Global Network Initiative Promises to Protect Privacy and Freedom of Expression Online

A collection of information and communication companies, advocacy groups, and academic centers have announced the formation of the Global Network Initiative, aimed at protecting free expression and privacy on the Internet on a global scale.

From the announcement:

In an effort to protect and advance the human rights of freedom of expression and privacy, a diverse coalition of leading information and communications companies, major human rights organizations, academics, investors and technology leaders today launched the Global Network Initiative.

From the Americas to Europe to the Middle East to Africa and Asia, companies in the information and communications industries face increasing government pressure to comply with domestic laws and policies that require censorship and disclosure of personal information in ways that conflict with internationally recognized human rights laws and standards.

The Initiative is founded upon new Principles on Freedom of Expression and Privacy – supported by specific implementation commitments and a framework for accountability and learning – that provide a systematic approach for companies, NGOs, investors, academics and others to work together in resisting efforts by governments that seek to enlist companies in acts of censorship and surveillance that violate international standards.

The Initiative’s website includes a full list of participants and three core documents that describe the Initiative’s objectives and key commitments, including a statement of Principles, Implementation Guidelines, and a Governance, Accountability & Learning Framework.

There is a lot to parse here, but I’ll provide some initial reactions below.

Participants

The list of participants includes the usual suspects in initiatives like these, including Google, Microsoft, Yahoo!, Berkman Center for Internet & Society, Center for Democracy & Technology, Electronic Frontier Foundation, Human Rights Watch, etc. It also includes a variety of (sociall-minded) investment firms, like Domini Social Investments, F&C Asset Management, and Trillium Asset Management, perhaps indicating a new focus on brining the financial sector of the ICT industry into the fold on these vital issues.

Noticeably absent from the list of partners are other major tech companies who commonly confront issues of privacy and freedom of expression, such as Facebook (ahem), AT&T (ahem), Cisco (ahem), or Skype (ahem). Also absent are other major advocacy groups like EPIC or Amnesty International. It is unkown whether these groups we asked to join and declined, or haven’t been approached to contribute to these efforts.

Principles

The GNI’s Principles outline its commitment to the protection and advancement of freedom of expression and privacy online, largely based on international human rights laws and standards including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights.

The Principles statement opens with a strong endorsement of protecting human rights:

All human rights are indivisible, interdependent, and interrelated: the improvement of one right facilitates advancement of the others; the deprivation of one right adversely affects others. Freedom of expression and privacy are an explicit part of this international framework of human rights and are enabling rights that facilitate the meaningful realization of other human rights.

And then continues to outline how freedom of expression and privacy fit into that human rights perspective. Notably, it defines “privacy” as:

Privacy is a human right and guarantor of human dignity. Privacy is important to maintaining personal security, protecting identity and promoting freedom of expression in the digital age.

Right on. Unfortunately, however, it frames the threat to privacy solely in terms of government interference:

The right to privacy should not be restricted by governments, except in narrowly defined circumstances based on internationally recognized laws and standards.

Participating companies will respect and protect the privacy rights of users when confronted with government demands, laws or regulations that compromise privacy in a manner inconsistent with internationally recognized laws and standards.

Given this language, it appears these principles are meant to provide guidelines to prevent unwarranted government access to personal information, but does little to address how the companies themselves might be impacting users’ privacy rights through their own collection and use of personal information.

Implementation Guidelines

The Implementation Guidelines provide more details on how the partners plan to put the Principles into practice. Notably, it calls for the boards of the participating companies to “incorporate the impact of company operations on freedom of expression and privacy into the Board’s review of the business”, as well as “employ human rights impact assessments to identify circumstances when freedom of expression and privacy may be jeopardized or advanced, and develop appropriate risk mitigation strategies”. This is to be achieved through the “creation of a senior-directed human rights team, including the active participation of senior management, to design, coordinate and lead the implementation of the Principles.”

This is incredibly similar to a recent shareholder proposal that Google’s board rejected (twice). What made them change their mind? Perhaps they wanted to make it appear as an inernal & altruistic move, rather than “giving in” to shareholder demands? One wonders…

With regard to privacy, the Implementation Guidelines outlines numerous steps for the Partners to follow, including some key items related to transparency:

Participating companies will seek to operate in a transparent manner when required to provide personal information to governments. To achieve this, participating companies will:

  • Disclose to users in clear language what generally applicable government laws and policies require the participating company to provide personal information to government authorities, unless such disclosure is unlawful.
  • Disclose to users in clear language what personal information the participating company collects, and the participating company’s policies and procedures for responding to government demands for personal information.
  • Assess on an ongoing basis measures to support user transparency, in an effective manner, regarding the company’s data collection, storage, and retention practices.

Many of the partner companies have been working hard to make their data collection practices more transparent, and this is good stop towards codifying these efforts. In particular, I hope the first point above means that privacy policies will be more explicit when they state a company will disclose personal information to “satisfy any applicable law, regulation, legal process or enforceable governmental request.”

Finally, the Guidelines also call for the creation of a “confidential multi-stakeholder Advisory Forum [to] provide guidance to participating companies on emerging challenges and opportunities for the advancement of freedom of expression and privacy.” Why must this be confidential? I have no idea, and contradicts the efforts towards transparency stressed above.

Governance, Accountability & Learning Framework

The Governance, Accountability & Learning Framework outlines a multi-stakeholder governance structure, goals for collaboration and a system of company accountability to support the Principles, maximize opportunities for learning and ensure the integrity and efficacy of the Initiative.

Essentially, each of the Partners will contribute to the formation of an Organization to oversee the Initiative, “with equal representation from company and non-company participants that will strive to operate on a consensus basis.” A key task of this Organization will be to conduct “independent assessments” of the participating companies to ensure compliance with the Principles. Note, however, that the companies get to choose their independent assessor (“in close consultation with the Organization”). Hopefully the independence criteria to become an accredited assessor are sufficient to ensure fair assessments of the companies’ actions.

Summary

To summarize, this is an important (perhaps unprecedented?) step by members of the tech industry to recognize how their products and actions impact human rights, and I am thrilled that they are willing to sign on to such an initiative. I know many of the people who have been working on this (I’ve been hearing rumors of its creation), and I know they are committed to protecting both freedom of expression and privacy rights across the globe.

While there are gaps, this is an important step, and I hope momentum builds and real action emerges as a result.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s