[Joint House and Senate Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


114th Congress                                  Printed for the use of the
2nd Session               Commission on Security and Cooperation in Europe
__________________________________________________________________________

INTERNET FREEDOM IN THE AGE OF DICTATORS AND TERRORISTS





                   MARCH 3, 2016
              
              
              
                  Briefing of the
    Comission on Security and Cooperation in Europe  
__________________________________________________________________________

                  WASHINGTON : 2016




	       Commission on Security and Cooperation in Europe
		      234 Ford House Office Building
		         Washington, DC 20515
			   202-225-1901
		         [email protected]
		         http://www.csce.gov
			  @HelsinkiComm
			  

	        Legislative Branch Commissioners

              HOUSE				SENATE
CHRISTOPHER H. SMITH, New Jersey 	ROGER WICKER, Mississippi,			
          Chairman			  Co-Chairman
ALCEE L. HASTINGS, Florida		BENJAMIN L. CARDIN. Maryland
ROBERT B. ADERHOLT, Alabama	        JOHN BOOZMAN, Arkansas
MICHAEL C. BURGESS, Texas		RICHARD BURR, North Carolina
STEVE COHEN, Tennessee		        JEANNE SHAHEEN, New Hampshire
ALAN GRAYSON, Florida		        TOM UDALL, New Mexico
RANDY HULTGREN, Illinois	        SHELDON WHITEHOUSE, Rhode Island
JOSEPH R. PITTS, Pennsylvania
LOUISE McINTOSH SLAUGHTER, 
          New York
                        
                
                     Executive Branch Commissioners
                     
                     
                           DEPARTMENT OF STATE
                           DEPARTMENT OF DEFENSE
                           DEPARTMENT OF COMMERCE
                                  (II)


    The Helsinki process, formally titled the Conference on Security 
and Cooperation in Europe, traces its origin to the signing of the 
Helsinki Final Act in Finland on August 1, 1975, by the leaders of 33 
European countries, the United States and Canada. As of January 1, 
1995, the Helsinki process was renamed the Organization for Security 
and Cooperation in Europe (OSCE). The membership of the OSCE has 
expanded to 56 participating States, reflecting the breakup of the 
Soviet Union, Czechoslovakia, and Yugoslavia.
    The OSCE Secretariat is in Vienna, Austria, where weekly meetings 
of the participating States' permanent representatives are held. In 
addition, specialized seminars and meetings are convened in various 
locations. Periodic consultations are held among Senior Officials, 
Ministers and Heads of State or Government.
    Although the OSCE continues to engage in standard setting in the 
fields of military security, economic and environmental cooperation, 
and human rights and humanitarian concerns, the Organization is 
primarily focused on initiatives designed to prevent, manage and 
resolve conflict within and among the participating States. The 
Organization deploys numerous missions and field activities located in 
Southeastern and Eastern Europe, the Caucasus, and Central Asia. The 
website of the OSCE is: .


    The Commission on Security and Cooperation in Europe, also known as 
the Helsinki Commission, is a U.S. Government agency created in 1976 to 
monitor and encourage compliance by the participating States with their 
OSCE commitments, with a particular emphasis on human rights.
    The Commission consists of nine members from the United States 
Senate, nine members from the House of Representatives, and one member 
each from the Departments of State, Defense and Commerce. The positions 
of Chair and Co-Chair rotate between the Senate and House every two 
years, when a new Congress convenes. A professional staff assists the 
Commissioners in their work.
    In fulfilling its mandate, the Commission gathers and disseminates 
relevant information to the U.S. Congress and the public by convening 
hearings, issuing reports that reflect the views of Members of the 
Commission and/or its staff, and providing details about the activities 
of the Helsinki process and developments in OSCE participating States.
    The Commission also contributes to the formulation and execution of 
U.S. policy regarding the OSCE, including through Member and staff 
participation on U.S. Delegations to OSCE meetings. Members of the 
Commission have regular contact with parliamentarians, government 
officials, representatives of non-governmental organizations, and 
private individuals from participating States. The website of the 
Commission is: .

 
          INTERNET FREEDOM IN THE AGE OF DICTATORS AND TERRORISTS


                             March 3, 2016


                        COMMISSION STAFF PRESENT

                                  Page
    Shelly Heald Han, Policy Advisor for Economics, Environment, 
Technology and Trade, Commission on Security and Cooperation in Europe

