Digital Watch newsletter – Issue 28 – February 2018
1. Renewed calls for cyber norms
The debate on cyber norms has picked up after renewed calls for adopting rules to tackle cybercrime and cyber conflict were made this month.
Referring to the use of warfare among states, UN Secretary General António Guterres warned that cyber-attacks against military targets and critical infrastructure will likely initiate future wars, and called for minimising the impact of electronic warfare on civilians.
During his address at the University of Lisbon, Guterres said that it is not clear how existing international humanitarian law, including the Geneva Conventions, applies to cyberwarfare. He said the UN could serve as a platform for various stakeholders to work on rules that can ensure 'a more humane character' to cyber conflicts.
Also speaking at the Munich Security Conference, he called for discussions on the related international legal framework using the competence of the First Committee of the UN General Assembly. ‘I don’t intend that the United Nations has a leadership role on this, but I can guarantee that the United Nations would be ready to be a platform in which different actors could come together and discuss the way forward.’
During the conference, several leading global IT companies presented their joint Charter of Trust for a Secure Digital World, calling for shared ownership of IT security by governments and industry.
Meanwhile, top Russian and Indian officials also called for the adoption of regulations, norms, and principles of state behaviour in cyberspace, under the UN’s role as a coordinator. They also called for the continuation of the UN GGE activities in drafting the rules.
2. Are countries and companies GDPR-ready?
With three months to go until the EU’s General Data Protection Regulation (GDPR) comes into effect, experts are assessing the GDPR-readiness of companies and countries.
Although the GDPR is directly applicable in the EU without the need to be transposed into national law, the regulation provides for several areas which allow the member states to regulate within their respective jurisdictions. Over 50 provisions in the GDPR allow for such flexibility.
Countries have been preparing draft legislation to introduce more specific provisions where the GDPR allows for this. An ongoing survey indicates that only one-fifth of EU countries still have to introduce draft bills.
GDPR-readiness is a tougher challenge for companies. A Forrester Research survey found that half of European companies are or expect to be compliant soon. An EY survey found that fewer companies in other markets were GDPR-ready: 27% of companies surveyed in Africa and the Middle East, 13% in the Americas, and 12% in the Asia-Pacific region.
3. New details about proposed EU tax reforms emerge, as pressure mounts
Internet companies are no doubt waiting to see the tax reforms which the EU will propose by the end of March.
This month, new details have emerged. As revealed by Bloomberg, the European Commission is planning two new taxes: (a) a temporary tax on the advertising revenue of large Internet companies such as Facebook and Google – considered to be a ‘politically palatable’ solution, and (b) a separate tax aimed at online platforms such as Amazon, Ebay, and Airbnb.
The proposals will also introduce the concept of the virtual permanent establishment. In a letter sent to the US Secretary of Treasury, technology companies have expressed concerns over the impact of these plans on the ‘global business climate’, and asked the US to ‘engage directly and forcefully’ in the debate.
Currently, EU member states are split. There are those in favour of tax reforms, such as France and Germany, and smaller countries like Ireland that believe the EU should wait for the OECD’s taxation proposals, arguing that tax reform should be tackled on a global level.
The OECD is in fact reviewing options for tackling the tax challenges raised by the digitalisation of the economy. Some EU countries, however, have expressed concern that the process is too slow, and said that the EU should move ahead on its own. Both the EU’s proposal and the OECD’s interim report are expected in the next few weeks.
4. Computer systems and websites exploited to mine cryptocurrency
In the latest cybercrime trend to have hit the Internet, systems and websites are being exploited to mine cryptocurrency.
Researchers discovered that cryptocurrency mining scripts were operating on Tesla's cloud system and on thousands of websites around the world. Scientists working at one of Russia’s nuclear facilities were arrested for allegedly trying to use the site’s powerful computers to mine cryptocurrencies.
So-called cryptojacking is a relatively new trend in cybercrime. Users are tricked into clicking a link, or they visit an infected site, and a script is automatically executed. The script, which taps into the user’s computing power, carries out ‘accounting’ services for the currency, in return for a fee. Cryptocurrency mining is in itself a legitimate way of raising cryptocurrency; exploiting a user’s computer without the user’s consent is a crime.
If governments are concerned about the use of cryptocurrency for fraudulent purposes, cryptojacking practices will add to those concerns.
5. Child online sexual abuse increasing
This year’s Safer Internet Day, on 6 February, served to highlight the growing abuse against children, and the need for stronger cooperation among stakeholders to protect children online. UNICEF estimates that a child goes online for the first time every half a second, every day. The organisation said that children tap into the opportunities offered by the Internet, but also face grave risks.
