The Dutch Advisory Council on International Affairs (AIV), which in 2012 published advice on cyber warfare, has now published advice on internet freedom (.pdf, in Dutch). The report follows a request for advice that the Minister of Foreign Affairs sent to the AIV in February 2014. The AIV is an independent agency that administratively resides in the Ministry of Foreign Affairs.
The 97-page report is written by well-read people: references are made to, among others, DARPA’s Total Information Awareness program of 2002, the NSA’s Bullrun project, writings from Evgeny Morozov and Jonathan Zittrain, opinions expressed by the US PCLOB, and so on — in addition to explaining the history and politics of ICANN and the ITU, and the complex concepts of privacy, freedom and censorship.
Three questions are addressed (official translation; emphasis is mine):
- How can the Dutch government ensure that internet freedom is embedded and further operationalized in Dutch domestic and foreign policy as effectively as possible, against the background of:
- the challenge facing governments, including the Dutch government, in weighing the right to privacy — as formulated in the UN resolution on this right — against other interests to be protected by those governments as they look for solutions to issues raised by digital communications;
- the leading role of the Netherlands in foreign policy concerning internet freedom, as illustrated by the Freedom Online Coalition (FOC), and the opportunities which the Netherlands has to influence the international debate, including the International Conference on Cyberspace in the spring of 2015; [=the Global Conference on Cyberspace 2015 (GCCS2015) – on 16 and 17 April, 2015]
- an international playing field in which more and more countries are seeking to exert tighter control over the internet (and its architecture) and are developing initiatives to that end;
- the right to protection of personal data, which is addressed in different ways by the UN, the Council of Europe and the EU.
- Is Dutch jurisdiction over internet freedom limited to activities in the Netherlands, or does it, by virtue of the increased technological possibilities, extend to situations outside the country? If such jurisdiction does not extend this far, how can the Dutch government help to effectively safeguard internet freedom beyond the Netherlands’ borders?
- To what extent are businesses responsible for protecting citizens’ internet freedom in countries where they operate, and how can the Dutch government, both by itself and in cooperation with other countries, encourage businesses to assume such responsibility? [spoiler alert: the AIV defers this to corporate social responsibility, such as pursued by the Ruggie Framework]
The report makes the following eleven recommendations (my translation; emphasis is mine; ~1400 words):
Paragraphs III.2, III.4 and IV.3.2 explain that data of Dutch internet users is often stored on servers outside the Dutch jurisdiction. The countries where the servers are located are usually authorized to demand access to that data under certain conditions. Because computers cannot process encrypted data very well, and the data are stored outside the realm of Dutch legal protections, the cloud is potentially completely vulnerable. Safe Harbor agreements do not provide sufficient protection, because they are inadequate, hardly enforceable, and have large exceptions concerning national security. These risks deserve the cabinet’s full attention.
The Dutch government’s policy intends to make all domestic government-citizen relations happen via cyberspace: government records, registers and transactions must all take place electronically by 2017 [see a statement by the Minister of the Interior]. The AIV finds it to be urgent that clarity be sought on whether the storage and processing of these data risks the data to end up outside Dutch jurisdiction, where they cannot be sufficiently protected technically and legally. Policy measures and legal measures must be taken to prevent that, at least providing legal guarantees concerning access to the data equivalent to the legal safeguards that apply in the Netherlands (see paragraphs III.5.1 and III.5.2). Furthermore, it is important that the legal protection is sufficiently guaranteed.
The Netherlands has a good economic position on the internet market. It can improve this position by creating a positive business climate by means of optimal protection of internet freedom in all ways and facets discussed in the present advice. The organization of international conferences and institutes has a positive spin-off, but that remains ephemeral if it is not anchored in the Dutch internet community. As part of the international promotion of optimal internet freedom, the Netherlands could create a positive business climate in the Netherlands for internet companies, and stimulate the concentration of internet specialists in innovative science centers in the universities. Furthermore, the Ministry of Economic Affairs, that has a key role in this, could have better coordination between the directorates that deal with the internet.
