Burn After Reading

Senator Tom Udall (D-NM) captured the essence of the dilemma when he said, “It’s very, very difficult, I think, for us to have a transparent debate about secret programs approved by a secret court issuing secret court orders based on secret interpretations of the law.” Yet there is no choice but to push forward. Even investors motivated solely by profit are certainly thinking about the fact that U.S. cloud data storage providers could lose as much as $180 billion globally as companies shift to foreign competitors to avoid the prying eyes of the National Security Agency.

Plan A in the socially responsible investor’s toolkit usually calls for dialogue with corporations. If dialogue proves unproductive, shareholder proposals can be helpful in getting corporations to be more transparent about their impacts on society. But companies involved in government surveillance may not wish to be —or cannot be — as honest or candid with us as they are on other issues.

This uncertainty is deeply unsatisfying, and yet Plan B — divesting of these stocks wholesale – would be a mistake at this point in history. While the governance of the Internet is still actively evolving, stakeholders such as investors, civil society groups, academics, and customers are exercising influence over developing norms, standards, and regulations, and they must continue to do so.

It’s Complicated

Continued engagement is the route advocated by journalist-turned-activist Rebecca MacKinnon in Consent of the Networked: The Worldwide Struggle for Internet Freedom (Basic Books, 2012). Written for a general audience, it is a nuanced exploration of the struggle for control of the Internet by groups she dubs “digital sovereigns”: governments, civil society, and companies in the information technology and communications (ITC) sector. MacKinnon says that “right now our social contract with the digital sovereigns is at a primitive, Hobbesian, royalist level” in which we trade the meeting of our basic cyber needs to corporate “sovereigns” who, if we are lucky, do no evil. “It is time to upgrade the social contract over the governance of our digital lives to a Lockean level” that better reflects “the consent of the networked,” she says.

In exploring how we got here, MacKinnon argues that ITC companies’ conception of their obligations is pretty dismal on the whole. “[M]ost Internet-related companies have failed to apply the concept of pubic trust, sustainability, or shared value to the digital public spheres they are responsible for creating, shaping, and governing.”  Yet a determined movement to dethrone corporations as sovereigns of the Internet can take credit for some successful pushback. Positive developments described by MacKinnon:

  • Google’s decision to discontinue its Chinese search engine
  • Yahoo’s decision to base its Vietnamese-language operations outside the country, to avoid complicity in the likely persecution of political bloggers
  • Facebook’s improvements to encryption and security settings and to its appeals process for users deactivated for using pseudonyms (a vital tactic for political activists under repressive regimes)
  • Twitter’s successful legal fight to unseal a court order demanding account information for individuals associated with WikiLeaks
  • Consent of the Networked was published before the Snowden disclosures. More recently, Google, Mozilla, Twitter, Facebook, and Yahoo have undertaken what a recent New York Times article calls a “digital arms race” with the NSA to prevent the agency’s spying upon their data.

Don’t Seethe, Organize 

Two organizations have emerged in which investors play a prominent role by design. Open Mic was launched in 2006 to empower shareholder activists to hold ITC companies accountable on issues related to Internet access, freedom of expression, and privacy. It has begun weighing in on surveillance issues this fall with shareholder proposals at AT&T and Verizon that call for them to report publicly on requests for information received by the U.S. and foreign governments, as do Facebook, Microsoft, Twitter, and Google (see below).

Shareholders are also a key constituency of the Global Network Initiative (GNI), launched in 2008 by Google, Microsoft, and Yahoo. Members pledge to a set of principles on privacy and freedom of expression rooted in international human rights standards. The GNI’s goal is to “provide guidance to the ITC industry and its stakeholders on how to protect and advance the human rights of freedom of expression and privacy when faced with pressures from governments to take actions that infringe upon these rights.”  GNI’s 2012 annual report contains brief profiles of the companies’ efforts to implement their commitments. The organization is also developing an auditing methodology that will be used by independent third-party assessors whose analyses will be publicly available.

