Digital Sovereignty and the Future of the Internet
Introduction: The New Guard Posts of Cyberspace
The common wisdom used to be that the internet would inevitably make societies more open and free. It would connect people, cutting across cultural and political boundaries. It would offer new opportunities for self-expression. It would give every human being with an internet connection access to the world’s accumulated stores of knowledge and to the digital public square, along with the ability to be their own one-person publishing house. It would be, in the words of internet pioneer John Perry Barlow’s influential 1996 “Declaration of the Independence of Cyberspace,” “the new home of Mind,” far above the governments that were futilely attempting to “ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace.”1John Perry Barlow, “A Declaration of the Independence of Cyberspace,” archived at the John Perry Barlow Library (digital), Electronic Frontier Foundation, February 8, 1996, eff.org/cyberspace-independence Then, the internet was largely viewed as simply too decentralized, too massive, and too untameable for any repressive government to fully and indefinitely control.
Few people would make such optimistic pronouncements today about either the internet’s inevitably liberalizing effect or its irrepressibility. Between a rising tide of governmental regulation of the digital sphere, and the domination of the digital public square by a handful of social media giants, it turns out that the internet is in fact much more vulnerable to top-down controls than its early techno-utopian champions would have predicted.2One internet pioneer who did warn about this control was Lawrence Lessig, who wrote in his 1999 work Code: And Other Laws of Cyberspace that “There is no reason to believe that architects of the second generation” of the internet would not implement top-down controls, and warned against assuming that “this initial flash of freedom will not be short-lived.” Barlow himself later admitted that he was overly optimistic about the surveillance potential of the internet, saying in one 2015 interview that “I felt that if I were persuasive enough in giving a vision of the future in which the Internet was inherently free and could not be controlled we had a better shot at it. . . I could also see there was never a better system that could inherently be extended for surveillance. Ever. I knew that. I wasn’t stupid. I just wanted to pretend that was not the future.” David Hershkovits, “John Perry Barlow Talks Acid, Cyber-Independence and his Friendship with JFK Jr.,” Paper, April 22, 2015, papermag.com/john-perry-barlow-talks-acid-cyber-independence-and-his-friendship-wit-1427554020.html Additionally, as societies grapple with the digital spread of extremism, disinformation, hate, and harassment, experts and everyday people alike are now calling for greater regulation of social media and other tech titans. Few people now advocate Barlow’s call for all governments to simply “leave us alone.”
Today, governments across the globe are arguing for new powers to regulate the internet within their countries’ borders for national security, economic health, and other fundamental reasons. Much of this new negotiation for control is occurring between governments and the technology corporations that host and arbitrate online public discourse. Still other aspects of this renegotiation involve who controls how the global internet functions at a basic level.
In this struggle for control, there is potential for multiple bad outcomes—including further concentration of power in the hands of states or corporations, the erosion of human rights norms, and the subversion of the internet’s continued potential as a space for expression, emancipation, and cultural exchange.
As governments redraw the boundaries of their own authority over the internet, many leaders have endorsed or invoked “digital sovereignty,” a phrase intended to explain and legitimize more expansive governmental regulation of the digital sphere in the national interest. But different governments have vastly different interpretations of what this sovereignty actually entails–which “sovereign” rights governments should have over their nations’ internet, what the strategic goals of such “sovereignty” should be, and what constitutes national interest.
Because the internet traverses boundaries, many of these “sovereignty” efforts will have effects that stretch beyond any one country’s domestic space or the experiences of its own citizens. Analysts and experts have warned that governmental efforts to silo the internet or our data into national boxes, or to impose conflicting national laws on the internet broadly, risk fragmenting the internet and undermining its connective potential. Moreover, authoritarian leaders have invoked their “sovereignty” to enshrine the power of the state—through rhetoric, through law and regulation, and through technological developments—in ways that either foreseeably or explicitly contravene human rights, including freedom of expression, privacy rights, and the right to be free of arbitrary detention or other acts of state-sponsored violence and repression.
All this is happening as governments the world over increasingly adopt their future model of internet governance—including fundamental decisions as to what level of digital freedom they afford their populaces. These decisions increasingly intersect with great power politics, as the digital arena emerges as a new front in the increasingly competitive relationship between the United States and China, so that internet governance and infrastructure now represent a new axis of geopolitical contention.
The framework of digital sovereignty has become popular in part because it appears to offer governments a set of tools to address peoples’ serious and legitimate concerns about unaccountable large foreign corporations—from telecommunications companies who control the infrastructure of the internet, to the handful of social media companies whose algorithms can influence human behavior and whose business model is based on the collection and commercialization of people’s data.
Yet as governments renegotiate the terms of their power over the functioning of the internet, the result can be an increase in digitally-facilitated repression. Governments the world over have passed new laws mandating data localization, granting them new powers over their citizens’ data and new levers of control over transnational corporations; they have pressured or forced companies to trigger digital shutdowns, becoming complicit in repression; they have demanded content takedowns and other forms of censorship. Companies’ compliance is often predicated on the argument that they must comply with national law—yet this compliance inevitably conflicts with these same companies’ responsibilities to uphold human rights.
The future shape of the internet is actively being decided, and along with it, the extent of our rights to freely access information and express ourselves online. That makes this an issue of fundamental importance for those concerned with freedom of expression, cultural interchange, and our human rights both on and offline.
PEN America’s analysis and engagement on these issues is motivated by our commitment to the PEN Charter, first drafted in 1948, which commits PEN Members to “the principle of unhampered transmission of thought within each nation and between all nations.”3“PEN International Charter,” PEN International, pen-international.org/who-we-are/the-pen-charter Today, this principle is most embodied by the global internet—the network that allows human beings to communicate across national boundaries and enables information, opinion, and expression to flourish freely. Today this global project is facing increased threat—and demands defending.
In producing this report, PEN America draws upon interviews with more than a dozen experts and advocates on internet policy, digital rights, and country-specific issues, as well as from our review of sources including relevant national legislation and regulations, scholarly and news articles, civil society reports, and international norms and standards.
This report begins by identifying and distinguishing between differing conceptions of digital sovereignty, examining the authoritarian origins of the concept alongside its subsequent broader application by governments across the political spectrum, and explaining how the different baseline rights protections within different countries influence how many sovereignty proposals play out in practice. In the second section, we examine how authoritarian countries are pushing for a new model of a more nationalized internet, domestically and on the international stage, threatening to splinter the internet into increasingly disconnected and incompatible networks. We then explore how governments are attempting to re-balance their relationship with the online service providers who control substantial aspects of our digital reality, focusing on how rights-repressive governments specifically have developed or accelerated regulatory tactics to compel or induce corporations to comply with abusive demands. Such tactics, we explain, illustrate how calls for corporate accountability must be thought through with care, to avoid simply handing governments new powers they can use for political ends. Finally, we explain how rising US-China tensions are changing the terms of the debate over global digital regulation, before evaluating calls for a new form of digital democratic multilateralism. We end this report with a call for a global approach to digital regulation that affirms the primacy of human rights and global connectivity, and for a greater corporate commitment to international human rights standards in the face of repressive national dictates.
Section I: Digital Sovereignty, Digital “Deciders,” and the Future of the Internet
At its most basic, the doctrine of digital sovereignty holds that governments should be able to exercise sovereign control over both the infrastructure and the content of the digital realm within their own borders, in order to better serve their national interests.4See generally Julia Pohle and Thorsten Thiel, “Digital Sovereignty,” Internet Policy Review 9, no. 4 (December 17, 2020): policyreview.info/concepts/digital-sovereignty Yet because governments define their national interests so differently, the way this sovereignty is invoked varies vastly.5Julia Pohle and Thorsten Thiel, “Digital Sovereignty,” Internet Policy Review 9, no. 4 (December 17, 2020): policyreview.info/concepts/digital-sovereignty (“Today, the concept of digital sovereignty is being deployed in a number of political and economic arenas, from more centralised and authoritarian countries to liberal democracies. It has acquired a large variety of connotations, variants and changing qualities. Its specific meaning varies according to the different national settings and actor arrangements but also depending on the kind of self-determination these actors emphasise”). Note: While there has been an increasing usage of the term to refer to individual digital sovereignty—that is, an individual person’s sovereignty over their digital data—that usage is less common. Here, unless otherwise specified, PEN America refers to digital sovereignty in terms of the state.
As a doctrine, digital sovereignty suffers from an unfortunate starting point—its earliest proponents have been authoritarian leaders who subscribe to a vision of sovereignty that gives them substantial power to restrict or violate the rights of their own citizens. These leaders have invoked this notion of sovereignty over the digital sphere as a justification for the privileges of state, and as a convenient justification for digital repression. Today, authoritarian governments have not only implemented this framework of digital sovereignty domestically, but—as this report discusses in greater detail—have pushed for it on the global stage.
In recent years, however, many others have begun invoking digital sovereignty: from key leaders within the European Union, who invoke it as a framework for more muscular regulation, to regulators in countries with developing digital economies who argue this sovereignty offers them a shield to defend their citizens and businesses from unaccountable foreign actors. The extent to which these actors are able to re-package digital sovereignty to fit within a democratic and rights-respecting framework, while avoiding the temptation to accrue dangerous or injurious new powers over the digital space, will play a large role in determining the future of the global internet.
Under this approach, the state is empowered to act as the ultimate gatekeeper for all digital information entering or exiting the country, as well as the manager of all information flows within the country.8Interview with Alena Epifanova, Research Fellow, International Order and Democracy, German Council of Foreign Relations, October 6, 2020 (“the state becomes the main gatekeeper for digital information. The state decides which information will come into the country, and the state is also the main regulator or manager of information flow within the country.”) This empowerment exempts the government from any obligation to ensure the free flow of information across—or even within—national borders, allowing an authoritarian state to place its own prerogatives over its citizens’ rights. Such centralized state control allows the government to hardwire digital censorship and surveillance into the state’s regulatory and technological infrastructure.
This authoritarian framework of digital sovereignty also gives precedence to considerations of national security, treating the free movement of information as inherently hostile and dangerous, and enabling rights-abusive measures in the name of the national interest. As Konstantinos Komaitis, the policy director of the Internet Society, describes it, this conception of digital sovereignty is one that is “predominantly attached to notions of national security and securitization,” or in other words, “all about the right of national governments to supervise, regulate, and censor all electronic content that passes through its borders.”9Konstantinos Komaitis, “Sovereignty Strikes the internet: When Two Don’t Become One,” The Conversation, April 2, 2020, komaitis.org/the-conversation/category/sovereignty
From the beginning, supporters of this view of digital sovereignty have essentially admitted that this formulation explicitly contravenes human rights guarantees. In 2011, member states of the Shanghai Cooperation Organization (SCO)—a Beijing-initiated intergovernmental grouping that then consisted of China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan10In 2017, India and Pakistan joined the SCO.—submitted to the UN General Assembly a proposed International Code of Conduct for Information Security, an attempt to develop new norms for digital regulation that would have given their view of digital sovereignty the status of an international standard. In the Code, SCO members called for an affirmation that “policy authority for Internet-related public issues is the sovereign right of States, which have rights and responsibilities for international Internet-related public policy issues.”11Sarah McKune, “An Analysis of the International Code of Conduct for Information Security,” The Citizen Lab, accessed May 14, 2021, September 15, 2018, citizenlab.ca/2015/09/international-code-of-conduct The Code—which was not adopted12In 2015, SCO members proposed a largely similar version of the Code, which was similarly not adopted. Sarah McKune, “An Analysis of the International Code of Conduct for Information Security,” The Citizen Lab, accessed May 14, 2021, September 15, 2018, citizenlab.ca/2015/09/international-code-of-conduct—also argued that “rights and freedom to search for, acquire, and disseminate information” was predicated on “complying with relevant national laws and regulations,” a formulation incompatible with human rights law.13Sarah McKune, “An Analysis of the International Code of Conduct for Information Security,” The Citizen Lab, accessed May 14, 2021, September 15, 2018, citizenlab.ca/2015/09/international-code-of-conduct In addition, the Code would have bound states to a pledge not to use the internet to “interfere in the internal affairs of other States,” a digital corollary to the long-standing authoritarian rhetoric that human rights advocacy represents interference in their domestic affairs.14Sarah McKune, “An Analysis of the International Code of Conduct for Information Security,” The Citizen Lab, accessed May 14, 2021, September 15, 2018, citizenlab.ca/2015/09/international-code-of-conduct; see e.g. Yu-Jie Chen, “China’s Challenge to the International Human Rights Regime,” New York University Journal of International Law and Politics 51, no. 4 (Summer 2019): 1179–1222, nyujilp.org/wp-content/uploads/2019/09/NYI403.pdf
The Chinese internet experience, as PEN America documented in its 2018 report Forbidden Feeds, is one circumscribed by centralized state control: the world’s most systemic and sophisticated censorship system, lack of privacy protections from state security services, and advanced filtering capabilities that block or surveil access to much of the global internet behind the country’s Great Firewall.15“Forbidden Feeds: Government Controls on Social Media in China,” PEN America, March 13, 2018, pen.org/wp-content/uploads/2018/06/PEN-America_Forbidden-Feeds-report-6.6.18.pdf In its western Xinjiang region, the ruling Chinese Communist Party has pioneered new forms of digitally-assisted repression, wielding digital technologies to sweep up massive amounts of data and using “predictive policing”-style algorithmic analysis to determine which Uyghurs and other members of ethnic or religious minorities to send to the region’s internment camps.16Bethany Allen-Ebrahimian, “Exposed: China’s Operating Manuals for Mass Internment and Arrest by Algorithm,” International Consortium of Investigative Journalists, November 24, 2019, icij.org/investigations/china-cables/exposed-chinas-operating-manuals-for-mass-internment-and-arrest-by-algorithm/; See also American University School of Communication, “The Future of Internet Freedom: Policy, Technology and Emerging Threats,” YouTube, December 7, 2020, accessed May 11, 2021, youtu.be/UL2f4GzYy-c?t=1056 (comments from Xiao Qiang of China Digital Times: “I see China’s well on its way to developing further the digital technology and control apparatus–[or] if you want to call it the surveillance state apparatus–on top of its ideological state apparatus and a repressive state apparatus such as police and military. This is a whole new level of the state-controlled, or state has access to [sic], including all of China’s private businesses, Internet businesses… So what we’re really seeing is China is on its way, heading to, a digital totalitarianism state.”) This imposition of a digital police state is facilitating systematic crimes against humanity and cultural erasure, a dystopia that would have been unimaginable only decades ago, and illustrates the most extreme risks of a digital sphere deployed purely in service of the state.17“China: Big Data Fuels Crackdown in Minority Region,” Human Rights Watch, February 26, 2018, hrw.org/news/2018/02/26/china-big-data-fuels-crackdown-minority-region# Under the authoritarian view of digital sovereignty, employing such technology to facilitate abusive policies is not only permissible, but in furtherance of legitimate government aims.
As this report will examine, China and Russia in particular have taken a leadership role in modeling or propagating this particular model of digital sovereignty, to the point that some observers have begun referring to it as “the China model” of digital regulation,18Valentin Weber, “The Sinicization of Russia’s Cyber Sovereignty Model,” Council on Foreign Relations, April 1, 2020, cfr.org/blog/sinicization-russias-cyber-sovereignty-model while others warn it represents a “digital authoritarianism.”19Leonid Kovachich and Andrei Kolesnikov, “Digital Authoritarianism With Russian Characteristics?,” Carnegie Moscow Center, April 21, 2021, carnegie.ru/2021/04/21/digital-authoritarianism-with-russian-characteristics-pub-84346; Alina Polyakova and Chris Meserole, “Exporting digital authoritarianism: The Russian and Chinese models,” The Brookings Institution, August 2019, 11, brookings.edu/wp-content/uploads/2019/08/FP_20190827_digital_authoritarianism_polyakova_meserole.pdf
Governments are Adopting and Adapting New Models of Digital Sovereignty
While the concept of digital sovereignty may have originated with Beijing, other actors have since taken up the term. “Years ago, anyone who was talking about cyber sovereignty was assumed to be affiliated with a top-down, authoritarian or at least autocratic internet governance approach,” said Jason Pielemeier, director for policy and strategy at the Global Network Initiative, a multi-stakeholder initiative on human rights in the telecommunications and internet sector. “That’s no longer true. The fact that the European Union, among others, has come to use this idea of sovereignty to refer to technology governance and regulation has made it harder to rely on this language in a meaningful way to distinguish between authoritarian and democratic approaches.”20Interview with Jason Pielemeier, Director for Policy and Strategy, Global Network Initiative, November 9, 2020.
In the past few years, key decision-makers in the European Union (EU) have broadcast their intent to develop a ‘third way’ of digital regulation, a framework for digital sovereignty that rejects both the comparatively regulation-free approach of the American model of internet governance, and the state-centered authoritarian model pioneered by China. In 2018, at the UN-affiliated Internet Governance Forum (IGF), French president Emmanuel Macron called for a “new path” for digital regulation—one he distinguished from the “Californian form of the internet” and the “Chinese internet”—where “governments, along with Internet players, civil societies and all actors are able to regulate properly.”21“IGF 2018 Speech by French President Emmanuel Macron,” Internet Governance Forum, 2018, accessed May 11, 2021, intgovforum.org/multilingual/content/igf-2018-speech-by-french-president-emmanuel-macron At the following IGF, Germany’s Angela Merkel offered similar remarks endorsing a European framework for digital sovereignty, saying:
“What we have to clarify is, what do we mean when we talk about digital sovereignty . . . As I see it, sovereignty does not mean protectionism. It does not mean that a State body can say this or that information may pass through. That would be censorship . . . We are very well aware of the technological advances and companies that developed them, cannot always just be given a free rein. You have to have guardrails in place.”22“German Chancellor’s Remarks to the IGF 2019,” Internet Governance Forum, November 26, 2019, accessed May 11, 2021, intgovforum.org/multilingual/content/german-chancellors-remarks-to-the-igf-2019. Transcript available at intgovforum.org/multilingual/content/igf-2019-%E2%80%93-day-1-%E2%80%93-convention-hall-ii-%E2%80%93-opening-ceremony
Under the European Union’s envisioned framework, the body acts as an attentive regulator, but stops well short of trying to comprehensively control the internet. Instead, its focus is on technological and economic safeguards from foreign actors and tech companies, rather than on state domination of the internet and what is shared on it.23Carla Hobbs, ed., “Europe’s Digital Sovereignty: From Rulemaker to Superpower in the Age of US-China Rivalry,” European Council on Foreign Relations, July 30, 2020, ecfr.eu/publication/europe_digital_sovereignty_rulemaker_superpower_age_us_china_rivalry/; see also Konstantinos Komaitis, “Sovereignty Strikes the internet: When Two Don’t Become One,” The Conversation, April 2, 2020, komaitis.org/the-conversation/category/sovereignty (distinguishing between European, authoritarian, and Indian approaches to sovereignty). Importantly, the EU’s most aggressive actions to achieve this digital sovereignty are positioned as measures to afford individuals substantial personal control and choice over their data.24Tambiama André Madiega, “Digital Sovereignty for Europe,” European Parliament Think Tank, July 2, 2020, europarl.europa.eu/RegData/etudes/BRIE/2020/651992/EPRS_BRI(2020)651992_EN.pdf
This envisioned ‘new path’ of European digital sovereignty is influencing EU legislators’ approach to the upcoming Digital Services Act (DSA) and accompanying Digital Markets Act (DMA), two omnibus digital regulatory bills which came before the European Parliament in December 2020. While the Acts are not expected to be finalized until 2022, the DSA would impose new obligations on social media companies to disclose information to regulators, such as how their algorithms and content takedown processes function. Many of these new obligations will only apply to platforms with more than 45 million users—that is to say, the digital behemoths that have become household names, such as Facebook, YouTube, and TikTok.25Billy Perrigo, “How the E.U’s Sweeping New Regulations Against Big Tech Could Have an Impact Beyond Europe,” Time, December 30, 2020, time.com/5921760/europe-digital-services-act-big-tech/ These laws will be far-reaching in their impact, and rights groups have been quick to warn about provisions that could lead to abuse—such as a proposed mandate that internet companies inform law enforcement of “suspicious criminal offences” from their users.26Iverna McGowan, David Nosak, Emma Llanso, “Feedback to the European Commission’s Draft Proposal on the Digital Services Act,” Center for Democracy and Technology, April 1, 2021, cdt.org/insights/feedback-to-the-european-commissions-consultation-on-the-draft-proposal-on-the-digital-services-act/ On the whole, though, these proposals seek primarily to protect and reinforce, rather than curtail, the agency of EU residents online.
