[liberationtech] GNI in the news and it's not looking hot

[Jacob Appelbaum]

On 03/08/2011 08:45 AM, Rebecca MacKinnon wrote:
> Hey there Jake,
> 
> As you know I'm on the GNI board and have been involved with it from
> the beginning. Everything I'm about to write represents nobody else's
> opinion but my own.
> 

You're one of the people that I thought of when I thought of a person
with an impossible job. You clearly care and your heart is in the right
place.

> I will leave it to GNI corporate participants named in your e-mail to
> respond to your critiques or not as they see fit. Video of the panel
> you mentioned can be found here:
> http://fora.tv/2009/05/04/Corporate_Responsibility_and_Complicity
> 

Most of my experience after the fact was not on camera as my questions
were not accepted during the panel.

> You have put your finger on the obvious fact that GNI is not a high
> bar. As you rightly point out, the fact that so many companies can't
> even be bothered to meet GNI standards and commit publicly to a few
> baseline principles on free expression and privacy is patently
> outrageous.
> 

Agreed. I think that there is a key thing to realize here - many company
may exceed the GNI standards but they're just not pushing an agenda of
joining the GNI or publicizing it.

> I agree that if large numbers of companies were to join GNI, many of
> the problems you and I and others on this list are concerned about
> are going to be far from solved. The need for viable non-commercial,
> user-friendly, decentralized and distributed alternatives to
> commercial platforms and networks is critical. The need for more
> aggressive activism of all kinds is urgent. More public
> awareness-raising is urgent. Efforts like Shava's nascent privacy
> icon project are important and necessary. There needs to be better
> and more intelligent public policy coming from nations that call
> themselves democracies. I could go on and on about all of the things
> that are urgently needed.  We need a massive ecosystem of efforts.

I think we're in total agreement here.

> But I do not agree that GNI is a "corporate-washing joke."
> 

I know that you feel hopeful about GNI.

> Based on my own involvement with the organization over the past few
> years, while I think that GNI is only one step forward, and like all
> multi-stakeholder initiatives involves compromise, I nonetheless do
> believe that it's a step in the right direction.  I do believe that
> the world's most politically vulnerable Internet and mobile users
> will be better off if Internet and telecoms companies join GNI than
> if they don't. If GNI prevents even one person going to jail and
> having their life ruined, or enables even one more activist group to
> get its message out at a critical moment when it otherwise would have
> been foiled, then to me that is worth it even though it falls short
> of how things ought to be in the ideal world.
> 

I'm not convinced. I agree that it will good if people aren't jailed but
it's not as simple as you propose.

How many people will be jailed by these same corporations for following
CALEA laws in the USA? Will people choose their services because they're
respecting human rights and are part of the GNI only to fall afoul of
the so called lawful interception systems?

None of these companies appears to be fighting against interception in
the USA. The GNI does not seem to encourage companies to resist CALEA or
to work for better laws.

So - overall, what's the gain? The gain is a brand boost without a clear
metric for reduction of actual human suffering across the board.

Only Google appears to have done something in this department with their
transparency reports[0] but its still far from great.

> Here are a few ways I think GNI has made a difference: - While none
> of the GNI member companies are perfect and some are doing better
> than others, the human rights assessments that they've started to do
> as GNI members has helped member companies avoid some screwups which
> we'll never know about because they never happened. 

That's an interesting issue - how do we measure things that never happen?

> Yahoo, for
> instance, after conducting a human rights assessment decided to run
> its Vietnamese service out of Singapore in order to avoid being
> complicit in jailing dissidents as it was in China. 

Why not change the nature of the services offered to make it impossible
to jail people in whatever country is desiring of this?

We need fundamental changes to the structure of services offered.
Jurisdiction hopping is a cute law hack but I sincerely doubt it's going
to work for much longer.

In any case, it's not like the Vietnamese government can't compromise a
Yahoo! mail account - they don't need Yahoo!'s help directly, they just
need Yahoo! to continue down the path of the security status quo.

We know that this happens in Vietnam - the keyboard driver backdoor[1]
written about by Ethan a few years ago explores this issue.

- Most companies
> have little or no in-house human rights expertise. GNI membership
> gives companies a channel through which to seek advice from human
> rights groups before making decisions about certain details of
> certain products and services, or deciding how to manage problems
> that crop up. I assure you, this channel is used with great
> regularity in ways the human rights groups would not want to be
> involved with if they didn't think they were making a real difference
> for real people. 

In my experience, I'd agree. Many companies lack human rights expertise
and this does sound like it might be a good channel for discussion.