The principle of human rights policy (one of the corner stones of the foreign policy) is that the Netherlands itself, without pretending to be perfect, wants to set an example, mostly in terms of openness and accountability: local democracy and freedom is the measure. This implies that the Netherlands must strive for the same high level of protection nationally as it promotes internationally. This is a responsibility of all Ministries, notably the Ministries dealing with internet topics.
In the pending constitutional amendment, the planned renewal of the Dutch Intelligence & Security Act of 2002, and the draft proposal Computer Crime III, it must be especially considered whether the Dutch government is following a policy and/or creates regulation that it can uphold internationally [in Dutch: “voor de dag kan komen”]. [note: essentially, this recommendation states that the Dutch govt should practice what is preaches, or else risks losing credibility. Dutch readers: see p.61 and p.68]
The ensuring of effective and independent oversight on intelligence and security services has got a lot of attention in the US following the Snowden affair, and it has also been discussed in the Netherlands by the review of the Dutch Intelligence & Security Act of 2002, among others by the motion filed by the Christian Democratic Appeal (CDA) party in the Senate that was adopted on October 7th 2014 (Eerste Kamer der Staten-Generaal, vergaderjaar 2014-2015, CVIII, D). The UN resolution “The promotion, protection and enjoyment of Human Rights on the Internet“, adopted in July 2012 by the UN Human Rights Council, according to which individuals have the same rights online as they have offline, must be guiding for Dutch policy. If, because of the permanent terror threat, means must be used against (categories of) persons that are not specifically suspected of anything, doing so can only be justified if effective and independent oversight exists. The AIV finds the strengthening of effective and independent oversight by the Dutch Data Protection Authority and the Dutch Review Committee on the Intelligence and Security Services (CTIVD) on the lawful and proportional use of investigatory and preventative powers, of great importance to internet freedom, as defined in the present advice, in the current state of technology and the changed international relations. [note, here, that the AIV does not rule out mass surveillance per se; it only states that mass surveillance can only be justified if “effective and independent oversight” exists.]
In 2014, the Netherlands will spend approximately 53.5 million euro on human rights policy (including Radio Netherlands Worldwide). Part of that is spent on promoting internet freedom. The Netherlands supports various important projects concerning internet freedom by providing man power and money. However, a coherent vision of the internet and the various facets that must be distinguished and emphasized, is lacking. Choices made concerning the support of such activities should be preceded by a general substantiation and prioritization, aimed at the facets of the internet problems that are relevant to the Netherlands. The government could, in consultation with those involved, develop specific measures that promote the freedom and security of the internet, such as the development and publishing of open source software. The AIV considers the lack of attention for improving international policy-making (such as the Internet Governance Forum and the reorganization of ICANN) to be a clear omission. [note: also see Recommendation 8: in the context of companies and internet organizations dominated by companies, the AIV considers it to be the government’s role to monitor whether new software and protocols infringe upon the European interpretation of the freedom of expression, privacy, and data protection.]
Much is happening concerning the EU issues as well. The Netherlands has a wait-and-see attitude concerning the upholding — or not — of the Safe Harbor agreement and the negotiations about the Umbrella agreement. The Netherlands has ample knowledge to play a more leading role in these topics. The Netherlands must take the view that upholding of the Safe Harbor agreement can not, without significant improvements, be a basis for data exchange with the US in the private sector. The Netherlands can use its chairmanship of the EU in 2016 to develop proposals for the EU with the purpose of renewing the existing, outdated legislation that has effects on internet freedoms.
A point of special attention is to provide better safeguards in the exchange of data between national intelligence and security services within Europe and beyond. In the renewal of the Dutch Intelligence & Security Act of 2002, the exchange of data between Dutch and foreign intelligence and security services should be legally regulated, in which sufficient safeguards must be provided for citizens, as explained in paragraph III.2.