1

                              PARTICIPANTS

    Rebecca MacKinnon, Director, Ranking Digital Rights

2

    Lisl Brunner, Director of Policy and Learning, Global Network 
Initiative

5

    Tim Maurer, Associate, Carnegie Endowment for International Peace

8

                                APPENDIX

    Prepared Statement of Lisl Brunner

25

    Prepared Statement of Tim Maurer

29



INTERNET FREEDOM IN THE AGE OF DICTATORS AND TERRORISTS
                              ----------                              

                             MARCH 3, 2016




    The briefing was held at 10 a.m. in room 2255, Rayburn House Office 
Building, Washington, DC, Shelly Heald Han, Policy Advisor for 
Economics, Environment, Technology and Trade, Commission on Security 
and Cooperation in Europe.
    Panelists present:  Rebecca MacKinnon, Director, Ranking Digital 
Rights; Lisl Brunner, Director of Policy and Learning, Global Network 
Initiative (GNI); and Tim Maurer, Associate, Carnegie Endowment for 
International Peace.
    Ms. Han. OK, it's 10:00 and we'll get started. Good morning, and 
welcome to the Commission on Security and Cooperation in Europe's 
briefing on Internet Freedom in the Age of Dictators and Terrorists.
    About a decade ago, when the Internet was spreading like wildfire 
around the world, and Gmail, Facebook, and Twitter were taking off, I 
and a lot of other people jumped on the Internet freedom bandwagon, and 
hailed the Internet as a game changer for spreading democratic ideals 
to places that were closed off to traditional media and information. It 
was precisely because it was so powerful that the Internet moved into 
the crosshairs of governments because, to put it in simplistic terms, 
the autocrats fear that it can be used to usurp their power, and the 
democracies fear it because it might be used by criminals and 
terrorists.
    Congressman Chris Smith, who's the chairman of our Commission in 
this Congress, first introduced the Global Online Freedom Act in 2007, 
in recognition of this threat to online users, particularly in closed 
societies, like China. And since 2007, we've seen the China model of 
Internet control spread throughout the world. And while several years 
ago, most of our fears about Internet freedom centered on foreign 
governments, in the post-Snowden world the debate has also shifted to 
what the U.S. Government is doing with our online information, the 
Apple versus FBI case being the most recent example.
    Although it is often phrased as a privacy versus security issue, I 
think it is really a security versus security issue, particularly in 
the Apple case; the security of our online user information and the 
Internet infrastructure versus the overall security environment against 
terrorist threats. So the question becomes, again, a question that 
we've been asking a lot over the years, particularly since 9/11, is 
where do we draw the line? Should we strive to know every bit of 
communication that passes between potential terrorists? And if so, at 
what cost?
    So today, while I do want to talk about U.S. law enforcement 
demands, I think it is also just as important to remember that there 
are countries like China and Russia that have the technical capability 
and the political means to do much worse. Here in the United States we 
have the mechanism for a substantial political debate, public 
discussion, court cases, et cetera. Those options do not exist for the 
citizens of many, many other countries, where the Internet is both 
heavily censored and heavily surveilled.
    So I'd like to turn to our panelists for their expert perspectives. 
First, we have Rebecca MacKinnon, who is the director of the Ranking 
Digital Rights Project which works to set global standards for how 
companies in the information and communications technology sector, and 
beyond, respect freedom of expression and privacy. She's also the 
author of this great book that I recommend to everyone, ``The Consent 
of the Networked,'' which came out in 2012 and was really one of the 
first books to take a close look at the issue of users and their 
consent and what is happening online with that information. She 
currently serves on the board of directors of the Committee to Protect 
Journalists, and was a founding member of the Global Network 
Initiative.
    Next, we'll hear from Lisl Brunner, who is responsible for GNI's 
policy development and learning program. Most recently, she was a 
facilitator for the telecommunications industry dialogue at GNI, where 
she coordinated a group of telecommunications operators and vendors, 
addressing freedom of expression and privacy rights in the context of 
the U.N. guiding principles on business and human rights.
    And then finally, we'll have Tim Maurer, who's an associate at the 
Carnegie Endowment for International Peace. His work focuses on 
cyberspace and international affairs, with a concentration on global 
cybersecurity norms, human rights online, Internet governance, and 
their interlinkages. He is writing a book on cybersecurity and proxy 
actors. So we're particularly interested in how Tim addresses the 
export control issues that have been recently discussed in the news.
    So, Rebecca, we'll start with you. Thank you.
    Ms. MacKinnon. Thanks so much, Shelly. It's really great to be back 
here in the Rayburn Office Building to talk about Internet freedom. And 
I need to commend you, Shelly, who, I think, you along with some other 
members of Congress and staffers have been continuously and tirelessly 
calling attention to Internet freedom issues, and doing everything you 
can to keep these issues on the radar screen and in an institution 
that's dealing with an awful lot of things. [Laughs.] So I really 
commend you for your tireless work on these issues.
    As you know, the Internet has obviously brought tremendous benefits 
to people, companies, economies all over the world. We've seen events 
in the past, particularly around the Arab Spring, but also at other 
points of time in a range of countries, where people have used social 
media and other network technologies to organize political movements 
and demand accountability of their governments. And this is obviously 
still a very important aspect.
    Connectivity is growing fast according to the study by McKinsey on 
digital globalization and global data flows. Just think about this--the 
use of Internet bandwidth across borders has increased 45-fold since 
2005. That's a lot. That's a lot of bandwidth that the Internet is 
burning, and that the cross-border connectivity of the Internet has 
brought. And another, I think, really interesting statistic in that 
study, 900 million people around the world communicate with other 
people outside their countries on social media.
    And obviously, for every type of reason imaginable--some that we 
would define as good, some that we would define as silly, and some that 
we would define as rather bad. That's been the subject of conversation 
at other hearings. But nonetheless, this interconnectivity and the role 
of companies in bringing people together is really important. Three 
hundred and sixty million around the world are taking part in cross-
border e-commerce, not just e-commerce within their own borders. So the 
importance of this is that we need a globally interconnected Internet.
    At the same time, in 2014, as Internet connectivity is growing, 
more than 213 million people around the world went online for the first 
time in 2014, most of them not in the West but in countries 
concentrated, in greatest numbers, India, Nigeria, South Africa, 
Russia, Egypt, Philippines. But what's really important to understand 
is that the massive increase in cross-border digital communication has 
not made the world more free in aggregate. And in fact, the Internet 
itself, in terms of people's ability to speak freely, to use it to 
organize, to use the Internet to carry out investigative journalism, is 
diminishing.
    According to research by Freedom House, which produces the annual 
Freedom on the Net Index, which I recommend to you, new users have less 
freedom to speak their minds, freely access information, or organize 
around civil, and political, or religious interests. Even worse, 
according to their 2015 Freedom on the Net report, Internet freedom 
levels have declined steadily over the past five years, as they've 
examined the policies and practices of national governments around the 
world.
    And there is a growing epidemic of laws that criminalize behavior 
online, also holding companies legally accountable for what their users 
are doing all over the world, and the passage of a growing number of 
cybercrime laws in countries where crime is defined to include 
activities critical to the government or investigative journalism. 
You're seeing more and more journalists being arrested on terrorism 
charges in a number of countries with the help, sometimes, of companies 
to track them down.
    And Freedom House observed that a growing number of governments are 
not only censoring information in the public interest, but they're 
placing greater demands on the private sector to take down offending 
content and track users. Shelly mentioned China. And we have seen China 
sort of as the model for how this started over a decade ago. The 
Committee to Protect Journalists just came out with a report this 
morning detailing how one of China's major social media companies works 
with government authorities to censor and track users. And I suggest 
you go to CPJ.org to see that.
    But an interesting thing to point out is that a decade ago, when 
people first started talking about Internet censorship and Internet 
freedom, everybody was focused on the blocking of websites, right? You 
know, Facebook is blocked in China and Twitter is blocked in China, 
and, there's a lot of what we call filtering or blocking. But that's 
only one layer of the story. What we're seeing in China is a very 
sophisticated collaboration between domestic companies and governments, 
saying, well, if you don't collaborate with us, we're going to block 
you.
    So there is a sophisticated system of taking down content on 
platforms, not just blocking it at the Internet service level. And that 
type of practice has spread all over the world, in all kinds of 
political systems. It's certainly not limited to authoritarian 
countries like China. You know, a Russian woman was recently sentence 
to hard labor for reposting on social media critiques of Russian 
actions in Ukraine. We're seeing a lot of blocking--not only blocking 
in Russia, but people being tracked down and arrested. And this is done 
with the help of the companies.
    So we're seeing this trend--and it can feel quite depressing at 
times. But I do want to point to some positive things. Frankly, I think 
the situation would be a lot worse today if the major U.S. Internet 
companies that operate around the world had not stepped up and made 
some commitments to respect their users' freedom of expression and 
privacy, particularly in relation to government demands that they're 
getting. And we saw--and, again, I need to commend Shelly and a number 
of members of the House and Senate, and their staffers, for really 
shining a light on some of the problems that we were seeing with U.S. 
Internet companies operating around the world--the case of Shi Tao in 
China with Yahoo and so on, and really pushing companies to step up to 
the plate; and the formation of the Global Network Initiative in 2008 
with Google, Yahoo, and Microsoft initially on board. And we now have 
Facebook hooked in, and, you know, some European telecommunications 
companies are joining as observers. And I think Lisl will talk about 
the details of the commitments that these companies are making, their 
commitment that they ought to make not only to certain principles but 
also to engage with human rights groups, to engage with other 
stakeholders, to advocate for better policies, and also to be assessed 
on whether they're actually carrying out their commitments.
    But one of the problems is that only a small number of companies 
have actually stepped up. And we are seeing some companies--like, for 
instance, Apple is not a member of the Global Network Initiative. They 
stood up for their users on encryption, but there are a lot of 
questions about other things that they may or may not be doing, and how 
consistently they are adhering to their commitments in other markets, 
such as China.
    That is one of the reasons I decided to start a new project that's 
really complementary to the Global Network Initiative, called Ranking 
Digital Rights. I have some materials outside about the corporate 
accountability report that we just released. But I felt we needed to 
compare more companies against one another, and how their policies and 
practices stack up, and also to get a sense of the extent to which GNI 
membership and the commitments through GNI are affecting companies' 
performance.
    And one of the things we did find, in fact, is that GNI member 
companies are showing more consistent transparency, more consistent 
policy implementation around the world. Not that anybody's perfect, but 
particularly when it comes to human rights impact assessments to 
engaging with stakeholders in a consistent way, to institutionalizing 
commitments and showing evidence that they've institutionalized their 
practices across their companies, there's a real difference being made.
    There's a much longer list of companies that are much more 
inconsistent. So I would point out for instance, just to make a couple 
of examples, again, Apple--you know, I commend them for what they're 
doing in response to U.S.Government demands recently. It's not clear 
whether they've ever carried out a human rights impact assessment on 
their business in China. And so I think, you know, with a company such 
as that, I would like to see them all be more consistent across the 
board.
    Twitter has been standing up to a number of government demands 
around the world. They're very good on transparency reporting. But, 
again, to what extent have they institutionalized their practices? They 
themselves do not carry out human rights impact assessments. So there's 
some inconsistencies. AT&T, which has started to expand into Latin 
America, doesn't do human rights impact assessments. And so it would 
be, I think, good to find a way to encourage more companies to step up 
alongside the small number of very powerful, but yet still limited, 
number of companies in the GNI.
    I'm running out of time so I would just point out that we also have 
a broader problem that you spoke to, Shelly. We need governments around 
the world, particularly democratic governments, to step up and 
recognize that when you're regulating in your own jurisdiction there 
are global implications. There are global implications to the 
technology. There are global implications in terms of the legal 
frameworks you're putting in place.
    We need to see clearer commitments from the United States, from 
Europe, from the governments that have joined the Freedom Online 
Coalition, which is part of the State Department's Internet Freedom 
Initiative, to really say: OK, yes, we need to fight terrorism, we need 
to fight crime, we need cybersecurity. But at the same time, we need to 
find out--we need to commit to a set of principles for how we're going 
to do this in a way that does not make it easier for repressive regimes 
to entrench their surveillance practices, to entrench the way--the 
legal mechanisms that they use to pressure companies to hand over user 
information, to privatize the censorship of discourse that is taking 
place around the world.
    And right now, I think part of the problem we have is that we have 
a lot of urgent problems. And governments are kind of focusing on 
solving one problem without thinking about what are the broader 
international human rights impacts, what are the broader impacts on a 
globally free and open Internet? Because if we do not maintain a 
globally free and open Internet, if the human rights situation in 
developing, transitional countries becomes worse, in part because 
people cannot use technology to its full advantage, we're not going to 
be secure in the long run.
    There's going to be more disenfranchised and disillusioned people 
out there on the planet. And so we really need to step up and say we 
care about protecting ourselves, but we care about the human beings on 
this planet, their security, their freedoms. And it is in our long-term 
interests to work towards that, both in terms of our policies and in 
terms of corporate commitment.
    Ms. Han. Thanks, Rebecca. That's a great way to start off the 
discussion. Lisl, do you want to go next?
    Ms. Brunner. Sure. Thank you to Chairman Smith, to co-Chairman 
Wicker, to Shelly, and to the members of the Helsinki Commission for 
giving us the opportunity to provide an overview of the Global Network 
Initiative today, and some of its policy priorities. The Global Network 
Initiative, as Rebecca mentioned, is an international, multi-
stakeholder collaboration between information and communications 
technology companies, civil society organizations, academics and 
investors. We were formed in 2008 and our mission is to promote human 
rights by creating a global standard for companies that supports 
responsible decisionmaking and by being a leading voice in policy 
debates to advance freedom of expression and privacy rights in the ICT 
sector.
    Our company members include Facebook, Google, LinkedIn, Microsoft, 
and Yahoo. Non-company members include the Berkman Center for Internet 
& Society, Rebecca MacKinnon, Human Rights Watch, the Center for 
Democracy and Technology, Bolo Bhi in Pakistan, the Center for Internet 
& Society in India, and the Church of Sweden, among many others. We've 
also been collaborating over the past three years with companies 
participating in the telecommunications industry dialogue. And recently 
seven of those global telecommunications companies became observers 
with the GNI, with a view to becoming full members next year. Those 
companies include Vodafone, Orange, and Nokia.
    The GNI works in four areas. It provides a framework for 
responsible company decision making and action, it fosters 
accountability through company commitment to an independent assessment 
process to evaluate implementation principles, it promotes policy 
engagement, and it enables shared learning among our participants. In 
the first area, GNI's principles and implementation guidelines were 
developed through a multi-stakeholder process, and they're based on 
international human rights standards. Our guidelines are influenced by 
and are compatible with the U.N. guiding principles on business and 
human rights, and the protect, respect, and remedy framework. The GNI 
framework helps companies to respect and protect the freedom of 
expression and privacy rights of their customers and users when they 
respond to government demands, laws, and regulations. And companies 
worldwide can use this framework to implement their responsibility to 
respect human rights.
    In terms of accountability, GNI members undergo a biannual 
assessment of their implementation principles, conducted by 
organizations that are accredited by the GNI's multi-stakeholder board, 
and which meet independence and competency criteria. In addition to 
reviewing the GNI members' policies and procedures, and interviewing 
its staff members, the assessor selects case studies which determine 
how the company has responded to government demands involving freedom 
of expression and privacy. The assessor then prepares a report which is 
reviewed by the GNI board, and the board determined whether the 
companies are complying with the companies. And this means that in the 
board's view, the company is making a good-faith effort to implement 
and to apply the GNI principles and to improve over time. In 2013, the 
GNI completed assessments for its three founding companies, and we're 
currently underway in our second round of assessments for all member 
companies. In terms of policy priorities, the GNI determines its policy 
priorities by identifying the challenges facing its member companies--
both through its assessment process, and through its ordinary 
activities, and through the headlines, as you can imagine. The multi-
stakeholder nature of the GNI gives us a deep capacity for informed and 
credible engagement with governments, intergovernmental organizations, 
and international institutions. And the GNI generally advocates for 
laws that are consistent with international human rights standards, and 
the principles of legality, necessity, and proportionality. At present, 
we're focusing our policy efforts on five issues of priority.
    First, the GNI's concerned by the adoption of broad laws 
prohibiting extremist content and promotion of terrorism. The GNI 
acknowledges the legitimate national security and law enforcement 
obligations of governments, but at the same time there continues to be 
no internationally agreed-upon definition of terrorism. Across the 
world, counterterrorism laws have led to the criminalization of speech 