Child sexual online abuse is on the increase, the WeProtect alliance has revealed. Cybersex trafficking has become a ‘brutal form of modern-day slavery’. The alliance believes that authorities should have access, under due process, to the necessary data to protect children, to ensure effective investigation, and support prosecution of offenders.
The Council of Europe’s Lanzarote Committee, which monitors the implementation of the Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse, has recommended that countries specifically address the issue of sexual abuse in the circle of trust through dedicated subjects at school.
Digital policy developments
The monthly Internet Governance Barometer of Trends tracks specific Internet governance issues in the public policy debate, and reveals focal trends by comparing the issues every month. The barometer determines the presence of specific IG issues in comparison to the previous month. Learn more about each update.
Global IG architecture
The Internet Society launched a Collaborative Governance Project to ‘expand the global knowledge and use of collaborative governance processes to solve problems and develop norms’.
Several global companies, including Airbus, IBM, Siemens, and Deutsche Telekom, signed a Charter of Trust for a Secure Digital World.
The Food and Agriculture Organization and Telefonica have concluded an agreement to work together on leveraging the use of digital technologies such as the Internet of Things (IoT) and big data for agricultural development, food security, and nutrition. The World Bank Group and the GSMA also announced a partnership on harnessing big data from the IoT for growth and development.
Speaking at the Munich Security Conference, UN Secretary General António Guterres called for ‘a serious discussion about the international legal framework in which cyberwars take place’.
India and Russia agreed to broaden cooperation on cybersecurity. They also called for norms to govern state behaviour in cyberspace, and for the continuation of the UN GGE. The UK and the USA have publicly accused Russia of being behind the NotPetya ransomware attack in June 2017. Russia denied the accusations as groundless.
The Worldwide Threat Assessment of the US Intelligence Community, presented by the US Director of National Intelligence, sees cyberthreats among top global threats in 2018.
A Russian supercomputer for nuclear research, Tesla’s cloud system, and thousands of websites worldwide have been exploited to mine cryptocurrency.
E-commerce and Internet economy
More than five years after Amazon was given a tax bill of almost €200 million by French tax authorities, the two parties have reached a ‘comprehensive settlement agreement’ for an undisclosed amount. The European Commission will present its plan for tax reforms for Internet giants by the end of March. According to EU Economic Affairs Commissioner, Pierre Moscovici, ‘digital taxation is no longer a question of if’, but rather of how.
In a case brought by an Uber driver, the labour tribunal in Paris, France ruled that Uber's 'business is intermediation rather than transportation', and that the driver was self-employed. In Morocco, Uber suspended its activity, due to regulatory uncertainty. The US State Secretary proposes the creation of a Bureau for Cyberspace and the Digital Economy, 'to formulate and coordinate a strategic approach necessary to address current and emerging cyber security and digital economic challenges'.
The European Commission launched the EU Blockchain Observatory and Forum, to help the EU stay at the forefront of blockchain developments. The Indian government announced that it does not recognise bitcoin as legal tender for payment, and that it will seek thorough regulation of the cryptocurrency industry. The General Manager of the Bank for International Settlements warned that cryptocurrencies could become a threat to financial stability. The Swiss Financial Market Supervisory Authority published a set of Guidelines on Initial Coin Offerings (ICOs).
Venezuela launched the world’s first sovereign cryptocurrency, the petro.
The Article 29 Working Party released revised guidelines concerning the implementation of the EU GDPR. The European Commission has sent a second letter to the Internet Corporation for Assigned Names and Numbers (ICANN), expressing concerns over the organisation's proposed models for ensuring compliance between its WHOIS policy and the GDPR.
A Belgian court decided that Facebook has been in breach of privacy laws by tracking users on third-party sites. Facebook intends to appeal the ruling.
Jurisdiction and legal issues
A Clarifying Lawful Overseas Use of Data Act (CLOUD Act) bill introduced in the US Congress seeks to clarify the conditions under which US authorities can access data stored by US companies outside national borders. The bill was welcomed by the Internet industry, and received with reticence by human rights organisations.
The European Parliament voted in favour of a new regulation on geoblocking, aimed at facilitating cross-border access to online services within the EU and preventing the restriction or discrimination of content in particular locations. An exception for copyrighted materials has drawn criticism from consumer rights groups.
ICANN decided not to delegate the .corp, .home, and .mail generic top-level domains (gTLDs) because of concerns over collisions with name labels used in private networks.