The EU’s ability to effectuate its commitment to human rights within its envisioned framework of digital sovereignty may determine the future of the internet. As the former United Nations Special Rapporteur on Freedom of Opinion and Expression, David Kaye, has warned, European regulators “could show the way toward rights-oriented regulation” across the globe, or they could instead “give cover to those who want to undermine rights in favor of protections against vague concepts like extremism and national security.”27David Kaye, Speech Police: The Global Struggle to Govern the Internet (New York: Columbia Global Reports, 2019).
This is especially the case because the EU is not the only entity seeking to develop its own model of digital sovereignty. Nations with developing digital economies—such as India, Brazil, Indonesia, Nigeria, and various others—have begun invoking digital sovereignty as an organizing principle for their own regulatory frameworks.28Luca Belli, “BRICS countries to build digital sovereignty,” Open Democracy, November 18, 2019, opendemocracy.net/en/hri-2/brics-countries-build-digital-sovereignty/; PTI, “India’s data must be controlled by Indians: Mukesh Ambani,” mint, January 20, 2019, livemint.com/Companies/QMZDxbCufK3O2dJE4xccyI/Indias-data-must-be-controlled-by-Indians-not-by-global-co.html; Chike Onwuegbuchi, “Stakeholders seek stronger data sovereignty initiatives for Nigeria,” The Guardian Nigeria, January 31, 2021, guardian.ng/technology/stakeholders-seek-stronger-data-sovereignty-initiatives-for-nigeria/; Quentin Velluet, “Can Africa salvage its digital sovereignty?” The Africa Report, April 16, 2021, theafricareport.com/80606/can-africa-salvage-its-digital-sovereignty/; Ed Davies and Stanley Widianto, “Indonesia needs to urgently establish data protection law: minister,” Reuters, November 16, 2019, reuters.com/article/us-indonesia-communications/indonesia-needs-to-urgently-establish-data-protection-law-minister-idUSKBN1XQ0B8 India—which has the world’s second largest internet user base29PTI, “Covid-19 pandemic laid threadbare issue of digital divide: Ravi Shankar Prasad,” The Hindustan Times, April 29, 2021, hindustantimes.com/india-news/covid19-pandemic-laid-threadbare-issue-of-digital-divide-ravi-shankar-prasad-101619667722665.html; Kushe Bahl et al., “Global India: Technology to Transform a Connected Nation,” McKinsey Global Institute, March 2019, 23, mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20India%20Technology%20to%20transform%20a%20connected%20nation/MGI-Digital-India-Report-April-2019.pdf—has in particular sought to carve out its own doctrine of digital sovereignty, one predicated around active government intervention in the country’s digital development alongside a model of economic and regulatory protectionism aimed at re-orienting the balance of power between itself and foreign internet companies.30PTI, “India’s data must be controlled by Indians: Mukesh Ambani,” mint, January 20, 2019, livemint.com/Companies/QMZDxbCufK3O2dJE4xccyI/Indias-data-must-be-controlled-by-Indians-not-by-global-co.html Indian regulators have argued for an approach where the state plays an active role in enabling the development of local digital platforms that operate as public goods.31Nandan Nilekani, “India’s Inclusive Internet,” Foreign Affairs, August 13, 2018, foreignaffairs.com/articles/asia/2018-08-13/data-people Yet these proposals are gaining traction at the same time that India is experiencing a backslide in its democratic commitments under the Modi government,32“India: Freedom in the World 2021 Country Report,” Freedom House, accessed May 11, 2021, freedomhouse.org/country/india/freedom-world/2021 (downgrading India from “free” to “partly free”). raising the question as to whether Indian officials will use protectionist measures for the people’s benefit, or for their own.33Karan Deep Singh and Paul Mozur, “As Outbreak Rages, India Orders Critical Social Media Posts to Be Taken Down,” The New York Times, May 1, 2021, nytimes.com/2021/04/25/business/india-covid19-twitter-facebook.html This captures a key concern—that regulators may develop frameworks of digital sovereignty that supposedly protect citizens from unaccountable foreign actors but instead place them at greater risk from their own governments.
Today, digital sovereignty is a contested term, with various actors invoking the doctrine to encompass very different concepts of the state’s powers and role. While the authoritarian meaning of such sovereignty is fairly settled, including in its inherent hostility to human rights, governments across the political spectrum now invoke their sovereignty to advance a broad set of digital policies in furtherance of their own national goals.
What is emerging is a global series of differing national (and in the European Union’s case, regional) frameworks for digital sovereignty. Each of these developing frameworks will be deeply shaped by states’ pre-existing commitments to human rights, rule of law, and stable public institutions. “It’s tricky to figure out how to address some of these digital regulatory problems in countries that lack robust checks and balances or mechanisms for independent oversight,” Freedom House’s Adrian Shahbaz affirmed in his conversation with PEN America, “because even if they have the exact same wording as laws as in other countries, they won’t be implemented in the same way.”34Interview with Adrian Shahbaz, Director for Technology and Democracy, Freedom House, November 9, 2020.
For authoritarians and autocrats, the conceptual ambiguity around digital sovereignty and what it entails in practice is politically useful, allowing them to propose rights-abusive laws, rules, and standards on the global stage while hiding behind the conceptual screen of sovereignty also nominally defended by democratic states and blocs. This ambiguity also enables autocratic rulers to depict their own repressive efforts as fundamentally similar to initiatives from established democracies with rule of law and stable institutions. “Authoritarian governments,” as David Kaye warns, “are taking cues from the loose regulatory talk among democracies.”35David Kaye, Speech Police: The Global Struggle to Govern the Internet (New York: Columbia Global Reports, 2019), 113.
As one analysis from the German Council on Foreign Relations puts it, “both Russian and Chinese leadership understand perfectly that [the] idea of censorship is difficult to sell to a global audience. Therefore, they are mimicking the language and terminology used by many European countries,” in order to camouflage the abusive elements of their digital regulatory policies.36Andrei Soldatov, “Security First, Technology Second,” DGAP, March 7, 2019, dgap.org/en/research/publications/security-first-technology-second Alena Epifanova, a researcher with the German Council, made this point in her conversation with PEN America, drawing on the Russian example: “The Russian government actually uses this lack of clarity around sovereignty to their advantage,” she noted, “as it makes it much easier for them to promote their vision of internet governance—where the internet should be state-centered—on the international level.”37Interview with Alena Epifanova, Research Fellow, International Order and Democracy, German Council on Foreign Relations, October 6, 2020.
All this underscores a vital point: the foundation of any democratic framework for digital sovereignty must, by definition, include a commitment to and continuous investment in people’s digital privacy and free speech, along with a system of rule of law and functioning institutions to guarantee these rights in the face of government or corporate power. Any democratic state invoking such sovereignty must foreground these commitments.
Digital Sovereignty as a Rejection of the American Internet Model
Today, the impulse toward greater digital sovereignty is ascendant, in large part, as a result of significant global concerns over the negative consequences of the hands-off ‘American model’ of digital governance, in addition to the outsized control that both the American government and American-based internet titans appear to have over the global internet.
Firstly, there are valid concerns over the lack of democratic accountability for American internet corporations. In the Global South especially, analysts and advocates have argued that Silicon Valley’s domination of the digital economy has been so lopsided that it constitutes a new phenomenon of “digital colonialism,” for which government intervention is not just desirable but necessary.38Michael Kwet, “Digital colonialism is threatening the Global South,” Al Jazeera, March 13, 2019, aljazeera.com/opinions/2019/3/13/digital-colonialism-is-threatening-the-global-south; Jacqueline Hicks, “‘Digital colonialism’: Why some countries want to take back control over their citizens’ data,” Scroll.in, October 2, 2019, scroll.in/article/938733/digital-colonialism-why-some-countries-want-to-take-back-control-over-their-citizens-data; see also David Kaye, Speech Police: The Global Struggle to Govern the Internet (New York: Columbia Global Reports, 2019), 31-32; Sally Adee, “The global internet is Disintegrating. What Comes Next?” BBC, May 14, 2019, bbc.com/future/article/20190514-the-global-internet-is-disintegrating-what-comes-next (“Nations like Zimbabwe and Djibouti, and Uganda, they don’t want to join an internet that’s just a gateway for Google and Facebook” to colonise their digital spaces, [Maria Farrell of Open Rights Group] says.”). Digital sovereignty is being invoked as a countermeasure to this domination.39Jacqueline Hicks, “‘Digital colonialism’: Why some countries want to take control of their peoples’ data,” Mail & Guardian, September 30, 2019, mg.co.za/article/2019-09-30-digital-colonialism-some-countries-want-to-take-control-of-their-peoples-data/
These fears tie into global alarm over the increasingly apparent, often menacing social effects of the business models for some of the world’s largest technology companies—social media and digital advertising platforms in particular. Academic and author Shoshana Zuboff has forcefully argued that the prevailing model of our digital reality amounts to “surveillance capitalism,” an economic system geared toward the commoditization of people’s personal data.40Shoshana Zuboff, The Age of Surveillance Capitalism: the Fight for A Human Future at a New Frontier of Power (New York: PublicAffairs, 2020).
Secondly, concerns over American intelligence gathering have also fed into the global push for more digital sovereignty. The revelations, exposed in 2013 by Edward Snowden, that US intelligence agencies were engaged in widespread dragnet surveillance of both U.S. and foreign citizens, are almost universally cited as a major impetus for this shift.41Zygmunt Bauman et al., “After Snowden: Rethinking the Impact of Surveillance,” International Political Sociology 8, no. 2 (June 2014): academic.oup.com/ips/article-abstract/8/2/121/1794335?redirectedFrom=fulltext; see also Heikki Heikkilä et al., eds, Journalism and the NSA Revelations: Privacy, Security, and the Press (London: I.B. Tauris, 2017), chap. 8, Google Books, books.google.com/books?hl=en&lr=&id=N7qKDwAAQBAJ&oi=fnd&pg=PA147&dq=defining+digital+sovereignty&ots=Fbre4KMOP5&sig=CiEKB-yYQEbPaFu-O4sI0NlbXbs#v=onepage&q=defining%20digital%20sovereignty&f=false (“In mainstream media around the world, the issues raised by the NSA scandal . . . provoked debate about the US technological monopoly over global information and communication networks. The large-scale exposure of US intelligence capacity bolstered a strong argument for constructing an alternate model for internet governance, both globally and domestically.”); American University School of Communication, “The Future of Internet Freedom: Policy, Technology and Emerging Threats,” YouTube, December 7, 2020, accessed May 11, 2021, https://youtu.be/UL2f4GzYy-c?t=447 (comments by American University professor Aram Sinnreich: “Back when Secretary of State Hillary Clinton first introduced the term ‘internet freedom’ on the world stage a decade ago, America was kind of seen as this gold standard of openness and transparency and accountability. But beginning with the Snowden leaks in 2013, and following through some of the changes to American technological and cultural diplomacy in the Trump era, I think there’s a lot of mistrust poisoning the international waters.”); Akash Kapur, “The Rising Threat of Digital Nationalism,” The Wall Street Journal, November 1, 2019, wsj.com/articles/the-rising-threat-of-digital-nationalism-11572620577; Sally Adee, “The global internet is Disintegrating. What Comes Next?” BBC, May 14, 2019, bbc.com/future/article/20190514-the-global-internet-is-disintegrating-what-comes-next (“Along with every other expert interviewed for this article, Farrell reiterated how unwise it would be underestimate the ongoing reverberations of the Snowden revelations – especially the extent to which they undermined the decider countries’ trust in the open web.”)
In 2015, PEN America conducted our own global survey of writers across 50 countries, to assess the impact of the Snowden revelations on their willingness to write freely. We concluded then that American mass surveillance had “gravely damaged the United States’ reputation as a haven for free expression at home, and a champion of free expression abroad.”42“Global Chilling: The Impact of Mass Surveillance on International Writers,” PEN America, January 5, 2015, pen.org/sites/default/files/globalchilling_2015.pdf It is no surprise, then, that these surveillance programs have had tangible effects on digital policy, spurring other countries to act defensively—either out of the desire to shield their citizens from unaccountable foreign surveillance or out of national security or power-competition considerations.
The development of the European Union’s General Data Protection Regulation, or GDPR, for example, was deeply influenced by the Snowden disclosures, turbocharging European privacy advocates at a crucial point in the process.43Nikhil Kalyanpur, “Today, a new E.U. law transforms privacy rights for everyone. Without Edward Snowden, it might never have happened.” The Washington Post, May 25, 2018, washingtonpost.com/news/monkey-cage/wp/2018/05/25/today-a-new-eu-law-transforms-privacy-rights-for-everyone-without-edward-snowden-it-might-never-have-happened/; Nikhil Kalyanpur and Abraham Newman, “The MNC-Coalition Paradox: Issue Salience, Foreign Firms, and the General Data Protection Regulation,” Journal of Common Market Studies (January 6, 2019): doi.org/10.1111/jcms.12810 The European Parliamentary Committee on Civil Liberties, Justice and Home Affairs was actively investigating the impact of the Snowden disclosures on the rights of EU citizens at exactly the same time that it began evaluating the first formal draft of the regulation.44Hallie Coyne, “The Untold Story of Snowden’s Impact on the GDPR,” Cyber Defense Review (CDR), November 15, 2019, cyberdefensereview.army.mil/Portals/6/Documents/CDR%20Journal%20Articles/Fall%202019/CDR%20V4N2-Fall%202019_COYNE.pdf?ver=2019-11-15-104104-157 The GDPR, adopted in 2016 and becoming enforceable in 2018, created a minimum standard of data protection for all EU internet users, and has become the world’s most significant data protection standard in place today, inspiring other countries—including Argentina, Brazil, Chile, Japan and Kenya—to adopt legislation modeled on it.45Ben Wolford, “What is GDPR, the EU’s new data protection law?,” GDPR.eu, accessed April 26, 2021 gdpr.eu/what-is-gdpr/; Tony Anscombe, “Two years later, has GDPR fulfilled its promise?,” WeLiveSecurity, May 25, 2020, https://www.welivesecurity.com/2020/05/25/two-years-later-has-gdpr-fulfilled-its-promise/; David Ruiz, “GDPR: An impact around the world,” MalwareBytesLabs, April 1, 2020, https://blog.malwarebytes.com/privacy-2/2020/04/gdpr-an-impact-around-the-world/; see also Francesca Lucarini, “The differences between the California Consumer Privacy Act and the GDPR,” Advisera, April 13, 2020, advisera.com/eugdpracademy/blog/2020/04/13/gdpr-vs-ccpa-what-are-the-main-differences/.
In two highly public decisions, the European Court of Justice has ruled that the United States’s privacy protections did not adequately protect Europeans’ data under the GDPR. In 2015, in a case known as the “Schrems decision,” the Court invalidated the “Safe Harbor” arrangement between the US and the EU, which had permitted the transfer of personal data from EU member countries to US-based companies.46Case C-362/14, Maximilian Schrems v Data Protection Commissioner, Judgment of the European Court of Justice (Grand Chamber), 6 October 2015; Viviane Reding, “Digital Sovereignty: Europe at a Crossroads,” European Investment Bank Institute, October 26, 2015, accessed May 11, 2021, institute.eib.org/wp-content/uploads/2016/01/Digital-Sovereignty-Europe-at-a-Crossroads.pdf; Court of Justice of the European Union, “The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid,” press release, October 6, 2015, curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf The Court made a similar decision in 2020, known as the “Schrems II decision,” invalidating the subsequent US-EU data-transfer agreement known as the Privacy Shield.47Case C-311/18, Data Protection Commissioner v Maximillian Schrems, Judgement of the Court of Justice of the European Union (Grand Chamber), 16 July 2020; Caitlin Fennessy, “The ‘Schrems II’ decision: EU-US data transfers in question,” iapp, July 16, 2020, iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/ In both cases, the Court cited a lack of adequate safeguards preventing US intelligence agencies from accessing personal data held by US-based companies.48Case C-362/14, Maximilian Schrems v Data Protection Commissioner, Judgment of the European Court of Justice (Grand Chamber), 6 October 2015; Case C-311/18, Data Protection Commissioner v Maximillian Schrems, Judgement of the Court of Justice of the European Union (Grand Chamber), 16 July 2020
Authoritarian leaders have also been able to leverage these same concerns to pursue their state-centered framework of digital sovereignty, using the Snowden revelations as justification to seek greater state control over the digital sphere. In Russia, Vladimir Putin has played up fears that the internet is controlled or surveilled by American intelligence agencies. In a 2019 televised interview, for example, Putin warned that the internet is the “creation” of Western intelligence agencies, that they “hear, see and read everything that you are saying and they’re collecting security information.” As a result, he argued, Russia “must create a segment [of the internet] which depends on nobody.”49Andrew Roth, “Russia’s great firewall: is it meant to keep information in – or out?” The Guardian, April 28, 2019, theguardian.com/technology/2019/apr/28/russia-great-firewall-sovereign-internet-bill-keeping-information-in-or-out
“For both the EU and Russia,” says Alena Epifanova, a digital regulations researcher at the German Council on Foreign Relations, “much of the conversation about the need for another model of internet governance originates from the Snowden revelations. The EU said, ‘Okay, we can’t trust our US partners. We aren’t sure where the data of our European users would land.’ Russia had the same concern, but followed a different model—towards more centralized state control of the internet.”50Interview with Alena Epifanova, Research Fellow, International Order and Democracy, German Council on Foreign Relations, October 6, 2020.
The National Security Agency’s (NSA) surveillance program is not the only U.S. policy of the past decade that has prompted some governments to seek out greater digital sovereignty. In March of 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, which—among other provisions—formalized the ability of American law enforcement authorities to compel user data and content from American companies regardless of where in the world that data is actually stored.51“H.R.4943 – CLOUD Act,” Congress.gov, accessed April 27, 2021, congress.gov/bill/115th-congress/house-bill/4943 These provisions triggered a new wave of conversation around digital sovereignty, in the name of ensuring the privacy of people’s data in the face of American intelligence agencies. In June 2019, for example, France issued a parliamentary report condemning the CLOUD Act provisions and calling for measures to “restore the sovereignty of France.”52Dan Shefet, “A French Perspective on Extraterritorial Enforcement of U.S. Laws,” The ALI Adviser, December 24, 2019, thealiadviser.org/conflict-of-laws/a-french-perspective-on-extraterritorial-enforcement-of-u-s-laws/
American policymakers, analysts, and rights advocates must be aware of, and responsive to, these concerns, as they participate in the debate over the future of the global internet. It is not enough to respond to rising calls for digital sovereignty by simply insisting on a return to the status quo ante. For too many people, the “American model” of internet governance increasingly represents an unfair playing field for American economic or governance interests.