in political contexts and to the restrictions of large amount of 
content in places like Tajikistan. Similarly, some authorities have 
proposed that ICT companies should face criminal liability for failing 
to delete content praising terrorism from their platforms.
    And this brings me to our second area of priority, which is 
legislation on intermediary liability and calls for service providers 
to police user content and communications, at times under broad and 
vague standards of which content is considered illegal.
    Third, the GNI advocates for laws that regulate government access 
to user data in a way that protects the right to privacy. We have 
engaged with and provided input to the U.K. government on its 
investigatory powers bill recently, for example. And the GNI has also 
urged governments to support strong encryption and not to subvert 
security standards.
    Fourth, the GNI has advocated for reforms to the Mutual Legal 
Assistance regime, which is the dominant method for managing lawful 
government-to-government requests for data across jurisdictions. The 
regime has not been updated to keep track with the globalized data, 
which makes the process inefficient and opaque. And so requests to the 
U.S. Government take an average of 10 months to fulfill. As a result, 
authorities from other governments sometimes take drastic measures. 
These include demanding that their domestic laws apply 
extraterritorially, issuing mandates to localize data, and demanding 
the compromise of digital security of individuals. All of these 
measures would be harmful to an open, robust, and free Internet.
    So the GNI had identified a series of practical and legal reforms 
that policymakers could adopt in order to reform the current mutual 
legal assistance regime. We also support efforts to develop a new 
international legal framework, which enables foreign law enforcement 
authorities to have efficient access to information, when this access 
is consistent with international norms and with the right to privacy. 
The GNI supports reforms that would allow governments to make requests 
for data from providers, as long as stringent human rights requirements 
apply and the process is characterized by robust transparency, 
accountability, and international credibility.
    Fifth, the GNI has advocated for governments to take steps to be 
more transparent about the laws and legal interpretations that 
authorize electronic surveillance or content removal. And we urge 
governments and intergovernmental organizations to take a multi-
stakeholder approach when they debate laws and policies that impact 
freedom of expression and privacy of global Internet users, and to 
ensure that these are subject to public debate.
    Finally, in terms of learning, the GNI provides opportunities for 
its members to work through complex issues with other participants in a 
safe and confidential space. We've commissioned reports that examine 
challenges facing governments and technology companies as they balance 
their rights to freedom of expression and privacy with law enforcement 
and national security responsibilities. And we've held public learning 
forums to discuss these challenges in the United States, Brussels and 
Geneva.
    I'll just conclude briefly with a few of our achievements. Through 
the GNI assessment process, we've seen improvements to company policies 
and procedures. We've seen more companies adopting and strengthening 
human rights impact assessments as part of the way that they do 
business. And we've seen enhanced company transparency with users and 
with the public at large. The implementation of the GNI principles has 
reduced the amount of content that has been removed and the amount of 
personal data that is released as a result of government requests 
around the world. And we've successfully encouraged governments to 
increase transparency and public debate on surveillance laws, and to 
improve their policies and practices in this regard. We've gotten 
commitments from Freedom Online Coalition member governments, and we've 
seen reforms of surveillance laws and intermediary liability laws 
around the world.
    Thank you so much, and I'm happy to answer your questions.
    Ms. Han. Thanks, Lisl. Tim.
    Mr. Maurer. Thank you, Shelly. And thanks to Chairman Smith, and 
Co-Chairman Wicker, and the members of the Commission for this 
opportunity to speak about the important role of export controls in the 
context of Internet freedom today.
    In December 2013, the 41 member states of the Wassenaar Arrangement 
on Export Controls for Conventional Arms and Dual-Use Goods and 
Technologies agreed to create two new controls focusing on 
cybersecurity items. The proposed implementation of these two controls 
by the U.S. Government last year sparked significant controversy, which 
touched on four dimensions that I think are important to consider: the 
growing empirical evidence of technology sold by companies in North 
America and Europe to customers and countries that use them to violate 
human rights; the benefit of these technologies for legitimate law 
enforcement and intelligence activities; the benefit of these 
technologies for cybersecurity, for example, to test and improve 
defenses; and the risks of these technologies for cybersecurity, for 
example, by providing more sophisticated hacking tools to actors who 
will use them for offensive purposes.
    My remarks will focus on this first dimension, controlling exports 
of technologies that can be used to violate human rights in the context 
of Internet freedom, given the focus of this briefing. The controversy 
over the past year, and the significant pushback against the U.S. 
Government's proposed implementation of these new controls, are signs 
that the process that was used needs to be improved, in addition to the 
substantial challenges of implementing the new controls. Only two days 
ago, Secretary Pritzker announced in a letter that the U.S. Government 
will go back to Wassenaar to propose eliminating part of the language 
of the two new controls. Secretary Pritzker's letter is laudable for 
saying that the U.S. Government commits to engaging the public, getting 
the human rights community, industry, and the cybersecurity research 
community an opportunity to participate through the notice and comment 
process of the proposed rule.
    So as we end this new phase, following Secretary Pritzker's letter, 
I'd like to offer the following observations and recommendations for 
moving forward. It is clear that addressing the underlying human rights 
problem that led to these new two controls can only be successful if 
they are coordinated multilaterally and if they're informed by 
technical analysis. U.S. leadership on this issue, and full investment 
in striking the right balance, can have a significant impact and help 
shape the standard internationally. One of the positive outcomes of the 
controversy of the past several months is the heightened awareness 
among all of the actors involved that the underlying human rights 
problem that led to the development of the new two controls has yet to 
be addressed. Export controls can be an effective tool to influence 
corporate behavior. The challenge is designing them in a way so that 
they only target the type of behavior deemed of concern, without 
affecting the rest.
    Weighing these interests and weighing human rights and security 
concerns is not a novelty in the context of our export controls, 
especially in the context of DOD's technologies. However, this specific 
topic, and this new and growing industry, faces a limited amount of 
data, and therefore makes it much more difficult to find that right 
balance. So in terms of moving forward, I recommend focusing on the 
following two strategic priorities: increasing transparency and an 
efficient, and effective, and inclusive process.
    There is a great need to increase the transparency in this field 
because one of the main challenges that we're all facing is that there 
is a lack of data, and there's a lack of data about the market, the 
products involved, and the trading. Greater transparency can be 
accomplished through voluntary action by company, but it can also be 
complemented by the notification requirements of the export control 
issue, without necessarily imposing a licensing requirement. You can 
use this data to then review again the export control regime in a few 
years, and tailor it according to the data that you've received, and 
the better picture we will gain with regard to the market.
    The second priority, on focusing on establishing an efficient and 
effective and inclusive process, is based on the controversy that we 
saw over the past year. The U.S. Government's decision to request 
public feedback is a promising sign to solicit input beyond the 
existing standing Technical Advisory Committees of the Department of 
Commerce. This is particularly important to reach communities such as 
the cybersecurity research community. The further improvement of this 
process could consist of the government hosting more consultations at 
some of the major security research and Internet freedom conferences, 
with a host of representatives from different government agencies. More 
overt representatives from the human rights community must be invited 
to these discussions at all, including the highest, levels.
    With regard to the immediate task of implementing the two controls 
in the United States, I recommend two parallel tracks. The first track 
is reviewing the language of the two controls and exploring how the 
language could be improved in a process involving the human rights 
community, the cybersecurity community, as well as industry. Following 
Secretary Pritzker's letter, it is now clear that at least part of the 
language of the two controls will be reviewed by Wassenaar.
    However, this is likely to encounter several challenges, including 
the tradeoff between keeping the language that's fairly broad, but can 
take into account future technological developments, and therefore 
without a need of having to be updated soon, compared to narrowing the 
language and therefore the scope of the control, but requiring the 
revisions sooner than the broader language. The former requires more 
trust in the government not to abuse to the broad language for stricter 
implementation policies. Also, major revisions of the language are not 
really feasible, given that the majority of the Wassenaar membership 
has not only agreed, but already implemented the new controls in their 
national frameworks. And these are only two of many items that are 
discussed at Wassenaar every year.
    The second track would focus on how to implement and develop a 
licensing policy for the language to apply only to those technologies 
sold by companies to specific end users in countries with known human 
rights problems. This will require a nuanced approach, combining the 
technology-focused controls with the existing or potentially new 
country charts that Department of Commerce is already using for other 
export control items. This also needs to include developing FAQs to be 
issued by the U.S. Government to clarify its interpretation of the 
language. In terms of the process, it is important to include industry, 
the cybersecurity research, and human rights community for all parties 
to develop a shared understanding of the interpretation of the language 
and implementation.
    One option for implementing the two controls more narrowly, in 
addition to taking into account others' recommendations about 
possibility exemptions, will be only for exports of technologies to 
countries with systemic human rights violations. Only these exports 
would be subject to review or approval or denial by the U.S. 
Government, with a presumption of denial policy in place for those 
countries with empirical data of past human rights violations involving 
such technologies. Export of technologies that fall under the two 
controls to other countries will only trigger a notification 
requirement, providing details about the export--type of product, 
customer, et cetera--to the government to increase transparency, but 
will not be subject to the approval regime.
    At the multilateral level, it's become clear that while the 41 
member states agreed to the same language in December 2013, the 
implementation of the actual controls and national frameworks has 
varied widely. Therefore, it is necessary for the U.S. Government to 
work with other Wassenaar members based on the data that is now 
becoming available, to ensure that the implementation of the new 
controls is consistent across its membership in order for the controls 
to be effective, and in order for controls not to create competitive 
disadvantage. And in my written statement, you will find some examples 
of what countries and specific companies this refers to.
    The U.S. Government should also collaborate with countries that are 
not members of the Wassenaar Arrangement, but that focus on building an 
industry in this area, for example India, to engage them early on in 
building a broad regime with common standards. One country particularly 
worth paying attention to in this context is Israel. Israel is not a 
member of the Wassenaar Arrangement, yet implements Wassenaar controls 
voluntarily. Israel is therefore also implementing the two new 
controls--in fact, has even broadened the language. This is 
particularly noteworthy given Israel's significant cybersecurity 
industry, the Israeli Government's having made growing this industry a 
national priority, and the unique security threats Israel is facing. 
The government's approach to implement the new control is likely to 
provide further insight into how to strike an appropriate balance 
between these various interests.
    Export controls are only one mechanism in the toolkit to 
effectively address the underlying human rights problem. They will need 
to be part of the mix, but we also need to consider other tools--for 
example, corporate self-regulation and corporate social responsibility. 
And a voluntary approach driven by industry could include sharing best 
practices for implementing the know-your-customer practices, to raise 
the standard across industry. This also includes becoming a member and 
active participant in industry groups focusing on the intersection of 
business and human rights, such as the Global Network Initiative, and 
working with human rights NGOs and research organizations, like EFF, 
The Citizen Lab, Privacy International, or New America's Open 
Technology Institute to increase transparency to help name and shame.
    Another option would be to consider expanding the GHRAVITY 
executive order. In April 2012, the Obama administration issued an 
executive order to address the provision of technologies to Iran and 
Syria that can be used for surveillance. Expanding the GHRAVITY 
executive order would be another potential avenue to pursue, but does 
not have the same type of regime and consultative processes in place 
that the export control regime already has.
    Looking ahead--these are my concluding remarks--it will be 
important to make these new controls meaningful and effective. 
Otherwise, governments could rely on other existing controls, namely 
encryption controls, as a substitute to address the unresolved, 
underlying human rights problem. This is noteworthy given that another 
objective of many civil society and industry actors is the further 
liberalization of encryption controls in the future. Further 
liberalizing encryption controls will become a lot more complicated and 
harder to disentangle if encryption controls will also be used to 
protect human rights in the future.
    Relatedly, if encryption controls will be used as a substitute for 
an effective implementation of these two new controls, some companies 
might start developing products without encryption automatically being 
built into them to avoid export controls that might--and technologies 
that might still be of concern from a human rights perspective. In 
short, we have yet to address the underlying human rights problem, and 
it's likely to get worse than better if action is not taken soon.
    Thank you, and I look forward to your questions.
    Ms. Han. Great. Thanks, Tim. I want to go back in a minute to talk 
about one of your proposals about using the human rights controls--
country-by-country controls on that, because that's something that's in 
the Global Online Freedom Act. But first, I'm going to ask a broader 
question. And just so the audience knows, we will have a chance for 
people in the audience to ask questions. I'm going to start off asking 
a few questions, but then others will be able to ask. If you have a 
burning question, or want to think of a burning question, please do so.
    I want to talk about the issue of Balkanization of the Internet. I 
think this has been touched on a little bit, in the sense that because 
governments are feeling threatened by information that's coming from 
all the interaction that Rebecca mentioned between users around the 
world, we've seen a movement toward countries looking to put up walls 
around their Internet. China specifically, but also we've seen it in a 
lot of other places as well. And I think there's been more interest in 
doing so as potential technologies become available to make that more 
possible. I think a few years ago people kind of laughed at the idea of 
it, but as I mentioned before, China's paved the way for a lot of other 
countries in creating the technologies and the mechanisms to do that.
    I want to talk about the issue of that, and what does it mean for 
U.S. companies who have traditionally been the companies that run the 
Internet, or have the most stake in--the largest companies, basically. 
What does that mean for U.S. companies and their operations? What does 
that mean for people in these other countries that will be behind 
firewalls?
    And Tim, you mentioned the whole idea of encryption and how that 
could also become--it's always been an issue, but how it's going to 
continue to be an issue, with the role of encryption in possibly either 
creating or breaking through those walls. So maybe if each of you could 
address it from your own perspectives, that would be great.
    Ms. MacKinnon. I'm happy to start. I know both the other speakers 
have some strong expertise on that as well. But as you alluded to, sort 
of what we call the Balkanization of the Internet is happening really 
from different motivations coming from different types of 
governments.You have governments like the Chinese Government, really 
championing the idea of Internet sovereignty, that sovereign 
governments have the right to impose whatever rules they want on the 
Internet within their borders. And so you've seen increasingly strict 
rules coming from China, but also coming out of Russia as well, 
requiring that companies host data inside the borders if they want to 
serve customers in that country, and comply with law enforcement 
requests and requirements in that country, in order to even access that 
market.
    But you're also seeing from a number of democratic countries other 
motivations that sort of have a Balkanizing effect. There's a lot of 
concern, particularly in the wake of the Snowden revelations, about a 
country's population being vulnerable to surveillance from other 
governments, and wanting to have more control over the data and privacy 
of their own citizens, and discussing requirements for multinational 
companies to host user data within their own borders if they want to 
service those markets. The motivation of feeling that they're operating 
in the public interest by doing that, but posing some serious problems 
in terms of multinational Internet companies actually being able to 
service a global user base who want to communicate with one another 
across borders, and doing so in a way that doesn't just result in 
making it harder for cross-border communications, and making it harder 
for cross-border innovation and small companies to actually reach 
global audiences.
    And so this is a new challenge. And I think it speaks to what Lisl 
was talking about, about the need for a global coordination around 
norms that will be based in human rights standards, so that we don't 
willy-nilly have countries acting in their self-interest. And 
sometimes, you know, believing that they're acting in the interest of 
their own public and their own domestic public's rights, in a way 
that's really going to destroy the value of the Internet commercially, 
as well as in terms of Internet freedom. And so there's kind of these 
two different sets of motivations at play that could end up having 
similar results if we're not careful.
    Ms. Han. Before you all weigh in, could I just note that, for 
example, Kazakhstan put out a notice that they were going to start 
requiring security certificates for every website or something to be 
signed in the country, as an example, similar to what you see in China, 
where because China has not only the technical capability but a certain 
amount of power to block so much information, and also essentially to 
