Mister Chairman, distinguished members of the Committee:

I would like to offer my deep appreciation for the Committee’s interest in this important matter. Congressional engagement is an important factor in deepening understanding of the nexus between global Internet freedom and corporate responsibility, and an essential element for ensuring that the Internet continues on its path towards becoming an ever-greater force for democratic participation and human rights advancement worldwide.

My name is John Palfrey. I teach Internet law at Harvard Law School. My primary research interest is in examining issues related to the Internet and democracy. I am also Executive Director of the Berkman Center for Internet and Society. Of relevance to this hearing, I am a Principal Investigator of the OpenNet Initiative (ONI), a project based at the University of Toronto, the University of Cambridge, the Oxford Internet Institute, and Harvard Law School, that has been conducting research and analysis of Internet censorship, filtering, and surveillance practices worldwide. I submit this testimony along with my colleague, Colin Maclay, Managing Director of the Berkman Center. Together with other great colleagues at Berkman, we have spent over two years on a multi-stakeholder effort—involving companies, non-profits, socially responsible investors, and other academics—to develop principles and associated implementation measures for technology companies seeking to protect and advance privacy and free expression worldwide.

The strides made through this initiative—engaging a range of parties, deepening understanding of the complexity of the issues for each stakeholder, and working towards a viable solution—have been encouraging. I would urge you to support the recommendations generated by this process, in lieu of strong legislation at this time. As this testimony will demonstrate, due to the dynamic nature of the ICT sector and the complexities of the existing regulatory environment, legal regimes cannot adequately address the dilemmas posed by the rise of global filtering, censorship, and surveillance practices worldwide, and are unlikely to be capable of doing so in the near term. Furthermore, the proposals currently being considered could be harmful in the long run, by forcing organizations out of foreign countries altogether or by requiring them to break local laws. At this moment of dynamic change, it would be premature to act now with blunt legislation. Rather, there are several activities which the US government could support and contribute to, such as constructive policy engagement, collaborative learning, multi-stakeholder input and commitment, further technological innovation, and user empowerment, that could have immediate impact not only on our understanding of the landscape, but on our ability to positively contribute to protecting the human rights that are at risk. Furthermore, with practical implementation and global acceptance, the principles that arise from this multi-stakeholder initiative may merit codification by Congress in the relatively near future.

Current State of Affairs and Trends

Since I last testified in February 2006 before the House Subcommittee on Africa, Global Human Rights, and International Operations and the Subcommittee on Asia and the Pacific, and the Congressional Human Rights Caucus, the prevalence of Internet censorship has continued to grow in scope and in depth. Our research through the ONI has identified over two-dozen states actively filtering Internet content, up from a handful five years ago. As access to information and communications technologies (ICTs) increases further, this trend seems likely to continue.

Technological innovations have fueled the expansion of Internet filtering and censorship, enhancing their sophistication and consequently creating troubling implications for human rights. Recent research suggests that several countries are investing in technologies that increase their capacity to target specific web pages, information sources, and applications. Surveillance technologies are likewise advancing, offering states expanded opportunities to eavesdrop on the communications of their citizens. Meanwhile, systems for storing and analyzing data continue to decline in cost, which allow governments to extract new information from existing data originally collected for other purposes.

A related and significant development is the growth of social media (including video and photo-sharing sites such as YouTube and Flickr among others), which significantly amplifies—and further complicates— unresolved tensions concerning content control. As these platforms are combined with other emerging technologies for content analysis, new censorship and privacy concerns will emerge.

Conflicts between differing expectations of privacy, data retention laws and practices, in addition to divergent approaches to traditional telecommunications and Internet communications regulation, give rise to increasingly hard problems. For example, Internet filtering and surveillance involves hardware providers, software providers, and service providers, and US firms are not the only companies offering these products and services. These factors remind us that issues of Internet freedom are part of a much larger policy and technology ecosystem, and require care accordingly.

