Abstract
Without a commitment to transparency and solid knowledge about how the internet works, the UK government is hampering online freedom. It’s time to overhaul the system, says security expert
Online censorship is regularly practised in the United Kingdom. It began with an attempt to block images of child sexual abuse, but today, the system is used to address unlawful use of the public internet, of both a criminal and a civil nature.
The dangers of the internet tend to be exaggerated
In the 1990s, a system was developed to reduce the likelihood of people accidentally accessing images of the sexual abuse of children, although this system has proved easy to bypass. At any one time there were only a few hundred web addresses blocked and all entries were manually checked, so it was rare for material to be incorrectly categorised. However, once the blocking system was in place, there was pressure for its remit to be extended.
First the film and music industries successfully obtained court orders to ensure entire websites that facilitated access to copyright-infringing material were blocked. Now the UK government is proposing to censor legal adult websites too (unless the person who pays for the internet connection requests to opt out from the blocking system and can prove their identity and age). Customers using mobile internet connections are already prevented from accessing adult material (unless they opt out), but, due to the huge number of websites now being blocked, the system for checking what belongs on the list has been compromised. Among the websites being incorrectly blocked are the sites of political parties, news sites and sites providing sex education. Measures that were aimed at banning a small number of carefully selected web addresses containing illegal material universally regarded as abhorrent have morphed into the mass censorship of legal material, with little or no human intervention in the vetting process. In the US, internet users can lose their connection entirely if anyone from their household is too frequently accused of infringing copyright; the UK government is one of several countries discussing similar measures.
Surveillance technology
Blocking images of child sexual abuse does not prevent the crime: for the vast majority of other crimes involving the internet, this is the case too – there are no technical measures that can prevent these offences taking place. Therefore, when it comes to legislation, the emphasis has been on detecting and punishing perpetrators in the hope that it will deter others. One area of rapid growth in this field has been internet surveillance, with the UK government’s draft Communications Data Bill being its most privacy-intrusive proposal yet. The law, if enacted, would allow public bodies to order internet service providers to record their customers’ activities, even when the customer is not suspected of having committed a crime and where there has been no judicial oversight of the order. Though the Queen’s Speech in May 2013 effectively announced the end of the bill, following on from the violent murder of a soldier in Woolwich a few weeks later, there were signs that it might be reconsidered.
The costs of implementing this bill would be substantial (very conservatively estimated at £1.8bn or US$2.79bn over ten years) and the purported benefits are debatable (the parliamentary committee investigating the bill described the Home Office’s estimates as ‘fanciful’). It would also create a chilling effect on freedom of speech. Highly sensitive details of people’s lives would be recorded and put at risk of unauthorised disclosure as a result of failures of computer security, human error and corruption.
Even developing the technology for surveillance is dangerous, as demonstrated by the fact that numerous European companies designed spy software to fulfil Western governments’ requirements but then sold the same products on to repressive regimes. The German firm Elaman even marketed their product as useful for identifying ‘political opponents’.
Following the toppling of the Muammar Gaddafi regime in Libya, it was discovered that software from French firm Amesys had been used to target journalists and members of Libyan human rights NGOs. Additionally, University of Toronto researchers have discovered that the UK-developed FinFisher surveillance system, which installs software on a targeted computer and monitors the users’ activities, was sold to countries including Bahrain, Egypt and Turkmenistan.
Bad laws
The legal landscape poses significant problems with regard to freedom online. The problems are not, however, limited to legislation that was specifically written with the internet in mind. In some cases, laws are applied to scenarios that were not even envisaged when the laws were drafted, leading to undesirable outcomes.
One such law is the Computer Fraud and Abuse Act (CFAA) in the United States, which was created to criminalise hacking, but which has been used to combat bullying online and the sharing of passwords. The US Justice Department has interpreted this law to mean that any violation of the small print on websites could be a crime punishable by up to ten years in prison. CFAA has been used in a number of serious cases already, but this interpretation goes even further, granting the state the discretion to prosecute almost anyone they want to, representing a significant threat to civil liberties.
Similarly, in the UK, we have seen jail sentences handed down to people guilty of posting tasteless jokes online – which very few people are likely to have seen had the media not drawn them to the public’s attention in the first place. The Communications Act prohibits the sending of messages that cause offence, even if the offended person is not the recipient of the message. Far worse jokes are being made, both over the internet and person-to-person. But the internet is susceptible to abuse of the law because it is easy for someone who wants to stir up trouble to find a comment that might be offensive to someone, drum up a lynch mob and possibly point the way to a prosecution.
However, progress is being made: two courts have ruled against the Justice Department’s interpretation of the CFAA, with one pointing out that the result would be an ‘overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent internet users into misdemeanant criminals’. In the UK, the Crown Prosecution Service published guidelines advising against prosecution if communications were not intended for a wide audience, and set a higher bar for what should be considered offensive.
ABOVE: Libyan data journalists uploading protest footage, Benghazi, March 2011. Later it was reported that software firm Amesys had been used to target Libyan journalists and activists
Credit: Johann Rousselot/laif/Camera Press
But the Communications Act and CFAA are indicative of a more widespread problem: when it comes to the internet, some legal activities become illegal and punishments for already-illegal activity become disproportionately harsh. There are a number of possible reasons for this trend. One is simply that the people setting and enforcing laws are not familiar with the internet: their experience of online behaviour is confined to instances when the internet has been abused. To them, the internet appears to be a strange, lawless place that needs to be controlled, as is evident from the unhelpful popular description of the internet as ‘cyberspace’. In fact, online communication is just another type of speech; as a result, it needs to be protected in the same way that speech communicated via traditional media is protected.
Harsh crimes and exaggerated dangers
Both the fragility and the dangers of the internet tend to be hyped and exaggerated. To persuade people to buy their products, the security industry vastly overstates the scale of the problem. Companies that have been the victims of cyber attacks claim they have incurred huge costs, not least because they want to encourage law enforcement agencies to investigate these crimes. But when the numbers actually matter, in legally required disclosures to the Securities and Exchange Commission, the picture is different. Out of the top 100 US companies, 27 per cent declared they had been the victim of cyber attacks, but out of them, only 1 per cent said they had suffered ‘limited losses’, with the remainder reporting that there had been no material impact. A relatively small number of law enforcement personnel deal with internet crime, and so prosecutions are rare – when they do occur, punishments are relatively harsh in order to deter other would-be criminals. Those singled out for prosecution are thus unfairly treated, and are often those individuals who are easy to find, rather than the most serious offenders.
There’s no magic formula for dealing with internet-related crime: it’s very clear that it is possible to slip up both when drafting laws specifically for the internet and re-tasking laws written for other purposes. Good education for policymakers, lawyers, judges and law enforcement on the nature of the internet and its uses will go a long way to correcting some of the imbalances, and digital rights NGOs are helping with this initiative. Open consultation with experts, accurate data and transparent processes must be encouraged.
In drafting laws that may restrict speech, particular consideration must be given to protecting speech online. More proportionate action could be taken if there were better ways to estimate both the cost of online crime and to understand how resilient networks are.
Greater transparency is crucial; in particular, there is a need for transparency about what surveillance equipment is being sold to which countries. This would encourage ethical behaviour. For example, following disclosures that Nokia-Siemens had sold surveillance software to Iran, the company put an ethics review process in place regarding sales, which resulted in three sale offers being declined in 2011. Export control laws have done little to prevent companies from selling surveillance software to repressive regimes, while added bureaucracy has hindered the distribution of software designed to protect human rights. And as is often the case, the way to address internet crime while at the same time protecting liberties will be through promoting more speech, not less.