© REUTERS/Sergei Karpukhin

In late July, President Vladimir Putin signed law 276-FZ , which amended the federal law “on information, information technologies, and information protection.” With a stoke of his pen, he tightened the net of censorship in Russia even further. The law bans anonymous messaging applications and the use of virtual private networks (VPNs), both of which are used to communicate and browse the internet free from government snooping. While wildly popular with young Russians, one such encrypted messenger was reportedly used by the perpetrators of April’s terrorist attack in St. Petersburg – and the Telegram app’s founder, Pavel Durov, has been locked in a power struggle with authorities, having refused to provide them with backdoor access to the app’s databases.

There are therefore legitimate concerns over the role such technology plays in terrorist attacks. On the other hand, the timing and nature of Law 276 indicates a purpose beyond making life difficult for potential terrorists. In recent months, independent media outlets have also come under increased pressure: at the popular Vedomosti daily, a new editor-in-chief has been brought in from state-run TV, while the Moscow Times has also experienced editorial reshuffles. Such crackdowns had been relatively infrequent in the months prior, making these two all the more unusual.

It would be naive to assume that these events are not linked. The government is facing a level of domestic unrest not seen since the 2011 protests at Bolotnaya Square. Populist firebrand Alexei Navalny is mounting a ferocious political campaign on an anti-corruption platform, organizing several marches throughout the country, and anti-regime bloggers have become so prominent that they are being doused with fluorescent antiseptic by pro-regime activists as a method of public intimidation.

In light of this, two explanations exist for the introduction of this law. The most obvious is that the Kremlin has realized the need to re-assert its grip on the information sphere. From this perspective, Law 276 should be interpreted simply as updating the Kremlin’s legal toolkit. Packing editorial boards with cronies helps to control the narrative in print media, but there are few such boards in the deep web; the tech sector has inserted itself into the media and communication sphere, rendering almost useless the state’s previous playbook for controlling public narratives. Just as the SORM initiative was introduced as the internet exploded in popularity in the 1990s, Law 276 represents a riposte to the advance of technology in the late 2010s.

Russia is far from alone in fighting against encrypted messaging – the pitched battle between WhatsApp and US law enforcement is evidence of this. Yet intelligence services are – or should be – loath to conduct their business in the open. If the FSB or CIA can access these ostensibly secure services, the public would surely not be informed; in any case, introducing new legal tools will not help the state to crack encryption.

A Political Signal

When viewed in the context of the boardroom-level struggles of recent months, it becomes clear that the Kremlin is not seeking to improve its snooping capability. Rather, the explanation lies in its desire to send a political signal. If existing ways of browsing anonymously are banned, it will surely not be long before new tools are invented. A truly determined terrorist will simply turn off his or her phone to avoid being tracked. On the other hand, a curious young Russian may not want to break the law simply to understand why Putin has a $1 million watch. The Russian public will appreciate seeing the state taking apparently concrete steps to combat terrorism. Meanwhile, protest movements – often organized through Telegram and similar apps – will now become harder to convene, with their leaders facing prosecution even before taking to a stage.

This tells us two things. First, the state is getting increasingly worried about Navalny and his ilk. Anonymous messaging and browsing existed long before the horrific attack on St. Petersburg’s underground, and limiting them will be ineffectual in preventing further violence. This law, then, is a reaction to the increasingly vocal political unrest. Introducing new legislation is a relatively cost-effective way of discouraging Russians from engaging in investigative journalism at home. Such a tactic is also politically savvy, signaling to domestic audiences that the government is tough on crime and terrorism.

Second, the Kremlin has made it clear that it is not giving up on the fight against encryption just yet. Even as it appears increasingly difficult to entirely ring-fence political opposition and limit their influence on mainstream Russian narratives, the pitched battle continues between a privacy-obsessed tech sector and a state which abhors being in the dark about its citizens’ browsing habits. For those who want anonymity online – terrorists and dissidents alike – Putin has a message for you: you’re being watched.

The post Fahrenheit 276 appeared first on Berlin Policy Journal - Blog.

© REUTERS/Stringer

Two recent high-level meetings illustrate a worrisome divergence in cyberspace policy. The first, the April meeting of G7 information and communications technology (ICT) ministers in Takamatsu, Japan, resulted in a joint declaration, reaffirming among other points, the principles of the free flow of information, privacy, data protection, and the promotion of cybersecurity. The joint communique read: “We continue to support ICT policies that preserve the global nature of the Internet, promote the flow of information across borders…We oppose data localization requirements that are unjustifiable taking into account legitimate public policy objectives.”

Just a few days earlier in Moscow, top Chinese and Russian ICT officials met to inaugurate the bilateral “Cyberspace Development and Security Forum.” The Russian and Chinese officials promoted the concepts of information control and “cyber sovereignty,” and agreed that they could not rely on the technologies of transnational IT firms.

