Can they hear me now? (On ICT regulations, governments, and transparency)

By: Helmi Noman on 24 February 2009
Posted in Egypt, Middle East and North Africa (MENA), Legislation, Arrests and legal action, Human rights, Surveillance, Privacy, Data retention

On February 11, Vodafone's global head of content standards, Annie Mullins, revealed that Vodafone handed over communications data to the Egyptian authorities in response to government demands. This data may have been used to help identify rioters who were protesting over bread crisis.

Food riots erupted in the Egyptian town Mahalla el-Kubra in April 2008. Some of the protesters tore down a giant poster of Hosni Mubarak, the Egyptian president during the riots and shouted anti-government slogans. During the demonstrations, many protesters carried cell phones, using them to call friends and send text messages. In December, twenty-two people were convicted in connection with the food riots.

It is not particularly surprising either that Egyptian authorities demanded the data or that Vodaphone turned it over. Perhaps of greater note is the fact that Vodaphone representatives have spoken so openly about turning over data in the aftermath of the riots.

This revelation highlights a number of interesting issues:

Cell phones and other digital tools are thought by many to be ‘liberation technologies’ when used to organize protests and support opposition movements. While they have been effective in this role, they also provide a digital record for governments to explore. A prime example is the supposed use of Flickr photos by Burmese government to identify anti-government protesters there.

Government surveillance, for good or for bad, generally consists of authorities requesting data from private companies, the same data that companies retain for commercial reasons.

Vodaphone’s Mullins warned about the danger of technology industry regulation being used by governments for other purposes. "Regulation can be a Trojan horse", she said. The view that regulation designed for one purpose might be repurposed to another less worthy purpose is reasonable, but this seems off target in cases such as these. The basic fact of the matter is that governments around the world will gain access to private data when they suspect wrongdoing – as long as the data is still there.

There are of course great differences across the world in the definition of what constitutes a crime. But where governments draw the line between illegality and permissible actions is a separate issue from the procedures and processes of data acquisition. The differences across the globe in process, such as the rigor of the legal processes that are necessary before gathering data and the level of oversight and transparency, are smaller. The absence of regulation provides no safeguard against inappropriate or excessive data acquisition by governments. Governments that are not tolerant of dissenting views and political opposition or intend on snooping on their citizens are going to have their way with private companies regardless of the regulatory framework. There are few reliable safeguards: private companies can destroy the data (which constitute a company asset), government can require companies to destroy the data (and thereby tying their own hands), or users can encrypt communications (where possible). Yes, excessive regulation could lower the bar on government data requests and require too much data retention. Just this week, US politicians called for a new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.

Regulation could also force companies to destroy data.

While it is not clear whether the data submitted by Vodafone led to arrests of rioters, cell phone and Internet users should be familiar by now with the notion that governments will have access to their data if they are suspected of crimes and in some places of anti-government activities. It is unfortunate that such incidents as this, often decided in the throes of a crisis, define the boundaries of relationships between companies and governments, and hence risks to their customers.

If ICT companies have no option but to give in to government requests for data, even if these requests are of dubious merit, then the least the public might expect is greater accountability and transparency from their service provider. Should we expect companies to give clear and timely information when users’ privacy and freedom of speech have been jeopardized, especially if this is due to government restrictions which may conflict with the internationally recognized human rights of freedom of expression and privacy?