“Digital Deciders” are Choosing Their Model of Internet Governance
These conversations around sovereignty come at a time when countries across the world and across the political spectrum are actively choosing between different frameworks of digital governance that are on offer, making foundational decisions about what the internet will look like within their borders.
Some analysts point to a large set of “digital deciders,” countries that are essentially opting for either a closed or an open internet.53Sally Adee, “The global internet is disintegrating. What comes next?” BBC, May 14, 2019, bbc.com/future/article/20190514-the-global-internet-is-disintegrating-what-comes-next; Robert Morgus, Jocelyn Woolbright, and Justin Sherman, “The Digital Deciders: How a group of often overlooked countries could hold the keys to the future of the global internet,” New America, October 23, 2018, newamerica.org/cybersecurity-initiative/reports/digital-deciders/ Several of these nations are among the world’s most populous and are rising global leaders, like India, Brazil, Indonesia, and Nigeria. Moreover, these digital deciders include more than two dozen countries that the NGO Freedom House categorizes as Partly Free–such as illiberal democracies and countries slowly transitioning away from authoritarian pasts.54There are 29 countries in total that are both listed by New America as “digital deciders” and by Freedom House as “partly free”: Albania, Armenia, Bolivia, Bosnia and Herzegovina, Colombia, Côte d’Ivoire, Dominican Republic, Ecuador, El Salvador, Georgia, Honduras, India, Indonesia, Kenya, Kuwait, Lebanon, Malaysia, Mexico, Morocco, Nigeria, Pakistan, Papua New Guinea, Paraguay, Peru, Philippines, Serbia, Singapore, Sri Lanka, and Ukraine. “The Digital Deciders: How a group of often overlooked countries could hold the keys to the future of the global internet,” New America, October 23, 2018, newamerica.org/cybersecurity-initiative/reports/digital-deciders/; “Countries and Territories,” Freedom House, 2021, accessed May 14, 2021, freedomhouse.org/countries/freedom-world/scores Former Special Rapporteur David Kaye has warned that it is such countries–the “transitional ones that see-saw between openness and control, that could tip into blossoming democracy or creeping authoritarianism”–that are particularly likely to “borrow” the language of internet regulation and deploy it to rights-injurious ends.55David Kaye, Speech Police: The Global Struggle to Govern the Internet (New York: Columbia Global Reports, 2019). In 2018, researchers from the US-based think tank New America determined, worryingly, that these “digital deciders” are increasingly choosing a more closed internet, not a more open one.56David Kaye, Speech Police: The Global Struggle to Govern the Internet (New York: Columbia Global Reports, 2019).
Recent events may only exacerbate these trends. In the past year alone, for example, the COVID-19 pandemic has served as a useful opportunity—or excuse—for governments to expand their control over the digital realm in the name of safeguarding public health and public order. The International Center for Not-for-Profit Law has identified more than 50 examples of countries introducing or amending laws or policies to criminalize disinformation or otherwise limit free expression in response to the pandemic—including 16 countries on New America’s “digital decider” list57Armenia, Bolivia, Bosnia, Botswana, Colombia, India, Indonesia, Jordan, Kenya, Morocco, Macedonia, Papua New Guinea, Philippines, Serbia, South Africa, and Thailand.—alongside another 40 forms of pandemic-related constraints on free expression.58COVID-19 Civic Freedom Tracker, International Center for Not-for-Profit Law (ICNL), and European Center for Not-for-Profit Law (ECNL), icnl.org/covid19tracker/?location=&issue=4,9&date=&type=1,2,3,4 The substantial majority of these new policies and new constraints touch upon the digital sphere, with many such policies seeking to criminalize or otherwise punish digital “misinformation” about the pandemic.59COVID-19 Civic Freedom Tracker, International Center for Not-for-Profit Law (ICNL), and European Center for Not-for-Profit Law (ECNL), icnl.org/covid19tracker/?location=&issue=4,9&date=&type=1,2,3,4; see also Justin Sherman, “Covid Is Accelerating a Global Censorship Crisis,” Wired, August 30, 2020, wired.com/story/opinion-covid-is-accelerating-a-global-censorship-crisis/ As PEN America has recently noted in its Freedom to Write Index review of the past year, these laws pose an obvious threat to freedom of expression, by granting officials broad new powers to police speech that can easily bleed into repression.60Karin Deutsch Karlekar et al., “Freedom to Write Index 2020,” PEN America, April 21, 2021, pen.org/report/freedom-to-write-index-2020/ Digital deciders are hardly alone in facing the impulse to respond to issues of genuine social concern with a heavy governmental hand and cynical political self-interest. But they do so at a time when their governments are making broader decisions regarding the architecture of their digital future.
Meanwhile, champions of the authoritarian vision of digital sovereignty are actively nudging digital deciders toward more closed digital spheres. In Eurasia, at least nine of Russia’s neighboring states have adopted technical or legal aspects of Russia’s internet surveillance structure, while Russian companies have exported the Russian government’s internet surveillance system, known as SORM, to telecom companies in the Middle East and Latin America.61Chris Meserole and Alina Polyakova, “Exporting digital authoritarianism: The Russian and Chinese models,” The Brookings Institution, accessed May 13, 2021, brookings.edu/wp-content/uploads/2019/08/FP_20190827_digital_authoritarianism_polyakova_meserole.pdf; Jaclyn A. Kerr, “Information, Security, and Authoritarian Stability: Internet Policy Diffusion and Coordination in the Former Soviet Region,” International Journal of Communication 12, (September 18, 2018): 3814-3834, ijoc.org/index.php/ijoc/article/view/8542/2460 Meanwhile, China’s Xi Jinping has offered up Beijing’s model of internet governance to other countries as an example of how they can “speed up their development while preserving their independence,”62“China’s Approach to Global Governance,” Council on Foreign Relations, accessed April 27, 2021, cfr.org/china-global-governance/ a description that will appeal to digital deciders—and one that is conspicuously silent about the human rights implications of such a model.
Beijing’s most powerful mechanism for exporting its model of digital governance has been its Belt and Road Initiative, the largest infrastructure development program in the world. As part of this Initiative, Beijing has created what it terms a “Digital Silk Road,” an extensive international development and technology-sharing program.63“Assessing China’s Digital Silk Road Initiative,” Council on Foreign Relations, accessed April 27, 2021, cfr.org/china-digital-silk-road/ Under this program, China has entered into bilateral relationships with an estimated 40 other countries, primarily developing economies that are still building out their digital infrastructure and their digital policies.64“Assessing China’s Digital Silk Road Initiative,” Council on Foreign Relations, accessed April 27, 2021, cfr.org/china-digital-silk-road/; See also Alan Weedon and Samuel Yang, “China trumpets tech power at 6th World Internet Conference, signalling a ‘digital arms race’,” ABC News, October 22, 2019, abc.net.au/news/2019-10-23/sixth-world-internet-conference-china-wuzhen/11623426
This Digital Silk Road enables Beijing to accelerate its exportation of technology that comes with China’s model of digital governance pre-baked into the formula.65“Assessing China’s Digital Silk Road Initiative,” Council on Foreign Relations, accessed April 27, 2021, cfr.org/china-digital-silk-road/; See also Alan Weedon and Samuel Yang, “China trumpets tech power at 6th World Internet Conference, signalling a ‘digital arms race’,” ABC News, October 22, 2019, abc.net.au/news/2019-10-23/sixth-world-internet-conference-china-wuzhen/11623426 This includes internet infrastructure that enables other countries to recreate substantial aspects of China’s Great Firewall, and grants governments new powers of censorship and surveillance. Maria Farrell, former director of the UK-based NGO Open Rights Group, has described the Digital Silk Road as offering a “plug-and-play” internet that gives digital decider countries an option for developing their national internet infrastructure without committing to an open internet. As she puts it, “What China has done is put together a whole suite of not just technology, but information systems, censorship training, and model laws for surveillance. It’s the full kit, and the laws, and the training, to execute a Chinese version of the internet.”66Sally Adee, “The global internet is Disintegrating. What Comes Next?” BBC, May 14, 2019, bbc.com/future/article/20190514-the-global-internet-is-disintegrating-what-comes-next
Adrian Shahbaz, Director for Technology and Democracy at Freedom House, has closely followed Beijing’s efforts in this area. Shahbaz warned in his conversation with PEN America that “we are approaching a stage where the Chinese model of internet governance is looking more appealing to certain states, particularly as they perceive the unregulated internet as a threat to either social stability or regime survival.”67Interview with Adrian Shahbaz, Director for Technology and Democracy, Freedom House, November 9, 2020. It falls upon those who are committed to the vision of an open, global, and human rights-respecting internet to offer a contrasting agenda to which digital deciders can rally.
Special Section: Digital Sovereignty as Control over Data
One of the primary digital sovereignty concerns of governments is over their residents’ data. Such data represents an economic and analytic goldmine, leading some commentators to declare that “Data is the new oil.”68Adeola Adesina, “Data is the New Oil,” Medium.com, November 13, 2018 medium.com/@adeolaadesina/data-is-the-new-oil-2947ed8804f6: Kiran Bhageshpur, “Data Is The New Oil — And That’s A Good Thing,” Forbes, November 15, 2019, forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/#669f22707304; Joris Toonders, “Data Is the New Oil of the Digital Economy,” Wired, wired.com/insights/2014/07/data-new-oil-digital-economy/; see also Lindsay P. Gorman, “A Future Internet for Democracies: Contesting China’s Dominance in 5G, 6G, and the Internet-of-Everything,” Alliance for Securing Democracy at The German Marshall Fund of the United States, October 27, 2020, securingdemocracy.gmfus.org/wp-content/uploads/2020/10/Future-Internet.pdf Increasingly, countries around the world are insisting on sovereign control over this data: how it is used, who has access to it, and where it is stored or allowed to travel.
As a result, governments have enacted a wave of laws and regulations implementing data localization (or “data residency”) requirements. Broadly, this means mandating that the data generated by users within their country be stored within national borders. Internet experts have long warned that mandatory localization efforts will contribute to internet fragmentation and impede the openness and accessibility of the global internet, by creating new barriers to transnational data flows.69See e.g. Anupam Chander et al., “Exploring International Data Flow Governance,” World Economic Forum, 22, December 2019, weforum.org/docs/WEF_Trade_Policy_Data_Flows_Report.pdf; “Internet Way of Networking Use Case: Data Localization,” Internet Society, September 30, 2020, internetsociety.org/resources/doc/2020/internet-impact-assessment-toolkit/use-case-data-localization/ Yet in the past few years alone, more than 70 countries have passed or amended their laws to include some form of data localization.70“Global Data Governance – Part One: Emerging Data Governance Practices,” Foreign Policy, May 13, 2020, https://foreignpolicy.com/2020/05/13/data-governance-privacy-internet-regulation-localization-global-technology-power-map/
Data localization mandates that affect people’s personal data, specifically, raise substantial and systemic human rights concerns because they ensure that such data is kept within the jurisdictional reach of their national law enforcement and state security services—potentially weaponizing it as a tool for repression. If the country demanding the localization of data has an independent judiciary, rule of law, and enshrined privacy rights, then the potential adverse human rights impacts of such data localization may be lessened—although not necessarily eliminated.71See generally Allie Funk, Andrea Hackl, and Adrian Shahbaz, “User Privacy or Cyber Sovereignty: Assessing the Human Rights Implications of Data Localization,” Freedom House, July 2020, freedomhouse.org/report/special-report/2020/user-privacy-or-cyber-sovereignty In countries that do not have a strong legal framework for rights protection, the risks are heightened.
This is particularly the case for governments that criminalize peaceful dissent or otherwise suppress freedom of expression—making these databases potential treasure troves for the discovery of “crimes” involving dissenting speech or opinion. Even access to other forms of data—when and where a certain picture was taken, who uses their internet during a religious holiday and who doesn’t, who were the last five people the activist messaged before their arrest—is a potent tool for surveillance and repression. Freedom House, which produced a major analysis of data localization’s human rights effects in 2020, concluded that it was no coincidence that “Some of the most stringent data localization requirements can be found in countries with poor human rights records and restrictive information environments.”72Allie Funk, Andrea Hackl, and Adrian Shahbaz, “User Privacy or Cyber Sovereignty: Assessing the Human Rights Implications of Data Localization,” Freedom House, July 2020, freedomhouse.org/report/special-report/2020/user-privacy-or-cyber-sovereignty; see also Alexander Plaum, “The impact of forced data localisation on fundamental rights,” Access Now, June 4, 2014, accessed May 11, 2021, accessnow.org/the-impact-of-forced-data-localisation-on-fundamental-rights/
Yet these risks are not limited to authoritarian governments alone. “The core issue determining the status of people’s digital rights is the laws and regulations that guarantee people’s privacy rights and the enforceability of those laws and regulations,” Megha Rajagopalan, a tech reporter for Buzzfeed, told PEN America. “And the current status quo is that the majority of countries around the world have not developed laws and regulations that are sufficient to safeguard people’s privacy rights and the rights to free speech.”73Interview with Megha Rajagopalan, International Correspondent, Buzzfeed News, November 11, 2020.
Data localization regulations may also grant governments further powers that may enable abuse—for example, the ability to put pressure on the companies hosting their data within the country to comply with other demands (a phenomenon we examine further in Section III of this report), the ability to cut off access to the data from outside the country, or the ability to funnel data streams through local service providers, providing yet another access point for government surveillance. Some data localization mandates also seek to undermine the efficacy of encryption, by either compelling companies to store encryption keys within the country (as is the case in China),74Samm Sacks, “Data Security and U.S.-China Tech Entanglement,” Lawfare, April 2, 2020, lawfareblog.com/data-security-and-us-china-tech-entanglement or mandating that companies maintain the local data in an unencrypted form (as Pakistan has recently imposed).75Asad Hashim, “Pakistan to ‘review’ controversial internet censorship rules,” Al Jazeera, January 26, 2021, aljazeera.com/news/2021/1/26/pakistani-government-says-will-review-internet-censorship-rules
Whatever the impacts, the motivations for data localization run the gamut: from ensuring residents’ digital privacy from foreign governments, to economic protectionism that advantages local technology companies that can more easily develop local data centers or access datasets, to facilitating law enforcement access to data, to national security rationales.76Ethan Loufield and Shweta Vashisht, “Data Globalization vs. Data Localization,” Center for Financial Inclusion, February 6, 2020, accessed May 12, 2021, centerforfinancialinclusion.org/data-globalization-vs-data-localization The motivations of ‘law enforcement access’ and ‘national security’ raise obvious red flags for any human rights-minded observer, but government officials can also easily publicly suggest one rationale while downplaying another.77Allie Funk, Andrea Hackl, and Adrian Shahbaz, “User Privacy or Cyber Sovereignty: Assessing the Human Rights Implications of Data Localization,” Freedom House, July 2020, freedomhouse.org/report/special-report/2020/user-privacy-or-cyber-sovereignty (“National security interests often co-opt arguments for greater data privacy to justify an expansion of censorship and surveillance powers.”)
‘Gbenga Sesan, Executive Director of the digital advocacy group Paradigm Initiative, gave PEN America an example of how this dynamic has played out in the data localization conversations in sub-Saharan Africa. “Some of the push for data localization has been from the technology private sector, with companies saying to their governments, ‘Google and Facebook are eating our lunch. Why don’t we have some protectionism? If we store data locally, then these companies will have to work with us local players.’ So that’s one conversation. But the second conversation is between security officials and their government higher-ups, saying ‘if we store the data here, we can get a back door to that data.’ And when you look at the trends in this conversation [around data localization], and you look at the countries that are talking about it–you look at Kenya, South Sudan, Rwanda, Zimbabwe, Zambia, and Nigeria, to mention some examples–there are only one or two countries where the conversation is not about governmental control.”78Interview with ‘Gbenga Sesan, Executive Director, Paradigm Initiative, February 23, 2021.
In sum, personal data localization mandates—regardless of whether they are motivated by valid sovereign interests or by anti-democratic or repressive machinations—inevitably open the door to new possibilities for governmental abuse. What is sorely needed is a global approach to the hosting of data that insists on all countries meeting human rights standards for the protection and privacy of such data, rather than one which carves up this data among national jurisdictions. As Freedom House’s Adrian Shahbaz summarized, “The framing around data privacy shouldn’t be around where data is physically located, but rather, whether it’s stored securely and protected from government surveillance and corporate malfeasance.”79Interview with Adrian Shahbaz, Director for Technology and Democracy, Freedom House, November 9, 2020.
Section II: Government Efforts to Undermine the Global Internet
Perhaps the most world-changing attribute of the internet is that it is global–a person can travel across the world and still read their emails, visit websites, and have fundamentally the same online experience. This is an oversimplification, of course: national laws may affect what websites you can visit, or which online speech is censored before you have the chance to view it. Yet the global internet can still be conceived of, broadly, as a unitary project.
This is due, first and foremost, to the fact that the internet is designed to be globally interoperable—with shared foundational technical protocols making it possible for any device, anywhere, to connect to the internet and digitally interact with any other.80Bennett Cyphers and Cory Doctorow, “A Legislative Path to an Interoperable Internet,” Electronic Frontier Foundation, July 28, 2020, https://www.eff.org/deeplinks/2020/07/legislative-path-interoperable-internet; Becky Chao and Ross Schulman, “Promoting Platform Interoperability,” New America, last updated May 13, 2020, https://www.newamerica.org/oti/reports/promoting-platform-interoperability/interoperability-is-fundamental-to-the-internet/ This interoperability underlies the internet as a place where cultures connect, where ideas and identities and freedoms that would not otherwise be possible become so, and where the “unhampered transmission of thought within each nation and between all nations”81“PEN International Charter,” PEN International, pen-international.org/who-we-are/the-pen-charter can be a day-to-day lived reality for billions. Yet this global interoperability is increasingly threatened by governments working either to separate themselves from the global internet or to take over the foundational underpinnings that render the global internet interoperable.
The Authoritarian Pursuit of a National Internet
National internets—in which the domestic populace is cut off or largely removed from access to the global internet—have traditionally been understood as exceptions in an increasingly connected world. Apart from China, countries that had cut themselves off from the World Wide Web prior to the last decade included only North Korea, Cuba, and pre-2011 Myanmar.82Ronald Deibert et al., eds., Access Denied: The Practice and Policy of Global Internet Filtering, (Cambridge: The MIT Press, 2008), MIT Press Direct, direct.mit.edu/books/book/2312/Access-DeniedThe-Practice-and-Policy-of-Global; Max Fisher, “Yes, North Korea has the internet. Here’s what it looks like.” Vox, March 19, 2015, vox.com/2014/12/22/7435625/north-korea-internet; Nancy Scola, “Wait, Cuba Has its Own Internet?” The Washington Post, December 19, 2014, washingtonpost.com/news/the-switch/wp/2014/12/19/wait-cuba-has-its-own-internet/ Today however, Russia and Iran are pioneering new models for internet nationalization, laying the legal and technical groundwork for independent, centrally-controlled, and nationalized internets. In its ultimate expression, which both countries are actively working toward, this nationalized internet would allow their governments to sever the country’s domestic internet from the global one. Russia and Iran’s efforts have major implications for the future, in part because each of these efforts may provide a blueprint for other governments looking to do the same.
