When you’re planning a project, it can be difficult to know which organisations or people could access or affect your data. The book Ways to Practise Responsible Development Data (from page 61 onwards) has more detail on which legislation might affect projects, and what kind of questions to ask.
But how do you know if governments are demanding data that you or other people have stored on third-party online services like Google or Twitter? As WITNESS explains:
One valuable set of resources for learning more about this issue…are the transparency reports that Internet-based companies are increasingly producing [to inform]…their users around the world about the demands that governments are making on the companies to hand over users’ data and take down their content.
These reports vary by company, but can include information on which countries asked the company to take down content, at what times and what kinds of content they were targeting. For example, Twitter claimed in a blog post that they ‘denied several requests to silence popular critics of the Russian government and other demands to limit speech about non-violent demonstrations in Ukraine’. WITNESS is currently using these transparency reports to research the causes and effects of content takedowns, and what can be done in response.
Access has more examples of the ways in which companies are producing transparency reports in countries like Nepal:
TeliaSonera, a Swedish-Finnish telco, continues to lead transparency reporting on major incidents impacting freedom of expression. According to the company, these include “mass surveillance initiated by national security authorities, shutting-down of networks or blocking or restricting of access to telecom services or networks.” (Their focus on these issues is timely, since network disruptions abound, such as in the Democratic Republic of Congo in 2015.)
If these reports cover a country where you’re working, you may be able to use them to produce a more informed assessment of the threats that you are facing. However, Social Media Exchange (SMEX) suggests that these transparency reports have limited usefulness for advocacy towards Arab governments and suggests points for improvement:
without greater qualification of the data published, the report’s usefulness to users, researchers, journalists, and advocates is limited…
Users need to know which agencies are asking and on what grounds. In Lebanon’s case, for example, are these requests coming from the President’s office, the Prosecutor General, or the Cybercrime Unit? Is there coordination among them? Without any guarantee of access to information in the country, there’s no sure way to know. Similarly, if Twitter is adhering to local laws, users should know which local laws are being invoked, both to collect the data and in the cases to which they are related.
Using ‘warrant canaries’
The FBI can sometimes demand customer data from US-based internet service providers (ISPs), banks, telecommunications companies and online platforms using a ‘National Security Letter’, which prevents the company from publicly stating that they have received a request. However, as WITNESS says:
there is a tentative workaround — ‘tentative’ because the legality of the maneuver is not entirely clear. It’s called a ‘warrant canary’, and it works very simply. Companies who have never received an NSL simply state that fact on their sites, and if that assertion ever disappears, users and advocates will know that the company has been forced to secretly hand over data to the FBI. It’s a clumsy mechanism that doesn’t offer much clarity, but it’s the best tool that is available under the current rules.
To collect and monitor these warrant canaries, the Canary Watch site has recently been launched by the Electronic Frontier Foundation, the Berkman Center at Harvard, New York University’s Technology Law & Policy Clinic and Calyx Institute.
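If you want to watch a canary yourself, the check comes down to comparing saved copies of a company's page over time. The sketch below is an added example, not code from Canary Watch or any of the organisations named here; the company name, the wording of the assertion, the dates and the snapshot texts are all constructed, and it assumes you already save the page text yourself (with `None` recorded when the page could not be fetched).

```python
import re
import unicodedata

def normalise(text):
    """Fold case, Unicode forms and whitespace so cosmetic edits do not look like removal."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", text).strip()

def canary_events(snapshots, assertion):
    """snapshots: (date, page_text or None) in date order; None means the fetch failed.
    Returns a (date, state) entry each time the state changes."""
    wanted = normalise(assertion)
    events, last, seen_present = [], None, False
    for date, text in snapshots:
        if text is None:
            state = "unreachable"   # outage: says nothing about the canary itself
        elif wanted in normalise(text):
            state = "present"
            seen_present = True
        elif seen_present:
            state = "removed"       # the assertion was published and is now gone
        else:
            state = "never_seen"    # no canary was ever published, so no signal
        if state != last:
            events.append((date, state))
            last = state
    return events

# Constructed sample data: a hypothetical company and made-up page texts.
ASSERTION = "has never received a National Security Letter"
SNAPSHOTS = [
    ("2015-01-01", "Example Co  has never received a\nNational Security Letter."),
    ("2015-02-01", None),
    ("2015-03-01", "EXAMPLE CO HAS NEVER RECEIVED A NATIONAL SECURITY LETTER."),
    ("2015-04-01", "Example Co transparency page. Last updated April 2015."),
]

if __name__ == "__main__":
    for date, state in canary_events(SNAPSHOTS, ASSERTION):
        print(date, state)
```

A "removed" result only tells you that the wording is no longer on the page; a site redesign or a rewritten statement produces the same result, so read the page before drawing conclusions.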
More generally, some transparency reports suggest that collecting less data can mean less interest from government agencies. Reddit’s recently published transparency report indicates that the site received 55 requests for user data in 2014, compared with around 35,000 requests for Facebook data in the first six months of 2014. The site only collects an email address and password, and deletes all IP addresses that it collects after 90 days. (The Electronic Frontier Foundation has more on the good things about Reddit’s transparency report.)