The activities of companies and internet organizations dominated by companies can have a significant influence on internet freedom. Companies are primarily guided by profit considerations, and have to deal with various national and international legal frameworks. It is the government’s role to monitor whether new software, protocols, and such, infringe upon the European interpretation of the freedom of expression, privacy, and data protection. NGOs can have a signaling role. The question of how internationally operating companies can be involved in the Dutch human rights policy has been on the agenda for a long time. In the context of the present advice, the question is very urgent, because a small number of international companies is responsible for the international confidential and public communications, and the safeguards that should be provided. The government must therefore address the responsibility of these companies on international forums, and enter into a dialogue about human rights, such as the government also intends to do with foreign governments.
Questions related to internet freedom, as apparent in numerous places in the present advice, transcend governments departments, and are increasingly connected to responsibilities that must be carried by the private sector and other stakeholders. The transcending issues make the execution of the Dutch human rights policy, especially in this domain, into a shared responsibility. The AIV therefore recommends that coordination and shared responsibility is striven for during decision preparation and decision making concerning internet issues.
The Netherlands must have a more consistent policy concerning the question of the internet views it wants to express at which international forums, and in what coalitions. The Ministry must spend more money and man power in the Internet Governance Forum. Furthermore, it could promote privacy-enhancing measures within the ICANN and other internet organizations. An example is given in paragraph V.1: the WHOIS database of the SIDN, that registers domain names for the .nl domain, does not show address information of the domain name holder; bailiffs and lawyers can however request that data. The Netherlands could promote such a solution internationally.
In the policy-making concerning internet freedom, various Ministries are involved: the Ministry of Foreign Affairs, the Ministry of Security & Justice, the Ministry of Economic Affairs, the Ministry of the Interior, and the Ministry of Defense. The Ministry of Economic Affairs regularly consults with Dutch stakeholders in preparation for international meetings. This is an example that other Ministries can follow. Interviews with experts give the impression that the Ministry of Foreign Affairs has little connection with the Dutch internet community. It is desirable that the Ministry of Foreign Affairs assigns more personnel to bring knowledge of the internet up to standard, and to strengthen contacts with the domestic and foreign internet communities, also considering the EU.
We’ll have to wait and see how the government will respond to this advice, i.e., which recommendations they will (not) follow. The report does not address net neutrality; on page 9 it is stated that net neutrality is out of scope “because it relates to (European) competition law”. I don’t know how to interpret that (perhaps the AIV, which resides in the Ministry of Foreign Affairs, does not want to interfere with an issue that primarily resides in the Ministry of Economic Affairs).
These are ongoing developments in the Netherlands in which internet freedom can be at risk (probably a non-exhaustive list):
- In November 2014, the Dutch govt announced it proposal is being drafted to grant Dutch intelligence & security agencies bulk cable-interception power: the government is drafting a legislative proposal, conceptually described here, to update the Dutch Intelligence & Security Act of 2002, that would expand the existing bulk interception power of the Dutch intelligence agencies AIVD and MIVD from ether-only to also include cable communications. (Note: the latter already happened in Sweden in 2009: the FRA used to only be allowed bulk intercept of ether communications, but as of 2009 is also allowed to carry out bulk interception of cable communications, if tasked to do so. The Netherlands would, AFAIK, be the first country to contemplate introducing bulk cable interception in the post-Snowden era.)
- In November 2014, the Dutch govt expressed its intent to uphold telecom data retention: in April 2014, the ECJ ruled the EU Data Retention Directive to be invalid. In November 2014, the Dutch govt expressed its intent to uphold the Dutch implementation, i.e., the Dutch Telecommunications Data Retention Act of 2009, with some cosmetic changes. They also intend to proceed with implementing a nation-wide ANPR database.
