Over the past decade, and particularly in the past year, media and civil society have had success through naming and shaming companies acting as “repression’s little helper”: U.S. and E.U. companies who have helped authoritarian countries censor the Internet and surveil their citizens with sophisticated technology. Today, EFF published a whitepaper outlining our suggestions for how companies selling surveillance and filtering technologies can avoid assisting repressive regimes. 

In that vein, the newly-amended Global Online Freedom Act (GOFA), just passed by a House Sub-Committee, while far from perfect, is an important step toward protecting human rights and free expression online.  

This is not the first time that GOFA has been proposed, nor is it even the first time the bill has been approved by the House sub-committee; a 2007 version, which literally named the countries to which filtering technology would be restricted (Belarus, Cuba, Ethiopia, Iran, Laos, North Korea, the People’s Republic of China, Tunisia, and Vietnam), was also approved by the House but never came to the floor for a vote.

In the past, EFF has had extreme reservations about GOFA in part because it sought to add more items to the U.S. export restrictions, which could easily mean that activists and people seeking to secure their own networks would lose out more than repressive governments. But in many respects, GOFA has come a long way, thanks in large part to the efforts of its authors in seeking feedback from the tech community and civil society.  The bill still needs more definitions and clearer definitions of key terms, and we are not yet ready to support it, but we'll be watching it closely. The current version of GOFA would:

  1. Require government assessments of “ freedom of expression with respect to electronic information in each foreign country.”
  2. Require disclosure from companies about their human rights practices, to be evaluated by an independent third party.
  3. Limit the export of technologies that “serve the primary purpose of” facilitating government surveillance or censorship to governments in countries designated as “Internet-restricting.”

But let’s take a deeper look…

Transparency

The bill contains a number of excellent measures that would ultimately encourage more transparency amongst software and hardware companies, as well as online service providers.  The companies involved have been notoriously secretive and have often refused comment to reporters when their products have been found in authoritarian regimes.

Section 103 of the bill would require that the human rights reports already written for each country by the State Department include assessments of country’s Internet freedom, including the availability of Internet access, and government attempts to filter or censor nonviolent, political, or religious expression. Section 103 would also require assessments about the extent to which authorities in a given country have sought information on an individual or group relevant to their nonviolent activities, as well as the electronic surveillance practices of a given country. 
These assessments--undertaken by US diplomatic personnel--would also include the input of human rights organizations, technology and Internet companies, and other “appropriate nongovernmental organizations.”  The inclusion of NGOs is an important addition, since we are concerned that the State Department process could be vulnerable to politicization.  Because of this, we'd like to see the role of non-governmental organizations increase as the bill develops further. Additionally, since the most robust research on Internet censorship and surveillance has come from the academic community and independent researchers, these must be added too.

Importantly, the bill should also be extended to require transparency from all companies providing tools and services that can be used for surveillance and censorship, and not just companies providing Internet communications services. Transparency from technology vendors and providers of other services is as important as transparency from Internet service providers.  In fact, the transparency sections also can and should reach a broader range of technologies and companies than the export restrictions, which should remain narrow if they are to exist at all.  As a result, we recommend decoupling the transparency and export restrictions.

Human Rights Standards for Companies
We also commend Sec. 201, which sets up a good framework for human rights due dillgence procedures for companies operating “in any Internet-restricting country” (a designation upon which we will comment below). It requires reports that must be approved by the most senior level of a company, and independently assessed by a third party. These reports would be made either to the Securities Exchange Commission or to a multi-stakeholder initiative that conducts independent third-party audits.  Unfortunately, only the SEC reports are to be made publicly available online (with an exception for classified information). This should be fixed, but otherwise, the human rights due diligence standards are similar to those in the Human Rights and Technology Sales standards EFF has published today.

All of the aforementioned reports are to be constructed on the basis of Article 19 of the International Covenant on Civil and Political Rights, which states that everyone should have the right to: hold opinions without interference, freedom of expression (including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers and through the media of his/her choice).

