You need two to tango: The responsibility of companies to respect privacy and free expression in the digital age

You need two to tango: The responsibility of companies to respect privacy and free expression in the digital age

13 June 2016

"State capacity to conduct surveillance may depend on the extent to which business enterprises cooperate with or resist such surveillance” notes the Special Rapporteur on freedom of expression in his report on the role of the private sector to respect human rights in the digital age. The Special Rapporteur will present its findings and recommendations to the Human Rights Council on Thursday.

It is no longer sufficient for companies to simply point the finger at intelligence and security agencies for the violations of the rights to freedom of expression and to privacy. This report provides a comprehensive mapping of the range of companies active in the Information and Communication Technology (ICT) sector and begins to address their responsibility to protect human rights.

As Privacy International noted in our submission to this report, the roles and responsibilities of ICT companies in respecting and promoting the rights to freedom of expression and privacy on-line are intrinsically linked.

The role of the surveillance industry

Historically, the private sector played a limited role in providing the surveillance capabilities used by state law enforcement and intelligence agencies. This picture has shifted significantly.

The Special Rapporteur notes how now

“the private sector supplies hardware, software and other technologies that enable States to intercept, store or analyse communications and other information. Infrastructure vendors, hardware manufacturers and software developers may design or customize products on behalf of States, or supply dual use equipment and technology that States subsequently tailor for their own needs. Internet and telecommunication service providers may also purchase equipment or software from these companies to install on their network components in order to comply with legally mandated interception protocols in the States where they operate. "

Surveillance technologies provided by private companies can be used by governments to target political opponents, journalists and lawyers, crackdown on dissent, harass human rights defenders, intimidate populations, discourage whistle-blowers, chill expression, and destroy the possibility of private life and space for political opposition. Privacy International has published reports showing intelligence and law enforcement agencies being complicit in human rights violations using surveillance systems in ColombiaEgyptEthiopia,  MoroccoPakistanUganda, and Central Asia.

These companies should not escape responsibility. Most often the companies selling surveillance technologies point the finger at the end users, i.e. governments, for “misuse” of the technologies. However, they make few or no attempts to limit the availability of intrusive technology, or to assess the human rights' implication of its use prior to entering into a commercial relationship with a buyer. Companies merely hoping that an end user will not violate human rights using a product that is designed for surveillance falls short of the necessary assessments and measures companies should undertaking to ensure they respect human rights.

After a complaint by Privacy International last year, the UK National Contact Point for the OECD Guidelines for Multinational Enterprises concluded that the actions of UK surveillance company Gamma International were not in compliance with OECD guidelines, which require that enterprises do appropriate due diligence, encourage business partners to observe Guidelines standards, have a policy commitment to respect human rights, and provide for or co-operate through processes to remediate human rights impacts.

As the Special Rapporteur notes, “companies that sell equipment and services to Governments to implement covert surveillance techniques may be implicated in human rights violations that flow from their sales."

The role of internet and telecom service providers 

"State capacity to conduct surveillance may depend on the extent to which business enterprises cooperate with or resist such surveillance” notes the Special Rapporteur.

Privacy International has documented how some ICT companies “cooperate” in unlawful surveillance. Certain countries require direct access by law enforcement and intelligence agencies to the communications network. As part of these requirements, the relevant companies may also need to ensure that their networks are directly connected to surveillance monitoring centres.

As for effective strategies of resistance, these include: the inclusion of human rights guarantees in licensing agreements and other relevant contracts; restrictive interpretations of government requests; transparency mechanisms, negotiations with government officials about the scope of such requests; judicial challenge of overbroad requests or laws; providing affected individuals, the media or public with relevant information; and suspension of service within, withdrawal from, or decisions not to enter a particular market.

Next steps

The Special Rapporteur is scheduled to present his report at 11am (BST) on Thursday 16 June. The session will be webcasted live here.

We welcome the Rapporteur’s plan to focus future research on the role of private companies in censorship and surveillance, and on the efforts by some governments to undermine digital security. The latter topic is significantly relevant to the current debate around privacy and surveillance. The “efforts” governments make to undermine digital security take many shapes: from attempts to limit the availability of encryption technologies, to the reliance on vulnerabilities to carry out state hacking (euphemistically called “equipment interference” in the UK); from requirement to provide direct access to communications networks, to the imposition of blanket, indiscriminate data retention to companies.

By choosing this among the next priorities, the Special Rapporteur has ensured that the responsibility of companies to respond to the policies and practices increasingly deployed or sought by governments with most significant implications on the rights to privacy and freedom of expression, are addressed.