Digital Watch newsletter – Issue 28 – February 2018

1. Renewed calls for cyber norms

The debate on cyber norms has picked up after renewed calls for adopting rules to tackle cybercrime and cyber conflict were made this month.

Referring to the use of warfare among states, UN Secretary General António Guterres warned that cyber-attacks against military targets and critical infrastructure will likely initiate future wars, and called to minimise the impact of electronic warfare on civilians.

During his address at the University of Lisbon, Guterres said that it is not clear how existing international humanitarian law, including the Geneva Conventions, apply to cyberwarfare. He said the UN could serve as a platform for various stakeholders to work on rules that can ensure 'a more humane character' to cyber conflicts.

Addressing also during the Munich Security Conference, he called for discussions on the related international legal framework using the competence of the First Committee of the UN General Assembly. ‘I don’t intend that the United Nations has a leadership role on this, but I can guarantee that the United Nations would be ready to be a platform in which different actors could come together and discuss the way forward.’

During the conference, several leading global IT companies presented their joint Charter of Trust for a Secure Digital World, calling for shared ownership of IT security by governments and industry.

Meanwhile, top Russian and Indian officials also called for the adoption of regulations, norms, and principles of state behaviour in cyberspace, under the UN’s role as a coordinator. They also called for the continuation of the UN GGE activities in drafting the rules.

2. Are countries and companies GDPR-ready?

With three months to go until the EU’s General Data Protection Regulation (GDPR) comes into effect, experts are assessing the GDPR-readiness of companies and countries.

Although the GDPR is directly applicable in the EU without the need to be transposed into national law, the regulation provides for several areas which allow the member states to regulate within their respective jurisdictions. Over 50 provisions in the GDPR allow for such flexibility.

Countries have been preparing draft legislation to introduce more specific provisions where the GDPR allows for this. An ongoing survey indicates that only one-fifth of EU countries still have to introduce draft bills.

GDPR-readiness is a tougher challenge for companies. A Forrester Research survey found that half of European companies are or expect to be compliant soon. An EY survey found that fewer companies in other markets were GDPR-ready: 27% of companies surveyed in Africa and the Middle East, 13% in the Americas, and 12% in the Asia-Pacific region.

3. New details about proposed EU tax reforms emerge, as pressure mounts

Internet companies are no doubt waiting to see the tax reforms which the EU will propose by the end of March.

This month, new details have emerged. As revealed by Bloomberg, the European Commission is planning two new taxes: (a) a temporary tax on the advertising revenue of large Internet companies such as Facebook and Google – considered to be a ‘politically palatable’ solution, and (b) a separate tax aimed at online platforms such as Amazon, Ebay, and Airbnb.

The proposals will also introduce the concept of the virtual permanent establishment. In a letter sent to the US Secretary of Treasury, technology companies have expressed concerns over the impact of these plans on the ‘global business climate’, and asked the US to ‘engage directly and forcefully’ in the debate.

Currently, EU member states are split. There are those in favour of tax reforms, such as France and Germany, and smaller countries like Ireland that believe the EU should wait for the OECD’s taxation proposals, arguing that tax reform should be tackled on a global level.

The OECD is in fact reviewing options for tackling the tax challenges raised by the digitalisation of the economy. Some EU countries,  however, have expressed concern that the process is too slow, and said that the EU should move ahead on its own. Both the EU’s proposal and the OECD’s interim report are expected in the next few weeks.

4. Computer systems and websites exploited to mine cryptocurrency

In the latest cybercrime trend to have hit the Internet, systems and websites are being exploited to mine cryptocurrency.

Researchers discovered that cryptocurrency mining scripts were operating on Tesla's cloud system and on thousand of websites around the world.  Scientists working at one of Russia’s nuclear facilities were arrested for allegedly trying to use the site’s powerful computers to mine cryptocurrencies.

The so-called cryptojacking is a relatively new trend in cybercrime. Users are tricked into clicking a link, or visit an infected site, and a script is automatically executed. The script, which taps into the user’s computing power, carries out ‘accounting’ services for the currency, in return for a fee. Cryptocurrency mining is in itself a legitimate way of raising cryptocurrency; exploiting a user’s computer without the user’s consent is a crime.

If governments are concerned about the use of cryptocurrency for fraudulent purposes, cryptojacking practices will add to those concerns.  