In other words, the G7 group’s positions on cyberspace on the one hand and those of China and Russia on the other hand remain firmly at odds. But what does this contested political framework actually mean for Western businesses and organizations operating in China?

Fixed Game

Talking cyberspace and China, multiple interconnected issues come into play – national security, commercial interests, and domestic censorship. Those are coupled with an ever-changing, often opaque regulatory framework, whose latest additions include the new Cybersecurity Law that went into effect on January 1, 2016, and additional new rules regarding online publishing by foreign companies introduced earlier this year.

In a nutshell, these new laws require foreign companies to assist the Chinese authorities in decrypting user data, ostensibly to fight terrorism, and make it illegal for them to publish a wide range of content online unless they team up with a local company and obtain government approval. While Beijing argues that these laws are necessary for reasons of domestic stability and national security, they also serve as a powerful protectionist weapon to support China’s own tech sector.

These new cyber laws fit in neatly with Beijing’s overall grand strategy, one geared toward becoming a major power on par with the United States. The pillars of this strategy include the Chinese Communist Party retaining absolute political power, enhancing and restructuring the People’s Liberation Army (modeled on the US military), and tightening domestic information control. Additionally, a key Chinese objective is to achieve technological independence from foreign companies. This approach was highlighted again by President Xi Jinping in a speech given at the Work Conference for Cybersecurity and Informatization in mid-April when he stressed that “The fact that core technology is controlled by others is our greatest hidden danger.”

While China is unlikely to achieve parity with the US in terms of military technology any time soon, Beijing has done a rather efficient job sheltering the Chinese commercial IT sector. Major international players such as Google, Twitter, YouTube, and Facebook remain partially or entirely blocked in mainland China, and domestic platforms such as WeChat have become highly successful and, technologically speaking, increasingly sophisticated.

It is true that Beijing dropped a few particularly strict provisions from the Cybersecurity Law at the behest of Washington – provisions requiring international companies to keep the data of Chinese netizens on servers physically located inside China, and to provide the Chinese authorities with back-door access to their systems. But it re-introduced these concepts at the “Cyberspace Development and Security Forum” in Moscow. Other measures in the same vein include proposed revisions to China’s domain name management law that call for the domains of websites hosted in China to be filed with a Chinese registrar. These proposed provisions again drew criticism from the US government.

Pushing for “Digital Sovereignty”

It is likely that Beijing will continue to pursue its dual goal of complete information control at home and technological independence by further promoting a breaking up of the internet and the creation of national borders in cyberspace. Experts have referred to this as the “balkanization” of the internet, and have warned of a new legal arms race that could have profound impact on the future of the web. Data localization measures such as the ones introduced by Beijing are a central force behind this alarming push for “digital sovereignty.” Spearheaded by China and supported by illiberal regimes such as Russia, Cuba, and Saudi Arabia, these policies restrict the free flow of data, hamper innovation, and threaten the transnational architecture of the internet.

At the same time, it remains to be seen how the new Chinese laws will actually be implemented. One has to suspect that the ambiguity in some of the language of the Cybersecurity Law and the online publishing regulations is actually intentional. As is customary in Chinese political and business culture, vagueness provides officials and executives with room to maneuver. It seems reasonable to assume that the Chinese authorities will give Western businesses as much space in the Chinese market as is necessary to gain access to valuable technologies and satisfy consumer demand for foreign brands. However, once there is nothing to gain – or even worse, much to lose (e.g. control of the digital media) – Western companies may get blocked from the market.

Ultimately, Western businesses have to get used to the idea of (at least partly) operating in a grey zone, which, of course, makes them vulnerable to attack. Even though they often have the option of teaming up with a local partner – as explicitly mentioned in the online publishing regulations – this is by no means a guarantee of smooth sailing either. Such arrangements do not prevent the authorities from investigating Western companies for alleged violations (e.g. Microsoft), or the partnerships with Chinese firms turning sour.

And, at least in the short term, there is a limit to the diplomat pressure the West can exert in this area. The repeal of the “safe harbor” agreement last fall showed that there are considerable differences between European and American officials on issues of privacy and data protection, and it is unclear if a new data transfer agreement will be approved by the EU member states. The Snowden revelations also gave China a powerful tool to discredit Washington’s conduct in cyberspace, and enabled Beijing to promote its own version of a “safe” and controllable “harbor.”

While Washington may indeed have lost the moral high ground, the other members of the G7 should still do their utmost to mend fences, reach a new data transfer agreement, and demonstrate unity. More broadly speaking, when it comes to internet governance, the G7 should continue pushing for a multi-stakeholder model based on international cooperation with the objective of formulating a new, transnational legal framework. A pragmatic approach to this admittedly daunting challenge would be to focus on somewhat less controversial cyber norms first, and to win the clear support of countries like India and Brazil.