- In January 2015, the Dutch govt will propose hacking powers for Dutch LE: there is the legislative proposal “Computer Crime III”, described here, that would provide law enforcement remote hacking powers to, under certain conditions, break into systems of which the geographic location is unknown (thus including systems that reside outside the Dutch jurisdiction);
- In August 2014, the Dutch govt announced anti-jihadism plans that include voluntary censorship imposed on ISPs: in August 2014, the Dutch govt expressed its intent to implement a sort-of-voluntary censorship regime, in which the govt asks Dutch ISPs to voluntarily take content offline without involving a judge. This evolved from, among other, the controversial Clean IT Project, describe here, that the Netherlands was chair of. From leaked documents of Clean IT, it turns out that one of the ideas that was going to be discussed internally was to exclude non-conforming ISPs from government tenders.
- The Pirate Bay was blocked for three years in the Netherlands: in 2011, Dutch ISPs were ordered to block access to The Pirate Bay following a court ruling in a case started by Dutch anti-piracy organization BREIN. In January 2014, a court decided (.pdf, in Dutch) that the blocking was ineffective and disproportional, and the blockade was lifted. The point of this: Dutch citizens were subject to a three year long court-imposed blockade that only eventually was ruled to be ineffective and disproportionate.
The Netherlands will be hosting the fourth international Cyberspace Conference — Global Conference on Cyberspace 2015 (GCCS2015) — on April 16-17th 2015, and will be chair of the EU in 2016; these are opportunities for the Dutch government to pursue its stated human rights objectives; for instance by following the AIV’s recommendations. According to the National Cyber Security Strategy 2 – From awareness to capability (.pdf, 2013) , the Netherlands seeks to be a diplomacy hub for expertise on international law and cyber security (quote from page 25):
The Netherlands aims to develop a hub for expertise on international law and cyber security in order to promote the peaceful use of the digital domain. To this end, the Netherlands combines knowledge from existing centres. The centre brings together international experts and policymakers, diplomats, military personnel and NGOs. This creates a network that brings together multidisciplinary knowledge about subjects such as international standards for conflict prevention, civil-military cooperation and non-proliferation of cyber weapons in the digital domain. The network also contributes to discussions about this subject. This forms the basis for a series of multi-stakeholder, high-level meetings.
It would be nice to see the Dutch national developments — many of which have international implications — be discussed at the Cyberspace Conference in 2015. I’m not aware whether that is the case.
The remainder of this post consists of a translation of the press release (Dec 19, in Dutch) and of the paragraph “Summary and conclusions”. Hyperlinks and parts in  are mine.
WARNING: THESE ARE UNOFFICIAL TRANSLATIONS.
Here is a translation of the AIV’s press release (~400 words):
The internet: a global free space with limited state control
The internet was initially seen as a new technology that would provide a large contribution to the freedom of expression, but it also has consequences for other human rights, notably the right to privacy. This is of importance to a number of current legislative proposals, such as the renewal of the Dutch Intelligence & Security Act of 2002 (Wiv2002), the renewal of Article 13 of the Dutch Constitution concerning the postal secret [in Dutch: “briefgeheim”], and the proposals to extend powers of the police to fight computer crime.
Nearly everything that individuals do on the internet leaves trails, the so-called traffic data. The collection and analysis of very large amounts of traffic data has become possible thanks to increased computational power. While such data by itself does not say a lot about the internet user, by combining various traffic data a profile can often be made of an individual. That can threaten the privacy of internet users.
Governments and companies are increasingly offering services via the internet. The government, for instance, wants citizens to apply for a scholarship or housing benefits via the internet, because it is cheaper. The storage and processing of digital data in the cloud risks data ending up in a location outside the jurisdiction of Dutch authorities. In the US, where the large internet companies are located, the protection of privacy for foreigners is weaker than in the EU. In the cloud, data can not technically and legally be sufficiently protected. Other governments or companies, who have nothing to do with the scholarship or housing benefits of Dutch citizens, can then sometimes obtain access to that data. The Netherlands and the EU must take policy measures and legal measures to prevent that, for instance by making better arrangements with other countries.
Due to the permanent terror threat, intelligence and security services in various countries also increasingly make use of these possibilities. They also collect data about individuals who are not suspected of terrorism or other crimes. The AIV finds that this is only justifiable if effective and independent oversight exists on the intelligence and security services.