5. Child online sexual abuse increasing

This year’s Safer Internet Day, on 6 February, served to highlight the growing abuse against children, and the need for stronger cooperation among stakeholders to protect children online. UNICEF estimates that a child goes online for the first time every half a second, every day. The organisation said that children tap into the opportunities offered by the Internet, but also face grave risks.

Child sexual online abuse is on the increase, the WeProtect alliance has revealed. Cybersex trafficking has become a ‘brutal form of modern-day slavery’. The alliance believes that authorities should have access, under due process, to the necessary data to protect children, to ensure effective investigation, and support prosecution of offenders.

The Council of Europe’s Lanzarote Committee, which monitors the implementation of the Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse, has recommended that countries specifically address the issue of sexual abuse in the circle of trust through dedicated subjects at school.

The monthly Internet Governance Barometer of Trends tracks specific Internet governance issues in the public policy debate, and reveals focal trends by comparing the issues every month. The barometer determines the presence of specific IG issues in comparison to the previous month. Learn more about each update.

Many policy discussions take place in Geneva every month. The following updates cover the main events of the month. For event reports, visit the Past Events section on the GIP Digital Watch observatory.

Launch of the Data Diplomacy report

The GIP hosted the launch of the report Data Diplomacy: Updating Diplomacy to the Big Data Era, on 8 February, prepared by DiploFoundation and commissioned by the Ministry of Foreign Affairs of Finland. The report maps the main opportunities of big data in different areas of diplomacy, proposing ways for ministries of foreign affairs to capture its potential, while describing the key considerations to take into account for big data to flourish. The event was attended by diplomatic representations, international organisations, and civil society in Geneva. 

Global Commission on the Future of Work: Second Meeting

The second meeting of the International Labour Organization’s Global Commission on the Future of Work, on 15‒17 February, focused on the main themes to be addressed in the 2019 report, prepared for the ILO centenary. The work of the high-level Global Commission is part of the ILO Future of Work Initiative launched by the ILO Director-General, Guy Ryder, in 2013. In its discussions, the 28-member Commission focused, among others, on the platform economy, skill building, the situation of youth, and universal social protection. The Commission agreed to seek outreach opportunities via technical meetings, collaboration with international organisations, and an information session with member states later this year. The next meeting of the Global Commission will take place in Geneva on 15‒17 May.

WSIS Forum: Final Brief

The 2018 edition of the World Summit on the Information Society Forum (WSIS Forum) will be held on 19–23 March in Geneva on the theme ‘Leveraging ICTs to Build Information and Knowledge Societies for Achieving the Sustainable Development Goals (SDGs)’. The consultation process for the WSIS Forum finalised on 19 February with a brief on preparations for the event, workshop submission information, and innovations in this year’s programme. More than 250 submissions were received from different stakeholder groups, proportionally distributed as follows: 22% government, 22% civil society, 20% international organisations, 19% private sector, and 17% academia. As in previous editions, the week-long event will feature a high-level track (consisting of a moderated policy session, high-level dialogues, the WSIS Prize 2018, and a ministerial roundtable) and a forum track (consisting of thematic and country workshops, interactive sessions, facilitation meetings, knowledge cafés etc.). The 15-year celebration of the Geneva Plan of Action is the highlight of this year’s event.

Expert Workshop on the Right to Privacy in the Digital Age                                        

The expert workshop, organised by the Office of the High Commissioner for Human Rights (OHCHR) on 19‒20 February, focused on the identification of principles, standards, and best practices regarding the promotion and protection of the right to privacy. The two-day discussion comprised six different thematic panels ranging from the existing legal framework regulating the right to privacy to the role of  individuals, governments, business enterprises, and private organisations in the processing of data. Both the panellists and the participants stressed repeatedly the importance of focusing on the collective dimension of rights while addressing data protection. The discussion concluded that further guidance is needed to unpack the available legal framework for the protection of privacy. In addition to developing the principles, greater effort is needed to ensure adequate implementation of existing provisions as there is still a lack of adequate legal and procedural guidance at national level. Furthermore, the emergence of powerful data-driven technology brings both opportunities and challenges ‒ especially considering that there is an increasing reliance on extraterritoriality and demand for access to data stored abroad. The protection of children’s rights in the digital space also emerged as a new and important discussion point in the near future.

