A new project aimed at “countering illegal use of the Internet” is making headlines this week. The project, dubbed CleanIT, is funded by the European Commission (EC) to the tune of more than $400,000 and, it would appear, aims to eradicate the Internet of terrorism.
European Digital Rights, a Brussels-based organization consisting of 32 NGOs throughout Europe (and of which EFF is a member), has recently published a leaked draft document from CleanIT.
On the project’s website, its stated goal is to reduce the impact of the use of the Internet for “terrorist purposes” but “without affecting our online freedom.” While the goal may seem noble enough, the project actually contains a number of controversial proposals that will compel Internet intermediaries to police the Internet and most certainly will affect our online freedom. Let’s take a look at a few of the most controversial elements of the project.
Privatization of Law Enforcement
Under the guise of fighting ‘terrorist use of the Internet,’ the “CleanIT project,” led by the Dutch police, has developed a set of ‘detailed recommendations’ that will compel Internet companies to act as arbiters of what is “illegal” or “terrorist” uses of the Internet.
Specifically, the proposal suggests that “legislation must make clear Internet companies are obliged to try and detect to a reasonable degree … terrorist use of the infrastructure” and, even more troubling, “can be held responsible for not removing (user generated) content they host/have users posted on their platforms if they do not make reasonable effort in detection.”
EFF has always expressed concerns about relying upon intermediaries to police the Internet. As an organization, we believe in strong legal protections for intermediaries and as such, have often upheld the United States’ Communications Decency Act, Section 230 (CDA 230) as a positive example of intermediary protection. While even CDA 230’s protections do not extend to truly criminal activities, the definition of “terrorist” is, in this context, vague enough to raise alarm (see conclusion for more details).
Erosion of Legal Safeguards
The recommendations call for the easy removal of content from the Internet without following “more labour intensive and formal” procedures. They suggest new obligations that would compel Internet companies to hand over all necessary customer information for investigation of “terrorist use of the Internet.” This amounts to a serious erosion of legal safeguards. Under this regime, an online company must assert some vague notion of “terrorist use of the Internet,” and they will have carte blanche to bypass hard-won civil liberties protections.
The recommendations also suggest that knowingly providing hyperlinks to a site that hosts “terrorist content” will be defined as illegal. This would negatively impact a number of different actors, from academic researchers to journalists, and is a slap in the face to the principles of free expression and the free flow of knowledge.
Internet companies under the CleanIT regime would not only be allowed, but in fact obligated to store communications containing “terrorist content,” even when it has been removed from their platform, in order to supply the information to law enforcement agencies.
Material Support and Sanctions
The project also offers guidelines to governments, including the recommendation that governments start a “full review of existing national legislation” on reducing terrorist use of the Internet. This includes a reminder of Council Regulation (EC) No. 881/2002 (art. 1.2), which prohibits Internet services from being provided to designated terrorist entities such as Al Qaeda. It is worth noting that similar legislation exists in the US (see: 18 U.S.C. § 2339B) and has been widely criticized as criminalizing speech in the form of political advocacy.
The guidelines spell out how governments should implement filtering systems to block civil servants from any “illegal use of the Internet.”
Furthermore, governments’ criteria for purchasing policies and public grants will be tied to Internet companies’ track record for reducing the “terrorist use of the Internet.”
Notice and Take Action
Notice and take action policies allow law enforcement agencies (LEAs) to notify and act against Internet companies, who must remove “offending” content as fast as possible. This obligates LEAs to determine the extent to which content can be considered “offensive.” An LEA must “contextualize content and describe how it breaches national law.”
The leaked document contains recommendations that would require LEAs to, in some cases, send notice that access to content must be blocked, followed by notice that the domain registration must be ended. In other cases, sites’ security certificates would be downgraded.
Real Identity Policies
Under the CleanIT provisions, all network users, whether in social or professional networks, will be obligated to supply their real identities to service providers (including social networks), effectively destroying online anonymity, which EFF believes is crucial for protecting the safety and well-being of activists, whistle-blowers, victims of domestic violence, and many others (for more on that, see this excellent article from Geek Feminism). The Constitutional Court of South Korea found an Internet “real name” policy to be unconstitutional.
Under the provisions, companies can even require users to provide proof of their identity, and can store the contact information of users in order to provide it to LEAs in the case of an investigation into potential terrorist use of the Internet. The provisions will even require individuals to utilize a real image of him or herself, destroying decades of Internet culture (in addition to, of course, infringing on user privacy).
The plan also calls for semi-automated detection of “terrorist content.” While content would not automatically be removed, any searches for known terrorist organizations’ names, logos or other related content will be automatically detected. This will certainly inhibit research into anything remotely associated with what law enforcement might deem “terrorist content,” and would seriously hinder normal student inquiry into current events and history! In effect, all searches about terrorism might end up falling into an LEA’s view of terrorist propaganda.
LEA Access to User Content
The document recommends that, at the European level, browsers or operating systems should develop a reporting button of terrorist use of the Internet, and suggests governments draft legislation to make this reporting button compulsory for browser or operating systems.
Furthermore, the document recommends that judges, public prosecutors and (specialized) police officers be able to temporarily remove content that is being investigated.
Frighteningly, one matter up for discussion within the CleanIT provisions is the banning of languages that have not been mastered by “abuse specialists or abuse systems.” The current recommendation contained in the document would make the use of such languages “unacceptable and preferably technically impossible.”