> For example: while there are plenty of issues with
> Microsoft, I think that their ties to the human rights community
> through GNI enabled them to respond to the mess they found themselves
> in in Russia more intelligently and helpfully than they would have if
> the same thing had happened before they joined GNI. [1] -

This is a difficult topic for me. I do not feel entirely informed on the
issue. It's good to hear that GNI may have impacted Microsoft's decision
making process and that shouldn't be discounted.

It seems that Microsoft entrenched themselves deeper while perhaps
adequately thwarting a specific tactic of government repression. I am
entirely unclear on the actual level of success here and I have no idea
how one may measure long term impact of this kind of action.

Now people in Russian NGOs are safe from licensing issues but the
Russian authorities may use Microsoft forensic tools[2] to attack them.

That's a strange trade off and I don't really understand a metric to
measure progress for events of this nature. I'd be curious to see how
GNI wants to value these kinds of trades. Is this like carbon credits?
human justice credits perhaps?

>  GNI has
> gotten at least some investors to start including free expression and
> privacy in their ethical investing criteria. Before 2005 the
> investment community screened companies for labor, environment,
> sustainability etc, but not for free expression and privacy. In fact
> it hadn't occurred to the "ethical investing" community that this was
> an issue. They're learning fast now and a growing number are starting
> to include free expression and privacy in their investment criteria.

That's a great idea - how do they measure that? What investment firms do
this in public today?

> While we've seen from the environmental and sustainability movements
> that it can take a long time to influence entire industries in this
> way, over time the criteria of ethical investors can make a
> difference in how companies impact the lives of human beings all over
> the world. - The GNI principles take the Universal Declaration of
> Human Rights and a body of other international human rights law and
> articulate how those pre-internet concepts should be upheld by
> Internet and telecommunications business. [2] Beyond GNI, investors,
> civil society, policymakers, and even non-GNI companies are starting
> to use the principles in a range of contexts that I believe are
> meaningful though hard to quantify at this stage.
> 

Which of the GNI are opposing CALEA, National Security Letters, sealed
court orders, and taking governments to task for their abuses?

Which corporations in the GNI are fighting against the abuses that
exploit user trust in corporate systems to harm users across the board?

Which corporations are building, funding, fielding or improving systems
that make those kinds of orders impossible to execute without informing
the user directly?

> GNI is one organism in a very young and fragile ecosystem of groups
> and coalitions trying to defend and protect civil liberties and human
> rights in digital spaces. As with the environmental movement and
> other movements, this cause is going to require a much more robust
> ecosystem of diverse efforts over many years in order to ensure that
> the net momentum is in a more forward than backward direction. In the
> environmental movement, some organizations and initiatives have seen
> value in working with corporations or governments or both to achieve
> baby steps forward. Others are opposed to compromise and insist on
> radical alternatives as the only course. All points on the spectrum
> need to exist in order to make any progress at all.
> 

I agree that we need many points of resistance and many voices for change.

This does not change that I think those leaked spying guides are
indicative of a major failure of GNI. For one - why did those guides
have to be leaked in the first place? How about some transparency that
is really available to everyday users at risk?

Additionally, those guides indicate that these companies still build
systems that are unable to stand up to someone with basic access. This
does not bode well for targeted hacking such as the Aurora attacks as
the actual technical core isn't solid. It is rumored that the Aurora
attackers had access to legal intercept equipment - so that's probably a
pretty bad deal if true.

It doesn't help that the policy and public rhetoric of most corporations
isn't much better.

Essentially all of this amounts to security, privacy, and support of so
called human rights by policy, rather than by technology design.

> Members of this ecosystem certainly need to be able to handle - and
> should welcome - criticism of one another, along with major
> philosophical disagreements. However I hope that we can all
> fundamentally respect each others' shared intentions and goals.
> 

I respect your work on this issue.

It should be stressed that corporations aren't people and I hold them to
a much higher standard.

California should have revoked Yahoo!'s corporate charter when they let
Shi Tao rot in jail. It almost doesn't matter what efforts they made
after the fact with Dr. Rice on her trip to China; the damage was
already done.

I'm glad to know that they gave his wife an undisclosed sum of money.
I'm sad to hear that he'll lose ten years of his life because Yahoo!
didn't consider that their logging might impact people negatively. What
have they changed about this? What press release implores other
companies to never fall into this trap again?

All the best,
Jake

[0] http://www.google.com/transparencyreport/governmentrequests/
[1]
http://www.ethanzuckerman.com/blog/2010/04/01/is-vietnam-conducting-surveillance-via-malware/
[2] http://en.wikipedia.org/wiki/Computer_Online_Forensic_Evidence_Extractor