In any case, it is a battle worth fighting: the G7 should not capitulate to China and let Beijing’s vision of a fractured internet become an acceptable model.

The post Controlled Harbor appeared first on Berlin Policy Journal - Blog.

(c) REUTERS/Herwig Prammer

The EU’s Charter of Fundamental Rights is a quick and enlightening read. In 53 articles over 14 well-spaced pages, the document lists rights from the inviolability of human dignity to bans on torture and slavery, taking watertight positions on big issues that are non-negotiable for EU member states.

Imagine for a minute, then, the uproar if the European Commission admitted they were unable to guarantee the ban on torture. Imagine the scandal if the Brussels-based EU executive admitted it couldn’t protect EU citizens from slavery – and this before the European Court of Justice (ECJ), the EU’s highest court.

The European Commission admitted they were unable to guarantee a fundamental right this week: not preventing torture or slavery but guarding EU citizens’ privacy. Article 8 of the charter states that “everyone has the right to the protection of personal data concerning him or her” and that compliance with this “shall be subject to control by an independent authority.”
 But what happens if you think your data is not protected, your personal information is no longer private, and the European authorities are not doing anything about it?

This was why Austrian privacy campaigner Max Schrems lodged a complaint about Facebook to the Data Protection Commissioner (DPC) in Ireland, where the social network’s international operations are based. Schrems had heard US whistleblower Edward Snowden’s claim that the National Security Agency (NSA) had leaned on Facebook and other US tech companies to pass on, directly or indirectly, their user data to its PRISM program. Their digital dragnet, Schrems believed, contradicted his right to privacy.

The Irish DPC dismissed his complaint, saying it was not responsible for such data transfers. They are the business of the European Commission, the DPC said, and its Safe Harbor provisions. That is the name given to 15-year-old rules allowing US companies to collect user data inside the bloc and export it to the US once they meet “adequate” protection requirements.

Around 2000 such arrangements have been reached between the EU and companies in other countries, such as New Zealand, but it is primarily American firms taking advantage of this data express lane. For years privacy campaigners have complained that this harbor isn’t safe at all, and Snowden’s claims just confirmed their suspicions.

Washington has never confirmed or denied the NSA PRISM program, though since 9/11 it has stepped up collection of all data it believes necessary in its so-called “war on terror.” 
Unlike the EU, the US has no defined privacy laws and any external agreements are subservient to US domestic law. Thus Safe Harbor provisions have no legal standing in the US, with both government officials and private companies viewing them merely as best-practice aspirations.

So how can the Commission ensure that Safe Harbor provisions are being honored? The simple answer: it cannot.

The Schrems Facebook complaint dismissed by the Irish DPC was referred to the Irish High Court, which in turn referred questions on Safe Harbor to Luxembourg’s ECJ. It was here a week ago Tuesday that judges asked probing questions about the fundamental right of all EU citizens to privacy in the era of Facebook, the NSA, and PRISM.

“Let’s imagine I am on Facebook and I decide my rights have been breached,” said Advocate General Yves Bot. “If I don’t see the [European] Commission taking action, what recourse do I have open to me?”

After some hemming and hawing, European Commission counsel Bernhard Schima said, “You might consider closing your Facebook account and revoking your consent.”

Judge Bot replied drily, “I anticipated that problem by never opening a Facebook account.”

It was a telling moment, a declaration of bankruptcy in the European Commission’s ability to defend a fundamental right of EU citizens. 
For many EU countries who addressed the court, the problem with Safe Harbor is that it lacks legal teeth. 
“It could be said that Safe Harbor is not a safe harbor for the data of EU citizens, but a safe harbor for pirates,” said Gerhard Kunnert, counsel for Austria.

The European Commission is in a bind. On the one hand it is obliged to defend the fundamental rights of EU citizens. On the other hand, it fears Washington’s wrath.

The US is already wary of an overhaul of EU data rules under discussion in Brussels, fearing they will put the brake on tech giants like Google and Facebook. The European Commission knows this and so, where once it was critical of US attitudes toward Safe Harbor, Brussels is now more cautious. Officials admit there are problems with the provision but pleaded with the ECJ for time to remedy the situation. But given that talks began in 2013 with end date and outcome still unknown, ECJ judges appeared to take a dim view of this request.

Senior Commission officials fear most that the ECJ will strike down Safe Harbor and that Washington, fearing complications for their tech giants, will pull out of TTIP talks.

When the ECJ judges will deliver their verdict on June 24 it could be a defining moment for European privacy in the 21st century and the uneasy tug-of-war between free trade and fundamental rights.

The post The End of Offshore Data? appeared first on Berlin Policy Journal - Blog.