create this walled community. For activists, what are the stakes? And 
do you think other countries are going to be able to emulate that sort 
of model?
    Ms. MacKinnon. Yeah, that's a good question. I think very few 
countries--with the exception of, let's say, Russia, really have the 
internal industry to have domestic versions of Twitter, domestic 
versions of Facebook and YouTube, so that people really don't feel they 
need the outside services. Which is one reason why China has been so 
effective. But you know, Chinese and Russian companies are becoming 
increasingly global. So you could see a situation where a government 
says: We're only going to let companies in that want to play by our 
rules. And you could have a situation where, let's say, the Western 
companies decline, but the Chinese and Russian companies might be quite 
willing to do that, because they're doing it at home anyway and have 
the infrastructure to model it. I mean, you could potentially see that.
    And you definitely see that already with hardware around the world, 
and networking equipment in the developing world, where certain 
authoritarian governments feel much more comfortable working with 
Huawei or ZTE rather than Cisco because they can get more of what they 
want. So that's a potential issue to look out for. But for instance, 
Iran--they're starting to try and foster some domestic industry, but 
unlike in China where the CPJ is reporting that Weibo, the Chinese 
version of Twitter, is really completely under the thumb of the 
government. And Twitter is blocked. People don't really need it, 
though, for anything except for political activity, and the government 
has been successful at thwarting circumvention tools. So that's kind of 
a troubling model that I think we can see duplicated even if global 
industries themselves aren't as robust in every single country.
    Ms. Han. So, Lisl, can you talk about what the discussions are 
within the GNI companies about sort of this rock and hard place that 
they're coming up against in countries where they definitely want to 
play a role and be in the market, but they're also being pushed to do 
things that wouldn't comport with their own human rights standards, or 
their own ideals? Some companies may not have those hesitations, but 
from the GNI perspective what are you seeing?
    Ms. Brunner. Sure. Just in general, you know, the two challenges 
that face all of these companies in their global operations are laws 
that are not consistent with international standards--so, for example, 
as I mentioned earlier, laws that criminalize support for, 
glorification of, praise for terrorism in extremely raw terms, which 
are applied in ways that often target political speech, and government 
practices that are not consistent with the principles of legality, 
necessity, and proportionality. So we see some governments, for 
example, blocking all of YouTube because there's a single video that 
they determine violates their law.
    So in many circumstances companies don't have the prerogative to 
refuse to comply with a lawful order. But when that law is not 
consistent with international standards, what do they do? So the GNI 
and its principles provide them with a framework. And often, we've 
found that when companies say we have a policy in place, we have human 
rights impact assessments and due diligence measures in place, that 
makes a difference. Companies can try to minimize the impact of the 
demand. They can push back and ask for clarification. They can 
challenge the demand in court occasionally when that appears to be the 
most prudent thing to do.
    And we found that often, or sometimes, the government doesn't come 
back when it's asked to clarify the request. Companies often receive 
requests that don't even comply with that law. And so when they point 
to a policy, or they point to the presence of stakeholders in their 
home country who are holding them accountable to these policies, to 
these principles and say, you know, we need for your request to comply 
with your law, at the very least, that sends a message to governments.
    And it means that those requests are more often consistent with the 
protection of the right to privacy and to freedom of expression. And 
again, it minimizes sometimes the impact of those requests. It means 
they don't come back a second time, or they come back and they're 
correct. The company can keep track of them, can be transparent with 
the public. And so that's the standard that we would hope that all ICT 
companies will want to follow.
    Ms. Han. And can you talk about, are U.S. companies, because of 
this potential for losing market share in other countries if they don't 
want to participate in markets where it's increasingly becoming more 
restrictive, do you think there's a role for trade agreements, either 
within the WTO or the Trans-Pacific Partnership or TTIP that might be 
useful? Are companies talking about that, about how we could use -or 
something that fits more neatly within the trade world, or is there 
some other way that we could create more international norms?
    Ms. Brunner. We haven't been discussing the WTO or the TTIP 
recently at GNI, but the movement toward data localization affects most 
profoundly the users, who know that by using services that perhaps 
store their information on servers in the United States or elsewhere, 
they're subject to more robust privacy protections. And moving those 
protections impacts their ability to engage in the kind of speech 
that's critical of the government than they would do otherwise, impacts 
their feeling when they're communicating privately with others. And it 
also impacts the small- and medium-sized businesses that might arise 
and provide services to many different countries, and provide more 
outlets for global expression.
    There are many motives for countries increasingly adopting measures 
that look like data localization. But one of them is frustration in not 
being able to get data in a timely manner from U.S. providers when they 
seek it. And so that's why mutual legal assistance reform is high on 
our agenda. Reforming that system, you know, both through practical 
means such as increasing funding to the Department of Justice Office of 
International Affairs, providing training for law enforcement officials 
in the United States and abroad, making the system electronic, are 
simple kind of first steps that we could take, and then taking a 
broader approach to reforming the international legal framework for 
mutual legal assistance is, I think, urgently needed in the longer 
term.
    Ms. Han. That's interesting. The original Global Online Freedom Act 
in 2007 used the MLAT process as the mechanism for trying to cut down 
or decrease the opportunity for governments to misuse users' data. It 
directly related to the Yahoo Shi Tao case in China. But then, because, 
as you mentioned, there are lot of MLAT process, there are some 
countries that don't have agreements, but there's some where it's just 
doesn't function very well. So I think it's useful to look at that 
process going forward. But it does provide a nice legal framework that 
is kind of missing right now in how the data's being used.
    Tim, if you could talk about encryption, in the context of the 
Balkanization issue, and where you see discussions in encryption going 
with Wassenaar or domestically? And then, also, the importance of 
encryption for security.
    Mr. Maurer. So I think encryption is another fascinating example 
for how this is affecting the debate about the fragmentation. And I 
think there are a couple of pieces, looking at this from an analytical 
perspective. One, that not all fragmentation or specific actions that 
are taken are necessarily bad, because the technical experts also 
sometimes have reasons for localizing data in a specific territory. But 
that's driven by the technical needs, and not a political motive. And 
as Rebecca pointed out, this is such a nuanced problem, starting with 
China and Russia that Rebecca already mentioned, but we've also seen 
this come up in the context of Brazil. We've also seen this in Germany, 
where the term technological sovereignty is actually part of the 
coalition agreement of the current government.
    So it's not black and white really anymore. It's a lot more 
complicated, with countries, including democracies in other countries, 
that are actively pursuing this, and for very different reasons. The 
MLAT process is one reason. Encryption is another. And I think as 
Rebecca pointed out, from a systemic level, either at the root of the 
current international system's inadequacy to deal with the new 
technology and data flows. And you can either go the route of trying to 
internationalize and update those processes like the MLAT process; if 
that process is not fast enough to keep up with the evolution of the 
technology, it's not a surprise that countries will default to the 
sovereignty approach and nationalizing it.
    I think it's a very natural reaction. And it'll come down to which 
of these two different trends is faster. With regards to encryption, I 
think you have all of these pieces come together, but the trend of the 
technology has been that encryption is going to be increasingly a big 
risk. There's a reason why the U.S. Government decided in the 1990s to 
remove encryption from the munitions control list, and moved it over to 
the dual use list. And now with the Apple case it's clear that 
encryption will continue to be, I think, more widely available. And 
both industry players, as well as human rights organizations, are 
pushing for further liberalization.
    And I think, also talking to people in government agencies and the 
technical experts, there is only so much you can do with regard to an 
overarching technological trend. So in terms of looking at some of the 
older techniques in terms of law enforcement methods that are more 
reliant upon human intelligence and informants, I think, are things 
that we ought to be looking into. And the Wassenaar Arrangement, at a 
very general level, raises another question: To what extent encryption 
controls, or also the two new controls that were created specifically 
for technology that can be used for surveillance, ought to be part of 
that regime that was created to deal with arms during the Cold War, or 
whether we should be looking into a new regime that specifically deals 
with digital technologies and with the transfer of these technologies.
    Ms. Han. Yes, you had mentioned in your statement about the issue 
ofthe human rights aspect of these controls, and that the U.S. already 
has a crime control regime which is under the dual-use export controls, 
which gets at items that can be used for torture. This was back--I 
think it was the early 1990s, the U.S. decided that we didn't want to 
be exporting instruments of torture to certain governments who might 
use them against their own citizens. So there's this country chart 
which specifies where they can't go. And there's an X--we can't send 
thumbscrews to Indonesia, or something like that.
    And so what the Global Online Freedom Act does is also create this 
new country chart for items that could be used for surveillance or--you 
know, essentially equating some of these surveillance and censorship 
tools as similar to instruments of torture. Obviously, you can't equate 
them, but it's basically, in a simplistic term, using them in that way. 
The Wassenaar Arrangement came somewhat close to that, but because 
Wassenaar really only gets at national security controls, the Commerce 
Department didn't go that extra step and create what we would call a 
human rights control for them, even though ostensibly the reason for 
having them controlled is that, I think.
    Could you just comment on whether it would be simpler to do what we 
have, to just create a country chart and say, OK, these items--which 
some of them really do have actual good uses, which is why most items 
are on the commerce control list, because they're dual use. They 
actually have a legitimate commercial use. But they also could be used 
for nefarious purposes. So if we just created basically a human rights 
control for these items, do you think that would get around some of the 
issues that have been raised over the past year with the new rule, or 
new regulation?
    Mr. Maurer. Yes and no. I think we are right now at a point with 
the letter where it's kind of like a reset and we're going back to four 
years ago. The reason why I'm not quite sure that that will happen is 
because this has not been very much in the debate and the hearings 
about the export control. That in addition to the human rights angle, 
there's actually a significant interest from the national security 
community within government to also have these two new controls, 
because they're--as you said, and I wasn't involved in this, certainly 
involved in this three years ago--the initial impetus for this was the 
human rights concern that remains unaddressed.
    But what then happened is that professionals of the national 
security community also noticed that a lot of these products that have 
been used for spying on citizens in certain countries, these products 
can be used to hack and actually be used to undermine cybersecurity. So 
this is why this is such a complicated problem and you have a lot of 
the cybersecurity industry being very concerned about the impact of 
this on their own cybersecurity products, and testing software, and 
other technologies that given the broad interpretation of the language 
might now be swept under the consumer controls, are necessary for 
cybersecurity.
    But some of the products that we're concerned with, and the very 
companies that have exported them to countries where they've been used 
to violate human rights, could actually be used to undermine 
cybersecurity. And that piece of the argument--that has been somewhat 
missing. And I think it is an important reason. So going down the route 
of using the crime controls of just the human rights aspect I think 
would be right to address one of the problems of this, but might not 
necessarily address some of the others.
    And maintaining the flexibility by, I think, trying to use first a 
country-based chart, as pointed out in GOFA, and new lists specifically 
to the human rights concerns. But then using the notification 
requirements strategically to gain more data about the type of products 
and where they're going to I think will be helpful to then refine the 
regime further down the road. But I think what has become clear in the 
last year is that the process was not set up. And having to go back to 
this now, after everything that happened this year, would be even more 
challenging than three years ago.
    Ms. Han. So just one more clarification, then I'm going to open it 
up for questions from the audience. You mentioned that some of the 
other members of Wassenaar have already implemented that rule. Is Italy 
one of them? [Laughter.] And can you talk about Hacking Team exports, I 
think, to Egypt that recently came into the news.
    Mr. Maurer. Hacking Team is a company based in Italy that was one 
of the companies that's been most in the news as an example of a 
company based in a democratic country that has been exporting a product 
to countries where it's been used for human rights violations. Italy 
has implemented the new controls, but as Cheri McGuire actually pointed 
out in her hearing as one of the reasons why the industry's so 
concerned about this, is the way Italy implemented the control was that 
it implemented it very broadly, and essentially still allowed Hacking 
Team to continue to operate its business.
    The very reason why these controls were created, from a human 
rights perspective, and one of the companies it was meant to apply to, 
the government that's responsible for it now decided to implement the 
control in a way that it actually is no longer effective. And that's a 
problem. And I think Cheri McGuire is very right to point to that it's 
not just about adopting an agreement to the language. It's also 
important to then have a uniform sense of how are you actually 
implementing it.
    And one more note, because I think this is an interesting insight. 
An employee of Hacking Team responded to an email I sent when I was 
writing an article for Slate at one point. And the question was to what 
extent companies like Hacking Team still have control over their 
product once it's been sold to a customer. And once a human rights 
violation becomes known, to what extent they have an ability to still 
have any influence over the customer. And the response by the employee 
of Hacking Team was--and he was OK with my publishing this--was that 
once the product is sold, the company still provides service to keep 
the product up to date, et cetera, as part of the contract.
    So once you find the human rights violation, technically the 
company still has an ability to then actually terminate that 
relationship and also take effect in terms of disabling the product, if 
there is that mechanism to do so. But I thought that was interesting, 
because it shows, again, like export controls can actually be an 
interesting tool if they're narrowly tailored and have an impact on 
human rights.
    Ms. Han. Great, thank you. OK, I'm now going to open it up for 
questions from the audience. Jacob has a microphone, so raise your 
hand, and if you could identify yourself. Yes, Alex.
    Q: Hi. I'm a journalist from Azerbaijan. I want to ask a question 
related to Azerbaijan. Azerbaijan is a country where there is an 
Internet, but there is no freedom. How to protect Internet freedom in 
Azerbaijan? There is lots of talk about how much they provide access to 
Facebook. But there's also self-censorship that, you know, people--they 
keep arresting people for their posts, and that creates another 
problem. And so how to address that self-censorship in dictatorships? 
Thank you.
    Ms. Han. That's a great question. And I think it's also interesting 
that in Azerbaijan the telecommunications infrastructure is owned by 
the president's family. So even though they may allow Facebook, or 
allow Gmail, et cetera, they basically have access to everything. 
Rebecca, you want to start?
    Ms. MacKinnon. Sure. I mean, it's really difficult. And actually, 
related to the telecommunications infrastructure, a Swedish company, 
TeliaSonera, came under fire for its presence in Azerbaijan----
    Ms. Han. And Uzbekistan.
    Ms. MacKinnon. ----and Uzbekistan, and the kind of assistance that 
the company might have been compelled to give. And it's my 
understanding they're sort of winding down their businesses in those 
areas for a number of reasons, including some of these concerns. But 
then you're just left with the state-owned telecommunications 
companies. So it's tough. If the government is criminalizing online 
speech, there's a real question, you know, so what can people outside 
of that country do, other than sort of support groups outside of the 
country who are trying somehow to get alternative information in, and 
to support strong encryption so that people in such countries can 
actually communicate and evade surveillance, and make themselves more 
secure.
    But it's really tough. And this is a trend we're seeing all over 
the world, attacks on civil society, and not just online but also 
offline, just the criminalization of civil society, cutting off of 
their funding, the increasing squeeze on any kind of independent 
journalism in a range of countries. And so this is why it's just really 
incredibly important for democratic countries to stand up for 
consistent application of laws, to set the example of what a human 
rights-compatible legal regime looks like, what human rights-compatible 
corporate practices look like, what an accountable technology kind of 
ecosystem looks like that's human rights compatible.
    If we don't set the right example in democracies, it's going to be 
harder and harder for people in places like Azerbaijan and many other 
countries to point to a model of where the country needs to go. A lot 
of these governments are saying, well, you know, all these other 
democracies are doing the same thing in different ways. And obviously 
it's not equivalent if you don't have rule of law or independent press, 
but nonetheless we're not doing a good enough job at providing models 
that people around the world can advocate for. And we need to do a 
better job.
    Ms. Han. Lisl, can you talk about how companies view working in 
countries like Azerbaijan, where there may ostensibly be very little 
censorship, and the typical programs--you know, Facebook, Twitter, et 
cetera, are available in those countries, but in practice you could say 
that there's very little Internet freedom. What you say online or what 
you--even when you communicate what you think is privately, is 
potentially viewable to the government. So how are companies looking at 
that?
    Ms. Brunner. Sure. And I'll just add to Rebecca's point. I think 
the GNI sees that the Freedom Online Coalition is kind of a positive 
step in the direction of democracies setting standards for Internet 