Under President Putin, Russia has aggressively pursued an authoritarian set of digital sovereignty policies over the past decade.83See e.g. Andrei Soldatov, “Security First, Technology Second: Putin Tightens his Grip on Russia’s Internet –with China’s Help,” DGAPkompakt, March 2019, dgap.org/system/files/article_pdfs/2019-03-dgapkompakt.pdf These efforts include the creation of a country-wide online content filtering system in 2012;84See e.g. Andrei Soldatov, “Security First, Technology Second: Putin Tightens his Grip on Russia’s Internet –with China’s Help,” DGAPkompakt, March 2019, dgap.org/system/files/article_pdfs/2019-03-dgapkompakt.pdf the ongoing development of a Russian surveillance ‘back door’ to the internet known as the System of Operative-Search Measures, or SORM–originally modeled off of KGB wiretapping technology;85See e.g. Chris Meserole and Alina Polyakova, “Exporting digital authoritarianism: The Russian and Chinese models,” The Brookings Institution, accessed May 13, 2021, brookings.edu/wp-content/uploads/2019/08/FP_20190827_digital_authoritarianism_polyakova_meserole.pdf and the passage of the “Yarovaya Law” in 2016, which imposed new requirements on technology companies to collect and store data within Russia, mandated that online service providers provide security services with backdoor access to encrypted content, and compelled providers to provide law enforcement access to data upon request.86See e.g. Matthew Bodner, “What Russia’s New Draconian Data Laws Mean for Users,” The Moscow Times, July 13, 2016, themoscowtimes.com/2016/07/13/what-russias-new-draconian-data-laws-mean-for-users-a54552; See also: Andrei Soldatov, “Security First, Technology Second: Putin Tightens his Grip on Russia’s Internet –with China’s Help,” DGAPkompakt, March 2019, dgap.org/system/files/article_pdfs/2019-03-dgapkompakt.pdf; Chris Meserole and Alina Polyakova, “Exporting digital authoritarianism: The Russian and Chinese models,” The Brookings Institution, accessed May 13, 2021, brookings.edu/wp-content/uploads/2019/08/FP_20190827_digital_authoritarianism_polyakova_meserole.pdf. The law took effect in 2018: “Russia’s ‘Big Brother’ Law Enters Into Force,” The Moscow Times, July 1, 2018, themoscowtimes.com/2018/07/01/russias-big-brother-law-enters-into-force-a62066 In 2018, Russian regulators attempted, largely unsuccessfully, to block the popular encrypted messaging program Telegram, after the company refused to hand over its encryption keys to the government.87Michael Grothhaus, “Russian court orders ban on secure messaging app Telegram,” Fast Company, April 13, 2018, fastcompany.com/40558676/russian-court-orders-ban-on-secure-messaging-app-telegram; See also Leonid Bershidsky, “Russian Censor Gets Help From Amazon and Google,” Bloomberg, May 3, 2018 bloomberg.com/opinion/articles/2018-05-03/telegram-block-gets-help-from-google-and-amazon; Matt Burgess, “This is why Russia’s attempts to block Telegram have failed,” Wired, April 28, 2018, wired.co.uk/article/telegram-in-russia-blocked-web-app-ban-facebook-twitter-google; Sean Gallagher, “Google disables “domain fronting” capability used to evade censors,” Arstechnica, April 19, 2018, arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/
Russia’s most significant step in expanding its control over the internet came in 2019, with the passage of its Sovereign Internet Law legalizing the government’s reach into nearly every corner of its domestic internet infrastructure. Some observers have likened this law to a step towards Russia’s own “Great Firewall.”88Andrew Roth, “Russia’s great firewall: is it meant to keep information in – or out?” The Guardian, April 28, 2019, theguardian.com/technology/2019/apr/28/russia-great-firewall-sovereign-internet-bill-keeping-information-in-or-out Technically a series of amendments to preexisting regulations, the Sovereign Internet Law both creates a legal framework and mandates construction of the technological infrastructure for the government to close down Russians’ access to the global internet.89“Russia: New Law Expands Government Control Online,” Human Rights Watch, October 31, 2019, hrw.org/news/2019/10/31/russia-new-law-expands-government-control-online#; Alena Epifanova, “Deciphering Russia’s Sovereign internet Law: Tightening Control and Accelerating the Splinternet,” German Council on Foreign Relations (DGAP), January 16, 2020, dgap.org/en/research/publications/deciphering-russias-sovereign-internet-law It provides the legal basis for the Russian government to route web traffic through state-controlled chokepoints; censor content without due process or public disclosure; block popular encrypted messaging apps like Telegram; and create a ‘kill switch’ that could shut off internet traffic into and out of the country whenever the government deems necessary.90“Russia: New Law Expands Government Control Online,” Human Rights Watch, October 31, 2019, hrw.org/news/2019/10/31/russia-new-law-expands-government-control-online#; Alena Epifanova, “Deciphering Russia’s Sovereign internet Law: Tightening Control and Accelerating the Splinternet,” German Council on Foreign Relations (DGAP), January 16, 2020, dgap.org/en/research/publications/deciphering-russias-sovereign-internet-law
The Sovereign Internet Law even enables the construction of a new infrastructure for a separate, national Domain Name System (DNS), a foundational element of internet architecture that is managed globally by the non-governmental Internet Corporation for Assigned Names and Numbers (ICANN). This separate DNS infrastructure would lay down foundational protocols for a Russian internet that would be technologically separate from the global internet.91“Russia: New Law Expands Government Control Online,” Human Rights Watch, October 31, 2019, hrw.org/news/2019/10/31/russia-new-law-expands-government-control-online#; Alena Epifanova, “Deciphering Russia’s Sovereign internet Law: Tightening Control and Accelerating the Splinternet,” German Council on Foreign Relations (DGAP), January 16, 2020, dgap.org/en/research/publications/deciphering-russias-sovereign-internet-law
It should be acknowledged that the legislation enabling this level of control is separate from the actual technical implementation necessary for Russia to achieve the law’s stated goals. Analysts following Russia’s digital path have noted that, in order to accomplish this digital separation, Russia would be largely reliant on Chinese technological assistance and cooperation—something that Putin has laid the groundwork for over the past several years through several high-level bilateral agreements to cooperate on digital policy.92See e.g. Alena Epifanova, “Deciphering Russia’s Sovereign internet Law: Tightening Control and Accelerating the Splinternet,” German Council on Foreign Relations (DGAP), 8–11, January 16, 2020, dgap.org/en/research/publications/deciphering-russias-sovereign-internet-law; see Andrei Kolesnikov and Leonid Kovachich, “Digital Authoritarianism With Russian Characteristics?” Carnegie Moscow Center, April 21, 2021, carnegie.ru/2021/04/21/digital-authoritarianism-with-russian-characteristics-pub-84346 noting that Russia’s security sector has demonstrated concerns about close cooperation with Chinese government and corporate entities in this area.
Even short of full implementation, the law is a powerful statement of the Russian government’s intent and a highly visible model for other states to follow. Russia’s regional neighbors, in particular, have copied-and-pasted their own digital regulations from Russia before. Kyrgyzstan’s unpopular 2020 Law on Manipulating Information,93Gulshat Asylbaeva, “The draft Law of the Kyrgyz Republic ‘On Manipulation of Information’ is being submitted for public discussion from May 14, 2020,” Supreme Council of the Kyrgyz Republic, May 14, 2020, accessed May 11, 2021, kenesh.kg/ru/article/show/6770/na-obshtestvennoe-obsuzhdenie-s-14-maya-2020-goda-vinositsya-proekt-zakona-kirgizskoy-respubliki-o-manipulirovanii-informatsiey (Russian: депутат Жогорку Кенеша Г.Асылбаева, “На общественное обсуждение с 14 мая 2020 года выносится проект Закона Кыргызской Республики «О манипулировании информацией»,” ЖОГОРКУ КЕНЕШ Кыргызcкой Республики, May 14, 2020, accessed May 11, 2021, kenesh.kg/ru/article/show/6770/na-obshtestvennoe-obsuzhdenie-s-14-maya-2020-goda-vinositsya-proekt-zakona-kirgizskoy-respubliki-o-manipulirovanii-informatsiey) for example, was largely modeled after Russia’s Yarovaya Law.94Supreme Council of the Kyrgyz Republic, “The draft Law of the Kyrgyz Republic ‘On Manipulation of Information’ is being submitted for public discussion from May 14, 2020.”
With the Sovereign Internet Law, the German Council on Foreign Relations’ Alena Epifanova explained, “Russia is creating more than a legal framework. It’s also creating a precedent. The good news is that Russia’s neighbors don’t have the money or the technology to move towards a sovereign internet as well or as quickly as Russia can. The bad news is that they will keep on trying.”95Interview with Alena Epifanova, Research Fellow, International Order and Democracy, German Council of Foreign Relations, October 6, 2020.
Iran is another state that has pushed over the past decade towards this digital isolationism. In 2005, the Iranian government announced its intent to develop a National Information Network (NIN).96“Iran’s intranet: a master plan for internet censorship,” Iran News Wire, October 30, 2020 irannewswire.org/irans-intranet-a-master-plan-for-internet-censorship/ Iranian leaders then argued that the network was necessary to secure the country’s national security interests. This argument gained currency within the country after an American-Israeli cyberattack substantially damaged Iran’s nuclear program in 2010.97Mahsa Alimardani, “Iran Declares ‘Unveiling’ of its National Intranet,” Global Voices Advox, September 2, 2016, advox.globalvoices.org/2016/09/02/iran-declares-unveiling-of-its-national-intranet/ Another motivation for the project arose from the 2009-2010 Green Movement protests, a series of massive, peaceful demonstrations over the contested 2009 elections that highlighted the potential of social media as a tool for both organizing and amplifying protesters’ visibility in the global media.98Jared Keller, “Evaluating Iran’s Twitter Revolution,” The Atlantic, June 18, 2010, https://www.theatlantic.com/technology/archive/2010/06/evaluating-irans-twitter-revolution/58337/ In the aftermath of the protests, which the government put down with systemic violence against protesters alongside thousands of arrests and over 100 executions,99“Iran: Halt the Crackdown,” Human Rights Watch, June 19, 2009, https://www.hrw.org/news/2009/06/19/iran-halt-crackdown; Robert Tait, “Iran election anniversary protests face severe crackdown,” The Guardian, June 9, 2010, https://www.theguardian.com/world/2010/jun/09/iran-election-demonstration-green-repression; “Iran: Violent Crackdown on Protesters Widens,” Human Rights Watch, June 23, 2009, https://www.hrw.org/news/2009/06/23/iran-violent-crackdown-protesters-widens; “Iran: Events of 2009,” Human Rights Watch, https://www.hrw.org/world-report/2010/country-chapters/iran; Hamid Dabashi, “What happened to the Green Movement in Iran?”, Al Jazeera, June 12, 2013, https://www.aljazeera.com/opinions/2013/6/12/what-happened-to-the-green-movement-in-iran officials increasingly viewed western social media as a threat to their regime, one which the NIN would counter.100See e.g. Citizen Lab, “After the Green Movement: Internet Controls in Iran, 2010-2012,” OpenNet Initiative, February 2013, https://opennet.net/sites/opennet.net/files/iranreport.pdf; Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom, Public Affairs, New York, NY (2011), (“Suddenly, the Iranian authorities no longer saw the Internet as an engine of economic growth or as a way to spread the word of the prophet. All that mattered at the time was that the Web presented an unambiguous threat that many of Iran’s enemies would be sure to exploit. Not surprisingly, once the protests quieted down, the Iranian authorities embarked on a digital purge of their opponents.”) The government officially began the NIN project in 2013, and its development is still ongoing.101Behrang Tajdin, “Will Iran’s national internet mean no world wide web?” BBC, April 27, 2013, bbc.com/news/world-middle-east-22281336; see also “Tightening the Net: internet Security and Censorship in Iran (Part 1: The National internet Project),” Article 19, 2016, article19.org/data/files/The_National_internet_AR_KA_final.pdf; asl19, “Iran’s National Information Network,” The Citizen Lab, November 9, 2012, citizenlab.ca/2012/11/irans-national-information-network/; Golnaz Esfandiari, “Iran to work with China to create National Internet System,” RadioFreeEurope/RadioLiberty, September 4, 2020, https://www.rferl.org/a/iran-china-national-internet-system-censorship/30820857.html
Once complete, the NIN would enable the Iranian government to cut off domestic access to the global internet without disrupting the country’s critical domestic digital infrastructure—such as, for example, the online operations of its hospitals.102Ryan Grace, “Shatter the web: Internet fragmentation in Iran,” Middle East Institute, December 14, 2020, mei.edu/publications/shatter-web-internet-fragmentation-iran To understand the repressive potential of such a system, one can look at the events of November 2019, when Iran’s government shut off the populace’s access to the global internet in the midst of a wave of anti-government protest.103See Mahsa Alimardani, “Iran Declares ‘Unveiling’ of its National Intranet,”; Ryan Grace, “Shatter the web: internet fragmentation in Iran,” Middle East Institute, December 14, 2020, mei.edu/publications/shatter-web-internet-fragmentation-iran; “Iran: Internet deliberately shut down during November 2019 killings – new investigation,” Amnesty International, November 16, 2020, amnesty.org/en/latest/news/2020/11/iran-internet-deliberately-shut-down-during-november-2019-killings-new-investigation/; Michael Safi, “Iran’s digital shutdown: other regimes ‘will be watching closely’,” The Guardian, November 21, 2019, theguardian.com/world/2019/nov/21/irans-digital-shutdown-other-regimes-will-be-watching-closely By shutting off global internet access, officials were able to substantially dampen international awareness and coverage of the protests, in which hundreds of protesters were reportedly killed by security forces.104“Iran: Details of 304 Deaths in Crackdown on November 2019 Protests,” Amnesty International, August 2020, amnesty.org/download/Documents/MDE1323082020ENGLISH.PDF; “A web of impunity: The killings Iran’s internet shutdown hid,” Amnesty International, 2020, accessed May 12, 2021, iran-shutdown.amnesty.org/; David Gilbert “Iran Turned Off the Internet to Shut Down Protests, and No One Knows When It’s Coming Back On,” Vice News, November 19, 2019, vice.com/en/article/xwejmn/iran-turned-off-the-internet-to-shut-down-protests-and-no-one-knows-when-its-coming-back-on
With a fully functioning NIN, the economic and administrative costs for such an internet shutdown in response to protests would be minimized—all the political benefits of cutting one’s citizenry off from the world, with few of the drawbacks.
“Iran’s National Information Network is designed to make disconnection easier,” noted Kaveh Azarhoosh, an Iranian digital rights researcher who has long monitored the Network’s development. “It is a means to an end, and the end is further controlling Iran’s digital borders.”105Interview with Kaveh Azarhoosh, Digital Rights Policy and Advocacy Lead, Small Media, October 27, 2020. Azarhoosh concluded that if Iran succeeds at fully disconnecting itself, it “would be a blueprint for a lot of other countries seeking to emulate them. I can guarantee you that Turkey is looking at what Iran is doing. I can guarantee you that Lebanon is looking, that Iraq is looking, that Russia is looking.”106Interview with Kaveh Azarhoosh, Digital Rights Policy and Advocacy Lead, Small Media, October 27, 2020.
Governments may attempt to justify these proposals through appeals to national security; but a separated and nationalized internet, by design, empowers them to cut their citizenry off from the outside world—isolating them from the global free flow of digital information and empowering the state over its own people. Such isolationism would represent a boon for regimes that have chosen to engage in systemic digital censorship, making it far more difficult for citizens to visit websites hosted within another country. Russia and Iran’s efforts toward such a nationalized internet threaten to pave the way for other repressive governments to follow, posing chilling implications for freedom of expression, privacy rights, and civic discourse.
The Dangers of Internet Fragmentation and the “Splinternet”
As the Internet Society’s Konstantinos Komaitis has noted, “The internet was not designed to recognize physical boundaries or to comply with only one actor’s rules.”107Konstantinos Komaitis, “Splintering the internet: The Unintended Consequences of Regulation,” Internet Society, October 18, 2018, internetsociety.org/blog/2018/10/splintering-the-internet-the-unintended-consequence-of-regulation/#:~:text=The%20internet%20was%20not%20designed,with%20only%20one%20actor’s%20rules.&text=Extra%2Dterritorial%20application%20of%20laws,a%20fractured%2C%20less%20resilient%20internet Governments’ attempts “to make the internet fit within national borders or to make it comply with one nation’s regulatory thinking for the sake of maintaining some sense of control” only threaten to fracture and weaken the internet—a phenomenon that experts have dubbed “digital fragmentation.”108Konstantinos Komaitis, “Splintering the internet: The Unintended Consequences of Regulation,” Internet Society, October 18, 2018, internetsociety.org/blog/2018/10/splintering-the-internet-the-unintended-consequence-of-regulation/#:~:text=The%20internet%20was%20not%20designed,with%20only%20one%20actor’s%20rules.&text=Extra%2Dterritorial%20application%20of%20laws,a%20fractured%2C%20less%20resilient%20internet The risk of fragmentation is triggered not only by governments undermining the interoperability of the internet through the construction of national internet networks, but by efforts to enforce one state’s national digital regulations beyond their own borders, or to block information from freely crossing national boundaries.109Jonah Force Hill, “Internet Fragmentation,” John F. Kennedy School of Government, 2012, 46, belfercenter.org/sites/default/files/legacy/files/internet_fragmentation_jonah_hill.pdf The extent to which this fragmentation has already occurred or is likely to occur in the near future is debated, a debate complicated by the fact that “digital fragmentation” has no single definition; like digital sovereignty, it describes both a political and a technological reality.
In recent years, however, analysts and advocates have stepped up their concerns over digital fragmentation, to the point that they have begun warning of “the balkanized internet,” “the Westphalian Web,” and, most succinctly, “the splinternet.”110Katherine Maher, “The New Westphalian Web,” Foreign Policy, February 25, 2013, foreignpolicy.com/2013/02/25/the-new-westphalian-web/; see also Tim Collins, “Rise of the ‘splinternet’: Experts warn the world wide web will break up and fragment as governments set their own rules to filter and restrict content,” Daily Mail/AFP, April 9, 2019, dailymail.co.uk/sciencetech/article-6905695/Breaking-internet-new-regulations-imperil-global-network.html; Shanthi Kalanthil, Jessica Ludwig, and Christopher Walker, “Cutting Edge of Sharp Power,” Journal of Democracy 31, no. 1 (January 2020): 130, muse.jhu.edu/article/745959 (the idea of a nationally-partitioned internet “used to be dismissed as a dictator’s pipe dream. Now tech titans and opinion leaders almost take for granted a splintered internet that essentially hews to this vision, with access for citizens of authoritarian regimes curtailed by censorship, surveillance, internet shutdowns, and the like.”); Department for Exiting the European Union, “The Exchange and Protection of Personal Data: a Future Partnership Paper,” Government of the United Kingdom, August 24, 2017, gov.uk/government/uploads/system/uploads/attachment_data/file/639853/The_exchange_and_protection_of_personal_data.pdf (the British government’s reference to “the Balkanisation of the internet”). The splinternet is a dystopian prediction: As countries increasingly seek to raise digital boundaries around their domestic internet, the global internet will increasingly fragment to the point where it no longer makes much sense to speak of a single internet at all. 
