The ITU and the Real Threats to the Internet, Part IV: the Triumph of State Security and Proposed Changes to the ITRs

This is the fourth in a series of posts on the potential implications of proposed changes and additions to the ITU’s international telecommunications regulations (ITRs) on the internet (earlier posts are here, here and here).

As we assess these potential implications it is necessary to sort out charges that are, in my view, overblown and alarmist versus those that have merit based on a close reading of the relevant ITU texts. I want to be clear that while I think that many of the charges being leveled at the ITU are trumped up baloney, there are actually many reasons to be concerned. I’ll briefly reprise what I see as the over blown claims (OBCs), then set out the most important real areas of concern.

Over Blown Claims (OBC)

(OBC1): The ITU & the Net: The claim that new rules being proposed for the WCIT this December could give the ITU authority over the internet, when currently it has none, is one OBC (see here, here and here), as I laid out in blog post two.

(OBC2) The Global Internet Tax: This is the claim that some countries want to meter internet traffic at their borders, a kind of tax that Facebook, Google, Apple, Netflix and other internet content companies would supposedly be forced to pay to reach users on the other side of the toll – simultaneously serving to fund broadband internet upgrades in foreign countries, constricting the free flow of info, and keeping people sealed off behind the closed and controlled Web 3.0 national internet spaces that are being built in Russia, China, Saudi Arabia, Iran and other repressive states (see here and here).

The kernal of truth in this matter is that European telecom operators have proposed to establish a “fee-for-carriage” model – like cable tv – that would allow them to charge big internet content companies according to the volume of traffic they generate. I don’t like it at all. It is a full-scale assault on network neutrality. Google hates it too (Ryan & Glick, Cerf NYT, Cerf Congress). Net neutrality folks should be up in arms, and some are.

The problem at the root of the critics’ assertions, however, is that the proposal by ETNO is not unusual but embodies the same “fee-for-carriage” model that telecom carriers such as AT&T, Comcast, Bell, Telecom NZ, and others have pursued for the past decade (see post 3). It is wrong to construe the demand to make internet companies pay for carriage as a tax, let alone a diabolical scheme by authoritarian governments to take-over the internet.

In addition, the idea of an internet metered at the border overlooks possible additions to Art. 3.7 of the ITRs that, as discussed in the last post, “enabl[e] direct international internet connections” between countries. “Special Arrangements” set out in Art. 9 of the constitution also means that telecom and internet companies can strike whatever deals they want to create end-to-end connectivity, so long as both countries on either end agree. Again, markets and contracts rule, not some kind of cyber-wall of Berlin.

(OBC3) Spam, Spam, Spam: The third, mostly bogus claim is that proposals to add references to spam in several places in the ITRs are the thin edge of a wedge that could lead to internet content regulation (Article 2.13; Art. 4.3a; and proposed new Art. 8A.5 and 8B). The proposal, however, urges countries to adopt “national legislation” covering spam – as many already do – and “to cooperate to take actions to counter spam” and “to exchange information on national findings/actions to counter spam”. This hardly seems like the thin of a wedge and, moreover, Article 2.13 explicitly excludes content as well as “meaningful . . . information of any type”.

Still, the U.S. is strongly opposed to such measures on the grounds that technological solutions are better suited to the problem than international law. Overkill, it says, and at odds with technological neutrality. Australia calls it too broad, Canada doesn’t like it either, and Portugal is still looking to see how it meshes with EU law. This is hardly an endorsement for the ‘global regulation of spam’ by the supposed axis of internet evil offering it, but the proposal is hardly tantamount to Armageddon, either (for annotated notes outlining countries’ views of proposed changes and additions, see here).

State Security, Splinternet and the Pending Death of the Open Global Internet: the Real Threats to the Internet

Now if you think I’m simply lining up as an apologist for the ITU, you’d be wrong, as the rest of this post makes clear.  Several proposals now on the table (see below) would cast a devastating blow to the internet by blessing the efforts of individual countries to build their own closed and controlled national Web 3.0 internet spaces today. In fact, many countries, including Anglo-European countries, are doing just that, although to a degree and of a kind that is demonstrably different than what is being built in the list of ‘rogue states’ that are often identified with such projects: Russia, China, Saudi Arabia, Iran, etc.