freedom around the world. We'd like to see the Freedom Online Coalition 
make more progress in this regard, perhaps create some model laws that 
other countries can implement, perhaps be more of a spokesperson for 
global Internet freedom in concrete ways.
    Yes, we've worked with TeliaSonera over the past few years, which 
was present in Azerbaijan and many of the countries in that region. And 
it is definitely a challenging situation. You know, it's important to 
have a human rights policy, to have a clear procedure in place, to 
train your employees on what that policy is so that they have a basis 
for interacting with government officials. The company has taken quite 
a few measures towards transparency, or trying to be as transparent as 
possible about its interactions with the government. In the end, as 
Rebecca mentioned, for a variety of reasons it has determined that 
withdrawal from that region is the best plan, for other reasons as 
well.
    And that is, I think, a decision that we can respect. At the same 
time, who's going to go into Azerbaijan once they leave? And is that 
going to be a win for human rights, if that's a company that does not 
have a human rights policy, that is not in constant communication with 
its stakeholders, with its government, with those who champion Internet 
freedom?
    Ms. Han. OK. Any other questions from the audience? Yes.
    Q: Hi. Steven Rashtushen [ph], House Foreign Affairs Committee, 
Asia-Pacific Subcommittee.
    My question is about how specifically with the Wassenaar 
Arrangement countries could implement certain ways to ensure that 
certain data has to be in the United States or other countries that 
would uphold human rights, such as Adobe or Microsoft changing their 
services, rather than selling technology, licensing it out. Is there a 
possible way that corporations and government would be amenable to 
having certain of these services based in countries that they control, 
and potentially police these human rights violations?
    Ms. Han. Tim, go first, or . . . ?
    Mr. Maurer. To be honest, I don't have the insight to be able to 
answer that question. I'd give you more details but, I don't.
    Ms. MacKinnon. I'd be happy to address it a little bit. We've seen 
quite a lot of instances, particularly with companies--you know, there 
are a number of companies, including U.S. companies, that store most if 
not all of their user data in the United States, particularly somewhat 
smaller companies that have large user bases. Or chose from their data 
centers, you know, actually kind of do some evaluation in where to put 
data centers.
    What we're finding, though, is sometimes even with companies whose 
data is outside of a particular jurisdiction, if they have any 
employees in that jurisdiction then the problem isn't solved. So it's 
not just a matter of where the data is, it's what are your other 
vulnerabilities. One case in point is with Facebook and what's 
happening in Brazil. A Facebook executive was jailed for about 24 
hours--fortunately he was released after a higher judge kind of decided 
it was ridiculous.
    But it was because WhatsApp, which is now owned by Facebook, 
wouldn't hand over user data in a drug investigation case. WhatsApp--
not only do they not host data in Brazil anyway, but they have rolled 
out end-to-end encryption. And so WhatsApp, the company, didn't have 
access to the data even in the United States. You know, it's just not 
physically possible to hand over that data.
    But then countries are still trying to find ways to basically 
coerce companies. Or they'll just say, if you don't comply with our 
request, we're going to block you completely from our market. And so 
you see a lot of cases where the data is hosted doesn't solve the 
entire problem.
    It can help in some circumstances, particularly with the most 
oppressive situations--for instance, with the user data in China, if 
it's physically in China there's no way you can refuse to hand it over, 
whereas there might be -if it's not in China, there are ways to avoid 
doing that. But it doesn't go the whole way, particularly in markets 
like Brazil, which are democracies, which are countries that these 
companies feel they need to be in, they need to have staff. But then 
they get coerced in really strange ways. So it's tough.
    Ms. Han. Any more questions? Yes.
    Q: I'm an intern from China, so I have experience with what you're 
saying just now. So it is true that we cannot use Facebook, Google, or 
Twitter, or other social media in China, because I think--because our 
government cannot control those companies. So, for example, if I post 
something or express my opinion online, on the policies of our 
government, I will be banned, or my opinion will be deleted online.
     I think--you know, the most important reason for this phenomenon 
is because our Chinese Government is not very confident of its 
democracy, and it's afraid that people in China will be influenced by 
democratic awareness in the Western countries, which may, you know, 
overthrow the Chinese Government. But the Chinese market is a very 
profitable market because China has an enormous population. I wonder 
whether those companies like Facebook, Google, they will compromise 
their principles and seek collaboration with Chinese Government, or do 
you have some specific or detailed ideas or suggestions that can 
pressure the Chinese Government to change its rules or regulations?
    Ms. Han. That's a really great question. Rebecca, you want to 
start?
    Ms. MacKinnon. Sure. And Lisl can talk about some of the principles 
that GNI member companies apply. But more broadly, I mean, it's my 
opinion--just because I've spent some time in China and looking at the 
Chinese Internet over the years--I've sort of concluded that it's going 
to be difficult to get--I think foreigners trying to convince the 
Chinese Government to change is not going to be very successful, for 
lots of reasons.
    I tend to feel that we're only going to see change when Chinese 
companies themselves begin to view their own commercial interests as 
different from--basically that complying with censorship and 
surveillance in a blanket way hurts their business. If Chinese 
companies become more global, they might need to actually demonstrate 
to users, if they're trying to grow their user base around the world, 
that they're upholding some principles. And if we eventually do see a 
little bit more distance between the interests of Chinese companies and 
the interests of the government, maybe that's where we might end up 
seeing a bit of change.
    But it's been my observation generally with these issues around the 
world, when you get a change of law in a positive direction, or when 
you get a change of policy in a positive direction, or if a bad law is 
stopped, or sort of a bad practice is stopped, usually it's because 
there's some kind of coalition that forms between civil society, in the 
case of Internet sort of user groups and so on, and some part of 
industry, and then some part of government that actually ends up seeing 
it in their interest to move in that direction.
    So in some countries there might be some part of the government 
that really cares about global science and technology, or something. 
And there might be some politicians who see it in their long-term 
political interest to advocate a particular position, and ally 
themselves in that way. But you know, I think China right now is a long 
way from seeing that. But I think if we're really going to see a sea 
change in terms of how the government and companies work together, it's 
going to have to come from within China. There's going to have to be 
some kind of alliance of interests. And it's going to take a long time.
    But we certainly have seen--Google used to have a censored searched 
engine in China because they wanted the business. They pulled out. 
Facebook is still blocked in China. They still haven't gone in. What 
they're going to do in the future it's hard to know. Other companies 
have made other choices. You know, Microsoft is in China pretty 
extensively. There are many non-GNI companies that are in China quite 
extensively, including Apple.
    And you know, different companies, I think, are--you know, there 
are sometimes also situations where there's no perfect choice in terms 
of what the user's interest is. And so sometimes companies end up 
having to weigh a number of different options, none of which are great, 
and choose between sort of least-bad solutions. Because I do think that 
if companies sort of just refuse to engage anywhere and provide any 
service anywhere unless there's a policy environment that's perfect--I 
don't think that's going to be good for the world's Internet users 
either. So it is a complex picture. But Lisl can talk more.
    Ms. Han. Just let me just further clarify what I'd like for you to 
talk to, just if you don't mind. This whole issue of what a company's 
motivation is, either for market share or reputation, they're kind of 
constantly balancing this. And what is a company's motivation to care 
about transparency, or to care about--it usually has to come from 
users--you know, their consumer base, right? It very rarely is 
something internal to the company.
    You know, Google started out with ``don't be evil.'' [Laughter.] 
But I think they've kind of lost their way on that one. But with Apple, 
talking about that motivation, certainly in this case that we see right 
now, I think what their motivation in fighting this case is, they're 
worried about security. They're worried about the security of their 
data and their users. I don't think they have really any compunction 
against helping the FBI get information. I don't think that's an issue. 
This is more a fundamental security issue for them and their product.
    This doesn't apply to Android phones, because it's a completely 
different business model. So I think it would be interesting to talk 
about why do companies like Facebook make decisions whether or not to 
go in, and their brand. If we go back to right after 1989, Levi Strauss 
famously pulled out of manufacturing in China because it hurt their 
brand. Here's an American jean company that was--they weren't going to 
be made by prison labor in China. But they eventually made the decision 
to go back even though labor issues in China hadn't necessarily 
changed.
    So if you could talk to motivation, and do you think that a lot of 
the companies in GNI, are they--is this really a user-generated need 
for them to do this, or what's their motivation for going into a market 
or not?
    Ms. Brunner. Well, that's a complex question, the motivation for 
going into a market. I mean, I think it's difficult to be a global 
information and communications technology company and exclude a billion 
users in China and millions of users elsewhere. I think, yes, with the 
GNI companies and many Western companies, it's the desire of the users 
to be part of a company with service that is transparent that operates 
in a way that is consistent with the U.N. guiding principles on 
business and human rights. And as Rebecca said, the GNI framework is 
meant not only to apply to companies doing business in easy situations, 
but to give them some tools for doing business in difficult 
situations--and in the most difficult situations.
    So the principles and the implementation guidelines dealing with 
specific requests, the types of actions that companies can take. They 
can say, please clarify this request and tell us exactly where in your 
law it gives you the authority to ask for this. It allows them to go 
back to requests and say, actually, we interpret the law differently 
and we don't think that you need all of that data, you just need this 
little part of the data. The human rights due diligence process is to 
ask questions such as, is the way that we can modify this product, or 
introduce a different product that will enhance privacy or add extra 
privacy protections?
    And then just being able to discuss these opportunities, these 
options with people like Rebecca MacKinnon, who's an expert in China 
and other organizations that have contacts on the ground there, that 
have expertise in these different areas, is incredibly valuable. And 
that's something that will support our companies as they make these 
decisions.
    Ms. Han. We have time for one more question, if anybody wants to 
ask something?
    OK, I just want to wrap up and ask sort of a 30,000-foot question. 
Where do you think we go from here? Because we're kind of at the hard 
spot right now, I think, with where the Internet is going, where online 
freedom is going. And it seems like it's moving to where the telecom 
sector is or has been for a long time, whatever the governments want 
them to do, they do. But I think that there's still space and there's 
still so much innovation that's happening within the Internet industry 
that we still have opportunities. So I'm just wondering if each of you 
could talk about where you think we might be going in your respective 
areas.
    Lisl, you want to start? Or, Tim, you're ready? OK.
    Mr. Maurer. So with regard to the export control issue, I think 
what we've seen in the last year, and even the discussion since 2013 is 
only the beginning of this, because I think, both from the human rights 
perspective, but also from the cybersecurity, national security 
perspective, this was kind of more of a wake-up call that export 
controls might be a useful tool. And there's now a much greater 
sensitively and awareness around it, which will hopefully translate 
into a more productive process, where we can actually find some 
language and then an implementation policy that's sensible to what is 
being--[inaudible]. But mine is--I would guess that this was just the 
beginning, and these two controls might not be limited to also only 
what we see in this space.
    Ms. Brunner. I can speak from the perspective of the GNI. In many 
ways, we've kind of come out of version 1.0, which was consolidating 
the organization, conducting the first round of assessments. And now 
that we've learned those lessons, I think we're in version 2.0, which 
is taking the lessons from those assessments and translating them into 
public conversations, into policy engagement, promoting things such as 
the distribution of alternative messages, rather than the restriction 
of content when things like terrorist content, glorification of 
terrorism are used to try and restrict content, and promoting solutions 
such as mutual legal assistance as alternatives to things like data 
liberalization mandates. And as we can, kind of take those practical 
lessons and get those messages out to the right people, I think that 
will advance the debate.
    Ms. MacKinnon. I think, as I was saying before, we need policy 
leadership. We need the United States to lead. We need the democratic 
world to lead. We need to see commitments that, yes, the democratic 
world is facing some real challenges with terror and use by terrorists 
of the technologies. But we need to understand that and say, this is a 
hard problem. Knee-jerk solutions, short-term solutions are not, in the 
long run, going to solve the problem or make us more secure. And we 
need to subject our policy solutions to a broader assessment of what is 
their global human rights impact, what is their impact on the ability 
of the Internet to be free and open and secure for all of its users, 
and really subject policy measures and proposals to that kind of test.
    And to see coordination amongst democratic governments about 
building best practices, to be creative on policy solutions around 
cross-border law enforcement and how trade rules and sanctions are 
meant to work or not work. I think with the Freedom Online Coalition, I 
would love to see to the extent possible if Congress can kind of push 
to see more accountability amongst the Freedom Online Coalition 
governments. You know, the United Nations has something called the 
Universal Periodic Review, where governments--on human rights--where 
governments report to the Human Rights Council on what they're doing to 
protect human rights in their countries.
    I would like to see some reporting coming from the members of the 
Freedom Online Coalition of what have these governments done to advance 
online freedom around the world--not just made commitments. And there 
are some good things--like, there's a fund to support human rights 
defenders in some of the most problematic countries. But what are 
democratic governments doing to really exercise policy leadership on 
the planet right now, and to see evidence of that and to see a plan for 
doing that, and coordinating on counter terror, law enforcement, and 
all these kinds of things. And to the extent we can push to have that 
happen, I think it would be really helpful.
    I think that the Global Network Initiative has added real value, 
and I think made a real difference. And there may not be perhaps enough 
public understanding of the extent to which it's made a difference with 
some of the world's most powerful Internet companies. And we do need 
accountability frameworks. And we have seen over the past 50 years, 
accountability frameworks around labor standards, around environmental 
standards. They have really emerged through a combination of 
legislation, but also from investors stepping up and applying standards 
to companies, and asking questions of corporate boards. And we're just 
starting to develop what the standards should be to evaluate Internet 
and telecommunications human rights practices that can give investors 
some levers.
    We need companies to be sort of reporting more on what it is they 
are doing. We need greater transparency, a greater commitment, and 
greater mechanisms to hold them accountable. I think there may be some 
cases where law can help. There are other cases where the issues are so 
complex that it might be hard to legislate, but there are a number of, 
I think, initiatives that can be supported, taking place in the private 
sector and civil society to really strengthen accountability. I know 
the Global Online Freedom Act and its evolution over time has examined 
different approaches to requiring company reporting.
    There is a question of should it be to the Security and Exchange 
Commission, or maybe the FTC that might have more expertise on this to 
evaluate company disclosure. I do think that providing leadership is 
important, and recognizing that this is really a global problem, and a 
global issue, and setting standards for how companies need to handle 
their relationships with governments, how they need to treat their 
users, you know, and making those truly global standards is important.
    And Congress has a role to play. I think the executive branch has a 
role to play in providing leadership on this. I think the private 
sector, civil society, academia, just the need for more research in 
terms of cause and effect and what's going on, and what is effective 
and what's not in terms of interventions is really important, because I 
think sometimes with some of the funding that goes towards efforts, 
we're not quite sure what's effective and what's not, so it's really 
good to have more evaluation of that as well.
    I think the good news is, having worked in this space for the past 
10 years, is that 10 years ago there weren't that many people working 
on these issues. And I remember being here on the Hill, in, what was 
it, like 2006, when a number of companies were called in to explain 
themselves and their practices in China. And the language they used was 
quite appalling. It was sort of like, ``well, there's nothing we can 
do'' kind of language. You don't hear that anymore.
    You hear a very different tone, a very different set of 
commitments. The discourse around these issues got much more 
sophisticated. I think there's an understanding of the role everybody 
needs to play. I think there's now a community working on these issues 
that didn't exist, with the exception of a few small groups, 10 years 
ago. And that's really thanks to the leadership in Congress and 
elsewhere in the government supporting the growth of this community, 
continuing to shine a light on these issues, continuing to make global 
Internet freedom part of U.S. policy. No matter how imperfect it is, 
it's an important pillar of U.S. policy. That needs to be continued and 
needs to be supported.
    So, I kind of want to end on an optimistic note. Despite the tough 
problems we face out there, and the individuals who are really facing 
threats, we've seen a lot of progress in terms of the work that's being 
done. And it would be a lot worse if this community of different 
stakeholders--government, private sector, NGOs, academics--hadn't 
stepped up.
    Ms. Han. And a lot of that is thanks to you, Rebecca, because from 
starting the GNI, and now doing Ranking Digital Rights, you've been the 
trailblazer in that. So thank you for doing it. And thank you for being 
here. Tim, thank you. Lisl, thank you. I appreciate everyone for being 
here. And we're adjourned. [Applause.]
    [Whereupon, at 11:35 a.m., the briefing ended.]