Internet Restricting Countries

While there is much to like in GOFA, we still have extreme reservations about giving the Secretary of State sole authority to determine that a country is an "internet-restricting country." The Secretary is to determine, based on the review of evidence, whether the government of the country is “directly or indirectly” responsible for a systematic pattern of substantial restrictions on Internet freedom during any part of the preceding 1-year period.  As we noted above, one way to help mediate that is to increase the role of non-governmental organizations, academic institutions and independent researchers.

More transparency should also be injected into this process.  Already a description of evidence used by the Secretary of State to make the determination, as well as all unclassified portions of the report must be posted online, which is good.  Unfortunately, this only applies to countries placed on the “internet-restricting countries” list. The Secretary of State should include information about countries left off the list: Politics and diplomatic pressure can cut both ways. To better ward of claims of politicization, the public should be able to see the evidence for why a country has or has not been included.

We also have concerns about the “Safe Harbor” provision of the bill, in Sec. 201(a)(3), which would allow companies to circumvent reporting requirements by joining the Global Network Initiative (GNI) or another multi-stakeholder group (defined in the bill as a group made up of civil society, human rights organizations, and companies, and committed to promoting the rule of law, free expression, and privacy).  While as members of the GNI, we believe that membership in it or similar initiatives should be encouraged, companies should not be given a pass for reporting to the public or fulfilling any other requirements merely for joining such groups. The Safe Harbor could still allow the companies to avoid reporting to the SEC, but it must not allow them to avoid public reporting. Moreover, companies should have to participate in a Multi-Stakeholder group as defined in the bill under section 201(a)(3)(B), including having an independent body provide honest analysis of a company’s exports laid out in the bill. The GNI could be one such group, of course, but it shouldn't have special status.

Export Restrictions

We also continue to be concerned about the export restrictions, although the bill is now much less worrisome than it once was.  The authors smartly now propose only a very limited export restriction that reaches only sales to government end users in Internet restricting countries. As an organization with a long history of fighting the overbroad application of export restrictions, we’re still concerned, but the limited scope here can at least minimize the chances that these regulations could hinder activists in foreign countries from getting, for instance, technologies that can help them monitor their own communications for security vulnerabilities and backdoors. We will need to watch this process carefully, though. At a minimum, the bill should create a very clear and simple process for those seeking to provide technologies to people overseas to challenge any agency action that oversteps this narrow category.

Waiver

We’re also concerned about the broad waiver provision.  It allows the President on a case-by-case basis to certify to Congress that “it is in the national interests of the United States to” issue an exemption. We think the President should have to justify any waiver publicly, to the extent that any part of the analysis is not classified. Also, the standard should be more robust than just the recitation of “national interests.”  That is too easily abused.

It’s not hard to see that much of the technology that was misused by governments during the “Arab Spring” was originally sold to countries that were “allies” of the US at the time. Yet, most of these technologies were easily and quickly used to suppress dissent of citizens. A prime example is Egypt, which likely was an ally of the U.S. when it purchased the Narus surveillance technologies used against democracy activists.  Similarly, Libya bought technology from France under the guise of fighting terrorism, but used the technology to surveil activists, human rights campaigners, and journalists. Would such a waiver provision be used for Bahrain—still a staunch ally of the US—where several cases have emerged in which activists were tortured while being read transcripts of their text messages and phone calls?

Intellectual Property?

Finally, for no good reason the bill now references intellectual property: “No provision under this Act shall be construed to affect a country’s ability to adopt measures designed to combat infringement of intellectual property.” This provision appears to have no substantive impact, but instead appears to have been included to appease Congressional offices (and their content industry patrons) that seemingly require that intellectual property be mentioned in any law that also mentions the Internet. Frankly, the inclusion of this provision makes Congress look unserious. It simply has no place in a legislative proposal aimed at curbing the use of technology to aid in torture, summary execution and other deadly serious human rights abuses. It should be removed.