The ability of writers, journalists, and others to communicate across national boundaries will be subject to political diktats, online communities will fracture, and a new toolbox for state repression will open. Authoritarian and illiberal leaders would especially celebrate this development, as a means toward enforcing greater information control over their own populaces, and advancing their ability to shut their people off from the rest of the world.111See e.g. “Free Speech Project: So Long Internet, Hello Internets,” New America, September 30, 2020, newamerica.org/future-tense/events/online-free-speech-project-so-long-internet-hello-internets/ (Panelist Katherine McKinnon: “The Balkanization of the internet will result in a less secure internet for individuals.”).
Proponents of an authoritarian digital sovereignty framework are actively pursuing digital fragmentation as a political goal, including through advocacy on the global stage. They are doing so, in large part, not only in furtherance of their goal of accruing new powers over their own domestic internets, but to fundamentally restructure the global internet, rebalancing it in favor of sovereign governments and normalizing the idea that such sovereign powers are both necessary and acceptable.
Under the current, long-standing, model of internet governance, key internet protocols are managed not by the United Nations or by individual states, but by non-governmental and multi-stakeholder groups of experts. This includes groups like the Internet Corporation for Assigned Names and Numbers and its affiliated Internet Assigned Numbers Authority (IANA), which manage the Internet Protocol (IP) address protocols and the Domain Name System of the internet.112“Homepage,” Internet Corporation for Assigned Names and Numbers (ICANN), accessed April 28, 2021, icann.org/; “Internet Assigned Number Authority,” Internet Assigned Number Authority (IANA), accessed April 28, 2021, iana.org/ DNS and IP are two foundational elements of the infrastructure of the internet, essentially providing the series of digital addresses that situate each website or digital device within the world wide web. Non-governmental stewards of the internet also include groups like the Internet Engineering Task Force (IETF) and its affiliated Internet Society, the Internet Architecture Board, and the World Wide Web Consortium, which each play a major role in both creating and promoting global standards for how these and other foundational underpinnings of the internet should be managed.
Governments pushing for greater control over the internet have proposed new foundational structures for the internet that would cut out these non-governmental groups, replacing them with governmental actors.113See e.g. Adam Segal, “China’s Vision for Cyber Sovereignty and the Global Governance of Cyberspace,” The National Bureau of Asian Research, August 25, 2020, 85–100, nbr.org/wp-content/uploads/pdfs/publications/sr87_aug2020.pdf In November 2017, public reporting revealed that Russia’s Security Council had instructed the country’s Ministry of Communications and the Ministry of Foreign Affairs to develop a proposal for a new DNS root server system for the BRICS countries—Brazil, Russia, India, China, and South Africa.114“Russia’s Security Council tells the government to develop a separate Internet for the BRICS,” Meduza, November 28, 2017, meduza.io/en/news/2017/11/28/russia-s-security-council-tells-the-government-to-develop-a-separate-internet-for-the-brics This plan appears to have gone nowhere in the years since, and many digital experts say that such an ambitious technological idea is far easier proposed than executed. Still, had it been implemented, such a proposal would have put approximately half of the world’s population under a new internet infrastructure, with government officials acquiring broad new powers over which websites people could access or even locate. It is particularly worth noting that four out of the five BRICS governments, all but South Africa, are ranked as ‘not free’ or ‘partly free’ on the 2020 Freedom House measurement index for Digital Freedom. The most powerful BRICS country—China—ranks dead last.115“Internet Freedom Status,” Freedom House, accessed May 12, 2021, freedomhouse.org/explore-the-map?type=fotn&year=2020
In 2018, delegates from Huawei, the Chinese telecommunication giant, introduced a similar splintering proposal to radically reorient the foundational structures of the internet. At a meeting of the International Telecommunication Union (ITU), the UN body that plays—alongside the aforementioned multi-stakeholder groups—a major role in setting intergovernmental standards for internet protocols, Huawei proposed the creation of a New Internet Protocol (New IP) to replace the current privately-regulated model with a “top-down,” centralized internet infrastructure. Huawei representatives, along with representatives of China Mobile, China Unicom, and China’s Ministry of Industry and Information Technology, continued to push the idea of a New IP in 2019, submitting a proposal that September to the Telecommunication Sector Advisory Group—a working group within the ITU—reiterating their call for an overhaul of the IP system.116Hascall Sharp and Olaf Kolkman, “Discussion Paper: An analysis of the “New IP” proposal to the ITU-T”, Internet Society, accessed May 6, 2021, internetsociety.org/wp-content/uploads/2020/04/ISOC-Discussion-Paper-NewIP-analysis-29April2020.pdf
This new protocol would have laid the technical foundation for governments to enjoy broad, comprehensive powers over the internet in their own countries—giving them the ability to block apps, silence activists online, impose online censorship, and surveil internet users.117Anna Gross and Madhumita Murgia, “China and Huawei Propose Reinvention of the internet,” Financial Times, March 27, 2020, ft.com/content/c78be2cf-a1a1-40b1-8ab7-904d7095e0f2 The Financial Times, the only major English-language media outlet to report in depth on the proposal, cited ITU representatives sharing their fears that “if New IP was legitimised by the ITU, state operators would be able to choose to implement a western internet or a Chinese one . . . The latter could mean that everyone in those countries would need permission from their internet provider to do anything via the internet — whether downloading an app or accessing a site — and administrators could have the power to deny access on a whim.”118Anna Gross and Madhumita Murgia, “Inside China’s Controversial Mission to Reinvent the internet,” Financial Times, March 27, 2020, ft.com/content/ba94c2bc-6e27-11ea-9bca-bf503995cd6f
Like the Russian proposal, Huawei’s proposal has so far failed to gain traction. But Beijing’s efforts to advance the idea of a New IP on the global stage are representative of its larger, deliberate efforts toward digital fragmentation. “Beijing,” as one analysis from the European Council on Foreign Relations puts it, “wants to see a series of interconnected national internets rather than a global infrastructure, with each national internet governed by the laws and values of its home state.”119Carla Hobbs, ed., “Europe’s Digital Sovereignty: From Rulemaker to Superpower in the Age of the US-China Rivalry,” European Council on Foreign Relations, July 2020, ecfr.eu/archive/page/-/europe_digital_sovereignty_rulemaker_superpower_age_us_china_rivalry.pdf
Mehwish Ansari, head of the Digital Team at the free expression organization ARTICLE 19, has monitored internet regulatory development at the ITU and elsewhere for the past several years. Ansari believes that resistance from expert communities, opposed governments, and other stakeholders who recognize the dangers of such fragmentation make it unlikely that proposals like the New IP will succeed any time soon. But, she cautions, “What I am more concerned about is the normative impact of these types of proposals, even if they aren’t going to be standardized and implemented at this time. I’ve heard the same concern from government delegates to the ITU and from academics, for years. It’s not that these proposals are necessarily going to change the internet today or tomorrow. By introducing these proposals in spaces like the ITU, the architectural principles and values that are embedded in them can and will be normalized, so that if these same ideas are reintroduced by the same or different actors as part of the next wave of innovation, whether it’s an evolution of the internet or even the emergence of a new communication medium after the internet, they may not be so staunchly opposed. That’s what I’m concerned about.”120Interview with Mehwish Ansari, Head of Digital, Article 19, November 17, 2020.
A future internet that is fragmented and siloed across political lines would represent a step backward for human rights, freedom of expression, and intercultural connection on a global scale. The concept of the nationalized internet, in particular, threatens to dramatically expand governmental control over the online information that people within a given country can access and the activities they can participate in. Such control would enable systematic censorship, preventing residents from publishing, seeking out or stumbling upon online information that their government has declared off-limits. And it would dramatically expand opportunities for government surveillance. Rights advocates and policy makers alike must recognize the destructive potential of this vision, so they can both resist its encroachment on the global stage and ensure that their own regulatory approach does not contribute to internet fragmentation.
Section III: When ‘Accountability’ Goes Wrong: Governmental Tactics to Coerce Corporations into Aiding Repression
Globally, there is a rising call for corporate accountability online, prompting proposals for greater state controls over the behavior of corporations, including social media companies, whose platforms represent a de facto digital public square for billions of people in nearly every country; internet providers, which connect users to the internet at large; website hosts; and other major corporations in the digital space such as Google, Amazon, and Alibaba. Social media and digital advertising companies have driven a global wave of concern over how such corporations scrape and utilize user data, how they monetize their services, how they wield their power, how they can impact democratic discourse or even societal perceptions of truth, and, most fundamentally, to whom they are accountable. In response to these concerns, states are weighing new regulatory approaches designed to address some of these real, substantive issues. But, as with other calls to increase their sovereign power over the internet, states can exploit these issues to advance ‘solutions’ that not only fail to protect their citizens, but may actively undermine their human rights—with freedom of expression and privacy rights potentially the first casualties.
Repressive Governments are Increasing their Leverage over Corporations
Internet service providers, social media companies, and other online service providers frequently have a major say in how governments exercise control over the internet, because the parameters of this control are often settled through negotiation between the state and the company or in multilateral fora that include state and corporate representatives.121See e.g. Kate Klonick, “The New Governors: The People, Rules, and Processes Governing Online Speech,” 131 Harvard Law Review 1598, April 10, 2018, https://harvardlawreview.org/2018/04/the-new-governors-the-people-rules-and-processes-governing-online-speech/ Yet international law places comparatively few obligations on such corporations to refuse compliance with a domestic law that will foreseeably lead to human rights abuses. The most authoritative declaration of these obligations, the UN Guiding Principles for Business and Human Rights, lacks the status of binding international law, and merely calls upon businesses to respect human rights principles “to the greatest extent possible in the circumstances” when in conflict with domestic laws enabling abuse.122“Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect, and Remedy’ Framework,” United Nations, 2011, accessed May 12, 2021, ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf (Principle 23, Commentary.)
As a result, corporations are largely self-governed in this area, relying on their own internal policies as well as agreed-upon but non-binding norms such as those created by multi-stakeholder organizations. The multi-stakeholder Global Network Initiative (of which PEN America is a member), for example, has laid out a set of Principles on Free Expression and Privacy as well as implementation guidelines to which participating companies commit themselves, and last year, it released additional guidance on how companies should apply these principles when local law conflicts with human rights.123“The Operation of the GNI Principles when Local Law Conflicts with Internationally Recognized Human Rights,” Global Network Initiative, accessed May 12, 2021, globalnetworkinitiative.org/operating-difficult-jurisdictions/ Such guidance similarly lacks the status of law, and moreover applies only to companies that commit to it.124For a full list of GNI members, see globalnetworkinitiative.org/ Often the greatest moment of agency for an online service provider is when it decides whether or not to do business within a given state in the first place.
Recognizing this leeway, autocratic and illiberal governments are quickly adopting a new set of laws to increase their leverage over social media platforms and other online service providers operating in their countries, in an effort to corral or coerce them into aiding governmental repression. These laws may include strict data or personnel localization mandates as well as content-removal obligations. While such laws may appear neutral and technocratic, when adopted by repressive governments, such requirements put pressure on companies to hand over a bargaining chip: an employee who could be arrested, data that could be seized, or corporate infrastructure that could be appropriated. They also reduce the companies’ options for how to respond in cases of either abusive government orders or the passage of new laws that further downgrade the atmosphere for digital rights within the country. Some digital rights advocates have even begun referring to personnel localization requirements from rights-repressive authoritarian or illiberal states as a new “hostage model” tactic for digital control.125Email correspondence with Sherwin Siy, Lead Public Policy Manager, Wikimedia Foundation, April 22, 2021.
Vietnam and China’s similar Cybersecurity Laws are two useful examples of regulations which strengthen the government’s ability to compel compliance from social media and other technology companies in contexts where broad categories of speech and peaceful dissent are routinely criminalized,126Adam Bemma, “Vietnam’s battalions of ‘cyber-armies’ silencing online dissent,” Al Jazeera, January 17, 2020, aljazeera.com/news/2020/1/17/vietnams-battalions-of-cyber-armies-silencing-online-dissent political censorship is systemic,127Justin Sherman, “Vietnam’s Internet Control: Following in China’s Footsteps?,” The Diplomat, December 11, 2019, thediplomat.com/2019/12/vietnams-internet-control-following-in-chinas-footsteps/ government surveillance is largely unchecked,128Justin Sherman, “Vietnam’s Internet Control: Following in China’s Footsteps?,” The Diplomat, December 11, 2019, thediplomat.com/2019/12/vietnams-internet-control-following-in-chinas-footsteps/ and meaningful domestic constraints on security services’ ability to seize private data do not exist.129Reuters, “Vietnam to enforce tough new cybersecurity law that would require Google, Facebook to store personal data locally, stifling online dissent,” South China Morning Post, October 11, 2018, scmp.com/news/asia/southeast-asia/article/2167999/vietnam-enforce-tough-new-cybersecurity-law-would-require
China’s Cybersecurity Law, which took effect in 2017, makes data localization mandatory for any company wishing to operate within the country—and companies like Apple, LinkedIn, and Airbnb have already complied, placing millions of Chinese users’ data within reach of the government.130Doug Young, “Airbnb, Apple & LinkedIn amongst foreign companies to host information in China in accordance with strict censorship laws,” Caixin, November 7, 2016, business-humanrights.org/fr/derni%C3%A8res-actualit%C3%A9s/airbnb-apple-linkedin-amongst-foreign-companies-to-host-information-in-china-in-accordance-with-strict-censorship-laws/ Contrast this acquiescence with the reaction to Beijing’s imposition of the Hong Kong Security Act on the semi-autonomous region of Hong Kong in June 2020. The Act created several new categories of national security crimes and gave the government broad new powers, essentially imposing mainland China’s system of criminalization of political dissent onto a city whose “one country, two systems” framework had previously prohibited such draconian restrictions. Companies including Facebook, Google, and Twitter all suspended their compliance with the Hong Kong government’s requests for user data, recognizing that such data could be used for the newly-legalized repression of HongKongers.131Katie Paul, “U.S. tech giants suspend review of Hong Kong data requests, TikTok to pull out,” Reuters, July 6, 2020, reuters.com/article/uk-facebook-whatsapp-law-hongkong-idUKKBN2471E5
This was easily the right decision from the perspective of safeguarding the human rights of HongKongers whose data could have been used by authorities to monitor protesters, punish pro-democracy supporters’ free speech, surveil their critics, and commit a host of other abuses. Such a principled stance, however, is only possible for corporations that store user data outside of Hong Kong, and thus outside of Hong Kong law enforcement’s immediate jurisdiction and control. It is far harder for a corporation to refuse law enforcement requests to access its user data if the data is already stored within the territory—as China’s Cybersecurity Law now requires for companies offering their services within the mainland.
In a telling example of how quickly repressive digital governance strategies can spread, Vietnam’s Cybersecurity Law, implemented in 2019, is largely modeled on China’s Law.132Justin Sherman, “Vietnam’s internet Control: Following in China’s Footsteps?” The Diplomat, December 11, 2019, thediplomat.com/2019/12/vietnams-internet-control-following-in-chinas-footsteps/; Trinh Huu Long, “Vietnam’s Cybersecurity Draft Law: Made in China?” The Vietnamese, November 8, 2017, thevietnamese.org/2017/11/vietnams-cyber-security-draft-law-made-in-china/; see also Timothy McLaughlin, “Under Vietnam’s new cybersecurity law, U.S. tech giants face stricter censorship,” The Washington Post, March 16, 2019, washingtonpost.com/world/asia_pacific/under-vietnams-new-cybersecurity-law-us-tech-giants-face-stricter-censorship/2019/03/16/8259cfae-3c24-11e9-a06c-3ec8ed509d15_story.html Both laws include mandatory data localization requirements, along with requirements that social media companies comply with governmental takedown requests and that service providers disclose user data to authorities even absent a court order.133“Vietnam: Big Brother Is Watching Everyone,” Human Rights Watch, December 20, 2018 hrw.org/news/2018/12/20/vietnam-big-brother-watching-everyone#:~:text=Under%20the%20Law%20on%20Cyber,to%20produce%20a%20court%20order.&text=%E2%80%9CIf%20this%20law%20is%20enacted,Vietnam%20will%20have%20zero%20privacy.%E2%80%9D; “Government Responses to Disinformation on Social Media Platforms: China,” Library of Congress, December 30, 2020, accessed May 13, 2021, loc.gov/law/help/social-media-disinformation/china.php#II; Jack Wagner, “China’s Cybersecurity Law: What You Need to Know,” The Diplomat, June 1, 2017, thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/; Timothy McLaughlin, “Under Vietnam’s new cybersecurity law, U.S. tech giants face stricter censorship,” The Washington Post, March 16, 2019, washingtonpost.com/world/asia_pacific/under-vietnams-new-cybersecurity-law-us-tech-giants-face-stricter-censorship/2019/03/16/8259cfae-3c24-11e9-a06c-3ec8ed509d15_story.html Even before the Cybersecurity Law, Vietnam’s government had demonstrated its willingness to use domestic regulations as a tool to force Western tech companies like Facebook, Google and Apple to comply with its censorship strictures, successfully pressuring them to cut off Vietnamese users’ access to prohibited content—such as thousands of “malicious” videos, hundreds of websites with “anti-governmental content,” and even video games that contained “distortions of Vietnamese history.”134Chau An, “142 illegal games removed from Apple, Google app stores in Vietnam,” VnExpress, July 17, 2019, e.vnexpress.net/news/news/142-illegal-games-removed-from-apple-google-app-stores-in-vietnam-3953610.html; “FREEDOM ON THE NET 2020: Vietnam,” Freedom House, accessed May 5, 2021, freedomhouse.org/country/vietnam/freedom-net/2020; Hoang Thuy, “Vietnamese should clean up their cybertrash: information minister,” VnExpress, June 6, 2019, e.vnexpress.net/news/news/vietnamese-should-clean-up-their-cybertrash-information-minister-3934752.html
Facebook and YouTube especially play an outsized role in Vietnam’s online civic space, and digital rights and democracy activists commonly stress that these platforms offer Vietnamese users a way to share their views without going through a government-controlled publishing outlet. As Vietnamese artist/activist Mai Khoi told The Washington Post, “The cybersecurity law is an attempt by the government to control the only space where people can talk freely.”135Timothy McLaughlin, “Under Vietnam’s new cybersecurity law, U.S. tech giants face stricter censorship,” The Washington Post, March 16, 2019, washingtonpost.com/world/asia_pacific/under-vietnams-new-cybersecurity-law-us-tech-giants-face-stricter-censorship/2019/03/16/8259cfae-3c24-11e9-a06c-3ec8ed509d15_story.html The Law’s data localization and data-disclosure demands are particularly frightening when considering the government’s relentless targeting of dissident bloggers, with courts commonly handing down years-long prison sentences for online speech that the government deems to fall under vaguely defined and arbitrarily enforced national security crimes such as “anti-state propaganda.”136See PEN America’s Freedom to Write 2020 Index for further analysis of Vietnam’s criminalization of peaceful online speech it deems threatening.