                           A P P E N D I X



    Chairman Smith, Co-Chairman Wicker and Members of the U.S. Helsinki 
Commission, thank you for the opportunity to provide an overview of the 
Global Network Initiative and its policy priorities.
    The Global Network Initiative is an international, multi-
stakeholder collaboration between information and communications 
technology (ICT) companies, civil society organizations, investors, and 
academics. Formed in 2008, our mission is to promote human rights by 
creating a global standard for companies that supports responsible 
decision-making, and by being a leading voice in policy debates to 
advance freedom of expression and privacy rights in the ICT sector.
    The GNI's company members are Facebook, Google, LinkedIn, 
Microsoft, and Yahoo, and its non-company members include the Berkman 
Center for Internet & Society, the Center for Democracy and Technology, 
Human Rights Watch, Bolo Bhi of Pakistan, the Centre for Internet & 
Society of India, and the Church of Sweden, among many others. \1\ For 
the past three years, the GNI has collaborated with companies 
participating in the Telecommunications Industry Dialogue. Seven of 
these global companies recently became observers to the GNI with an aim 
to become full members in March of next year.
---------------------------------------------------------------------------
\1\  A complete list of participants is available at http://
globalnetworkinitiative.org/participants/index.php.

---------------------------------------------------------------------------
The GNI works in four areas:

    1) It provides a framework for responsible company decision-making 
and action;

    2) It fosters accountability through company commitment to an 
independent assessment process to evaluate their implementation of the 
Principles;

    3) It promotes policy engagement; and

    4) It enables shared learning among our participants.

Responsible company decision-making

    In the first area, the GNI's Principles and Implementation 
Guidelines were developed through a multi-stakeholder process and are 
based on international human rights standards. \2\ Our guidelines are 
influenced by, and are compatible with, the UN Guiding Principles on 
Business and Human Rights and the `Protect, Respect, and Remedy' 
framework. The GNI framework helps member companies to respect and 
protect the freedom of expression and privacy rights of their customers 
and users when they respond to government demands, laws and 
regulations. Companies worldwide can use this framework to implement 
their responsibility to respect human rights.
---------------------------------------------------------------------------
\2\  The GNI Principles and Implementation Guidelines are available at 
http://globalnetworkinitiative.org/corecommitments/index.php.

---------------------------------------------------------------------------
Accountability

    In terms of accountability, GNI member companies undergo a biennial 
assessment of their implementation of the GNI Principles, conducted by 
organizations that are accredited by the GNI's multi-stakeholder Board 
and which meet independence and competency criteria. In addition to 
reviewing the GNI company's policies and procedures and interviewing 
staff members, the assessor selects case studies that determine how a 
company has responded to government demands involving freedom of 
expression and privacy. The assessor prepares a report that is reviewed 
by the GNI Board, and the Board determines whether the companies are 
complying with the Principles, which means that in the Board's view, 
the company is making a good faith effort to implement and apply the 
GNI Principles and to improve over time.
    In 2013, the GNI completed assessments for its three founding 
companies, \3\ and its second round of assessments for all member 
companies is currently underway. The experiences shared through the 
assessment process are channeled into shared learning and policy 
efforts.
---------------------------------------------------------------------------
\3\  The Global Network Initiative, Public Report on the Independent 
Assessment Process for Google, Microsoft, and Yahoo (January 2014), 
available at: http://globalnetworkinitiative.org/sites/default/files/
GNI%20Assessments%20Public%20Report.pdf

---------------------------------------------------------------------------
Policy engagement

    In terms of policy engagement, the multi-stakeholder nature of GNI 
gives us a deep capacity for informed and credible engagement with 
governments, intergovernmental organizations and international 
institutions. The GNI generally advocates for laws that are consistent 
with international human rights standards and with the principles of 
legality, necessity, and proportionality. At present, we are focusing 
our policy efforts on five issues of priority.
    First, the GNI is concerned by the adoption of broad laws 
prohibiting extremist content and the promotion of terrorism. The GNI 
acknowledges the legitimate national security and law enforcement 
obligations of governments. At the same time, there continues to be no 
internationally agreed upon definition of terrorism, and across the 
world, counterterrorism laws have led to the criminalization of speech 
in political contexts and to the restriction of large amounts of 
content in countries like Tajikistan. Similarly, some authorities have 
proposed that ICT companies should face criminal liability for failing 
to delete content praising terrorism from their platforms. \4\
---------------------------------------------------------------------------
\4\  See, The Global Network Initiative, Extremist Content and the ICT 
Sector: Launching a GNI Policy Dialogue (July 2015), available at: 
http://globalnetworkinitiative.org/sites/default/files/
Extremist%20Content%20and%20the%20ICT%20Sector.pdf.
---------------------------------------------------------------------------
    This is related to a second area of policy priority, which is 
legislation on intermediary liability and calls for service providers 
to police user content and communications, at times under broad and 
vague standards of what content is considered illegal.
    Third, the GNI advocates for laws that regulate government access 
to user data in a way that protects the right to privacy. Recently, for 
example, we have engaged with the U.K. government and provided input to 
consultations on its Investigatory Powers Bill. \5\ The GNI has also 
urged governments to support strong encryption and not to subvert 
security standards. \6\
---------------------------------------------------------------------------
\5\  Global Network Initiative, Written Evidence to the Joint Committee 
on the Draft Investigatory Powers Bill, December 21, 2015, available 
at: http://globalnetworkinitiative.org/sites/default/files/
Written%20evidence%20- %20Global%20Network%20Initiative.pdf.
\6\  Global Network Initiative, Submission to the UN Special Rapporteur 
on the promotion and protection of the right to freedom of opinion and 
expression (February 2015), available at: http://
globalnetworkinitiative.org/sites/default/files/
GNI%20Submission%20on%20Encryption.pdf.
---------------------------------------------------------------------------
    Fourth, the GNI has advocated for reforms to the Mutual Legal 
Assistance (MLA) regime, which is the dominant method for managing 
lawful government-to-government requests for data across jurisdictions. 
The regime has not been updated to keep pace with globalized data, 
making the process inefficient and opaque, and requests to the U.S. 
government take an average of 10 months to fulfill. As a result, 
authorities from other governments sometimes resort to drastic 
measures. Some states have attempted to demand that their domestic laws 
apply extraterritorially, have proposed data localization measures, and 
have sought to compromise the digital security of individuals. All of 
these measures would be harmful to an open, robust, and free Internet.
    The GNI has identified a series of practical and legal reforms that 
policymakers could adopt in order to reform the current MLA system. \7\ 
We also support efforts to develop a new international legal framework 
to enable foreign law enforcement authorities to have efficient access 
to information when this access is consistent with international norms 
on human rights and privacy. The GNI supports reforms that would allow 
governments to make requests for data from providers, as long as 
stringent human rights requirements apply and the process is 
characterized by robust transparency, accountability, and international 
credibility.
---------------------------------------------------------------------------
\7\  Andrew K. Woods, Data Beyond Borders: Mutual Legal Assistance in 
the Internet Age, The Global Network Initiative (January 2015), 
available at: https://globalnetworkinitiative.org/sites/default/files/
GNI%20MLAT%20Report.pdf.
---------------------------------------------------------------------------
    Finally, the GNI has advocated for governments to take steps to be 
more transparent about the laws and legal interpretations that 
authorize electronic surveillance or content removal. Similarly, we 
urge governments and intergovernmental organizations to take a 
multistakeholder approach when debating laws and policies that impact 
the freedom of expression and privacy of Internet users globally and to 
ensure that these are subject to public debate. \8\
---------------------------------------------------------------------------
\8\  See, e.g., Global Network Initiative, Submission to the Office of 
the UN High Commissioner for Human Rights on ``The Right to Privacy in 
the Digital Age'' (April 1, 2014), available at: http://
globalnetworkinitiative.org/sites/default/files/
GNI%20submission%20OHCHR%20April%201%202014.pdf

---------------------------------------------------------------------------
Learning 

    In terms of learning, the GNI provides opportunities for its 
members to work through complex issues with other participants in a 
safe, confidential space. We have commissioned reports that examine the 
challenges facing governments and technology companies as they balance 
the rights to freedom of expression and privacy with law enforcement 
and national security responsibilities. And we have held public 
learning forums to discuss these challenges in the United States, 
Brussels, and Geneva.

Conclusion 

    In conclusion, I would like to highlight a few of the GNI's 
achievements. The GNI's independent assessment process has yielded 
tangible changes and improvements in company policies and practices. 
These include the adoption of human rights impact assessments and the 
development of enhanced company transparency with customers, users and 
the wider public. The application of GNI Principles has reduced the 
amount of content removed and personal data released as a result of 
government requests. We have also successfully encouraged governments 
to increase transparency and public debate around their surveillance 
laws, policies and practices, securing commitments on judicial 
oversight from the almost 30 governments in the Freedom Online 
Coalition and reforms of surveillance and intermediary liability laws.
    Thank you again for the opportunity to give an overview of the GNI 
and its activities.

The Global Network Initiative is an international multi-stakeholder 
organization that brings together information and communications 
technology companies, civil society (including human rights and press 
freedom groups), academics and investors to work together to forge a 
common approach to protecting and advancing free expression and privacy 
around the world. GNI members commit to, and are independently assessed 
on GNI principles and guidelines for responding to government requests 
that could harm the freedom of expression and privacy rights of users. 
For media inquires, please contact Kath Cummins, 
[email protected].


