U.S., EU Privacy Laws Criticized at U.N. Meeting
NAIROBI -- The U.S. data protection situation took some hits during several sessions on security, privacy and openness at the U.N. Internet Governance Forum. Customers with privacy-sensitive data should think twice about using the services of U.S. companies, said U.S. security and privacy researcher Christopher Soghoian, a former technical consultant to the U.S. Federal Trade Commission, on a panel that included Google evangelist Vint Cerf.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Cerf said technology could help privacy up to a point, and there is work ongoing to make cryptography easier to use, but there’s also a need for legislation. “Google supports a reform of” the Electronic Communications Privacy Act, Cerf said, pointing to new uses of mobile cameras and mobile recording facilities that could end up on the Internet. Google has also been working in the Digital Due Process coalition for ECPA reform (CD March 31/10 p7).
Soghoian said Google, while the most transparent of the Internet companies, is still not transparent enough about the data requests received. He warned IGF participants: “Even if your data is on a server in Finland or Switzerland, U.S. law enforcement will force Google to hand them over for $25, and while I still have rights as a citizen, you have not."
Cerf said in a later press conference that Google is working hard to allow the user to control his data. “If we don’t give people control over their confirmation they go somewhere else.” The mix of privacy-enhancing technology and privacy regulation was also supported by other industry representatives present.
Brian Huseman of Intel said “the practice of data minimization, or only collecting data you need for the purpose or privacy by design, will help to minimize the amount of data and consumer information that would be lost in the event of a security breach.” One problem of strong security and data protection, including encryption, he said, remains that many business models rely on the monetization of user data.
Strong security measures could help to prevent the release of consumers’ information without their consent, Smith said: “Regulation that protects privacy while also providing non-inhibiting strong security measures is important and a positive synergy worth considering."
Alexander Seger of the Council of Europe, who promoted the Cybercrime Convention as a tool that would help not only security but also privacy, said the U.S. certainly was invited to join the Council of Europe’s Data Protection Convention, which is currently under review. The U.S. has already ratified the Cybercrime Convention, which German cybercrime expert Marco Gehrke said certainly also needs some changes. “The Convention does not touch on encryption, and it also does not touch on surveillance,” Gehrke said. Gehrke said the gaps resulted in the popping up of national legislation that did not provide sufficient limitations. British legislation that forced defendants to disclose their passwords, he said, is contrary to the right to remain silent, for example.
A U.S. State Department representative said that “with the growth of cloud computing, with the advent of global data transfers, there are going to be legitimate questions on personal privacy.” It’s important to discuss the facts, he said: “The United States had been a strong supporter of a global open Internet.” With regard to privacy in the commercial world, the U.S. called for a consumer privacy bill of rights, centered on individual control.
The EU data protection situation was criticized by civil rights activists participating in the panels. Katarzyna Szymielewicz, from the Polish Panoptykon Foundation, criticized the EU directive on data retention that she said was implemented in the worst way in her country, forcing telecom providers to store communication traffic and geolocation data for two years with broad access rights for a long list of agencies. Szymielewicz warned that with the advent of the cloud, smart grids and more geolocation data, there are huge risks for the intrusion of privacy.
Human rights and freedom of expression on the Internet should become the main topic of the IGF, said a representative of the Swedish Foreign Ministry, Johan Hallenborg. With the trend for “kill-switches,” but also the trend to increasingly hold intermediaries responsible for alleged illegal activities on the Internet, there’s an urgent need to talk about human rights on the Internet, he said. Sweden has pushed for a expert session on the topic in the Human Rights Council next March, and the IGF should make it the main topic for its next-year session, Hallenborg said.