In fact, several sections of the ITU’s current framework already allow these kinds of projects, before any changes. Proposals to change or add new elements to the ITRs could make matters even worse, however.

Intercepting, Suspending and Blocking the Flow of Information since the 1850s: the Dark Side of the ITU

To see how, we need only to realize that nation-states have always claimed unbridled power to control national communication spaces, and to intercept, suspend and block the cross-border flow of information. The authority to inspect, suspend and cut-off communications that “appear dangerous to the security of the State or contrary to its laws, to public order or to decency” was first asserted by European governments in the 1850s during their drive to squelch popular rebellions. That authority was acknowledged by the Austro-German Telegraph Union and Western European Telegraph Union at the time, before being folded into the ITU when these organizations merged in 1865 (see Constitution, Article 34). That legacy hangs over the current WCIT talks like a dark cloud.

The supremacy of national security has been retained ever since and forms the basis of Articles 34, 35 and 37 in the ITU’s current Constitution, as the extracts below illustrate:

“Member States reserve the right to stop . . . the transmission of any private telegram which may appear dangerous to the security of the State or contrary to its laws, to public order or to decency” (Art. 34(1), Stoppage of Telecommunications, emphasis added).

“Member States also reserve the right to cut off, in accordance with their national law, any other private telecommunications which may appear dangerous to the security of the State or contrary to its laws, to public order or to decency” (Art. 34(2) Stoppage of Telecommunications, emphasis added).

“Each Member State reserves the right to suspend the international telecommunication service, either generally or only for certain relations and/or for certain kinds of correspondence” (Art. 35, Suspension of Services, emphasis added).

“Member States agree to take all possible measures . . . to ensur[e] the secrecy of international correspondence[, but] . . . reserve the right to communicate such corre­spondence to the competent authorities in order to ensure the application of their national laws or the execution of international conventions to which they are parties” (Art. 37, Secrecy of Telecommunications).

One proposal by the United Arab Emirates aims to replicate these measures in three new clauses to be added to the ITRs (Art. 7.3, 7.5 and 7.6, respectively), allowing such norms to do double-duty as high-level principles and day-to-day regulatory guidelines. The U.S. opposes the move, not because it sees telecoms and internet as a kind of global commons beyond the reach of harsh geopolitical concerns, but likely because the ITU already reflects the fact that national security concerns trump everything, and because it would not be unduly constrained by global norms anyway.  The US response to the UAE proposal is clear on the point: “We support retaining these provisions in the CS [constitution] and do not agree with . . . duplicating them in the ITRs”.

Cyberwar and the Fifth Domain of Battle: Militarization of the Internet versus Global Commons

The U.S. also refuses to be drawn into the proposals bandied about by Russia (mostly), China and a few other powerful military states over the past decade, this time to add a sprawling new section to the ITRs covering cybercrime, national security and cyberwar issues (Article 8A). The U.S. has rebuffed these moves for the same reasons mentioned above and, more to the point, because behind the veil of its global-internet-freedom-as- foreign-policy rhetoric is its more pressing conviction that the internet is now the fifth domain of war, alongside land, sea, air and space, a terrain where it grandiosely seeks to assert total infosphere dominance.

Seen in this context, overtures to “network defense and response to cyberattacks” (Article 8A.1) have no chance of adoption, even if setting aside the internet as a global commons under ITU protection outside the field of war might be a good idea. Moreover, and however, that rubicon has already been crossed with Russia believed to have been behind cyber-attacks against Georgia in 2008 and the Obama Administration’s recent admission that it played a role in the Stuxnet attacks against Iranian nuclear facilities.

