09 January 2014

Abuse and Astroturf

The Guardian reports that the Australian royal commission into child sex abuse has successfully sought access to information gathered through police phone-tapping.
A notice in the commonwealth government gazette this week revealed that in December the attorney-general, George Brandis, had added the royal commission to the list of organisations that can legally receive information under section 5AA of the Telecommunications (Information and Access) Act 1979. ...
A spokeswoman said the royal commission had "sought this authority from the attorney-general in order to legally receive … relevant information from police, and other agencies, including information that might have been gathered through interception".
She said the royal commission needed the authority to be given historical information that the police had gathered through phone intercepts, and had "no intention" of using it to instigate new phone tapping requests.
Under the act, police forces and organisations such as the NSW Crimes Commission and the Independent Commission Against Corruption can request and access information gathered through intercepts, but royal commissions must be explicitly conferred the power.
Meanwhile the Global Network Initiative (GNI) - "Protecting and Advancing Freedom of Expresssion [sic] and Privacy in Information and Communications Technologies" - has oh so very surprisingly awarded its members a shiny gold star for privacy compliance.

The GNI Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo [PDF] states that
This is the public report on the independent assessments of the Global Network Initiative’s (GNI) founding companies: Google, Microsoft and Yahoo. It also includes the first determination by GNI’s Board of the three companies’ compliance with the GNI Principles on Freedom of Expression and Privacy.
Created in 2008, GNI brings together companies, civil society organizations, investors, and academics to help companies respond to government requests while respecting the freedom of expression and privacy rights of their users. Companies participating in GNI are independently assessed on their implementation of the principles and guidelines. Only assessors accredited by GNI’s multi-stakeholder Board are eligible to conduct assessments of member companies. The companies select assessors from among the accredited organizations. Foley Hoag, KPMG, and PwC were selected by the founding companies for the assessments described in this report.
The assessments focus on how companies respond to government requests implicating freedom of expression or privacy rights, looking at a selection of cases arising out of government demands from July 2011 through June 2013. Assessors asked the companies to provide cases based on criteria set out by the assessors, informed by consultation with GNI’s non-company participants and independent research. The objective was to select a range of cases that were salient to each company’s business model, operating environments, and particular human rights risk profile.
GNI has established a three-phase assessment process. After the completion of the third assessment, the GNI Board makes a determination of compliance or non-compliance with the GNI Principles for each company. A finding of compliance indicates that the GNI Board believes the company has committed to our Principles by adopting policies and procedures to implement them; and based on the cases reviewed, is making a good faith effort to implement and apply them, and improve over time. The assessment process did not and cannot determine whether these policies and procedures are functioning in every case, or whether the company has acted appropriately with respect to each of the many thousands of requests received each year from governments.
Based on its evaluation of each independent assessor’s report and other information described herein, GNI’s Board determined that Google, Microsoft, and Yahoo are compliant with the GNI Principles.

The report goes on to state that -
GNI and national security surveillance requests
The news headlines of the last six months have brought to the world’s attention the surveillance practices of the United States and other governments. Protecting the free expression and privacy rights of Internet users around the world - the goal behind the creation of GNI - has never been so vital. It was not possible, however, to assess the way in which GNI companies respond to U.S. national security requests because of the restrictions under U.S. law that prohibit the companies from disclosing any information related to such requests. This strengthens our belief that legal and policy reform is necessary and advocacy for increased transparency and other changes will be a greater part of our work in future.
Key findings from the assessments illustrate the challenges that companies are facing across a variety of operating environments.
  • The limitations on independent assessments regarding secret national security requests, where companies are prohibited by law from disclosing information about those requests, reinforce our conviction that significant reform by governments is urgently necessary. 
  • Implementing the principles during acquisitions—and with partners, suppliers, and distributors—remains a challenge. The use of contractual language to limit third party disclosure of company user data can be an important tool in this regard in various ways across the companies. The pace of acquisitions in the technology sector, where many acquisitions are highly confidential and time sensitive, also present a challenge for ensuring that human rights risks are integrated into the due diligence process. 
  • Decisions on whether content violates a company’s Terms of Service when facing government restrictions should be subject to appropriate internal review to ensure the company's compliance with its commitments to the GNI Principles.
This is the first time, to our knowledge, that such assessments involving case reviews of these types of requests have been undertaken by any organization. A number of challenges were encountered, including limitations on assessor access to company information due to assertions of attorney-client privilege and other concerns identified below. Although assessing internal company policies and procedures for responding to law enforcement and other government requests in a highly charged legal environment is a complex undertaking, this report describes the significant progress we have been able to achieve.
In 2014, GNI will carry out a review of the assessment process to integrate learning from this first cycle of assessments, as we also begin assessments of new company members. We expect that the process will evolve over time, and we look forward to working with additional companies as they join us in our work to protect privacy and freedom of expression around the globe.
Attention to over-reaching by government agencies is laudable, but the report's disregard of privacy-invasive practices by its members erodes the credibility of the document and of the GNI as such.