Editorial by Wolfgang Kleinwächter MIND 6

Wolfgang Kleinwächter, professor for International Communication Policy and Regulation at the University of Aarhus, works as personal advisor of the UN IGF's Chairman Nitin Desai and is a member of the Panel of High Level Advisers of the GAID. He was President of the legal division of the IAMCR and participates, amongst others, in ICANN and WSIS.

Cybersecurity is as important as the openness and freedom of the Internet. An insecure cyberspace undermines individual human rights, blocks online businesses and hinders the free exchange of information. And it is bad for innovation and sustainable development. People want to live in a safe environment when they enter the virtual space.

But like everything in life, security has a price. Very often the currency for security on the Internet is not only money, it is also privacy and freedom. Governments argue that they need less data protection and have to limit some individual freedoms in order to provide security. Both security and privacy are important issues. In other words, there is a conflict of values and the big challenge is how to find the right balance in the conflict and define the “right price”. If cybersecurity is “overpriced”, the costs which come with the reduction of freedom of expression, freedom of association and freedom of movement could have a damaging effect on the Internet economy and society as a whole.

The problem is even more complex because there is no globally accepted definition of what Internet security – or more broadly “cybersecurity” – means in detail. Different people (and governments) have different ideas. For some groups, it is just the technical security of the network, for others cybersecurity means the fight against cybercrime as defined in the Budapest Convention of 2001. And a third group links the concept of cybersecurity primarily to the issue of national security. In this respect, nearly everything people do on the web has a “security dimension”.

The Internet is an enabling technology. It enables the good guys to develop and introduce wonderful new services and applications which enhance business opportunities and individual freedoms. But it also enables criminals, warriors, terrorists, vandals, hate preachers, pedophiles and other “bad guys” to do bad things. And with the development of “cyberweapons” the risk of a militarization of cyberspace is growing. As a result, we see more Internet control, surveillance of e-mails and state sponsored cyberespionage, which affect the free and open Internet we have known since the early 1990s. Historically, this is not new. When the telegraph emerged as a new communication technology in the 19th century, new laws guaranteed the “privacy of correspondence, posts and telecommunications” as enshrined in the Fourth Amendment to the US Constitution and the constitutions of the main European countries. But the laws also allowed the government and law enforcement agencies to intercept private communications for criminal investigations and to protect “national security”. This was also reflected in the first international telegraph convention of 1865, in which European governments reserved their right to interfere with, and even stop, telegraph communication in cases where “national security” or “state secrets” were at stake. The same legal mechanism was introduced in the Berlin Radio-Telegraphy Convention of 1906, in the Geneva Broadcasting convention of 1936 and even in the Human Rights Convention of 1966, in which Article 19, paragraph 3 allows governments to limit freedom of expression to protect national security, public order, public health and morals.

The vague definition of national security, public order, morals and state secrets creates slippery territory. It is also an invitation for a broad interpretation. The reality is that if governments see a problem with privacy, freedom of association and freedom of expression, they refer to the principle of “national sovereignty” and define for themselves what the security concerns are to justify censorship or interference into private communication.

In a democratic society, independent courts, including constitutional courts, decide whether a government is misusing its rights and violating other individual or institutional rights and freedoms. Not everything governments want to do to “enhance security” is in accordance with recognized human rights and constitutional norms. Cases from the US in the 1970s, such as the Pentagon Papers or the Watergate scandal, where individuals published “state secrets” which were seen by the acting US government as a threat to national security, were brought to court. And in the case of the Pentagon Papers, the US Supreme Court decided in favor of the freedom of the press and against the government. The New York Times continued to publish the Pentagon Papers and after the Watergate scandal, President Nixon had to resign.

In less democratic societies, where the rule of law is disregarded and no independent court system can stop a government doing the wrong thing, the situation is much worse. Governments simply do what they think is needed. This opens the door for all kinds of misuse in the name of “security”. From the Spanish Inquisition to the East German Stasi, a need for surveillance mechanisms has always been justified to protect “national security” and to find the “bad guys” who want to remove the government or damage the reputation of their religious or political leaders.

In other words, the conflict between “security” and “privacy and freedom of expression” is not new, but cyberspace has moved this conflict to a new level. It is not a national issue anymore; the removal of the barriers of time and space has made this a global problem.

Crime and terrorist attacks in cyberspace are taking place in real time and regardless of borders. But our legal procedures are defined within a national jurisdiction. Fighting against the “bad guys” online effectively means that one has to go beyond national borders. This can be done via enhanced cooperation among governments and their law enforcement institutions. This is time consuming and needs a political will to agree on common values, which is quite often unrealistic to achieve.

