Global Online Freedom Act: How Do We Stop "Illegitimate" Law Enforcement?

Congress is considering new legislation to prevent US companies from assisting the censorship and surveillance regimes of so-called Internet-Restricting Countries (IRCs): China, Iran, and so forth. On balance, the Global Online Freedom Act would probably help companies make smarter decisions about blocking and monitoring its customers, and at the very least would provide some valuable data on just what is being blocked and monitored. Yet the bill has some serious flaws which would not help the cause of Internet freedom, and would probably hurt it. You can read about Sec. 201, which would force companies to relocate servers out of IRCs, on Jonathan Zittrain's blog. This post focuses on Sec. 202, which would prevent companies from giving customers' personal information to governments for purposes the Department of Justice did not deem "legitimate." (Just what is an "illegitimate" government purpose? It's hard to say, though the bill states that any effort for "control, suppression, or punishment of peaceful expression of political or religious opinion" would fall under that category)

US companies ought not to violate fundamental human rights, and to the extent that Sec. 202 prevents them from doing so, that is a good thing. But under Sec. 202, any company that complied with an illegitimate request - say, by handing over the emails of a Chinese journalist - would face hundreds of thousands of dollars in civil liabilities, and the officials within the company would face up to five years in prison. The trouble is, if a company refused to comply with an illegitimate request, it might face similar liabilities from the IRC. Put in such a bind, a US company might simply opt out of doing business in an IRC and be replaced by a less scrupulous indigenous company.

If we want to prevent IRCs from making illegitimate requests, rather than just prevent US companies from assisting them, we need to do more. Here are three suggestions:

  1. Make surveillance costly: by making Internet privacy a formal consideration point in trade deals and foreign aid pacts with the US government, IRCs may find it unattractive to persist in their surveillance regimes. And by making Internet openness a formal consideration in international trade dispute mechanisms, companies within IRCs might find it appealing to pressure their governments to reform.
  2. Make surveillance illegitimate: By setting an example of freedom and innovation around the world, the US can show that openness and prosperity go hand-in-hand. Therefore the US ought to re-examine its own censorship and surveillance policies before trying to reform the policies of others.
  3. Make surveillance useless: By giving citizens access to technologies like Tor and Anonymizer, the US can make it impossible for governments to track political, religious, and personal communication. In this way, IRCs can continue to request private consumer information from US companies, but the companies simply won't have anything to give.

But don't let all this criticism overwhelm: GOFA is, on balance, a good bill. But as I have written elsewhere, it alone cannot make the Internet more free: it needs smart users and responsible companies to help.