The Corporate Dilemma

With over a billion people on the Net and about half the world with a mobile phone, more people than ever are using digital technologies and integrating them deeply into their lives and livelihoods. Governments are ever more cognizant of the double-edged sword that technology represents— as both a tool to foster economic growth and competitiveness, and as a potential threat to government sovereignty and power. As governments seek to control information and online activities, private actors, including ICT-related firms, are increasingly called upon to assist in carrying out those efforts.

In our recent book with our ONI partners, Access Denied: The Practice and Policy of Global Internet Filtering, we proposed a taxonomy that describes various types of companies and their involvement in these practices. We identified ICT firms as hardware providers, software providers, online service providers, online publishers, telecommunications providers, and other content providers. Describing them in terms of function, we characterized their activities as direct sales to governments of software and services for filtering online content and for surveillance; direct sales to governments of dual-use technology similar purposes; and offering a service that is subject to censorship, that censors publications, or requires personal information that could be subject to surveillance. Considering these companies functionally is a useful way to examine their activities.

In past hearings, proposed legislation, and the public eye, perhaps the greatest focus has been placed on the activities of the most visible and widely known companies—those in the third category, offering online services. These companies, including Google, Microsoft, and Yahoo!, have shown sustained interest in resisting government demands to assist with censorship and surveillance, and a desire to engage proactively in developing strategies to address the human rights challenges they face. It is important to note that for each of these companies, a core business goal is to provide access to high-quality and secure information and communications services, and that their incentives are thus better aligned with the interests of their users than those of repressive governments.

Within this landscape, it is important not to neglect the companies selling software and hardware directly to governments, as they too form an important layer of the censorship and surveillance ecosystem, and have thus far been relatively silent on these issues. In addition, there are a host of other US businesses that use the Internet to transmit data across borders —from banking and other financial services, technology licensing, news media, and hotel services— each of which may come into contact with government policies on free expression and privacy as they operate in different countries and across jurisdictions. In this testimony, we focus primarily on those who provide online services, because that is where we can lend the greatest insight, precisely because these companies have been willing to jointly explore the obstacles they face.

Conflicting law and dual purpose technologies

Mapping digital technologies onto the governance gaps created by globalization—and identified in the fine work of John Ruggie, our colleague at the Harvard Kennedy School and the UN Special Representative on Business and Human Rights— creates multiple conflicting legal and normative regimes for companies to navigate. Governments may regard companies providing online services to their citizens as similar to their own national media and telecommunications companies—and therefore subject to the same expectations—regardless of the law of the company’s country, its market orientation, or its physical presence in the country. They may expect these companies to adhere to laws and social norms about content parameters (ranging from intellectual property to pornography and national security), and to provide personal information about their users when requested for law enforcement purposes. Some governments have also shown a lack of understanding of how the Internet works—and what is realistically under the control of a company, and what, such as user-generated content, is not.

Companies face a huge challenge as they seek to separate legitimate state requests from those that would require them to abridge human rights. For example, they must discern the difference between claims related to ongoing criminal cases, including kidnapping, terrorist threats, or child pornography, and those that seek to limit fundamental rights by stopping the flow of relevant public information or staunching peaceful political opposition. Thus, a priority must be the creation of effective internal systems, to enable thoughtful assessments of these types of requests, and to ensure that their responses are nuanced and appropriate, protective of the rights of specific citizens in addition to the rights to expression and privacy.

Once a company comes to a decision regarding the legitimacy of the request, it must also consider the consequences of complying or not complying. Acquiescence to illegitimate requests may cause them to jeopardize their social and economic values by abridging core human rights. They may also incur risks such as losses in user confidence, brand identity, profit, and employee satisfaction, as well as the threat of legal (including shareholder) action. However, choosing to push back or initiate legal action can also generate risks. In choosing to resist law enforcement demands, companies may endanger operating licenses and institutional relationships, and more importantly, the potential safety of their employees on the ground. In the case of ill-chosen resistance, the risk can be broader, extending to public safety and beyond.

