstances.
Companies have a responsibility to respect human rights, which means defending their customers’ right to privacy not only when it suits them.
So, we’re standing at a crossroads and the trends I have just outlined are not headed in a good direction. These problems are only going to get more difficult for us in the years to come as even more of our daily devices – TVs, refrigerators and even children’s dolls – generate and leak personal data.
So what can be done?
Amnesty International has more than fifty years of fighting for human rights. Freedom of expression is our bread and butter. But as governments adapt their tools and tactics for controlling information, Amnesty is also having to adapt the toolbox we use to fight back.
One way we are doing this is to use technology in innovative ways to defend human rights and support the people we work with. Amnesty has decades of experience supporting Human rights defenders at high risk, whether providing trainings, advocacy or practically helping them to cross borders. Now we are looking at empowering them through technology.
There is a growing range of apps and tools that provide strong encryption and anonymity in messaging and email. But for these to be adopted and effective for human rights activists they must be accompanied by greater awareness about the digital risks. Amnesty is focusing on increasing access to security trainings and tools as well as supporting the development of protocols for what to do when they are victims of spyware or have their accounts or websites hacked.
As a people’s movement and organisation, Amnesty International also faces many of the same threats ourselves. We always suspected some countries might be trying to spy on us. But it came as a shock last year that UK intelligence agencies had illegally accessed Amnesty International’s private communications, when they were forced to come clean after we and several other human rights organisations took them to court.
That we were unlawfully spied on by the UK government on UK soil was a shocking revelation and we still don’t have any information about what they accessed, when, for how long or why. Given the close intelligence cooperation between the UK and several other countries, among them the US, we are concerned about who else has spied on our private communications. We have taken them to the European Court of Human Rights to find out more.
But the revelation has also helped us to innovate, working with an initiative called Globaleaks to set-up an internal system so that our contacts and partners can share information with us, whilst protecting their identity in the process.
We are also looking at how we make use of the positive role that technology can play in human rights. For example, we worked with activists to co-design and build a Panic Button app for Android that turns a mobile phone into an alert system at the touch of a concealed button. The idea is to connect activists to their network in an emergency and provide location information so that lawyers, colleagues, family members can respond quickly.
And technology goes much further than that – even as we are conscious that it presents new risks, in the past few years we have invested in innovative new tactics to document abuses to hold those in power to account.
360 degree cameras that allow us to capture the devastation of barrel bombs in Syria in virtual reality. The alt click project, which invites Amnesty’s supporters to help us analyse large amounts of data – such as satellite imagery - by parcelling it up into discrete tasks and having people identify points of interest that may highlight the patterns of violations on the ground. And the Gaza Platform, an initiative we launched last year that cross-references all available data, including social media reports, to build a detailed pattern of Israeli strikes on Gaza in the summer of 2014.
The fact is Amnesty relies on technology more and more in our own work, both to help us in our overall mission and to defend ourselves and those we work with from intrusive surveillance. As we continue to adapt to this new information environment, it is even more important that we call on the companies who provide the technologies we use to live up to the promise of these platforms: that they continue to promote freedom of expression, access to information and connection.
So in conclusion,
Ultimately, these are issues that we are all invested in. They go straight to what kind of societies we will live in in the years to come. About the kinds of protection and security we are building into the architecture and institutions of this new digital world. About what is at stake if we do not build these in ways that protect and rights vital to all of us.
We must be clear that human rights do not have backdoors. There are no ‘get out clauses’ when governments find that rights are no longer convenient. The slippery slope we are on is towards a world where mass surveillance is the norm in the US as it is in China and where Internet security is a race to the bottom. We must consider the logical conclusion when everyone wants you to have security, except from them.
Weakening the security that companies provide their users sets a precedent for all governments. That’s why companies must do more to protect their users’ privacy from unauthorized and unlawful government surveillance and build stronger encryption into their products.
That is also why companies must be transparent. People have a right to know what happens to their data, what companies do with it and how they protect it. Providing pages of dense and technical text spelling out the terms of service does not help people protect their privacy. The information must be accessible and clear.
In 2016 we will campaign for consumers to exercise the power they have and push companies to live up to their commitments when it comes to transparency and privacy.
There is a high cost if these companies do not do that: the human rights and security of millions of people. And Governments will become increasingly unaccountable to their citizens.
The Stanford community has a vital role in getting tech companies in Silicon Valley to put people before profits in the battle for the right to privacy.
I thank you.