With more than 200 commonly-used languages and more than 6,000 languages spoken globally, it seems highly unlikely that the abuse specialists or systems will expand beyond a select few. For the sake of comparison, Google Translate only works with 65 languages.
At a time when new initiatives to preserve endangered languages are taking advantage of new technologies, it seems shortsighted and even chauvinistic to consider limiting what languages can be used online.
What Is Terrorism, Anyway?
While the document states that the first reference for determining terrorist content will be UN/EU/national terrorist sanctions list, it seems that the provisions allow for a broader interpretation of “terrorism.” This is incredibly problematic in a multicultural environment; as the old adage goes, “one man’s terrorist is another man’s freedom fighter.” Even a comparison of the US and EU lists of designated terrorist entities shows discrepancies, and the recent controversy in the US around the de-listing of an Iranian group shows how political such decisions can be.
Overall, we see the CleanIT project as a misguided effort to introduce potentially endless censorship and surveillance that would effectively turn Internet companies into Internet cops. We are also disappointed in the European Commission for funding the project: Given the strong legal protections for free expression and privacy contained in the Charter of Fundamental Rights of the European Union [PDF], it’s imperative that any efforts to track down and prosecute terrorism must also protect fundamental rights. The CleanIT regime, on the other hand, clearly erodes these rights.
- EU proposal to stop terrorist sites even more ridiculous than it sounds (arstechnica.com)
- Leak shows EU’s plans for largescale surveillance of all communications (edri.org)
- Leaked Clean IT Document Is Frightening (webpronews.com)
- Police across Europe will “patrol” Facebook, Google and Twitter for postings supporting terrorism under an EU project says leaked report (familysurvivalprotocol.com)
No sooner did a mandatory data retention law go into effect in Austria this month than thousands of Austrians banded together in a swift opposition campaign to overturn it. The Austrian law originated as the misshapen offspring of the 2006 European Data Retention Directive. Led by AK Vorrat Austria, a working group against mandatory data retention, the pushback against this mass-surveillance law demonstrates that opposition remains alive and well six years after the European Union adopted the infamous Directive.
The Austrian data retention law compels all ISPs and telcos operating in Austria to retain everyone’s incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data. The information is collected for all citizens, rather than just those suspected criminal activity. In many cases, the data is handed over to law enforcement.
Austrian activists took advantage of a two-year delay of the implementation of this ill-conceived Directive in their country by mapping out their opposition strategy in advance. They sought to leverage a two tier strategy to beat back the Data Retention Directive at the European level, and to fight against the Austrian data retention law at the national level.
One day before the law entered into force, Austrian activists organized funeral marches to protest this anti-privacy, anti-anonymity, anti-free expression law.
Now, just weeks after the Directive officially went into effect, its future hangs in the balance as a pair of efforts calling for its reversal speed toward Austria’s Constitutional Court. Austrian activists are seeking to overturn the legality of the Austrian law with a mass complaint filed with Austria’s Constitutional Court. With nearly 7,000 supporters formally signed on and 18,000 declaring their intent to join, that effort that is shaping up to be “the biggest complaint in the history of the republic,” according to European Digital Rights (EDRi), a coalition of 32 privacy and civil rights organizations working in the European Union, including EFF. AK Vorrat Austria initially announced that it hoped to bring 1,000 individuals together to sign onto the complaint – and surpassed that goal in two days’ time.
But activists aren’t stopping there. On a parallel track, AK Vorrat Austria has already gathered 100,000 signatures for a citizens’ initiative calling for their government to work towards the abolishment of the EU Directive. The signatures are enough to meet the required threshold to force the issue to be considered by the National Council, Austria’s legislative branch of government.
This isn’t the first time this Directive has sparked an uproar in Europe. When it first became clear that the EU was going to cave to governmental lobbying interests from the U.S. and UK and enact a sweeping law that would effectively legitimize mass surveillance, the Freedom not Fear movement responded with massive street protests in Germany and across Europe.
The opposition continues, and is only growing. Courts in Romania, Germany, and the Czech Republic have declared their national laws derived from the EU Directive to be unconstitutional, while a court in Ireland has referred a case to the European Court of Justice—the highest Court in Europe for matters related to European Union law—questioning the legality of the overall EU Data Retention Directive. The European Data Protection Supervisor Peter Hustinx has called the Directive “the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.” Despite all this, the European Commission is still defending it even though it has not been able to provide any evidence that the Directive is necessary, and therefore legal, in the European Union.
Austrian Association for Internet users (VIBE!AT), the Ludwig Boltzmann Institute of Human Rights and several other Austrian activists are encouraging all concerned Austrians to join this fight. Austrians can join the mass complaint against the Austrian data retention law by filling out the declaration form by May 18, available at verfassungsklage.at.
Meanwhile, all Austrians age 16 and older should support the citizens’ initiative online at zeichnemit.at (in German) to call for the abolishment of the EU data retention directive. Take Action: Sign the citizens’ initiative now. Tell the Austrian government to fight for the repeal of the European Data Retention Directive in Brussels.
- ACTA in the EU: We Can’t Call it Dead Yet (alethonews.wordpress.com)
- European Data Retention Directive At Work: Polish Authorities Abuse Access to Users’ Data (eff.org)