Public Awareness, Pressure, and Understanding

Public awareness of these issues continues to grow. High profile violations of the rights to expression and privacy, shareholder actions, human rights campaigns, academic analysis, and Congressional interest have kept the pressure on. Companies are increasingly aware that the challenges they face are real and lasting and require a concerted and sustained effort in order to confront them effectively. The value of this rising awareness, however, will be greatest if accompanied by a deep understanding of the issues, so as to create robust and lasting solutions.

The cases that attract public attention are often extreme examples of the challenges ICT companies face. For example, China’s censorship, manipulation, and detention practices are a real and immediate danger. However, associated media coverage does not span the range of issues but instead directs public attention to the problems that are the most straightforward to address. High profile cases are deeply unsettling at best, but they are closer to the sharp and menacing tip of the iceberg rising above the waterline than they are to the substantial and complicated dangers lying below it. The threat to digital expression and privacy is global and extends well beyond what is commonly reported, and the practices of any one state should not dominate our understanding and approach to solutions. We must opt to address the complexities of these issues that lie beyond the public eye, and bring them to light with greater transparency and accurate data. From that understanding, we have a much stronger platform upon which to develop solutions that engage the wide range of stakeholders necessary to affect change.

Constructive Engagement

Despite the substantial human rights challenges that the ICT sector faces, the continued presence and constructive engagement of technology companies in these markets is critical. The tools and services offered by ICT companies bring social, economic, and political value through increased information and communication and through improved business and cross-cultural connections. They also hold great promise for international development. Furthermore, American businesses can influence positively the practice of government and local businesses, bring greater transparency to interactions that are often opaque, and provide a continued platform for informed government-to-government and government-to-individual exchanges. A collaborative approach in which stakeholders create principles for operating in such regimes will, over time, generate opportunities for mutual learning, respectful exchange of views, and more effective solutions.

Conversely, the disengagement of these stakeholders from foreign markets through legislative would likely not improve the situation. Competitors to the US companies are on the rise, and placing limitations on the engagement of US firms in these markets runs a very real risk of simply handing them to other companies who may be less open to constructive influence and may have a lower commitment to human rights. Thus, rather than focusing on limiting opportunities for US corporate activities, it is important to address challenges to privacy and free expression so as to have a positive and sustained global impact on the behavior of companies based both in the US and around the world, as well as having a positive impact on the regulatory environment in which these companies operate overseas.

In an industry in which rapid change, innovation and evolution dictate that these dilemmas will remain a moving target, and subject to shifting technologies, business models, regulations and politics, the creation of an adaptive platform is essential. These multi-faceted scenarios suggest the wisdom of establishing a collaborative forum for multiple stakeholders— including government, nonprofit, academics, and business— to come together for learning, coordinated action, increased transparency, innovation, and enhanced channels of communication, to promote a nuanced understanding that will benefit all stakeholders. This process has been started, and would benefit from broad support.

Recommendations on a Starting Point

Over the past two years, in partnership with the Center for Democracy and Technology and Business for Social Responsibility, in addition to other academic institutions, human rights groups, socially-responsible investors, and leading ICT firms, the Berkman Center has been involved in a collaborative initiative designed to identify solutions to the problems related to freedom of expression and privacy online.

As the Committee recognizes, these matters are complex. After two years of deliberation and study, we understand more clearly the nuances and complexities of the issues. However, we are still far from defining solutions to these growing challenges. Furthermore, we believe that legislative action now that would prescribe what US companies can and can not do overseas would be premature and potentially damaging to the long-term objective of promoting greater freedom online.

This process represents a promising way forward, one that we believe will ultimately inform legislation and serve as a productive means of interaction with government. It calls on companies to develop a dynamic principles-based approach to ensuring that they operate ethically, consistently, and strategically (for human rights advancement) in these charged contexts, with an emphasis on strong internal rights-focused processes that are supported and informed by group collaboration. While the Principles, Implementation Guidelines and governance structure are as yet not finalized, we expect that agreement and initiation of collaboration will take place in fall 2008.

It is important that any legislation not be tailored so broadly as to attempt to confront every issue and actor with one set of rules, but neither should the law address one set of issues and ignore the others. A better approach is to promote the learning and deeper understanding that would lay the foundation for future legislation, ideally in conjunction with the aforementioned Principles process.