Bearing those points in mind, Russian proposals to carve out new rules of cyberwar are hypocrisy, while the acknowledged facts of U.S. military policy means that it will dismiss such notions out of hand. Based on this, worries that additions to the ITRs intended to deal with such matters could serve as a Trojan horse for repressive controls over the internet can probably be safely tossed aside. It is worth noting, however, that amidst all the hand-wringing over the ITU threat to the internet, no one, as far as I know, touches upon how the hard realities of military power shape global telecom and internet policy, instead settling into numbing nostrums that pit the state against the individual.

A Laundry List of Many Items with Potentially Really Big Implications

Beyond the stance of the U.S. on the above matters, and questions of network defense and cyberwar, Article 8A starts off innocently enough, but quickly opens into a chamber house of horrors. It blandly refers to “confidence and security” in the title and the need to garner trust in online spaces (true enough), followed by a list of technical-sounding proposals about network security, data retention, data protection, fraud, spam, and so on.

Some of these principles are worthy of discussion, but the way they have been teed up for WCIT utterly fails to inspire confidence or hope. The measures are spearheaded by Russia and supported by China, with the latter telling us in the notes accompanying the proposals that new tools and rules are needed to:

“. . . protect the security of ICT infrastructure, misuse of ICTs, respect and protection of user information, build a fair, secure and trustworthy cyberspace . . . [with] new articles on network security in the ITRs”.

There is also a sundry list of other items included in the proposed new Article 8A as well as others drawn from recommendations at past conferences that deal with child online protection, fraud, user identity, etc.  One by one, most of these measures are reasonable, and most countries are dealing, on their own and in cooperation with one another, with all of them already.

Looking across all these proposals, however, reveals a raft of threats that, in their entirety, would usher in the foundation of controlled and closed national internet spaces that are subordinate to the unbound power of the state in every way:

• Anonymity and Online Identity are implicated in repeated references to the need for users to have a recognized identity. This comports well with laws in countries such as China that require internet users to tie their online identity to the ‘real-name’ identity but if identifiability is the first step to regulability, as Lawrence Lessig claimed a decade ago, than this raft of references insisting on the need for online identity is a problem (e.g. proposed new Art. 3.6, 6.10, 8A.7, 8A.8). As ISOC states, such moves entail a “very active and inappropriate role in patrolling newly defined standards of behaviour on telecommunication and internet networks and in services”. I agree;

• Privacy as well as Data Collection, Retention and Disclosure are mentioned as being critically important values several times (Articles 3.6, 8A.1, 8A.3, 8A.4) but are hemmed in by the repressive national security norms described above. While the wave of telecom and web monitoring bills currently under consideration just in the US (CISPA), Canada (Bill C-30) and the UK (Communications Data Bill) suggests that there is a need to reign in governments’ strong inclination to apply new surveillance and security measures to the internet, proposed changes to the ITRs would likely pressure telecom providers and ISPs to maximize rather than minimize the amount of personal data they collect, retain and disclose to state authorities.

• Internet content regulation is seen as a threat scattered across many proposed changes to the ITRs but I think most of these claims are, as noted above, overblown. This threat, however, does loom large, but is mostly concentrated in a proposal to add the new Article 8A to the ITRs. Focusing our attention there, I agree with ISOC that the new rules could speed along and legitimate the development of national internet content regulation.

The worst examples of this come in two places in the new Article 8A.4 put forward by Russia. The first appears in a passage that reaffirms people’s “unrestricted” right to use international telecom services but immediately clips such rights with the caveat: “except in cases where . . . telecommunication services are used [to] . . . interfer[e] in the internal affairs or undermin[e] the sovereignty, national security, territorial integrity and public safety of other states”. One can only imagine how such measures might steel the hand of governments intent to interrupt the flow of tweets, Facebook updates, and other social media interactions that have played an important role, for example, in Arab Spring, the Occupy Wall Street protests, Wikileaks, etc. This is an effort to replicate the national security values already found in the Constitution in the ITRs, similar to the proposals of the UAE outlined above, and should be opposed for the same reasons.