    Chairman Smith, Co-chairman Wicker, Members of the Commission,
    It is an honor to testify before you today. Thank you for the 
opportunity to address the important issue of the role of export 
controls and internet freedom.
    I am an associate at the Carnegie Endowment for International 
Peace, where I co-lead Carnegie's Cyber Policy Initiative. For the last 
six years I have been working at the intersection of human rights, 
cybersecurity, and internet governance. I currently serve as a member 
of the Freedom Online Coalition's cybersecurity working group ``An 
Internet Free and Secure,'' am a member of the Research Advisory 
Network of the Global Commission on Internet Governance.
    Export controls are among the most complicated policy issues to 
address. Export controls combine law, technology, and policy with 
national- and international-level implications and in this case also 
sit directly at the intersection of human rights, security, and 
business. Striking the right balance between benefits and costs is a 
common challenge across all export control categories for dual-use 
items. This is especially difficult in the context of new technologies 
and emerging markets which still lack comprehensive empirical data.
    In December 2013, the 41 member states of the Wassenaar Arrangement 
on Export Controls for Conventional Arms and Dual-Use Goods and 
Technologies agreed to create two new export controls focusing on 
``cybersecurity items.''\1\he proposed implementation of these two new 
controls by the U.S. government sparked significant controversy last 
year and touch on four dimensions that are important to consider:

      Growing empirical evidence of technologies sold by 
companies in North America and Europe to customers in countries that 
use them to violate human rights
      The benefit of these technologies for legitimate law 
enforcement and intelligence activities
      The benefit of these technologies for cybersecurity, for 
example, to test and improve defenses
      The risks of these technologies for cybersecurity, for 
example, by providing more sophisticated hacking tools to actors who 
will use them for offensive purposes

    My remarks will focus on the first of these four dimensions, 
controlling exports of technologies that can be used to violate human 
rights in the context of Internet Freedom, given the focus of this 
briefing but each of them raises important questions and challenges 
worth exploring further. In addition to the substantive considerations, 
process is another important factor to consider. The controversy over 
the past year and the significant pushback against the U.S. 
government's proposed implementation of the two new controls are signs 
that processes need to be improved. Only two days ago, Secretary 
Pritzker announced in a letter that

``In response to these concerns. . .the United States has proposed in 
                    this year's Wassenaar Arrangement to eliminate the 
                    controls on technology required for the development 
                    of `intrusion software'. We will also continue 
                    discussions both domestically and at Wassenaar 
                    aimed at resolving the serious scope and 
                    implementation issues raised by the cybersecurity 
                    community concerning remaining controls and 
                    hardware tools for the command and delivery of 
                    `intrusion software.' ''

    As we enter this new phase in this discussion following Secretary 
Pritzker's letter, it is helpful to start by looking back at the 
original problem that led to these new controls. This is worth 
highlighting because this history and underlying human rights problem 
were occasionally lost in the controversy over the past year and has 
yet to be addressed. It is also worth noting that export controls are 
only one mechanism among a variety of tools to effectively address this 
first dimension but an important one which is why this briefing is 
particularly timely.

Introduction: The Emergence of a Difficult Problem 

    The driving force originally pushing for updated export controls 
were human rights groups who had grown increasingly concerned \2\ that 
repressive governments were using new technologies to spy on their 
citizens.\3\ These new technologies can be used for different purposes 
and have been sold on an emerging and growing market. This market first 
entered into the spotlight after the 2011 Arab uprisings; when the 
archives of fallen Arab regimes opened to the public, they provided a 
unique insight into those regimes' inner workings and trade 
relationships. This included shedding light on companies in North 
America and Europe who had exported technologies to security and 
intelligence agencies in countries ranging from Muammar Gadhafi's Libya 
\4\ to Bahrain.\5\ In 2011, the Wall Street Journal published a catalog 
\6\ shedding light on this burgeoning industry.
    One particularly prominent example of the type of company and 
products that have been at the center of this debate is Hacking Team, 
an Italy-based company selling technologies designed to access computer 
networks and collect data. On July 5, 2015, Hacking Team was hacked. 
The intruder not only changed the firm's Twitter account to ``Hacked 
Team'' but exposed some 400Gb of proprietary data to the public. 
Subsequent media analysis shed light on Hacking Team's client 
relationships with security agencies in more than 20 countries, 
including some with dubious human rights records such as Sudan.\7\ 
Another example illustrates that certain governments use these 
technologies not only within their own borders. A federal court in 
Washington is currently weighing a lawsuit \8\ alleging that the 
Ethiopian government remotely spied on a U.S. citizen in Maryland. To 
do so, the Ethiopian government used commercial internet-based 
technology sold by Gamma International, a company based in the United 
Kingdom and Germany. This activity was discovered not by the U.S. 
government, but by Citizen Lab, an academic research center based at 
the Munk School of Global Affairs at the University of Toronto.
    These news reports and research publications also revealed that 
existing export control regulations did not cover some of the 
technologies of concern to human rights advocates. Therefore, the 
French \9\ and British governments, which were both particularly 
criticized for allowing the export of technologies to authoritarian 
governments that eventually used them for surveillance, each submitted 
a proposal to amend the list of the Wassenaar Arrangement leading to 
the adoption of two new controls by its full membership in December 
2013.

Background: Wassenaar Arrangement 

    The creation of these two new controls set a precedent by adding a 
human rights component to the Wassenaar Arrangement. The stated mission 
of the Wassenaar Arrangement is ``to contribute to regional and 
international security and stability, by promoting transparency and 
greater responsibility in transfers of conventional arms and dual-use 
goods and technologies, thus preventing destabilizing accumulations.'' 
\10\ Unlike its predecessor, the Cold War-era Coordinating Committee 
for Multilateral Export Controls (COCOM), the Wassenaar Arrangement 
does not target any state or group of states, nor can members exercise 
veto power over other members' export decisions. Rather, the 
arrangement aims to create a framework for harmonizing national 
approaches to export controls and to offer a forum for information-
sharing.\11\
    In December 2013, Wassenaar signatories, including the United 
States, the member states of the European Union, Japan, and Russia, 
reached a consensus on adding the two new aforementioned export 
controls focusing on ``intrusion software'' and ``IP network 
surveillance systems'' to the arrangement's list of regulated 
technologies. These are technologies used to gain access and to monitor 
data. Some \12\ have described this addition as an attempt to bring 
``cyberweapons'' into the fold of international arms-control agreements 
and the U.S. government would later describe them as ``cybersecurity 
items.'' \13\
    Because the Wassennaar Arrangement is voluntary and nonbinding, it 
has no direct effect on national or international law; states must 
integrate its terms into their respective national frameworks for 
controlling exports. Over the nearly two years since the passage of the 
2013 amendments, the 41 signatory states have focused on implementing 
the change. So far, implementation across these 41 states remains 
uneven and while the majority of the membership including Japan and the 
member states of the European Union implemented the new controls, 
implementation by the U.S. has been lagging behind.

Analysis of Post-2013 Events and Proposed Implementation in the United 
States

    Because the Wassenaar Arrangement is updated annually, its 
signatories have generally well-established mechanisms to implement any 
amendments, and the United States is no exception. Usually the U.S. 
interagency process takes six months to implement changes agreed to in 
the multilateral Wassenaar dual-use-technologies export-control list 
given the consultative process with industry beforehand through the 
Department of Commerce's Technical Advisory Committees.\14\ However, 
this time it took until May 2015, nearly three times longer than usual, 
for the U.S. government to publish its decision through the Department 
of Commerce's Bureau of Industry and Security.
    This long delay occurred for two reasons. First, there was a 
prolonged interagency discussion about the implementation of these two 
new controls. The outcome was not, as it usually is, a final rule but a 
proposed rule, which enabled the public to provide feedback during a 
two-month period. This was unusual and an encouraging demonstration of 
the government's willingness to engage the public. In fact, Secretary 
Pritzker's letter now states that this practice will become 
institutionalized and a standard mechanism moving forward, a decision 
to be applauded. This can produce more effective outcomes in the future 
and help build trust among the actors involved, as long as it is used 
to meaningfully engage in dialogue rather than used to block action.
    The second reason for the delay was that despite the 
administration's long internal deliberations, the proposed rule for 
implementing the new controls met with stiff resistance from major 
multinational companies as well as from members of the cybersecurity 
research community once it was made public. During the subsequent two-
month public comment period following the publication of the proposed 
rule, many businesses, industry groups, and security researchers argued 
that the bureau's proposal interpreted the Wassenaar language too 
broadly, echoing more general concern over the wording the Wassenaar 
Arrangement itself. Companies including Google,\15\ Cisco and 
Symantec,\16\ and firms under the umbrella Coalition for Responsible 
Cybersecurity \17\ organized against the government's formulation. They 
expressed concern about the potential cost to the industry, the 
potential effect of slowing down cybersecurity information sharing, and 
the uneven implementation of the new controls across the Wassenaar 
membership. Even some of the civil society organizations who had been 
advocating for an update of export controls \18\ voiced concern about 
the possible effects of the changes and broad language on cybersecurity 
research offering specific recommendations for how to narrow and tailor 
their implementation.
    The reaction made clear that addressing the problem and updating 
the export-control regime would be complicated for both historical and 
technical reasons. Historically, much of this debate is reminiscent of 
the heated discussions around the Computer Fraud and Abuse Act (CFAA) 
and encryption controls, known as the ``Crypto Wars'' of the 1990s, 
which left scars and entrenched positions among those involved. 
Moreover, in several cases over the past two decades, federal 
prosecutors stretching the law's language have used the CFAA to pursue 
harsh court sentences.\19\ Cybersecurity researchers worry that an 
overly vague or broad regulation could be similarly used in the future. 
It is therefore no surprise that the U.S. government's proposed 
implementation of the new controls resurfaced old grievances and 
revealed significant levels of mistrust among some of the actors 
involved.
    Moreover, the proposed rule exceeded the original language of the 
2013 amendment to the Wassenaar Arrangement. That wording had focused 
more narrowly on network-surveillance systems and intrusion software 
that is usually developed by companies for sale to governments, not by 
individual researchers. By contrast, the U.S. proposal outlines a 
policy of ``presumptive denial'' and is therefore inclined to deny 
rather than approve exports and specifically references ``zero-day 
exploits,'' the vulnerabilities in software that remain undetected and 
have been known for zero days. Cyber researchers often seek out such 
vulnerabilities to test a system's security and to alert developers to 
weaknesses. There are also so-called bug bounty programs and an active 
market where such vulnerabilities are traded. As the Electronic 
Frontier Foundation \20\ argues, ``the only difference between an 
academic proof of concept and a 0-day for sale is the existence of a 
price tag.'' The concern is that the new regulations could have a 
chilling effect on researchers fearful of being found in violation of 
the letter of the law, even though their objective is the exact 
opposite. Department of Commerce representatives have stated \21\ that 
the proposed controls are not intended to limit security research or 
even the legal trade in zero-day vulnerabilities, but critics worry 
that such a chilling effect will occur.
    As a result of this feedback, the Department of Commerce, in an 
unusual departure \22\ from its normal implementation process, first 
indicated that it would revise its proposal \23\ and eventually the 
U.S. government followed up with the aforementioned letter by Secretary 
Pritzker on March 1, 2016.

Moving Forward and Recommendations 

    It is clear that addressing this problem can only be successful if 
coordinated multilaterally and informed by technical analysis.\24\ 
Initially, human rights groups expected that the United States would be 
a leader in implementing these export controls given its prominent 
Internet Freedom agenda. Now, the United States is part of the minority 
of countries that have yet to implement the new controls and is 
reacting to other countries' implementation rather than proactively 
shaping the standard itself. As others have already observed, the 
United States is ``home to most of the world's cybersecurity companies, 
holding the number one provider position in the global market--which 
topped $75 billion in 2015 and could reach $170 billion by 2020.'' \25\ 
U.S. leadership on this issue and full investment in striking the right 
balance can therefore have a significant impact and set an example for 
others. One of the positive outcomes of the controversy of the past 
several months is a heightened awareness among all actors involved. The 
underlying human rights problem that led to the development of the new 
controls has yet to be addressed.
    Export controls can be an effective tool to influence corporate 
behavior.\26\ The challenge is designing them so they only target the 
type of behavior deemed of concern without affecting the rest. Weighing 
these interests and weighing human rights and security concerns is not 
a novelty in the context of export controls especially for dual-use 
technologies.\27\ However, this is a new and growing industry with a 
limited amount of data available therefore making this process more 
complicated.

Moving forward, I therefore recommend focusing on the following two 
strategic priorities:

      Increasing transparency: a major challenge to addressing 
this problem effectively and to tailoring export controls accordingly 
is the lack of information about this market, its players, and the 
trade of products. Greater transparency can be accomplished through 
various avenues including voluntary action by companies. In addition, 
the notification requirements of the export control regime can be a 
useful mechanism for the government to get a better picture about the 
market without necessarily imposing a licensing requirement. The data 
can then be reviewed after a few years to develop a tailored export 
control regime based on more reliable data.

      Establishing an efficient and inclusive process: The 
controversy of the past year shows that the process to develop, adopt, 
and implement new export controls needs to be improved. The U.S. 
government's decision to request public feedback is a promising sign to 
solicit input beyond the existing standing Technical Advisory 
Committees. This is particularly important to reach communities such as 
the cybersecurity research community. A further improvement of the 
process could consist of the government hosting more consultations at 
some of the major security research and Internet Freedom conferences 
composed of representatives from different government agencies. 
Moreover, representatives from the human rights community must be 
invited in these discussions at all, including the highest levels.