An alternative is to use new surveillance technologies and to go beyond national borders without the consent of a third party or the affected national jurisdiction. This certainly has a number of legal implications which need further investigation. In the hunt for terrorists, is it justified to break privacy and data protection laws in third countries? Is intercepting undersea fiber optic cables, which are used for private communication, allowed because the interception points are outside of a national jurisdiction and the issue is not regulated in the UN Law of the Sea Convention of 1982? What about intercepting satellite communications, which is becoming more important with further cloud computing and the Internet of Things? And who monitors the surveillants and controls the controllers? Who defines what level of surveillance is needed to enhance the security of people and countries? And finally, is it possible to bring the legally required surveillance under the rule of law and in line with national constitutional rights and freedoms, as well as with international legal norms, as enshrined in the Charter of the United Nations?

There are now proposals on the table to add a “Privacy Protocol” to the UN Covenant on Civil and Political Rights of 1966. The NATO Center of Excellence in Tallinn, Estonia, has published a manual in which it is investigated how existing international law, including international humanitarian law, is applicable to a cyberwar. Discussions on cybersecurity and cyberwar have started in the OSCE and in the 1st Committee of the UN General Assembly. The UN has established a so-called Group of Governmental Experts (GGE) to find out what can be done and whether one can start with confidence building measures in cyberspace to find a balanced solution which contributes to enhancing security in the online world. The US government has entered into bilateral consultations with a number of governments, including China, Russia and Germany.

The disclosure of the NSA PRISM program and other online activities of intelligence agencies has pushed the discussion to a new level. The risk is now that we could see not only a militarization of cyberspace, but also something that could be similar to the nuclear arms race during the Cold War of the second half of the 20th century. Will competing governments try to develop their own technologies for global surveillance and spy as much as possible on what is going on in third countries? This would certainly undermine the trust in Internet communication and would have negative effects on the global Internet economy and individual freedoms. This would be a bad choice.

The Brazilian President Dilma Rousseff raised these issues in her speech at the 68th Session of the UN General Assembly in New York on September 24, 2013 when she said: “Information and telecommunication technologies cannot be the new battlefield between States. Time is ripe to create the conditions to prevent cyberspace from being used as a weapon of war, through espionage, sabotage and attacks against systems and infrastructure of other countries.” She proposed “the establishment of a civilian multilateral framework for the governance and use of the Internet” which should be based, inter alia, on “freedom of expression, privacy of the individual and respect for human rights”, “transparency”, “universality, “cultural diversity” and network neutrality under the full participation of all stakeholders.^[1]

The question is whether the multistakeholder approach to Internet governance offers an alternative for discussing and enhancing security in cyberspace. Could this become a helpful tool which would enable governments to find the right balance to do what they have to do to keep the Internet secure by respecting individual rights and freedoms? The non-governmental stakeholders obviously have a great role to play.

Private sector corporations, such as Google, Facebook and others, have already started to bring more transparency into their relationships with governments by disclosing data requests coming from governmental agencies. The technical community, such as the IETF, has started discussions on how standards and protocols can be developed to make individual communication more resistant against foreign or domestic surveillance. And civil society is coming together to write statements and protest in the streets. In Berlin, more than 20,000 people protested against surveillance in early September 2013. Recent statements by organizations including the Electronic Frontier Foundation, Human Rights Watch and the Internet Society have shown that people do not accept governmental wrongdoing, neither from democratic nor from non-democratic governments. The Internet Society President and CEO, Lynn St. Amour, said as a response to the NSA activities on September 10th, 2013: “If true, these reports describe government programs that undermine the technical foundations of the Internet and are a fundamental threat to the Internet’s economic, innovative and social potential. Any systematic, state-level attack on Internet security and privacy is a rejection of the global, collaborative fabric that has enabled the Internet‘s growth to extend beyond the interests of any one country.”

In 2011, the UN Human Rights Council unanimously affirmed that “the same rights that people have offline must also be protected online [so has the Collaboratory‘s 5th expert initiative], in particular freedom of expression”. This means that the offline right for private communication to be protected against unauthorized external inspection and investigated only under strict legally defined circumstances, based on evidence of wrongdoing and under the inclusion of a neutral third party, is also relevant for the online world.

A lot of things relating to cybersecurity will need to be discussed in the years ahead of us. One place for discussion could be the Internet Governance Forum (IGF). This is a place where all stakeholders are involved. And it would certainly be useful if governments were ready to discuss issues related to cybersecurity not only in their own circles, but also share their ideas, needs and positions with other stakeholders on a global level. While it is understandable that not everything can be open to the public and governments (as individuals) need their “secrets”, a lot more transparency can be brought to the issue, in particular with regard to procedures.

We hope that MIND 6 – which will be distributed to all participants of the 8th Internet Governance Forum (IGF) in Bali in October 2013 – will make a contribution to this discussion. You are invited to continue this debate online at: http://www.collaboratory.de/

References:

1. ↑ http://gadebate.un.org/sites/default/files/gastatements/68/BR_en.pdf

MIND-Multistakeholder Internet Dialog MIND stands for Multistakeholder Internet Dialogue. The discussion paper series is a platform for modern polemics in the field of internet governance. Each issue is structured around a central argument in form of a proposition of a well-known author, which is then commented by several actors from academia and the technical communities, the private sector, as well as civil society and government in form of replications. all MIND-publications