Constitutions and tussles in cyberspace

Dr Ian BrownOxford Internet Institute

University of Oxford

OverviewTussles and human

rights

The effectiveness of constitutions as design-time constraints

Designing for privacy

Protecting free speech

Government privacy tussles

If data can be collected about individuals, there will be government pressure to store, enhance and access that information

E.g. PATRIOT Act National Security Letters, NSA activities within the US, EU data retention directive, National DNA Database

Encryption is no protection if governments can compel decryption by third parties

Govt censorship tussles US Communications

Decency Act of 1996; Child Online Protection Act of 1998

UK Internet Watch Foundation and CleanFeed

Australia planning to block access to sites “unsuitable for children” and “unsuitable for adults”

Great Firewall of China

Disconnecting BurmaFlickr user racoles (2007)

Key constitutional protectionsReaffirming their profound belief in those fundamental freedoms which are the foundation of justice and peace in the world:…§8 Everyone has the right to respect for his private and family life, his home and his correspondence

§9 Everyone has the right to freedom of thought, conscience and religion

§10 Everyone has the right to freedom of expression

§11 Everyone has the right to freedom of peaceful assembly and to freedom of association with others (ECHR, 1950)

extending the ground of public confidence in the Government, will best insure the beneficent ends of its institution…

I: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble

IV: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated (US Bill of Rights, 1791)

Constitutional enforcers “the blanket and indiscriminate nature of the powers of retention

of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences…fails to strike a fair balance between the competing public and private interests…Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society.” S. & Marper v UK (ECtHR Nos 30562/04 and 30566/04, 2008)

“As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion…just as the strength of the Internet is chaos, so the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects.” ACLU v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996)

When constitutions fail “There can be no doubt that the

use of force protects the Nation's security and helps it achieve its foreign policy goals. Construing the Constitution to grant such power to another branch could prevent the President from exercising his core constitutional responsibilities in foreign affairs.” –OLC, 25.ix.01

Prof. Doug Cassel: If the President deems that he’s got to torture somebody, including by crushing the testicles of the person’s child, there is no law that can stop him?Prof. John Yoo: No treaty.Cassel: Also no law by Congress. That is what you wrote in the August 2002 memo.Yoo: I think it depends on why the President thinks he needs to do that.

Designing for privacy Data minimisation key: is your

data really necessary? (Marsh, Brown and Khaki, 2008)

Limit personal data collection, storage, access and usage In particular, of persistant global

identifiers such as IP addresses Minimise middlebox plaintext access

(Brown, 2001) and external observability (Stajano and Anderson, 1999)

Users must also be notified and consent to the processing of data – user interfaces? Ade Rowbotham (2005)

Protecting free speechRegulate production and consumption rather

than distribution – strengthen “mere conduit” and “actual knowledge” law (Brown, 2007)

Build replicated, highly redundant Content Distribution Networks with blind peers – encrypt data flows and caches (Anderson, 1996)

Minimise points of observation and control (Zittrain, 2006)

Conclusions “Law enforcement was not supposed to be easy. Where it is

easy, it's called a police state.” –Jeff Schiller, IETF Security AD (12.xii.1999)

“Just as publication of the Bible challenged the abuses that had accreted over centuries of religious monopoly, so the spread of technical know-how destroyed the guilds. Reformation and a growing competitive artisan class led to the scientific and industrial revolutions, which have given us a better standard of living than even princes and bishops enjoyed in earlier centuries.” –R.J. Anderson (1996)

Build technologies that support European privacy law and US free speech law, and not vice versa

ReferencesR.J. Anderson. The Eternity Service. In 1st Intl. Conf. on the Theory and Applications of

Cryptology, 1996.

F. Stajano and R.J. Anderson. The Cocaine Auction Protocol: On The Power Of Anonymous Broadcast. LNCS 1768, 1999 pp. 434—447.

I. Brown. End-to-end security in active networks. PhD thesis, UCL, 2001.

D. Clark, K. Sollins, J. Wroclawski, R. Braden. Tussle in Cyberspace: Defining Tomorrow's Internet. IEEE/ACM Transactions on Networking 13 (3), 2005 pp. 462—475.

J. Zittrain. A History of Online Gatekeeping. Harvard Journal of Law and Technology, 19(2), 2006 pp.253—298.

I.Brown. The law and economics of cybersecurity (Eds. Mark F. Grady and Francesco Parisi). Law Quarterly Review (123), 2007 pp.172—175.

S. Marsh, I. Brown, F. Khaki. Privacy Engineering, Cybersecurity KTN, 2008.

I. Brown. Internet filtering — be careful what you ask for. In Kirca, S and Hanson, L. (eds.) Freedom and Prejudice: Approaches to Media and Culture, Istanbul: Bahcesehir University Press, 2008 pp.74—91.

I. Brown. Regulation of Converged Communications Surveillance. In B. Goold and D. Neyland (eds.) New Directions in Privacy and Surveillance, Exeter: Willan, 2009 pp.39—73.