Roundtable on data partnerships in international organisations

As part of the GIP’s Data Talks series, representatives of international organisations gathered on 22 February to discuss how they could best engage in sustainable partnerships with the private sector to obtain new forms of data that could better inform their activities. The session zoomed in on three case studies of such cooperation between international organisations and the Internet industry, focusing on social media firms Facebook and Twitter, and e-commerce giant Alibaba. While it became clear that these kinds of partnerships need a tailored approach, some common lessons appeared, such as the importance of trust-building between organisations, and the need to set clear objectives, roles, and deliverables from the outset.

In the USA, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is proposing to establish a new framework for authorities to access data stored abroad and thus amend the Stored Communications Act (SCA). We look at the salient features of the bill, and its implications.

The draft bill, introduced to the US Congress on 6 February 2018, highlights electronic data held by companies as essential for authorities to investigate crime and prevent threats. Currently, authorities claim they are largely unable to access data stored outside the USA in an effective way; companies are also facing conflicting legal obligations across various jurisdictions. The proposed bill therefore aims ‘to improve law enforcement access to data stored across borders’.

Preservation and disclosure of communications and records

One of the key parts of the proposed bill introduces a new provision in Chapter 121 of the SCA:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

Chapter 121 regulates how and to what extent a public authority can request US providers to disclose data and communications stored online. The amendment would authorise governmental authorities to force US companies to disclose information, even if held in another country.

If approved, this bill could be seen as an exercise of extraordinary jurisdiction, though remaining consistent with longstanding notion of state authority to legislate in areas that have domestic effects.

However, the proposed bill would give providers a ‘statutory right’ to challenge warrants or other legal processes and establish international comities that could limit their reach.

Finally, the CLOUD Act would give the right to providers to notify foreign governments when they receive a legal data request from US authorities about one of their nationals/residents, provided that these foreign governments have entered into agreements with the US government.

Support and criticism

Reactions to the bill have been mixed. Among the actors favouring this bill are the tech companies; human rights organisations and NGOs are strongly opposed to it.

Tech companies, including Apple, Facebook, Google, Microsoft, and Oath, signed a letter supporting the bill, stating that it ‘reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data.’

However, the Electronic Frontier Foundation (EFF) argues that the draft bill constitutes ‘a dangerous expansion of police snooping on cross-border data’. In EFF’s view, the bill would provide US law enforcement agencies with access to content about individuals wherever they live or where the information is stored.

The bill would offer to the US President the possibility to enter into ‘executive agreements’ with foreign governments, and thus provide them with data on users regardless of the respective privacy laws of these countries. It would also lead to the failure of Mutual Legal Assistance Treaties (MLATs), systems that would better guarantee data protection.

Other privacy groups such as the Open Technology Institute (OTI) and Access Now also oppose the bill, claiming that sufficient safeguards for privacy, civic liberties, and human rights are lacking.

CLOUD Act in context: the Microsoft Ireland case

The CLOUD Act needs to be understood in the light of past legal cases that have shone a spotlight on the issue of the extraterritorial application of US law.

The dispute in the Microsoft Ireland case emerged when the US Department of Justice issued a warrant requesting Microsoft to hand over the details and content of an e-mail account – related to a suspected drug trafficker ­– stored in Ireland. Initially, Microsoft denied to comply: Since the data and communication requested was located in Microsoft’s Dublin data centre, Microsoft has argued that US authorities should have used their legal international channel with Irish authorities in order to obtain these communications. A federal judge initially upheld the warrant, but then the Second Circuit determined that ‘that execution of the warrant would constitute an unlawful extraterritorial application of the Act’. The US authorities, however, considered the warrant valid, since it had international reach, and counter-appealed the Second Circuit decision to the Supreme Court. 

The decision of the Supreme Court will have profound implications for US laws regarding data requests, and in all likelihood for the CLOUD Act.

CLOUD Act and the GDPR

Though the CLOUD Act and the GDPR are essentially different in their aim and scope, the CLOUD Act may enter into conflict with certain provisions of the GDPR. Experts believe that the GDPR (article 48) addresses foreign – including US – investigations and prohibits the transfer or disclosure of personal data unless pursuant to an MLAT or other international agreement. This example tends to illustrate the seemingly diverging dynamics of Europe and the USA in dealing with privacy and data requests.

The CLOUD Act will likely be the subject of further discussions at national and international levels. It constitutes a strong stance by the US government and also reflects the partial obsolescence of current national legal frameworks and the challenges of international regulations in the digital era.