Feeder Workshop: Global Trends to Watch: The Erosion of Privacy and Anonymity and The Need of Transparency of Government Access Requests

29 September 2011 - A Main Session on Security in Nairobi, Kenya


At a time when individuals regularly turn to search engines, social networks and other Internet intermediaries to find information online, record their emotions on microblogs, share personal data with friends, store private and sensitive information such as email, use their mobile devices to connect and interact on the Internet, and save vast amounts of their information to the virtual “cloud,” digital privacy is of paramount importance. Yet research by social scientists has found that few Internet users fully understand how much information they are revealing about themselves and the potential impact this disclosure can have.

In addition, government agencies throughout the world are pushing for laws that force these online third party providers to collect and store more personal information that they need for the purposes of their business. Citizens groups and civil society organizations find these controversial laws invasive and overbroad, and some countries’ courts have struck down data retention laws unconstitutional.

Date retention legal obligations to log users’ Internet use are usually paired with provisions that allow the government to obtain those records, ultimately expanding governments’ ability to surveil their citizens. There are few centralized data sources that provide transparency on the number of government data requests.

Many online service providers follow the best practice of notifying users of a government request for information, thereby allowing users to effectuate their due process rights and contest any legal process. However, other service providers do not notify the users and some government requests for user information attempt to forbid notification. Without notification, due process protections for the information can become illusory.

Moreover, several government initiatives are investing in security research to analyze the wealth amount of information they are collecting though the Internet. For example, the European Union has launched the advanced profiling and automated threat detection research, named INDECT (www.indect-project.eu/). In the US, the CIA’s Open Source Center (https://www.opensource.gov) bills is monitoring, collecting and storing information from publicly accessible Internet sources such as blogs, chat rooms, and social networking sites.

A growing number of businesses have been built on modern surveillance technologies, seeking to predict and prevent not only crimes but also identify alleged future security risks. These technologies raise serious privacy and freedom of association concerns because the technology may bring the unnecessary and chilling government scrutiny on citizens engaged in legitimate opposition to government polices. Across the globe there have been numerous individuals whose lives have been endangered by information that has been collected through their use of technology.

The panel will offer a snapshot of current existing and proposed regulatory frameworks and aims to surface the potential risks, global trends, best and worst practices, details about the Cybercrime Convention, the mutual legal assistance treaties of gathering and exchanging information among countries, and the lack of transparency of governments’ access requests.



A brief substantive summary and the main events that were raised:
This panel discussion at the Internet Governance Forum in Kenya offered a snapshot of existing and proposed regulatory frameworks for Internet privacy. It looked at potential risks, global trends, best and worst practices. Panelists examined the Cybercrime Convention, and the need for transparency in government requests for access to personal data.

A comprehensive report is attached to this page.

Conclusions and further comments:
Internet users’ privacy is increasingly at risk as millions of users utilize social networks, blogs, and other cloud computing services whose function depends on obtaining and storing personal information. Recent cases from all over the world demonstrate that users’ private data is not properly protected against misuse and exploitation by corporate entities and governments. Many online service providers, especially ones that provide their services for free, have designed their business model in a way that monetizes data to sell and display targeted ads on their pages. This stored information remains vulnerable to third parties that may use it to profile and target individuals.

As consumers have embraced cloud computing and mobile technologies, law enforcement agencies have followed. Law enforcement agencies can gain access to users’ records, some times without a court-issued warrant, nor a notification to the users themselves. The issue of state surveillance is most prominent in authoritarian or totalitarian regimes.

Mandatory data retention regimes were also criticized during the session. This regime forces online third party providers to unnecessarily log users’ personal information alongside legal provisions allowing state agencies easy access to these records.

The Council of Europe’s Cybercrime Convention has extensively assisted countries that ratified the treaty in implementing its provisions into national law, but it also effectively served as a policy guideline for states developing similar national legislation to combat threats of cybercrime in their respective countries. While the Treaty is more specific on increased law enforcement powers, it remains vague in outlining privacy protections and standards ensuring that those law enforcement powers are not abused. States must become more transparent in their processes in obtaining user data and educate their citizens on the importance of digital privacy. Policy makers have much to do to improve regulations in a way that will respect user’s fundamental rights on the Internet for the years to come.