Reviewing the Law in 2019, journalist Timothy McLaughlin concluded that the legislation “could serve as a model for other repressive governments of how to control information and suppress dissent online while at the same time continuing to grow a vibrant tech sector.”137Timothy McLaughlin, “Under Vietnam’s new cybersecurity law, U.S. tech giants face stricter censorship,” The Washington Post, March 16, 2019, washingtonpost.com/world/asia_pacific/under-vietnams-new-cybersecurity-law-us-tech-giants-face-stricter-censorship/2019/03/16/8259cfae-3c24-11e9-a06c-3ec8ed509d15_story.html Sure enough, on February 9, 2021, Myanmar’s military junta, days after overthrowing the country’s elected government and in the midst of a brutal crackdown meant to consolidate power, proposed a draft cybersecurity law aiming to secure powers similar to those outlined in the Vietnamese and Chinese laws.138“Myanmar: Scrap Sweeping Cybersecurity Bill,” Human Rights Watch, February 12, 2021, hrw.org/news/2021/02/12/myanmar-scrap-sweeping-cybersecurity-bill#
Turkey provides another example of how rights-repressive governments can ratchet up the pressure on international corporations, including through the “hostage model” of regulation. On October 1, 2020, the government implemented a set of amendments to its social media law, introducing new data localization measures as well as creating new levels of domestic accountability for social media companies.139The Cube, “Turkish law tightening rules on social media comes into effect,” Euronews, January 10, 2020, euronews.com/2020/10/01/turkish-law-tightening-rules-on-social-media-comes-into-effect; Begüm Yavuzdoğan Okumuş and Direnç Bada, “Turkish Data Localization Rules in Effect for Social Media Companies,” Gün + Partners, October 14, 2020, gun.av.tr/insights/articles/turkish-data-localization-rules-in-effect-for-social-media-companies Under the newly amended Internet Law No. 5651, major social media companies are forced to appoint Turkish citizens to serve as their legal representatives within the country—something which increases the government’s leverage over their employers.140Kayahan Cantekin, “Turkey: Parliament Passes Law Imposing New Obligations on Social Media Companies,” Library of Congress, August 6, 2020, loc.gov/law/foreign-news/article/turkey-parliament-passes-law-imposing-new-obligations-on-social-media-companies/ These representatives would be charged with resolving the Turkish government’s content removal demands within 48 hours, or the company would face heavy fines.141Begüm Yavuzdoğan Okumuş and Direnç Bada, “Turkish Data Localization Rules in Effect for Social Media Companies,” Gün + Partners, October 14, 2020, gun.av.tr/insights/articles/turkish-data-localization-rules-in-effect-for-social-media-companies To put teeth to its legislation, the Turkish government began fining platforms that failed to appoint such representatives, including Facebook, Instagram, TikTok, Twitter, and YouTube—once, in November 2020, to the tune of 10 million Turkish lira (approx. $1.3 million), and again in December 2020, for 30 million Turkish lira (approx. $3.8 million).142“TikTok joins social media platforms appointment representatives in Turkey,” Daily Sabah, January 8, 2020, dailysabah.com/business/tech/tiktok-joins-social-media-platforms-appointing-representatives-in-turkey
The new rules closely followed a speech by President Tayyip Recep Erdoğan that called for a “cleaning up” of social media platforms after users insulted his daughter and son-in-law on social media.143The Cube, “Turkish law tightening rules on social media comes into effect,” Euro News, October 1, 2020, euronews.com/2020/10/01/turkish-law-tightening-rules-on-social-media-comes-into-effect Some of those who allegedly posted these insults were detained by police.144“Turkey: Erdogan vows social media controls over insults to family,” Al Jazeera, July 1, 2020, aljazeera.com/news/2020/7/1/turkey-erdogan-vows-social-media-controls-over-insults-to-family Erdoğan has previously been vocal about his desire to control social media platforms’ presence in the country, seeing their potential for mobilizing protests as a threat to his power.145“Turkey: Erdogan vows social media controls over insults to family,” Al Jazeera, July 1, 2020, aljazeera.com/news/2020/7/1/turkey-erdogan-vows-social-media-controls-over-insults-to-family
“Turkey already had in place expansive criminalizations of online speech,” Deniz Yüksel, a Turkey advocacy specialist at Amnesty International USA, wrote in one review of the new mandate. “It’s a country where judicial independence has been steadily undermined, and censoring the web has traditionally been a domestic and legalistic affair . . . Moreover, the blocking of online content critical of the government and the prosecution of individuals expressing dissenting opinions on social media has increased in recent years under the ruling Justice and Development Party (AKP).” Yüksel added that this aggressive intrusion on digital dissent has only increased during the COVID-19 pandemic, and that the new law will foreseeably “further squeeze Turkey’s battered civil society.”146Deniz Yuksel, “Turkey’s Government Wants Silicon Valley to Do Its Dirty Work,” Lawfare, December 9, 2020, lawfareblog.com/turkeys-government-wants-silicon-valley-do-its-dirty-work
Several of the world’s largest corporations have already accepted Turkey’s new demand. In December, Google indicated that it would comply with the order to appoint local representatives, while insisting that the law would not change its response to content removal requests, nor its management of Turkish users’ data.147“YouTube says to appoint Turkey representative in line with new law,” Reuters, December 16, 2020, reuters.com/article/us-turkey-socialmedia-youtube/youtube-says-to-appoint-turkey-representative-in-line-with-new-law-idUSKBN28Q1T2 TikTok and Facebook both quickly followed suit, publicly acknowledging that they would consent to the order in January 2021.148“TikTok joins social media platforms appointment representatives in Turkey,” Daily Sabah, January 8, 2020, dailysabah.com/business/tech/tiktok-joins-social-media-platforms-appointing-representatives-in-turkey; Zeynep Bilginsoy, “Facebook bows to Turkish demand to name local representative,” Associated Press, January 18, 2021, apnews.com/article/turkey-media-social-media-6f2b1567e0e7f02e983a98f9dc795265 These decisions will presumably set a dangerous precedent: not only for social media operations but also for other digital service providers; and not only in Turkey but also in other countries that hope to exert pressure on foreign tech companies and limit their citizens’ ability to express dissent.149Human Rights Watch, “Turkey: YouTube Precedent Threatens Free Expression,” news release, December 18, 2020, hrw.org/news/2020/12/19/turkey-youtube-precedent-threatens-free-expression
Another example of newly-adopted “hostage model” tactics comes from India, the world’s largest “digital decider” state, which has seen a democratic backslide under Prime Minister Narendra Modi, and which has increasingly imposed political censorship on social media companies under the guise of imposing democratic accountability.150Karan Deep Singh and Paul Mozur, “As Covid Outbreak Rages, India Orders Critical Social Media Posts to Be Taken Down,” The New York Times, April 25, 2021, nytimes.com/2021/04/25/business/india-covid19-twitter-facebook.html; “India: Freedom in the World 2021 Country Report,” Freedom House, accessed May 11, 2021, freedomhouse.org/country/india/freedom-world/2021 (downgrading India from “free” to “partly free”). In February, the government implemented a set of new rules for online content that grant the government substantial additional leverage over social media and other online companies.151Manish Singh, “Facebook, Twitter. WhatsApp face tougher rules in India,” TechCrunch, February 25, 2021, techcrunch.com/2021/02/25/india-announces-sweeping-guidelines-for-social-media-on-demand-streaming-firms-and-digital-news-outlets/; Mujib Mashal and Hari Kumar, “India’s News Upstarts Challenged Modi. New Rules Could Tame Them.,” The New York Times, March 27, 2021, nytimes.com/2021/03/27/world/asia/india-modi-media.html Under the rules, online platforms must appoint a local “grievance officer” to quickly address content takedown requests from complainants, with a government-appointed body having final authority on whether the platform must delete or change content. These local grievance officers must also share their names and contact details with government officials.152Manish Singh, “Facebook, Twitter. WhatsApp face tougher rules in India,” TechCrunch, February 25, 2021, techcrunch.com/2021/02/25/india-announces-sweeping-guidelines-for-social-media-on-demand-streaming-firms-and-digital-news-outlets/; Mujib Mashal and Hari Kumar, “India’s News Upstarts Challenged Modi. New Rules Could Tame Them.,” The New York Times, March 27, 2021, nytimes.com/2021/03/27/world/asia/india-modi-media.html These new requirements are particularly dangerous when paired with India’s Information Technology Act, which enables the government to impose a sentence of up to seven years imprisonment on company officials who fail to comply with government takedown orders issued on the grounds of subversion or threat to public order or national security.153Tariq Ahmad, “Government Responses to Disinformation on Social Media Platforms: India,” Library of Congress, December 13, 2020, loc.gov/law/help/social-media-disinformation/india.php#II; see also Karan Deep Singh, “Twitter Blocks Accounts in India as Modi Pressures Social Media,” The New York Times, February 10, 2021, nytimes.com/2021/02/10/technology/india-twitter.html
Officials have claimed the new rules will help prevent “internet imperialism” by major social media platforms.154Ravi Shankar Prasad (@rsprasad), “India is proud to have a strong base of social media users. The social media intermediaries are free to do business in India. It has empowered ordinary Indians…”, Twitter, March 18, 2021, twitter.com/rsprasad/status/1372467550416637956 Yet, the government itself has acted more and more imperiously in wielding content takedown orders to silence political criticism. In February, before the new rules were implemented, officials compelled Twitter to remove from view within India dozens of accounts criticizing New Delhi’s heavy-handed response to farmer protests that have swept the country. Twitter had originally attempted to largely resist the order, citing its commitments to free speech, but reversed course after receiving a no-compliance order threatening potential jail time for its employees.155Manish Singh, “India warns Twitter over lifting block on accounts and noncompliance of order,” TechCrunch, February 3, 2021, techcrunch.com/2021/02/03/india-sends-warning-to-twitter-over-lifting-block-on-accounts-and-noncompliance-of-order/; Manish Singh, “Twitter suspends over 500 accounts in India after government warning,” TechCrunch, February 9, 2021, techcrunch.com/2021/02/09/twitter-takes-actions-on-over-500-accounts-in-india-amid-government-warning/ In April, the government ordered Twitter, Facebook, and Instagram to remove from view hundreds of social media posts criticizing its response to the COVID-19 pandemic.156Karan Deep Singh and Paul Mozur, “As Outbreak Rages, India Orders Critical Social Media Posts to Be Taken Down,” The New York Times, May 1, 2021, nytimes.com/2021/04/25/business/india-covid19-twitter-facebook.html “In India,” one journalist reporting on the orders summarized, “companies face a stark choice: follow laws and risk suppressing political debate, or ignore them and face harsh punishments, including prison time for local employees, in a potentially huge growth market.”157Karan Deep Singh and Paul Mozur, “As Outbreak Rages, India Orders Critical Social Media Posts to Be Taken Down,” The New York Times, May 1, 2021, nytimes.com/2021/04/25/business/india-covid19-twitter-facebook.html
Social media companies are not the only targets of new laws meant to make corporations toe the government line. In Russia, almost simultaneously with the passage of its Sovereign Internet Law in 2019, Russian legislators passed a ban on the sale of smartphones, computers, and TVs that did not have certain Russian apps pre-installed.158Anna Kovalenko, “The State Duma approved a ban on the sale of smartphones without Russian software,” The Bell, November 5, 2019, thebell.io/gosduma-odobrila-zapret-na-prodazhu-smartfonov-bez-rossijskogo-po; “Bill No. 757423-7,” Legislative Support System, accessed May 11, 2021, sozd.duma.gov.ru/bill/757423-7 Backed by the Putin administration, the ban has been informally dubbed “the law against Apple,” given its apparent aim to compel Apple specifically to shed its rules against pre-installing applications.159Peter Mironenko and Valeria Pozychanyuk, “‘Law against Apple’: new restrictions could force the company to leave Russia,” The Bell, November 5, 2019, thebell.io/zakon-protiv-apple-novye-ogranicheniya-mogut-zastavit-kompaniyu-ujti-iz-rossii In March 2021, Apple partially conceded, adding a setup screen to its iPhones sold in Russia that prompts users to download apps from Russian developers.160Lily Hay Newman, “Apple Bent the Rules for Russia—and Other Countries Will Take Note,” Wired, March 17, 2021, wired.com/story/apple-russia-iphone-apps-law/ While not a complete concession to the law, Apple’s move still may serve as a green light to other repressive regimes wishing to force technology companies to serve as vectors for government-approved digital apps that they can better surveil or censor.161Lily Hay Newman, “Apple Bent the Rules for Russia—and Other Countries Will Take Note,” Wired, March 17, 2021, wired.com/story/apple-russia-iphone-apps-law/
These government efforts to force technology giants into doing their bidding serve to demonstrate how the re-balancing of power between states and corporations can go terribly wrong. As countries across the globe determine how to impose accountability on the corporations that mediate our digital speech, there is substantial potential for this “accountability” to instead take the form of coercive measures designed to enlist these same corporations in political repression.
Governments are Increasingly Compelling Internet Shutdowns
These new tactics fit within a larger sphere of digitally-repressive actions, taken in the name of a government’s sovereign interests, for which these governments may require corporate compliance. Of these actions, none are more aggressive than a state shutting down users’ access to the internet within the country. Government-ordered internet shutdowns are commonly used to provide cover for acts of state violence, such as crackdowns on peaceful protests, or to quash public mobilization.162Anita R. Gohdes, “Pulling the Plug: Network Disruptions and Violence in Civil Conflict,” Journal of Peace Research 52, no. 3 (February 12, 2015): 352-367, doi.org/10.1177/0022343314551398; see also UN (United Nations) Human Rights Committee, September 17, 2020, General comment No. 37 (2020) on the right of peaceful assembly (article 21), CCPR/C/GC/37, available at undocs.org/CCPR/C/GC/37 (emphasizing that hindering internet connectivity to impede peaceful assembly violates international law).
The tactic is not new, but it is increasingly a go-to tool for governments, including many of the digital deciders that are in the process of determining the future framework of their internet governance. #KeepItOn, an international coalition of civil society organizations (including PEN America) that monitor and protest internet shutdowns, has annually documented the number of shutdowns since 2016, noting a three-year upswing: from 75 shutdowns in 2016, to 106 shutdowns in 2017, to 196 shutdowns by 25 countries in 2018, to 213 shutdowns by 33 countries in 2019.163“#KeepItOn 2019 Report,” AccessNow, June 22, 2019, accessnow.org/cms/assets/uploads/2020/02/KeepItOn-2019-report-1.pdf (which includes its numbers for previous years). Of those 33 countries, eight fall within the “digital decider” camp.164Sri Lanka, Iraq, India, Jordan, Democratic Republic of the Congo, Ecuador, Indonesia, Pakistan. Robert Morgus, Justin Sherman, and Jocelyn Woolbright, “The Digital Deciders: How a group of often overlooked countries could hold the keys to the future of the global internet,” New America, October 23, 2018, newamerica.org/cybersecurity-initiative/reports/digital-deciders/ India, the world’s largest democracy and perhaps the most significant digital decider, has emerged as the world’s leader in imposing shutdowns, blocking some portion of its population 121 times in 2019 alone.165“#KeepItOn 2019 Report,” AccessNow, June 22, 2019, accessnow.org/cms/assets/uploads/2020/02/KeepItOn-2019-report-1.pdf. The seven digital decider countries are Kenya, Iraq, Jordan, India, Kyrgyzstan, Pakistan, Ecuador. Robert Morgus, Justin Sherman, and Jocelyn Woolbright, “The Digital Deciders: How a group of often overlooked countries could hold the keys to the future of the global internet,” New America, October 23, 2018, newamerica.org/cybersecurity-initiative/reports/digital-deciders/ In 2020, the most recent year studied, there was a downturn in these numbers—155 shutdowns from 29 countries, including seven digital deciders.166Robert Morgus, Justin Sherman, and Jocelyn Woolbright, “The Digital Deciders: How a group of often overlooked countries could hold the keys to the future of the global internet,” New America, October 23, 2018, newamerica.org/cybersecurity-initiative/reports/digital-deciders/ But #KeepItOn researchers warn that this reduction does not appear to be connected to any overall expansion of global digital rights.167“#KeepItOn 2020 Report,” AccessNow, March 2021, accessnow.org/cms/assets/uploads/2021/03/KeepItOn-report-on-the-2020-data_Mar-2021_3.pdf
As Section II of this report examines, authoritarian leaders have pushed to either fragment the internet into more nationalized spheres or to build their own regulatory and technological infrastructure for a national internet, both of which risk lowering the costs and technological barriers of triggering such a shutdown. Some states, like Ethiopia, rely entirely on state-owned providers, making it far easier to order these providers to shut down their services.168Isabel Linzer, “An Explainer for When the Internet Goes Down: What, Who, and Why?,” Freedom House, July 29, 2019 freedomhouse.org/article/explainer-when-internet-goes-down-what-who-and-why Yet in most cases, a government that wishes to trigger a shutdown requires the assent or assistance not only of purely domestic (state-owned or private) corporations but also of international corporations that may be major internet providers within the country.
A recent example comes from Belarus, which since August 2020 has experienced the largest anti-government protests in its history, protesting the political repression and evident electoral fraud of President Alexander Lukashenko and his administration.169Andrei Makhovsky and Tom Balmforth, “Internet blackout in Belarus leaves protesters in the dark,” Reuters, August 11, 2020, reuters.com/article/us-belarus-election-internet/internet-blackout-in-belarus-leaves-protesters-in-the-dark-idUSKCN2571Q4 The government has responded not only with systematic and repressive violence, but also with waves of internet shutdowns designed to undermine the organizing and the visibility of the protests. Belarusian authorities ordered service provider A1 Belarus—a subsidiary of the Austrian company A1 Telekom Austria Group—to comply with their shutdown orders, and A1 Belarus dutifully acquiesced.170“Shutdowns in Belarus: Austrian telco must denounce actions and commit to accountability,” Access Now, November 4, 2021, accessnow.org/austrian-telco-must-denounce-internet-shutdowns-in-belarus/ An executive of A1 Belarus, justifying the decision, said that the Austrian parent company was “deeply concerned” about the shutdowns but argued that its communication services were largely reliant on state-controlled infrastructure, and cited its need to comply with “local and regulatory requirements.”171Nikolay Bredelev, Unitary Enterprise A1, October 29, 2020, accessnow.org/cms/assets/uploads/2020/11/A1_Belarus_Response.pdf
The invocation of “local requirements” as a rationale for compliance, however, offers little consolation to protesters facing the brunt of their government’s cruelty under cover of digital darkness. Franak Viačorka, a Belarusian journalist and opposition activist, is one of the many Belarusians who reacted with anger at A1’s decision, saying at a December 2020 event that A1 specifically is “the biggest telecommunication provider in Belarus. And the authorities of Belarus, when they needed to block the internet, they didn’t do it with their own hands, but they ordered the foreign Austrian company to do it . . . We have been trying to put pressure on the company in Vienna, saying, ‘You shouldn’t do this. You shouldn’t help a dictator.’ But they say, ‘We cannot say no, since we are limited by law, and when the government forces us, we have to limit the internet.’”172Franak Viačorka, panelist comments, “The Future of internet Freedom: Policy, Technology, and Emerging Threats: Part One” American University, December 1, 2020, video available online at youtube.com/watch?v=UL2f4GzYy-c&t=3836s
Another recent, and ongoing, example involves Myanmar, where hours after seizing power the leaders of the February 2021 military coup ordered a country-wide internet shutdown.173Miriam Berger, “Myanmar’s military shuts down Internet, two months after coup,” The Washington Post, April 1, 2021, washingtonpost.com/world/2021/04/01/myanmar-military-internet-shutdown-bloodbath/ Companies complying with the order included not only state-owned internet service providers, but also international companies such as Telenor Myanmar, a subsidiary of the Norwegian Telenor Group, and Ooredoo Myanmar, a subsidiary of the Qatari Ooredoo Group.174Catherine Shu, “Internet connectivity drops in Myanmar after the military detains Aung San Suu Kyi and other leading politicians,” Tech Crunch, February 1, 2021, techcrunch.com/2021/01/31/internet-connectivity-drops-in-myanmar-after-the-military-detains-aung-san-suu-kyi-and-other-leading-politicians/; “Myanmar internet providers block Facebook services after government order,” Reuters, February 3, 2021, reuters.com/article/us-myanmar-politics-facebook/myanmar-internet-providers-block-facebook-services-after-government-order-idUSKBN2A32ZE; Doug Madory, “Myanmar goes offline during military coup,” Kentik, February 1, 2021, https://www.kentik.com/blog/myanmar-goes-offline-during-military-coup/ This shutdown remained in place even as military forces gunned down hundreds of demonstrators demanding the return of their democracy.175Miriam Berger, “Myanmar’s military shuts down Internet, two months after coup,” The Washington Post, April 1, 2021, washingtonpost.com/world/2021/04/01/myanmar-military-internet-shutdown-bloodbath/ ; see generally “As Myanmar marks 101 days of internet shutdowns, the #KeepItOn coalition urges full restoration of internet access,” Access Now, September 30, 2019, accessnow.org/as-myanmar-marks-101-days-of-internet-shutdowns-the-keepiton-coalition-urges-full-restoration-of-internet-access/ In an open letter to mobile operators and internet service providers operating in Myanmar, a group of Myanmar civil society organizations pointed out that, by complying with the military junta’s directives, these companies were “essentially legitimizing” the military’s stolen authority, and called on these companies to take “every action possible” to appeal these illegitimate orders.176“Myanmar civil society appeals to ISPs for connectivity, protection of rights,” Access Now, February 6, 2021, accessnow.org/myanmar-isp-appeal/
When responding to internet shutdown demands, internet service providers and mobile operators have opportunities to respond in ways that mitigate the human rights impacts of compliance. David Sullivan, Program Director at the Global Network Initiative, has laid out five actions corporations can take, either before or in response to an internet shutdown order:177David Sullivan, “Five Ways Telecommunications Companies Can Fight Internet Shutdowns,” Lawfare, August 23, 2020, lawfareblog.com/five-ways-telecommunications-companies-can-fight-internet-shutdowns
- Clarify their legal obligations, including by seeking legal advice from outside counsel, rather than passively accepting the government’s interpretation of its own legal authority to compel a shutdown;
- Document everything, in order to ensure full corporate visibility on the scope and severity of the shutdown;
- Narrow disruptions as much as possible in order to reduce their impact;
- Provide transparency, including by notifying users about government-imposed disruption; and
- Collaborate with allies, including civil society organizations, to better resist and respond to such shutdowns.