Companies play an increasingly large role in internet freedom in various ways. They can thwart governmental censorship, or cooperate with it. Some companies intend to collect data about individuals, threatening the right to privacy. Internet companies can design their technology in a way that increases internet freedom, or not pay attention to that. The legal role of companies in these aspects is not yet established. The AIV believes it is useful if the Human Rights Ambassador would not only consult with other countries, but also has human right dialogues with large internet companies.
Here is a translation of the paragraph “Summary and conclusions” of the advice report (~1400 words):
Summary and conclusions
Chapter II explains that the internet has disembodied itself from the classic structure of international law of a treaty (that laid down global agreements about telecommunication), an international organization (the ITU) and the national states cooperating therein. A semi-private multistakerholder model replaced it, consisting of the ICANN (naming and addressing) and a set of technical groups that deal with internet standards and protocols. This was accompanied by a technical revolution in the way of sending data and a social revolution in the way of communication. Formally, the ICANN is still part of the US Department of Commerce. After the Snowden affair, the general feeling is that this association can no longer be upheld. A new structure needs to be found, based on the multistakeholder model.
This form of governance limits itself to the technical layers of the internet, although no consensus exists within the internet community even about this narrow definition of governance (see Chapter V.2). Besides this new internet structure, the old organization ITU actively keeps trying to expand its influence, recently in attempt to change the International Telecommunications Regulations during the World Conference on International Telecommunications in Dubai, so far without success. Within the ITU, states such as Russia and China attempt to increase their control over internet communications, also its content. However, the UN started a new development with the Internet Governance Forum. In this global platform, states, in cooperation with other stakeholders, attempt to achieve consensus about the meaning of internet governance. So far with partial success, because it is very difficult — outside of the more technical issues — to reach consensus on topics that involve various views on values. The government’s questions are answered against this background.
The first question was: how can the Dutch government ensure that internet freedom is embedded and further operationalized in Dutch domestic and foreign policy as effectively as possible? Chapter III discusses this question at a conceptual level. First, it is explained that the current constitutional communications and privacy framework no longer suits today’s technology. At the same time, it is evident that such change must involve deliberation and carefulness, because a change can result in decreased protection.
This is demonstrated by, among others, the communication secret [in Dutch: “communicatiegeheim”] in relation to traffic data. In a network society, the communications secret is no longer a fixed given, but a protection of how and in what context an individual can communicate freely. A second aspect is that legal concepts are either designed for a different technical reality than the current internet (for instance the concept of “processing” in the data protection law), or assume a situation in which a clear distinction can be made between the “transport of a message” and “expressing a message” (from media and telecommunications law). Two other entangled questions are the international jurisdiction and universality versus national sovereignty. This contradiction is best seen in the difficult negotiations between the EU and US about the Safe Harbor principles in data protection. Another important aspect is the ongoing erosion of the concept of personal data, as a result of developments such as Big Data and mass or targeted surveillance of citizens. Many incorrectly assume that traffic data are, by definition, not personal data, while a collection of traffic data can allow establishment of (individual) profiles. The assumption that anonymous data can be collected on a large scale without effective oversight, is thus incorrect.
In addition, it is found that security must be understood in the context of the rule of law. Striving for the unattainable ideal of precluded event security can result in measures that are disproportional and harm the balance of the rule of law.
Furthermore, the present advice points out the ongoing battle concerning the broadening of the concept of internet governance; this too is important for the anchoring of internet freedom. This battle is fought in, among others, the ITU (paragraph II.3). The debate about the new organization that will replace ICANN is also of great importance, because control over the root is critical to internet freedom, and because ICANN is central to internet governance (paragraph V.1). The Internet Governance Forum seems like a suitable forum to discuss issues concerning the operationalization of internet freedom, but the secretariat of this forum suffers from a lack of personnel and financial means.