With regard to the immediate task of implementing the two new controls 
in the United States, I recommend two parallel tracks:

      A first track reviewing the language of the two new 
controls and exploring how the language could be improved in a process 
involving the human rights and security research communities as well as 
industry.\28\ Following Secretary Pritzker's letter, it is now clear 
that at least part of the language of the two new controls will be 
reviewed at Wassenaar. However, this process is likely to encounter 
several challenges including the trade-off between (i) keeping language 
that's fairly broad but can therefore take into account future 
technological developments without having to be updated or (ii) 
narrowing the language and therefore scope of the control but likely to 
require revisions sooner. The former requires more trust in the 
government not to use broad language for overly strict implementation 
policies. At the same time, major revisions to the language are not 
feasible given that the majority of the Wassenaar membership has not 
only agreed to but already implemented the new controls and these are 
only two of many items to be reviewed and discussed overall.
      A second track focusing on how to implement and develop a 
licensing policy for the language to apply only to those technologies 
sold by companies to specific end users in countries with known human 
rights problems. This will require a nuanced approach combining the 
technology-focused controls with existing or potentially new country 
charts. This also needs to include developing FAQs to be issued by the 
U.S. government to clarify its interpretation of the language. In terms 
of process, it is important to include industry, the cybersecurity 
research and human rights communities for all parties to develop a 
shared understanding of the interpretation of adopted language and 
implementation. One option for implementing the two new controls more 
narrowly in addition to taking into account others' recommendations 
\29\ about possible exemptions is:

      Only exports of technologies to countries with systemic 
human rights violations will be subject to a review for approval or 
denial by the U.S. government with a presumption of denial policy in 
place for those countries with empirical data of past human rights 
violations involving such technology \30\
      Export of technologies that fall under the two controls 
to other countries will only trigger a notification requirement 
providing details about the export, type of product, customer etc. to 
the government to increase transparency but will not be subject to an 
approval review

    At the multilateral level, it has become clear that while the 41 
member states agreed to the same language in December 2013, 
implementation of the new controls has varied widely.\31\ As Cheri 
McGuire, vice president for global government affairs & cybersecurity 
policy at the Symantec Corporation has pointed out in her testimony on 
January 12, 2016, ``[t]he Hacking Team's public business model was to 
sell offensive intrusion and surveillance capabilities --the exact 
technology the Wassenaar Arrangement attempted to target with the new 
controls. However, the Italian export authorities granted a blanket 
global license to the Hacking Team allowing them to freely export their 
products around the world to many of the countries that the Wassenaar 
rule is trying to prevent from obtaining these tools.''\32\ Moreover, 
Gamma's actions in Switzerland are a powerful reminder that companies 
are likely to shop for favorable jurisdictions, and that the global 
impact of export controls will remain limited without a multilateral 
regime with uniform and global implementation. Therefore, I recommend:

      the U.S. government to work with other Wassenaar members 
based on data that is now becoming available to ensure that the 
implementation of the new controls is consistent across its membership 
in order for the controls to be effective and in order for the controls 
not to create a competitive disadvantage.
      the U.S. government to collaborate with countries that 
are not members of the Wassenaar Arrangement but focus on building an 
industry in this area, for example, India, to engage them early on in 
building a broader regime with common standards.

One country particularly worth paying attention to in this context is 
Israel. Israel is not a member of the Wassenaar Arrangement yet 
implements Wassenaar controls voluntarily. Israel is therefore also 
implementing the two new controls, in fact, it has even broadened the 
language.\33\ This is particularly noteworthy given Israel's 
significant cybersecurity industry, the Israeli government's having 
made growing this industry a national priority including support from 
Prime Minister Benjamin Netanyahu at the top,\34\ and the unique 
security threats Israel is facing. Israel's approach to implementing 
the new controls is likely to provide further insight into how to 
strike an appropriate balance between these various interests.

Export controls are only one mechanism in the tool kit to effectively 
address the underlying human rights issue, as I pointed out at the 
beginning. They will need to be part of the mix but we also need to 
consider other tools, namely:

      Corporate self-regulation and corporate social 
responsibility: The strong reactions from industry have produced a 
heightened awareness. Translating this heightened awareness into action 
addressing the underlying human rights problem will require leadership 
and support from responsible industry leaders to impose peer pressure 
on industry members with lower standards of due diligence. For example, 
Jerry Lucas, president of the company that organizes the Intelligence 
Support Systems conferences that have become known for showcasing 
surveillance and censorship technology, demurs responsibility. ``That's 
just not my job to determine who's a bad country and who's a good 
country,'' he has said. ``That's not our business, we're not 
politicians, we're a for-profit company. Our business is bringing 
governments together who want to buy this technology.'' \35\ A 
voluntary approach driven by industry could include

      Sharing best practices for implementing Know-Your-
Customer to raise the standard across industry (the Electronic Frontier 
Foundation has done some groundbreaking work in this area); \36\
      Becoming a member and active participant in industry 
groups focusing at the intersection of business and human rights such 
as the Global Network Initiative; \37\
      Working with human rights NGOs and research organizations 
like EFF, the Citizen Lab, Privacy International, or New America's Open 
Technology Institute to increase transparency and help name and 
shame.\38\

      Expansion of ``GHRAVITY'' executive order: In April 2012, 
the Obama administration issued Executive Order Blocking The Property 
And Suspending Entry into the United States of Certain Persons with 
Respect to Grave Human Rights Abuses by the Governments of Iran and 
Syria Via Information Technology \39\ to address the provision of 
technologies to these two countries that can be used for surveillance. 
The European Union established \40\ a similar ban on exports to Syria. 
Expanding this ``GHRAVITY'' \41\ Executive Order is another potential 
avenue to pursue. However, unlike the export control system, this 
approach has a much less mature system to include and engage with 
stakeholders outside of government, an issue that will only increase in 
importance as the technology evolves creating a need to update the 
language and scope of such regulation. Exploring this option therefore 
requires particular investment in establishing procedures to engage 
with and consult experts in industry as well as the cybersecurity 
research and human rights communities.

Looking ahead, it will be important to make these new controls 
meaningful and effective. Otherwise, governments could rely on other 
existing controls, namely encryption controls, as a substitute to 
address the unresolved underlying human rights problem. Given that 
another objective of many civil society and industry actors is a 
further liberalization of encryption controls in the future building on 
the historic tend, further liberalizing encryption controls will become 
significantly more complicated and harder to disentangle if encryption 
controls will also be used to protect human rights in the future. 
Relatedly, if encryption controls will be used as a substitute some 
companies might start developing products without encryption 
automatically built into them to avoid export controls that might still 
be of concern from a human rights perspective.

Endnotes 

        \1\ https://www.gpo.gov/fdsys/pkg/FR-2015-05-20/pdf/2015-
11642.pdf
        \2\ https://static.newamerica.org/attachments/3936-
uncontrolled-global-surveillance-updating-export-controls
-to-thedigital-age/
Uncontrolled_Surveillance_March_2014.26e1226c08774594bd8a93d5638e8a75.pd
f
        \3\ Parts of this written statement are based on previous 
publications I have written and co-authored, for example: http://
www.worldpoliticsreview.com/authors/1798/tim-maurer http://
www.isn.ethz.ch/Digital-Library/Articles/Detail/?id=182246
        \4\ http://www.wsj.com/articles/
SB10001424053111904199404576538721260166388
        \5\ http://www.bloomberg.com/news/articles/2011-08-22/torture-
in-bahrain-becomes-routine-with-help-
from-nokiasiemens-networking
        \6\ http://graphics.wsj.com/surveillance-catalog/
        \7\ http://motherboard.vice.com/read/here-are-all-the-sketchy-
government-agencies-buying-hacking-teams-
spy-tech
        \8\ https://www.eff.org/cases/kidane-v-ethiopia
        \9\ http://business-humanrights.org/en/amesys-lawsuit-re-libya-
0#c18496
        \10\ http://www.wassenaar.org/introduction/index.html
        \11\ https://www.gpo.gov/fdsys/pkg/FR-2015-05-20/pdf/2015-
11642.pdf
        \12\ http://www.npr.org/sections/alltechconsidered/2015/07/20/
424473107/commerce-department-tighter-controlsneeded-for-cyber-weapons
        \13\ https://www.gpo.gov/fdsys/pkg/FR-2015-05-20/pdf/2015-
11642.pdf
        \14\ https://tac.bis.doc.gov/
        \15\ https://googleonlinesecurity.blogspot.com/2015/07/google-
wassenaar-arrangement-and.html
        \16\ http://passcode.csmonitor.com/wassenaar-comments#chapter-
235070
        \17\ http://www.responsiblecybersecurity.org
        \18\ https://cdt.org/files/2015/07/JointWassenaarComments-
FINAL.pdf
        \19\ https://www.eff.org/de/issues/cfaa
        \20\ https://www.eff.org/deeplinks/2015/05/we-must-fight-
proposed-us-wassenaar-implementation
        \21\ http://www.bis.doc.gov/index.php/policy-guidance/
faqs#subcat200
        \22\ http://digital-era.net/unusual-re-do-of-us-wassenaar-
rules-applauded/
        \23\ http://www.reuters.com/article/2015/07/29/us-software-
exports-regulation-idUSKCN0Q32OQ20150729
        \24\ http://www.cyberdialogue.ca/2013/03/against-hypocrisy-
updating-export-controls-for-the-digital-age-by-daniellekehl-and-tim-
maurer/
        \25\ http://www.csoonline.com/article/2946017/security-
leadership/worldwide-cybersecurity-market-sizingand
projections. html
        \26\ Eric Rabe, the chief communications counsel for Hacking 
Team, provided the interesting insight stating in an email to me that 
Hacking Team attempts to learn about any possible abuse by vetting 
clients, monitoring reports of abuses, ``require[ing] certain behaviors 
which we outline in our contract,'' and ``may decided [sic] to suspend 
support for that client's system rendering it quickly ineffective.'' 
His latter comment suggests that it is possible for some products to 
render such technology ineffective quickly even after the delivery of 
the system when the customer is found to contribute to human rights 
violations. See also: http://www.slate.com/articles/technology/
future_tense/2014/05/wassenaar_arrangement_u_s
_export_control_reform_keeping_surveillance_tech.html
        \27\ http://www.theguardian.com/world/2012/jul/13/arms-trade-
arab-and-middle-east-protests
        \28\ https://langevin.house.gov/press-release/langevin-
statement-obama-administrations-decision-renegotiate-wassenaarintrusion
        \29\ https://cdt.org/files/2015/07/JointWassenaarComments-
FINAL.pdf
        \30\ An alternative to creating this new list would be 
selecting or combining existing lists from the Commerce Country Charts: 
https://www.bis.doc.gov/index.php/forms-documents/doc--view/14-
commerce-country-chart
        \31\ http://www.worldpoliticsreview.com/authors/1798/tim-maurer 
https://oversight.house.gov/wp-content/uploads/2016/01/McGuire-
Symantec-Statement-1-12-Wassenaar.pdf
        \32\ https://oversight.house.gov/wp-content/uploads/2016/01/
McGuire-Symantec-Statement-1-12-Wassenaar .pdf
        \33\ https://www.lawfareblog.com/can-export-controls-tame-
cyber-technology-israeli-approach
        \34\ http://mfa.gov.il/MFA/InnovativeIsrael/ScienceTech/Pages/
PM-Netanyahu-addresses-5th-International- Cybersecurity-Conference-23-
Jun-2015.aspx
        \35\ http://www.guardian.co.uk/technology/2011/nov/01/
governments-hacking-techniques-surveillance
        \36\ https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-
know-your-customer-standards-sales-surveill
anceequipment
        \37\ https://www.globalnetworkinitiative.org/
        \38\ Yet, as long as there are companies whose business does 
not depend on brand reputation and who refuse to follow due diligence 
with respect to human rights, three is need for a regulatory framework 
to provide a legal basis for governments to act if necessary.
        \39\ http://www.whitehouse.gov/the-press-office/2012/04/23/
executive-order-blocking-property-and-suspending-entryunited-states-cer
        \40\ http://eur-lex.europa.eu/LexUriServ/
LexUriServ.do?uri=OJ:L:2012:016:0001:0032:EN:PDF
        \41\ https://www.treasury.gov/resource-center/sanctions/OFAC-
Enforcement/Pages/20120423--33.aspx
 



                              ----------                                



This is an official publication of the Commission on
Security and Cooperation in Europe.

< < < 

This publication is intended to document
developments and trends in participating
States of the Organization for Security
and Cooperation in Europe (OSCE).

< < < 

All Commission publications may be freely reproduced,
in any form, with appropriate credit. The Commission
encourages the widest possible dissemination of its
publications.

< < < 

http://www.csce.gov       @HelsinkiComm

The Commission's Web site provides access
to the latest press releases and reports,
as well as hearings and briefings. Using the
Commission's electronic subscription service, readers are
able to receive press releases, articles, and other
materials by topic or countries of particular interest.

Please subscribe today.