Things are made worse yet by including what we might call the ‘anti-Wikileaks’ clause immediately afterwards, a provision that would trump people’s right to communicate when telecom-internet facilities are used “to divulge information of a sensitive nature” (Art. 8A.4). Leaking ‘sensitive information’, however, is not a crime and the idea that the “sensitive nature” of info will serve as a standard has no reference in free speech/press law and ideals. It also assumes an unbound conception of the state’s security interests, and gives it carte blanche to do as it pleases.

It is impossible to reconcile such prohibitions against info disclosure/publishing/leaking with the goal of furthering the development of a global and open internet or the right to communicate and of the free press. Accepting such a standard would be a much more potent Wikileaks killer than the heavy-handed measures that have already been used by the U.S. because it would give a legal sheen to what the U.S. has had to do so far by skirting around the edge of its on laws. Through such a clause, states would have free reign to crackdown on whistle-blowers with impunity and without limits.

A Few Final Thoughts

This exercise has forced me to change my views. The proposed additions and changes to the ITRs are worse than I thought. It is important that proposals now on the table for discussion at the upcoming WCIT get as much critical scrutiny as they can, and seen in that light, the WCITleaks site created by the folks at the Technology Liberation Front is a very useful tool.

That said, the analysis of the ITU and the proposed changes afoot have been largely strained through the prism of ideology, indiscriminately jumbling together overblown claims with real insights. As far as I can see, it is not the myriad of small changes to one section of the ITRs after another that constitute the major problem, but rather a set of issues that are mostly clustered in proposals by Russia, and supported by China, to add new sections to Article 8.  The damage such proposals could do to unsettled internet policy issues related to anonymity and online identity, privacy and personal data protection, as well as internet content regulation are enormous and can hardly be exaggerated.

On a more modest note, I understand that there is a battle over language that will occur in other sections, notably in Articles 1 and 2 over the definition of telecoms, with those who believe that the ITU does not cover the internet rejecting at every turn proposals by those who do to pepper the ITRs with explicit references to the internet. I believe the ITU’s authority already covers the internet, but understand that the politics of language will play a big role as countries stake out their turf on the matter.

I see no new global internet tax on the horizon and do not believe that references to spam are the thin of the wedge that will lead to national internet content regulations being imposed in one country after another. The truly awesome power of the state over communications, including the internet, however, comes into view as soon as we realize how stilted the existing ITU framework is in favour of national security imperatives.

Indeed, national security appears to trump everything, including the right to communicate and the free press. The fact that such norms are derived from a history of suppressing popular uprisings in Europe ought to make us think long and hard about their continued role amidst the political uprisings and revolts sweeping the world. Attempts by the UAE and Russia (with the support of China) to replicate repressive national security values in the ITRs through additions to Articles 7 and 8, respectively, do pose a threat to an open internet and political protest the world over.

This is important, too, because while I doubt that such measures have much chance of succeeding, they mesh with certain trends that define our times, with moves aplenty to impose comprehensive telecom and web monitoring plans in one country after another, as well as the copyright maximalist agenda that is turning telecom-ISPs across the world into internet cops on behalf of the media and entertainment industries. Such initiatives will continue with or without changes to the ITRs, which also highlights the reality that the ITU’s influence in these affairs is limited and not omnipotent.

Even if the most repressive aspects of proposed changes and additions to the ITRs were approved, this would not bind the whole world to implementing a single internet model. It would, however, bless the national Web 3.0 spaces that are already being built on the basis of three layers of control: (1) the systematic use of filtering and blocking to deny access to restricted websites and the recognition of such measures in national law; (2) dominance of national internet-media spaces by national champions (Baidu, Tencent, Yandex, Vkontakte, Facebook, Google, Apple, etc.) and (3) the active use of government-driven internet-media-communication campaigns (propaganda) to shape the total information environment (See Deibert & Rohozinski, ch. 2). The changes to the ITRs being sought by some countries, notably Russia and China, would add a fourth layer – international norms steeped in 19th century models of state security – that would further entrench the web 3.0 model and further lay waste to more important international norms associated with the right to communicate and free press.