These steps, and in particular the step of narrowing disruptions as much as possible, are not merely options for these companies, but actions that—under the UN Guiding Principles for Business and Human Rights—they are expected to take in keeping with their human rights responsibilities.
In the case of Belarus, on October 1, #KeepItOn issued an open letter—to which PEN America was a signatory—to leaders of A1 Belarus and its Austrian parent company, laying out a similar series of steps that the corporation could take to resist the government shutdown demand while still remaining in compliance with national law. Specifically, the signatories exhorted A1 to:
- Publicly denounce the internet shutdown;
- Preserve evidence and reveal any demands from the Belarusian government;
- Publicly disclose details about the extent, scope, and status of the shutdown;
- Contest the legality of the internet shutdown order; and
- Consult civil society groups and rally peer companies to jointly push back against the shutdown178“Joint letter to A1 Belarus calling on telecom service providers in Belarus to be transparent and resist internet shutdowns,” #KeepItOn, October 1, 2020, accessnow.org/cms/assets/uploads/2020/10/KeepItOn-A1-Telekom-Austria-open-letter-signed.pdf; See generally Yola Verbruggen, “Litigators target national internet shutdowns,” International Bar Association, September 4, 2020, ibanet.org/Article/NewDetail.aspx?ArticleUid=67C5E909-83D5-4776-BD7D-BF4A22C1E886 for information on the rise of such litigation.
Internet service providers have power, and under international law they are expected to use it to uphold human rights to the greatest possible extent. But so much more is needed, particularly given that internet shutdowns are on the rise. All internet service providers and mobile operators must develop policies and procedures to ensure that, upon receiving such a demand, they have a more meaningful response than meek compliance. Meanwhile, corporations, civil society, and rights-respecting governments must act affirmatively to stop the normalization of internet shutdowns, and must push back forcefully against any invocation of sovereignty that seeks to legitimize shutdowns as a tool for governmental regulation.
Section IV: Envisioning a New Digital Democratic Multilateralism
In grappling with how governments committed to an open and human rights-anchored internet can act to safeguard it, some commentators have begun calling for a new model of democratic multilateralism for internet governance, driven by a coalition of established democracies. The British government reportedly approached Washington last year to propose the creation of a “D10,” a group of 10 democracies that would collaborate on supplying 5G equipment and other digital technologies.179Aditi Khana, “UK Plans New 5g Club of 10 Democracies, Including India: Report,” mint, May 29, 2020, livemint.com/news/india/uk-plans-new-5g-club-of-10-democracies-including-india-report-11590759252503.html; Lucy Fisher, “Downing Street Plans New 5G Club of Democracies,” The Times, May 29, 2020, thetimes.co.uk/article/downing-street-plans-new-5g-club-of-democracies-bfnd5wj57 Over the past year alone, experts at institutions such as Stanford’s Cyber Policy Center, the Brookings Institution, the German Marshall Fund’s Alliance for Securing Democracy, and the Council on Foreign Relations have all proposed some variant of this idea—a digital democratic club, one that would help set democratic norms for the development of new technologies and digital governance, and serve as a counterpoint to the Digital Silk Road and other efforts to export a repressive approach.180“How Democracies Can Claim Back Power in the Political World,” Technology Review, September 9, 2020, technologyreview.com/2020/09/29/1009088/democracies-power-digital-social-media-governance-tech-companies-opinion/; Tyson Barker and Marietje Schaake, “Democratic Source Code for a New U.S.-EU Tech Alliance,” Lawfare, November 24, 2020, lawfareblog.com/democratic-source-code-new-us-eu-tech-alliance; Lindsay P. Gorman, “A Future Internet for Democracies: Contesting China’s Dominance in 5G, 6G, and the Internet-of-Everything,” Alliance for Securing Democracy at The German Marshall Fund of the United States, October 27, 2020, securingdemocracy.gmfus.org/wp-content/uploads/2020/10/Future-Internet.pdf; Robert K. Knake, “Weaponizing Digital Trade: Creating a Digital Trade Zone to Promote Online Freedom and Cybersecurity,” Council on Foreign Relations, September 2020, cdn.cfr.org/sites/default/files/report_pdf/weaponizing-digital-trade_csr_combined_final.pdf; Tom Wheeler, “Time for a U.S.—EU digital alliance,” The Brookings Institution, January 21, 2021, brookings.edu/research/time-for-a-us-eu-digital-alliance/
This idea is gaining particular traction within U.S. policy circles, particularly as Washington policymakers respond to the rise in tensions between the United States and China. Global internet and telecommunication infrastructure is quickly becoming a new front for competition between the two powers, with the United States taking increasingly aggressive action to excise telecommunications equipment and infrastructure produced by the Chinese telecommunications giant Huawei—as well as similar Chinese companies such as the partially-state-owned ZTE181The Chinese government owns nearly half of Zhongxingxin Telecom, the controlling shareholder of ZTE Corporation. “Annual Report 2020,” ZTE Corporation, April 8, 2021, 75, zte.com.cn/mediares/zte/Investor/20210408/E2.pdf; Dan Strumpf, “ZTE’s State Owner to Cut Its Stake,” The Wall Street Journal, March 13, 2019, wsj.com/articles/ztes-state-owner-to-cut-its-stake-11552477396—from the global supply chain.
Huawei is the world’s largest producer of telecommunications equipment and 5G infrastructure, as well as the world’s second-largest producer of smartphones.182Paula Gilbert, “Is the World Turning on Huawei?” ITWeb, January 30, 2019, itweb.co.za/content/PmxVEMKXd64qQY85 Although Huawei is privately owned, it is widely viewed by experts as closely aligned with the Chinese government.183See Lindsay Maizland and Andrew Chatzky, “Huawei: China’s Controversial Tech Giant,” Council on Foreign Relations, August 6, 2020, https://www.cfr.org/backgrounder/huawei-chinas-controversial-tech-giant Huawei infrastructure has underlaid much of the world’s internet connectivity, including the majority of Africa’s 4G infrastructure,184Amy MacKinnon, “For Africa, Chinese-Built Internet is Better than No Internet At All,” Foreign Policy, March 19, 2019, foreignpolicy.com/2019/03/19/for-africa-chinese-built-internet-is-better-than-no-internet-at-all/ as well as that of some rural U.S. communities drawn to the technology by its low price point.185Colin Lecher, “Ripping Huawei Out of US Networks Could Be a Nightmare for Rural Providers,” The Verge, June 5, 2019, theverge.com/2019/6/5/18652769/huawei-china-security-rural-internet-rip-replace; William Yuen Lee, “With U.S. Restrictions on Huawei and ZTE, Where Will Rural America Turn?” Center for Strategic and International Studies, December 10, 2020, csis.org/blogs/new-perspectives-asia/us-restrictions-huawei-and-zte-where-will-rural-america-turn Yet U.S. national security experts have warned that Huawei 5G technology could be used to give the Chinese government access to Americans’ data, and caution that in case of a conflict between the two countries, the company could shut down its telecommunications infrastructure within the country on orders from Beijing, or serve as a vector for malicious software that could compromise the United States’s digital connectivity both within and beyond U.S. borders.186See generally “The Backlash to Huawei’s Global 5G Expansion,” Carnegie Endowment for International Peace, accessed May 12, 2021, carnegieendowment.org/publications/interactive/huawei-timeline
The Trump Administration had made increasingly-aggressive action against Huawei and other Chinese telecommunications companies a cornerstone of both its tech policy and its trade war with China. Under Trump, in August 2020 the State Department unveiled its Clean Network Program, designed to commit both governments and companies to excising these telecoms from their supply chains in order to be treated as trusted partners.187David Shepardson and Karen Freifeld, “Trump extends U.S. telecom supply chain order aimed at Huawei, ZTE,” Reuters, May 13, 2020, reuters.com/article/us-usa-trade-china-trump/trump-extends-u-s-telecom-supply-chain-order-aimed-at-huawei-zte-idUSKBN22P2KG Efforts to limit Huawei’s reach within the United States and to excise it from American infrastructure first began under the Obama administration,188Jim Wolf, “U.S. lawmakers seek to block China Huawei, ZTE U.S. inroads,” Reuters, October 7, 2012, reuters.com/article/us-usa-china-huawei-zte/u-s-lawmakers-seek-to-block-china-huawei-zte-u-s-inroads-idUSBRE8960NH20121008 and have emerged as an area of rare bipartisan consensus: Congress passed the Secure and Trusted Communications Act in 2020 to stop telecoms from using government funds to buy Huawei or ZTE equipment, and to mandate the removal of equipment already in place within the United States.18947 U.S.C., congress.gov/bill/116th-congress/house-bill/4998; see also Laura H. Phillips and Qiusi Y. Newcom, “Congress Enacts the Secure and Trusted Communications Networks Act, Spurring Efforts to Identify, Remove and Replace Covered Telecommunications Equipment and Services,” Faegre Drinker Biddle & Reath LLP, April 1, 2020, faegredrinker.com/en/insights/publications/2020/4/congress-enacts-the-secure-and-trusted-communications-networks-act
The Biden Administration has continued these efforts, putting new limits on Huawei suppliers in March 2021.190Karen Freifield, “Biden Administration Adds New Limits on Huawei Suppliers,” Reuters, March 11, 2021, reuters.com/article/us-usa-huawei-tech/biden-administration-adds-new-limits-on-huaweis-suppliers-idUSKBN2B3336 U.S. allies, including India, Australia, the United Kingdom, and Japan have also taken action to limit Huawei technology or excise it from their national infrastructure.191See generally “The Backlash to Huawei’s Global 5G Expansion,” Carnegie Endowment for International Peace, accessed May 12, 2021, carnegieendowment.org/publications/interactive/huawei-timeline There is a hot debate amongst digital policy experts and digital rights advocates as to whether such measures are a justifiable response to fears of Chinese government surveillance and shutdown capabilities,192Daniel Wagner, “Why U.S. Concerns About Huawei are Justified”, International Policy Digest, April 6, 2019, intpolicydigest.org/why-u-s-concerns-about-huawei-are-justified/ or an unnecessary maneuver that will only exacerbate internet fragmentation.193“Internet Society Calls the US Clean Network Program a Political Act, A Push Towards ‘Splinternet,’” CircleID, August 2020, circleid.com/posts/20200811-internet-society-calls-us-clean-network-program-a-political-act/
This climate of suspicion and uncertainty creates a strange dilemma for U.S. policymakers who espouse a commitment to a free and open internet. On the one hand, the Chinese government has worked aggressively to influence global norms for digital technology, to proselytize an authoritarian framework of digital sovereignty, and to develop and export digital technologies that facilitate repression.194Robert Greene, “Will China Control the Global Internet Via its Digital Silk Road?” May 28, 2020, Carnegie Endowment for International Peace, carnegieendowment.org/2020/05/08/will-china-control-global-internet-via-its-digital-silk-road-pub-81857 These are all clear threats to the future of the internet as a space for the free and uninterrupted flow of ideas and information, and they necessitate a response. On the other hand, U.S. efforts to counterbalance these pressures by excising Huawei and pushing other countries to do the same, particularly if mishandled, risk reinforcing this digital partition and transforming the issue of digital privacy into merely another political football between the two powers.
These risks were particularly apparent during the Trump Administration, which conflated a diverse set of concerns when justifying its actions against Huawei—citing data privacy and national security issues broadly while simultaneously playing up its efforts to counter China specifically. As Graham Webster, a scholar at the Stanford Cyber Policy Center, described it, the Clean Network Program has suffered from a fundamental framing issue wherein “the only things deemed unclean are Chinese things, tying some legitimate questions about tech security and governance to a maximalist frame and familiar racist trope against Chinese people.”195Graham Webster, “Transpacifica is back. What’s next in China policy? 2020.11.13,” Transpacifica, November 13, 2020, transpacifica.net/2020/11/2120/
This disjointed approach was also evident in the Trump Administration’s attempts to block Chinese social media apps TikTok and WeChat, with President Trump in August 2020 issuing executive orders threatening to expel both platforms unless they separated from their Chinese parent companies.196Nikki Carvajal and Caroline Kelly, “Trump issues orders banning TikTok and WeChat from operating in 45 days if they are not sold by Chinese parent companies,” CNN, August 7, 2020, cnn.com/2020/08/06/politics/trump-executive-order-tiktok/index.html While Trump cited national security concerns over access to Americans’ data, the move was largely derided as “security theater” by experts,197See Zachary Karabell, “Trump’s TikTok Policy Is Just a New Kind of ‘Security Theater,’” Politico, September 15, 2020, politico.com/news/magazine/2020/09/15/trumps-tiktok-policy-is-just-a-new-kind-of-security-theater-415088; Graham Webster, “App bans won’t make US security risks disappear,” MIT Technology Review, September 21, 2020, technologyreview.com/2020/09/21/1008620/wechat-tiktok-ban-china-us-security-policy-opinion/ (“The Trump administration’s actions against the two Chinese-owned social-media platforms are driven more by politics and an effort to seem tough on China than by actual privacy, safety, or national security concerns.”) and subsequently blocked by the courts.198Bobby Allyn, “Federal Judge Blocks Trump Administration’s U.S. WeChat Ban,” NPR, September 20, 2020, npr.org/2020/09/20/914983610/federal-judge-blocks-trump-administrations-u-s-wechat-ban; Kim Lyons, “Judge again blocks Trump administration push to ban WeChat in the US,” The Verge, October 23, 2020, theverge.com/2020/10/23/21531154/judge-denies-trump-administration-ban-wechat-tencent-china; Bobby Allyn, “U.S. Judge Halts Trump’s TikTok Ban, The 2nd Court To Fully Block The Action,” NPR, December 7, 2020, npr.org/2020/12/07/944039053/u-s-judge-halts-trumps-tiktok-ban-the-2nd-court-to-fully-block-the-action These threats represented both a disturbing willingness by a U.S. president to unilaterally shut down an entire platform for speech and a troubling adoption of a techno-nationalist viewpoint by a U.S. administration—threatening to validate China’s authoritarian and isolationist framework towards internet regulation even while claiming to combat it.199Joshua Keating, “The Trump administration is sealing the end of cyberspace,” Slate, August 12, 2020, slate.com/technology/2020/08/trump-china-tiktok-internet-cyberspace.html. For similar commentary, see also “Beijing unlikely to block ByteDance deal with Oracle, says experts,” Financial Times, September 16, 2020, ft.com/content/a9dc9865-b399-4a38-a5b9-d759c079a766; Paul Mozur, Ana Swanson, and Raymond Zhong, “Trump’s Attacks on TikTok and WeChat Could Further Fracture the Internet,” The New York Times, August 17, 2020, nytimes.com/2020/08/17/technology/trump-tiktok-wechat-ban.html (Trump’s Executive Actions “signaled a new willingness to adopt Beijing’s exclusionary tactics,” adding that the Administration’s efforts on this issue “herald a new, more invasive American philosophy of tech regulation, one that hews closer to China’s protectionist one . . . If more countries follow Mr. Trump by basing digital controls on diplomatic allegiances, protectionist aims or new concerns about the security of their citizens, the internet could become more of a patchwork of fiefs as varied as the visa policies that fragment world travel.”); Mike McQuade, “Trump’s TikTok battle heralds the ugly birth of a new splinternet,” Wired, September 21, 2020, wired.co.uk/article/tiktok-china-trump (“Trump’s TikTok battle heralds the ugly birth of a new splinternet”); Katrina Northrop, “Kaiser Kuo on How China Threatens the U.S. Self-Conception,” The Wire China, October 11, 2020, thewirechina.com/2020/10/11/kaiser-kuo-on-how-china-threatens-the-u-s-self-conception/ (“the Trump administration and its moves against companies like Tencent’s WeChat and Bytedance’s TikTok were clearly never about national security. They were never about data privacy . . . I worry about the United States accepting [a fractured internet] as a norm and simply going along with it and imposing these same types of objectionable ideas that run so counter to our core values. I think the impact of it is not so much economic as it is moral, and it would be a betrayal of our values to embrace this.”); Lindsay P. Gorman (@LindsayPGorman), “Never a good sign when Chinese media is touting and promoting the TikTok restructuring as a model for what should happen globally. What’s clear is that the US…” tweet, September 20, 2020, twitter.com/LindsayPGorman/status/1307855504094433281
For its part, Beijing responded to the Clean Network Program by doubling down on its vision of digital sovereignty on the global stage. In September of 2020, in a move widely interpreted as a direct response to the Program, Foreign Minister Wang Yi proposed a new set of global standards on data security. Dubbed the “Global Initiative on Data Security,” these standards would “Strengthen the notion of digital sovereignty and data isolation across all States, [and] encourage States to respect and abide by the internet regulations of other States.”200“Global Initiative on Data Security,” Ministry of Foreign Affairs, the People’s Republic of China, September 8, 2020, fmprc.gov.cn/mfa_eng/zxxx_662805/t1812951.shtml; Chun Han Wong, “China Launches Initiative to Set Global Data-Security Rules,” The Wall Street Journal, September 8, 2020, wsj.com/articles/china-to-launch-initiative-to-set-global-data-security-rules-11599502974; “China’s Global Initiative on Data Security has a message for Europe,” Merics, September 24, 2020, merics.org/en/analysis/chinas-global-initiative-data-security-has-message-europe
Already, observers have begun warning of a “digital iron curtain” falling between Washington and Beijing,201Elsa B. Kania et al., “Is an Iron Curtain Falling Across Tech?” Foreign Policy, February 4, 2019, foreignpolicy.com/2019/02/04/is-an-iron-curtain-falling-across-tech/ with the battle over internet infrastructure increasingly forcing digital deciders to choose a side. Those who subscribe to this view include influential voices in Washington who are urging policymakers to accept this division as the new normal. In the fall of 2020, an informal “China Strategy Group” of DC policy experts and U.S. tech industry leaders issued a report that, while stressing “multilateralism” and global cooperation, came to the bleak conclusion that “some degree of [technical] disentangling [with China] is both inevitable and preferable . . . Trends in both countries—and many of the tools at our disposal—inherently and necessarily push toward some degree of bifurcation.”202China Strategy Group, “Asymmetric Competition: A Strategy for China & Technology,” Axios, 2020, documentcloud.org/documents/20463382-final-memo-china-strategy-group-axios-1; Bethany Allen-Ebrahimian, “Former Google CEO and others call for U.S.-China tech ‘bifurcation,’” Axios, January 26, 2020, axios.com/scoop-former-google-ceo-and-others-call-for-us-china-tech-bifurcation-46fa8ca1-a677-4257-8b22-5e7fe1b7e442.html (The report’s most prominent author, ex-Google CEO Eric Schmidt, had previously predicted this US-China bifurcation in 2018); Laura Kolodny, “Former Google CEO predicts the internet will split in two — and one part will be led by China,” CNBC, September 20, 2018, cnbc.com/2018/09/20/eric-schmidt-ex-google-ceo-predicts-internet-split-china.html The Strategy Group report has reportedly been well received within the Biden Administration.203Bethany Allen-Ebrahimian, “Former Google CEO and others call for U.S.-China tech ‘bifurcation,’” Axios, January 26, 2020, axios.com/scoop-former-google-ceo-and-others-call-for-us-china-tech-bifurcation-46fa8ca1-a677-4257-8b22-5e7fe1b7e442.html
It is against this backdrop that U.S. congressional leaders have begun seriously exploring the creation of a digital alliance of democracies, or at least a more formal and substantial U.S. commitment to a digital democratic multilateralism. In the first half of 2021, lawmakers proposed several bills that would take steps towards this goal, each of which was framed as partially or primarily in response to China’s growing influence over the internet.