Moreover, the government can contribute to promoting internet freedom by applying the same normative principles in domestic policy discussions as those it promotes abroad. There is a risk that free constitutional democracies develop a Janus Face of legally protected freedom and insufficiently legal limitations of freedom, such as explained in paragraph V.2. That currently undermines the credibility of the US, as criticized in the Foreign Policy study “Begins At Home” by Richard Haass, president of the Council of Foreign Relations.
The second question was whether Dutch jurisdiction over internet freedom is limited to activities in the Netherlands, or Dutch jurisdiction, by virtue of the increased technological possibilities, extends to situations outside the country? If such jurisdiction does not extend this far, how can the Dutch government help to effectively safeguard internet freedom beyond the Netherlands’ borders? On the internet, the production, storage and distribution of information is no longer restricted by time and location. The internet does not have national boundaries. Although the technical possibilities have increased, this does not imply that powers are extended. In paragraph V.2.2 this question is focused on the legislative proposal Computer Crime III. The AIV finds that the draft proposal provides extended powers that exceed what is permissible by international law.
Nonetheless, national states have an important role because the physical infrastructure of the internet starts and ends within a territory over which the states have factual and legal power. The questions concerning access and free and uncontrolled communication are thus focused within national law. Chapters III and V, in which questions of access, surveillance and censorship are addressed, show that it concerns national decisions that must be tested against international (or regional: ECHR and EU) treaties. Paragraph V.4, on the other hand, explains that the large international enterprises, who have a key role in access and free use of the internet, are only very partially within Dutch jurisdiction, namely only when acts take place within the Dutch jurisdiction. It is regularly discussed when this precisely is the case in internet services. The Google Spain arrest of the European Court of Justice is a breakthrough on this aspect.
The third question was whether companies are responsible for protecting citizen’s internet freedom in countries where the companies operate, and how the Dutch government, by itself and in cooperation with other countries, can call upon companies to take that responsibility. The present advice explains that the organization of modern electronic communication strongly differs from the era in which the fixed phone and telex where the most important means of communication. State monopolies in international legal structure are replaced by a system of many players. In this system, the role of companies is large; this is discussed in several places in this advice, notably in Chapter II and in paragraph V.4. Companies have an important role in internet governance, and are provides of various services such as search engines, cloud (paragraph III.4.1 and IV.3.2) and email. Sometimes, companies are forced to act as an extension of the government, such as in data retention (paragraph III.2) or censorship, that they may or may not oppose (paragraph V.3). Companies thus have a considerable influence on internet freedom.
It can be concluded that the position of internet companies is not always clear legally. For instance, in the Netherlands, it is not clear for social media whether they are subject to telecommunication law or to media law. The answer to that question has important consequences for the extent to which those companies can be called to take responsibility concerning the contents of communications and publications. Furthermore, companies can be stuck between national jurisdictions with various legal regimes. For companies, commercial considerations are usually decisive, also where it involves the collection, processing and storage of data of internet users. The answer to the question to what extent companies are responsible for protecting internet freedom can not yet be given, legally. This question must be understood within the wider context of corporate social responsibility. To that end, the Ruggie Framework was established, which is topic of international discussion, but that has special relevance in this domain.
The AIV states it interprets the word “internet freedom” in terms of the House of Freedom’s categories, as included in the Freedom on the Net 2013 report (.pdf, 2013):
- Obstacles to access: assesses infrastructural and economic barriers to access; governmental efforts to block specific applications or technologies; and legal, regulatory, and ownership control over internet and mobile phone access providers.
- Limits on content: examines filtering and blocking of websites; other forms of censorship and self-censorship; manipulation of content; the diversity of online news media; and usage of digital media for social and political activism.
- Violations of user rights: measures legal protections and restrictions on activity; surveillance; privacy; and repercussions for online activity, such as prosecution, imprisonment, physical attacks, or other forms of harassment.
- 2015-02-27: Governments Covertly Fund Internet Freedom Activists (re: Hivos’ Digital Defenders Partnership (DDP), started by NL, US & UK in 2012)