For a young, small organization working on one of the most challenging issues of our time, GNI has a modest track record and much potential. Yet we at Clean Yield are concerned that its core ITC members remain a small group – still missing in action are Twitter, IBM, Cisco, Apple, Verizon, AT&T, and Oracle, for starters. But far more problematic is the fact that pillar companies within GNI have been revealed to be embedded in the government’s outsized security apparatus. For this reason, Electronic Frontier Foundation (EFF), one of the premier organizations championing the privacy rights of Internet users, withdrew its GNI membership in October, citing a “fundamental breakdown in confidence that the group’s corporate members are able to speak freely about their own internal privacy and security systems in the wake of the National Security Agency (NSA) surveillance revelations.” The group also expressed a lack of confidence in the audit process. EFF pledged to continue to provide guidance to GNI, which it says “can still serve an important role as a collaborative project between human rights groups, companies, investors, and academics.”

I asked Jillian York, EFF’s director for international freedom of expression, how GNI’s non-ITC members (which include socially responsible investors) can move forward in collaboration knowing that their corporate partners are so very compromised. “I would love to see investors take a principled stance when companies don’t fulfill their GNI obligations or otherwise violate human rights principles,” she replied.

Both GNI and EFF support legislation to bring greater transparency to the Foreign Intelligence Surveillance Act (FISA) court, which oversees requests for surveillance warrants against suspected foreign intelligence agents by federal law enforcement agencies; they also support the creation of a special advocate to champion the civil liberties of the suspects.

Additionally, Microsoft, Google, Facebook, and Twitter, as well as Sonic.Net, SpiderOakDropBox and LinkedIn, publicly disclose data on global law enforcement requests concerning criminal activity as well as national security. The companies’ policies vary as to when they will hand over requested data. Google’s website states that it will “sometimes” voluntarily disclose user information to the government to prevent imminent danger to someone; Facebook and Twitter are silent on the question of voluntary disclosure. Microsoft draws a harder line, stating that it provides customer data only when compelled to by a legally binding order or subpoena and never voluntarily. “We want to ensure that governments use legal process rather than technological brute force to obtain customer data — it’s as simple as that,” Microsoft’s general counsel told the New York Times.

So what do these company transparency reports actually tell us? Each states the number of data requests received from U.S. and foreign law enforcement agencies, the number of user accounts implicated, and the percentage of instances in which the company has complied at least partially with a data request. For all but the most engaged advocates for Internet privacy, however, the information may provide a sense of scale, but nothing that is especially empowering. For example, perusing these reports, one picks up that

Microsoft and Google each received requests for information from U.S. agencies on 20,000–25,000 accounts in 2012; Facebook faced that many requests in the first half of 2013 alone. Twitter received just over 1,300. It may say something about the nature of Twitter that not even law enforcement agencies seem to care what criminals and terrorists are tweeting.

Most of the time, companies comply at least partially with the data requests — 65% of the time for Microsoft, 88% of the time for Facebook.

U.S. agencies’ requests swamp those of other governments. How much? In 2012, Google received five times the number of data requests from the U.S. than it did from the next nosiest national inquirer, India. Next in line were Germany, Britain, and France, followed by Brazil, Italy, and South Korea.

Clearly this data is transparent only to those with an in-depth knowledge of national legal infrastructures, and even then, it is insufficient. EFF’s York said she would like to see these reports also state the nature of each company’s legal obligations in each country, where they keep in-country offices, and where they may have no legal obligations at all. (For more-detailed analyses of company law enforcement agency reports, see the Electronic Frontier Foundation’s blog.)

Watch This Space

Clean Yield is actively monitoring developments in this area, with an eye toward engaging selected ITC companies held in client portfolios. In June, we signed on to an open letter from investors organized by Open Mic that urged companies to increase transparency, fight to protect consumer privacy, and implement strong privacy rights management. We look forward to further collaborations with other concerned investors. We also look forward to the fruits of a project headed up by Rebecca MacKinnon (Ranking Digital Rights) that is developing a methodology to assess, compare, and ultimately rank ITC companies on their policies and practices related to free expression and privacy.

Terrorism and criminal behavior are real, and they cannot be fought without discretion and some amount of secrecy. But the slide toward an all-knowing, all-seeing, ever-snooping Internet, whether controlled by commercial or state actors, must be resisted before the solution becomes worse than the problem.