If the Principles that are currently being developed in the context of the multi-stakeholder process are implemented, grow in stability, and gain acceptance, they will be a good basis for future legislation to codify and bolster the norms that emerge.

We offer the following for your consideration, many of which have emerged from the Principles initiative:

1. Support Research, Learning and Awareness

Contribute knowledge and resources to improve understanding of online censorship, filtering, and surveillance practices. Facilitate the preparation of annual human rights reports that include assessments of the risks to freedom of expression and privacy with respect to ICT. Fund research into relevant legal regimes, events, and trends in Internet freedom, and make the results publicly accessible.

2. Create Alternative Paths

Fund and promote the development and dissemination of innovative technologies that promote Internet freedom. Contribute to education and awareness regarding online security.

Explore options for structured cooperation with foreign law enforcement by creating or adhering to a recognized, standardized and streamlined process for legitimate requests for information from US companies, such that companies have guidance on the appropriate course of action, and pressure on companies to physically locate data in certain jurisdictions is mitigated.

3. Build Partnerships and Enhance Coordination

Create regular opportunities for open exchange between the ICT sector, human rights organizations, academic researchers, and the US government. Consistently and strategically raise concerns about surveillance and censorship in appropriate international bi- and multi-lateral fora.

4. Create Incentives

The current multi-stakeholder initiative is a promising near-term approach to understanding and addressing the challenges faced by US companies providing services internationally via the Internet. The US government can best assist this effort by providing incentives to cooperate with this multi-stakeholder effort, and should avoid legal restrictions or penalties that could discourage cooperation.

Promote the compilation and sharing of information. Facilitate the sharing of information by companies on threats to free expression and privacy. Assist companies in tracking threats to free expression and privacy.

Recognize and reward legal, practical, organizational and technical progress on these issues by countries, companies and other innovators.

5. Lead the Way

The US government can help to facilitate change in policy regimes worldwide by closely examining our own regime and then sharing resources with other countries willing to follow our lead.

Identify and address inconsistencies in US policy including privacy, data retention, surveillance, anonymity and speech, recognizing that a holistic US policy framework informs related approaches in other nations.

Assist countries in clarifying and improving their policy regimes with respect to ICT generally, and privacy and expression specifically.

6. Foster Transparency

In order to address fully the challenges in this sphere, we should encourage companies to be more transparent about the impact of their policies and practices on rights of privacy and freedom of expression. There are a number of ways that these companies can make their actions more transparent to users, more protective of civil liberties, and more accountable to all of us.

Encourage US companies to inform users about content restrictions or threats to privacy in a clear and timely manner, recognizing legal restrictions.

7. Codify the Principles

To extent that the multi-stakeholder Principles initiative leads to a workable solution, the US Congress should consider legislating this approach over time, much as Congress did with regard to the Sullivan Principles.

Conclusion

The Internet has the capacity to foster active and participatory democracies around the world, and to advance and protect the human rights of expression and privacy. The rise of filtering, censorship, and surveillance practices worldwide has profound implications for the global development, proliferation and health of democratic values—such as privacy, access to information, participation, freedom of expression, and other human rights. Because the Internet is a truly global network that shows no sign of slowing down, the ramifications of restrictions within the online space should be of paramount concern to US policy-makers, and should inform their relationships and negotiations with governments worldwide. We support Congress’ laudable effort to improve understanding of these important and timely issues.

There are significant challenges and complex ethical dilemmas across this landscape for corporations, governments, and users. At this relatively early stage of our understanding, any legislative approach should support adaptive, realistic, and engagement-oriented efforts by companies operating in these contexts. We must buttress this legislative approach with increased knowledge, communication, study, and coordination to help turn back threats to human rights. Ultimately, while the measures we and others have offered will hopefully increase Internet freedom, the only truly reliable way to reduce excessive filtering and inappropriate surveillance is via a change of policy within the countries where this occurs.

Written testimony of John Palfrey with Colin Maclay, May 20, 2008, to the US Congress.