Foreign affairs ministers of ASEAN countries expressed support for a proposal to build an ASEAN Smart Cities Network.
The Telecom Regulatory Authority of India recommended the adoption of policies to encourage the development of networks especially suited to IoT.
In the USA, states are taking measures to preserve net neutrality after the Federal Communications Commission (FCC) adopted the Restoring Internet Freedom Order last December. The Internet Association expressed support for the Senate Congressional Review Act resolution, put forward to invalidate the FCC order. Attorneys-general in 22 states and Washington DC re-filed a lawsuit challenging the order.
The Netherlands’ Authority for Consumers and Markets denied a request to take action against T-Mobile’s alleged breach of net neutrality rules through its zero-rated music streaming offer.
In a report on Open Internet and Devices, the French regulator ARCEP noted that neutrality rules should also apply to devices, and not only to networks.
New technologies (IoT, AI, etc.)
India is setting up its first artificial intelligence (AI) institute, and has created four committees tasked with preparing a national roadmap on AI.
Germany does not have any intention to procure autonomous weapons systems.
The Worldwide Threat Assessment of the US Intelligence Community lists AI, the IoT, and big data among areas that could generate national security threats. A report released by academic and civil society organisations outlines security threats that could be generated by the malicious use of AI systems, and makes recommendations on how to better forecast, prevent, and mitigate such threats.
Many policy discussions take place in Geneva every month. The following updates cover the main events of the month. For event reports, visit the Past Events section on the GIP Digital Watch observatory.
Launch of the Data Diplomacy report
The GIP hosted the launch of the report Data Diplomacy: Updating Diplomacy to the Big Data Era, on 8 February, prepared by DiploFoundation and commissioned by the Ministry of Foreign Affairs of Finland. The report maps the main opportunities of big data in different areas of diplomacy, proposing ways for ministries of foreign affairs to capture its potential, while describing the key considerations to take into account for big data to flourish. The event was attended by diplomatic representations, international organisations, and civil society in Geneva.
Global Commission on the Future of Work: Second Meeting
The second meeting of the International Labour Organization’s Global Commission on the Future of Work, on 15‒17 February, focused on the main themes to be addressed in the 2019 report, prepared for the ILO centenary. The work of the high-level Global Commission is part of the ILO Future of Work Initiative launched by the ILO Director-General, Guy Ryder, in 2013. In its discussions, the 28-member Commission focused, among others, on the platform economy, skill building, the situation of youth, and universal social protection. The Commission agreed to seek outreach opportunities via technical meetings, collaboration with international organisations, and an information session with member states later this year. The next meeting of the Global Commission will take place in Geneva on 15‒17 May.
WSIS Forum: Final Brief
The 2018 edition of the World Summit on the Information Society Forum (WSIS Forum) will be held on 19–23 March in Geneva on the theme ‘Leveraging ICTs to Build Information and Knowledge Societies for Achieving the Sustainable Development Goals (SDGs)’. The consultation process for the WSIS Forum was finalised on 19 February with a brief on preparations for the event, workshop submission information, and innovations in this year’s programme. More than 250 submissions were received from different stakeholder groups, proportionally distributed as follows: 22% government, 22% civil society, 20% international organisations, 19% private sector, and 17% academia. As in previous editions, the week-long event will feature a high-level track (consisting of a moderated policy session, high-level dialogues, the WSIS Prize 2018, and a ministerial roundtable) and a forum track (consisting of thematic and country workshops, interactive sessions, facilitation meetings, knowledge cafés, etc.). The 15-year celebration of the Geneva Plan of Action is the highlight of this year’s event.
Expert Workshop on the Right to Privacy in the Digital Age
The expert workshop, organised by the Office of the High Commissioner for Human Rights (OHCHR) on 19‒20 February, focused on the identification of principles, standards, and best practices regarding the promotion and protection of the right to privacy. The two-day discussion comprised six different thematic panels ranging from the existing legal framework regulating the right to privacy to the role of individuals, governments, business enterprises, and private organisations in the processing of data. Both the panellists and the participants stressed repeatedly the importance of focusing on the collective dimension of rights while addressing data protection. The discussion concluded that further guidance is needed to unpack the available legal framework for the protection of privacy. In addition to developing the principles, greater effort is needed to ensure adequate implementation of existing provisions as there is still a lack of adequate legal and procedural guidance at national level. Furthermore, the emergence of powerful data-driven technology brings both opportunities and challenges ‒ especially considering that there is an increasing reliance on extraterritoriality and demand for access to data stored abroad. The protection of children’s rights in the digital space also emerged as a new and important discussion point in the near future.