The bill that has most comprehensively envisioned a new digital alliance is the Democracy Technology Partnership Act (DTPA), backed by a bipartisan group of senators, which would create a State Department office to “lead in the creation of a new partnership among the world’s tech-leading democracies.”204“Text – S.604 – 117th Congress (2021-2022): Democracy Technology Partnership Act,” Congress.gov, March 4, 2021, congress.gov/bill/117th-congress/senate-bill/604/text?q=%7B%22search%22%3A%5B%22Democracy+Technology+Partnership+Act%22%5D%7D&r=1&s=1 This new partnership organization would, among other things, coordinate on technology policies and standards; adopt shared data privacy, data sharing, and data archiving standards; create shared policies around export controls and technology transfer; and coordinate on operation of supply chains in critical technology areas.205“Text – S.604 – 117th Congress (2021-2022): Democracy Technology Partnership Act,” Congress.gov, March 4, 2021, congress.gov/bill/117th-congress/senate-bill/604/text?q=%7B%22search%22%3A%5B%22Democracy+Technology+Partnership+Act%22%5D%7D&r=1&s=1 In the bill’s introductory language, the senators make clear that they have proposed such a partnership primarily in response to Chinese efforts in this arena.206“Text – S.604 – 117th Congress (2021-2022): Democracy Technology Partnership Act,” Congress.gov, March 4, 2021, congress.gov/bill/117th-congress/senate-bill/604/text?q=%7B%22search%22%3A%5B%22Democracy+Technology+Partnership+Act%22%5D%7D&r=1&s=1
Other recent bills have not gone as far as proposing a new international partnership, but have included provisions aimed at strengthening U.S. multilateral engagement on these same issues.207A related bill is the Endless Frontier Act, which similarly deals with digital supply chain issues, but does not include specific steps towards building out a democratic digital multilateralism and for that reason is not included in this analysis. “Text – S.1260 – 117th Congress (2021-2022): Endless Frontier Act,” Congress.gov, April 20, 2021, congress.gov/bill/117th-congress/senate-bill/1260/text?q=%7B%22search%22%3A%5B%22endless+frontier+act%22%5D%7D&r=1&s=3 These bills include:
- The Strategic Competition Act of 2021,208“Text – S.1169 – 117th Congress (2021-2022): Strategic Competition Act of 2021,” Congress.gov, May 10, 2021, congress.gov/bill/117th-congress/senate-bill/1169/text?q=%7B%22search%22%3A%5B%22Strategic+Competition+Act%22%5D%7D&r=1&s=5 which would direct the Secretary of State to form a Digital Connectivity and Cybersecurity Partnership to engage with other countries on the issues of internet access and digital infrastructure; promote internet regulations that foster an open, interoperable, and secure internet; and encourage the exportation of US technologies, as well as adopt some of the major components of the DTPA
- The Cyber Diplomacy Act of 2021,209“Text – H.R.1251 – 117th Congress (2021-2022): Cyber Diplomacy Act of 2021,” Congress.gov, April 22, 2021, congress.gov/bill/117th-congress/house-bill/1251/text?q=%7B%22search%22%3A%5B%22Cyber+Diplomacy+Act%22%5D%7D&r=1&s=2 which would create a State Department Bureau of International Cyberspace Policy to promote democratic ideals in the global digital realm
- The STRATEGIC Act (Strengthening Trade, Regional Alliances, Technology, and Economic and Geopolitical Initiatives concerning China),210“Text – S.687 – 117th Congress (2021-2022): STRATEGIC Act,” Congress.gov, March 10, 2021, congress.gov/bill/117th-congress/senate-bill/687?q=%7B%22search%22%3A%5B%22STRATEGIC+Act%22%5D%7D&r=1&s=4 which would create a State Department program to facilitate regulatory dialogue between the United States and partner countries as well as a presidential working group to strengthen U.S. leadership in international standards-setting bodies
On June 8, shortly before this report went to press, the Senate passed the United States Innovation and Competition Act of 2021, an omnibus bill aimed at positioning the U.S. to counter China’s economic and military growth.211Tony Romm, “Senate approves sprawling $250 billion bill to curtail China’s economic and military ambitions,” The Washington Post, June 8, 2021, https://www.washingtonpost.com/us-policy/2021/06/08/senate-china-science-technology/ The bill, numbering over 1400 pages, incorporates the Strategic Competition Act, including its mandate that the Secretary of State create a Digital Connectivity and Cybersecurity Partnership.212The text of the bill (as of June 9) can be found at https://www.democrats.senate.gov/imo/media/doc/DAV21A48.pdf. As of the publication of this report, it remains to be seen how the House of Representatives will respond to the bill.
Regardless, the active legislative landscape on this issue makes it clear that U.S. lawmakers are seriously evaluating the creation of such a digital democratic alliance—or, at the very least, a much more assertive approach toward building a democratic multilateralism around digital policy.
Forming this alliance would not necessarily require a new multilateral body. Marietje Schaake, a former member of the European Parliament and international policy director at Stanford’s Cyber Policy Center who has proposed a new “U.S.-E.U. Tech Alliance,” has pointed to the Biden Administration’s intended Summit for Democracies as a potential forum to develop new shared guidelines and standards on issues such as data protection and accountability in automated decision-making. The Global Network Initiative’s Jason Pielemeier has argued that U.S. policymakers should instead re-commit to and expand the scope of operations of the Freedom Online Coalition, an intergovernmental grouping of 32 democratic states—including the United States—established in 2011 to collaborate on supporting internet freedom and protecting digital rights.213“Aims and Priorities,” Freedom Online Coalition, accessed May 11, 2021, freedomonlinecoalition.com/about-us/about/
PEN America sees this rise in interest from U.S. policymakers toward a new—or reinvigorated—model of democratic digital multilateralism as encouraging, with important caveats. There is an obvious and urgent need for new digital norms and standards that safeguard the promise of an open and free internet predicated on respect for human rights, and we welcome any possibility for greater coordination among democracies to develop these standards. Further, the prospect of joining a digital democratic group, if handled correctly, could incentivize digital deciders to adopt more rights-friendly approaches to digital governance.
Yet there are risks to such an approach, particularly if not managed well. Firstly, there is the likelihood that any such multilateral grouping would further entrench the digital divide between the United States and China, further politicizing the issue of digital governance and adding to the fragmentation of the internet. This likelihood may be particularly severe with a formal alliance, prompting a similar effort by authoritarian nations to counterbalance such efforts. To a certain extent, such politicization may be inevitable—but it is also highly dependent on the attitudes and aspirations that policymakers bring with them when coming to the table. It is also dependent on the approach that such a multilateral grouping takes towards the “digital deciders”—how forcefully it pushes such countries to ‘choose a side’ on the issue of digital infrastructure, for example. These are complex considerations which must be weighed carefully.
U.S. policymakers in particular must commit to a multilateral framework that is more proactive and principled than simply countering China’s efforts in this space. Beijing’s policies are indeed aimed at tilting the overall development and operations of the internet and other digital technologies toward an authoritarian path, which demands a unified response. Yet, issues of global governance over our digital space cannot be neatly boiled down into a U.S.-China binary. Instead, any new model for democratic digital multilateralism must focus itself on adopting and prioritizing global standards for digital governance that can be widely adopted by countries, offering a proactive vision that will encourage digital deciders to move towards a more open internet. This would include robust standards for data protection, both domestically and when such data crosses borders. It would also include rights-protective standards for newly developing digital technologies—such as facial recognition, biometrics, and algorithmic analysis tools—as well as the creation of new, binding standards to strictly regulate the development of digital technologies that can be employed for the purpose of repression. These standards should be clear and actionable, offering any “digital decider” country or technology corporation a clear path towards adopting and implementing them. Similarly, such standards should be more than mere ‘best practices,’ with a system of incentives for countries and companies to not only adopt such standards, but to commit to keeping them.
U.S. policymakers must also move forward with humility and a commitment not just to resisting digital authoritarianism abroad, but to responsibly reducing U.S. hegemony over the internet and to correcting digital governance deficiencies at home. A first step toward accomplishing this would involve the domestic development and implementation of more robust data privacy protections—in the face of both government and corporate access—which would raise the confidence not only of other governments but of everyday people both domestically and abroad.
Secondly, there is the risk that any new governmental alliance would, by design or in practice, degrade the central role of non-governmental stewards of the internet—groups like ICANN and the IETF. As this report notes, authoritarian governments looking to deliberately advance internet fragmentation have worked to cut these stewards out of the conversation and diminish their role. It would be a grave mistake if a new democratic alliance, in the name of safeguarding the internet, did the same. Any new democratic digital multilateral initiative must commit to working in tandem with, not usurping the role of, these non-governmental groups. Without a clear framework for collaboration and an explicit commitment to respecting these non-governmental foundations of the internet, such an initiative may pose more risk than reward.
To this end, any democratic digital grouping must ensure substantial space and agency for non-governmental actors, such as issue experts and civil society, to participate in the process of developing digital norms and standards. This multi-stakeholder engagement could potentially include corporations, but the framework for private sector engagement will require substantial thought, potentially including limits—for example, limiting companies to technical consultation as opposed to policy consultation.
Finally, U.S. policymakers should pursue a multilateral digital alliance in service of, not in lieu of, a broader U.S. commitment to a global internet. If the U.S. government simply accepts the contention that bifurcation is inevitable, it risks a self-fulfilling prophecy. The way we define the internet matters, and any sign of giving up on the internet as a global project will cede crucial rhetorical ground to authoritarian and illiberal actors who are pushing for ever more control over their populations. It is the ideal of the global internet, for example, that undergirds the expectation that technology companies will resist complicity in censorship and human rights abuses. Any new multilateral commitments should come in addition to, not in place of, a re-investment in global decision-making spaces for the internet—such as the United Nations and its affiliated forums and bodies. That is where authoritarian nations have forcefully pushed to undermine the global internet, and this ground should not be ceded.
Advocates of an open and free internet should support the idea that democratic countries can proactively promote a global framework in which the internet remains open and free, and where digital technologies and standards maintain human rights protection and promotion at their core. Such a framework must, however, be predicated on principles and not on politics. Only from there can a responsible and rights-respecting vision for a future internet emerge.
As governments re-negotiate the bounds of their power over the internet—in relation to international corporations, other states, and even their own citizens—the frameworks they develop will deeply impact and potentially transform the realization of our digital rights: our rights to freely and safely express ourselves online, our right to be free from intrusive surveillance, our right to access and share information and opinion, and our right to communicate across national borders. As such, considerations of human rights must be fundamental for all actors—governments, corporations, experts, and advocates—who play a role in determining our digital future. To this end, PEN America offers the following recommendations.
Governments Must Re-Center Human Rights in Digital Regulation, and Reject Authoritarian Notions of Sovereignty
Governments must develop their digital regulatory policies within a framework that acknowledges the limits of governmental control, centers human rights, shares power with non-governmental actors, and accepts and values the global and interconnected nature of the internet.
Accordingly, PEN America calls upon all governments to:
- Develop strong legal, regulatory, and policy frameworks for the protection of personal data, including rights-respecting international frameworks for protecting such data across national jurisdictions;
- Promote affirmative standards for the protection of people’s rights against both corporate and state power online;
- Affirm a commitment to the global and interoperable nature of the internet and the right of people to communicate and share information across national borders as a fundamental organizing principle for digital regulation;
- Refuse the accrual of governmental powers over the internet—through either technological or regulatory policy—that contradict international guarantees of human rights; and
- Center regulatory policy around the rights of individuals rather than the prerogatives of governments.
Any government that chooses to invoke digital sovereignty as a rationale for digital regulation, or for its regulatory attitude towards the internet more generally, should accept a special obligation to:
- Clearly articulate how their understanding of sovereignty is predicated on acceptance of international law, norms, and standards, and enshrine this rights-respecting foundation in any law, regulation, or policy advanced in the name of such sovereignty; and
- Explicitly reject any formulation of digital sovereignty that prioritizes governmental control over individual agency.
Governments Should Require Human Rights Impact Assessments for New Digital Laws and Regulations
Founding director of Ranking Digital Rights Rebecca MacKinnon, among others, has argued that all states should require that all proposed legislation or administrative action to regulate the internet—including but not limited to data localization and personnel localization proposals—be subject to rigorous human rights impact assessments prior to their adoption.214Conversation with Rebecca MacKinnon, founding director, Ranking Digital Rights, May 7, 2021. PEN America believes such a step, if adopted, would help ensure that such laws and regulations comport with states’ human rights obligations, and help promote rights-centered decision-making as states develop their internet governance frameworks.
Accordingly, PEN America calls upon all states to adopt legal requirements to conduct human rights impact assessments (HRIAs) on all internet regulatory proposals that pose a potential impact on human rights, including but not limited to: data storage and data privacy proposals, proposals designed to regulate the conduct or activities of internet corporations, and proposals that affect the government’s ability or authority to shut down or impede internet connectivity. Such HRIAs should be:
- Impartially conducted by qualified experts;
- Made publicly available upon their completion;
- Meaningfully incorporated into the corporate decision-making process; and
- Given substantial weight in the decision-making process. Specifically, an HRIA finding that a given regulatory proposal would foreseeably violate international human rights law, norms, or standards, should be treated as a bar against such proposed regulation, necessitating its amendment or rejection.
Corporations Must Resist Complicity In Digital Repression
Corporations have a crucial role to play in resisting complicity in digital repression and all too often are shirking it. Overall, and at the bare minimum, all internet and telecommunication corporations must commit to—and develop processes for—resisting government requests that are inherently or foreseeably injurious to human rights, including privacy and free expression rights. Such operational principles are reflected in the UN Guiding Principles on Business and Human Rights, as well as in the Global Network Initiative Principles, but are unevenly adopted or meaningfully adhered to by digital service providers.
PEN America calls upon all corporations in the digital space—including internet service providers, mobile operators, social media platforms, and other major technology corporations—to:
- Adopt and publish human rights policies that explicitly commit to respecting human rights standards, including those formalized within the Guiding Principles on Business and Human Rights as well as the Global Network Initiative Principles;215In March 2021, PEN America offered its analysis of Facebook’s first Corporate Human Rights Policy, released that month, which offers additional guidance on how to develop such policies. Matt Bailey, “Facebook’s Inch-Deep, Mile-Wide Human Rights Policy,” PEN America, March 30, 2021, pen.org/facebooks-inch-deep-mile-wide-human-rights-policy/ and
- Develop and implement comprehensive human rights due diligence processes around all decisions regarding compliance with national regulations governing corporate conduct that may foreseeably impact human rights. This would include, but is not limited to: data storage, providing or facilitating authorities’ access to data, content takedowns or other decisions affecting access to digital content, personnel localization measures, and restrictions on internet access or other internet services.
Such human rights due diligence processes should:
- Include the development of actionable steps to prevent—or at minimum, mitigate to the greatest possible extent—human rights impacts that may occur as a result of company compliance with national law, policy, or regulatory mandates;
- Involve meaningful consultation with civil society, human rights defenders, and other relevant stakeholders;
- Include public transparency around the processes themselves, with documents made publicly available in multiple languages;
- Include specific, public commitments regarding companies’ refusal to comply with mandates that violate human rights or are otherwise inconsistent with human rights law, norms, or standards; and
- Include baseline human rights standards for the circumstances under which a company would conduct—or refuse to conduct—business within a specific national market, including a commitment to conduct Human Rights Impact Assessments prior to entry.
Internet service providers and mobile operators, specifically, should have pre-existing developed processes for how to respond to an internet shutdown or slowdown order, including processes to:
- Evaluate the legality of such an order, including its conformity with international human rights standards and with the corporation’s obligations to respect human rights;
- Promote transparency regarding such orders and company compliance with them, including how, when, where, and to what extent such orders will affect internet access; and
- Coordinate with other corporations, advocacy groups, civil society, and human rights defenders to resist such orders to the fullest possible extent.
This report was written by James Tager, research director at PEN America, with substantial drafting and editing contributions from Matt Bailey, program director for digital freedom. PEN America’s senior director for Free Expression Programs, Summer Lopez, reviewed and edited the report, as did interim Washington, D.C. director Dokhi Fassihian. Veronica Tien, program assistant at Free Expression Programs, provided additional editorial support and assistance. Report layout by Lisa Atenasio, online project manager. PEN America would also like to thank the interns whose research, fact-checking, and proofreading contributed significantly to this report: Sophie Ann Bryant and Sophie Craver.
PEN America extends special thanks to the following experts for providing invaluable input on the draft report: Jason Pielemeier, director for policy and strategy at the Global Network Initiative; Sherwin Siy, lead public policy manager at the Wikimedia Foundation along with Sukhbir Singh, senior site reliability engineer at the Wikimedia Foundation; and Alena Epifanova, research fellow in the international order and democracy program at the German Council on Foreign Relations. Research for this report was generously supported by the Fritt Ord Foundation.