Roundtable on data partnerships in international organisations
As part of the GIP’s Data Talks series, representatives of international organisations gathered on 22 February to discuss how they could best engage in sustainable partnerships with the private sector to obtain new forms of data that could better inform their activities. The session zoomed in on three case studies of such cooperation between international organisations and the Internet industry, focusing on social media firms Facebook and Twitter, and e-commerce giant Alibaba. While it became clear that these kinds of partnerships need a tailored approach, some common lessons appeared, such as the importance of trust-building between organisations, and the need to set clear objectives, roles, and deliverables from the outset.
US CLOUD Act: Implications and reactions
In the USA, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is proposing to establish a new framework for authorities to access data stored abroad and thus amend the Stored Communications Act (SCA). We look at the salient features of the bill, and its implications.
The draft bill, introduced to the US Congress on 6 February 2018, highlights electronic data held by companies as essential for authorities to investigate crime and prevent threats. Currently, authorities claim they are largely unable to access data stored outside the USA in an effective way; companies are also facing conflicting legal obligations across various jurisdictions. The proposed bill therefore aims ‘to improve law enforcement access to data stored across borders’.
Preservation and disclosure of communications and records
One of the key parts of the proposed bill introduces a new provision in Chapter 121 of the SCA:
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
Chapter 121 regulates how and to what extent a public authority can request US providers to disclose data and communications stored online. The amendment would authorise governmental authorities to force US companies to disclose information, even if held in another country.
If approved, this bill could be seen as an exercise of extraordinary jurisdiction, though remaining consistent with the longstanding notion of state authority to legislate in areas that have domestic effects.
However, the proposed bill would give providers a ‘statutory right’ to challenge warrants or other legal processes and establish international comities that could limit their reach.
Finally, the CLOUD Act would give the right to providers to notify foreign governments when they receive a legal data request from US authorities about one of their nationals/residents, provided that these foreign governments have entered into agreements with the US government.
Support and criticism
Reactions to the bill have been mixed. Among the actors favouring this bill are the tech companies; human rights organisations and NGOs are strongly opposed to it.
Tech companies, including Apple, Facebook, Google, Microsoft, and Oath, signed a letter supporting the bill, stating that it ‘reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data.’
However, the Electronic Frontier Foundation (EFF) argues that the draft bill constitutes ‘a dangerous expansion of police snooping on cross-border data’. In EFF’s view, the bill would provide US law enforcement agencies with access to content about individuals wherever they live or where the information is stored.
The bill would offer to the US President the possibility to enter into ‘executive agreements’ with foreign governments, and thus provide them with data on users regardless of the respective privacy laws of these countries. It would also lead to the failure of Mutual Legal Assistance Treaties (MLATs), systems that would better guarantee data protection.
Other privacy groups such as the Open Technology Institute (OTI) and Access Now also oppose the bill, claiming that sufficient safeguards for privacy, civic liberties, and human rights are lacking.
CLOUD Act in context: the Microsoft Ireland case
The CLOUD Act needs to be understood in the light of past legal cases that have shone a spotlight on the issue of the extraterritorial application of US law.
The dispute in the Microsoft Ireland case emerged when the US Department of Justice issued a warrant requesting Microsoft to hand over the details and content of an e-mail account – related to a suspected drug trafficker – stored in Ireland. Initially, Microsoft refused to comply: since the data and communication requested were located in Microsoft’s Dublin data centre, Microsoft argued that US authorities should have used their legal international channel with Irish authorities in order to obtain these communications. A federal judge initially upheld the warrant, but then the Second Circuit determined ‘that execution of the warrant would constitute an unlawful extraterritorial application of the Act’. The US authorities, however, considered the warrant valid, since it had international reach, and counter-appealed the Second Circuit decision to the Supreme Court.
The decision of the Supreme Court will have profound implications for US laws regarding data requests, and in all likelihood for the CLOUD Act.
CLOUD Act and the GDPR
Though the CLOUD Act and the GDPR are essentially different in their aim and scope, the CLOUD Act may enter into conflict with certain provisions of the GDPR. Experts believe that the GDPR (article 48) addresses foreign – including US – investigations and prohibits the transfer or disclosure of personal data unless pursuant to an MLAT or other international agreement. This example tends to illustrate the seemingly diverging dynamics of Europe and the USA in dealing with privacy and data requests.
The CLOUD Act will likely be the subject of further discussions at national and international levels. It constitutes a strong stance by the US government and also reflects the partial obsolescence of current national legal frameworks and the challenges of international regulations in the digital era.