As 2013 draws to a close, it is clear that one of the crucial issues facing the world generally, and the ICT sector specifically, is that of privacy and security of electronic communications. The Snowden revelations regarding the extensive surveillance operations of the US National Security Agency, and subsequent revelations that other governments conduct similar activities, are very disturbing because they undermine the fundamental precepts of privacy, trust and confidence that are necessary to sustain electronic relationships and commerce. Any failure of trust and confidence in information systems, in terms of their ability to maintain the confidentiality, integrity and availability of the information therein, represents a serious challenge to efficiency, productivity, growth and development enabled by information technologies.
Hence, it is incumbent on the ICT industry, globally, to have a clear statement of policy in response to this confidence threat.
Leadership is already in place through the open letter sent by 8 information technology firms to the US President, and Members of Congress, initiating the Reform Government Surveillance campaign. This is a campaign that should be extended to all the world’s governments.
WITSA is responding to this issue, and will develop a policy statement to guide related actions by WITSA members for use in discussions with their governments. WITSA’s public policies are evidence and principle-based, and the following are some principles relating to information privacy, security and surveillance, upon which we are seeking feedback:
- All people of the world have a right to privacy and confidentiality, which means to control access to themselves and certain information about themselves that maintains their dignity.
- They have a right to request that information affecting their privacy be treated confidentially when circumstances require disclosure of such information to a third party.
- Third parties receiving such information have a fundamental obligation to maintain the confidentiality of such private information shared with them, and only to share such information with the express permission of the person from whom the information was collected.
- Any breach of the confidentiality of private information held by third parties must be immediately notified to the persons affected, and all reasonable steps taken to re-secure the information holdings henceforth.
- The only exceptions to this are those that arise in clearly serious circumstances, such as an imminent risk to the person or another, or where there are overwhelming legal or societal interests.
- Governments must openly acknowledge and codify the privacy rights of their citizens and residents, the importance of maintaining trust and confidence in the free flow of information both within and across national borders, and avoid taking any actions that, without reasonable and specified cause, may undermine the confidentiality, integrity and availability of such information.
- In order to maintain the rule of law, we acknowledge governments need to undertake surveillance in an effort to detect and remove clear and present risks of terrorism and other criminal activity, but this activity is expressly limited in scope and scale, which should be articulated clearly and transparently in legal statute(s) reviewed by democratic processes. These activities are expressly limited by their reasonableness, relationship, and relevance, i.e., that the surveillance contemplated:
  - arises from generally accepted concepts of reasonable suspicion and due cause, based upon independent judicial authorization;
  - relates directly to that basis and purpose; and
  - is a relevant means of surveillance in the circumstances.
- The activities of intelligence and law enforcement agencies in conducting surveillance activities as set out above should be undertaken within a transparent legal framework, where actions are subject to timely, independent judicial review to ensure full accountability of the agencies for their actions.
- All government surveillance activities should be reported transparently, publicly and promptly in terms of their frequency, mode of surveillance, timing and location. All requests for surveillance cooperation or access placed on corporations and organisations should similarly be reported promptly, and at least annually, and there should be no restriction on corporations and organisations themselves reporting on requests received in similar terms.
- Governments must work together to develop a robust, principled, and transparent framework to administer requests for data across jurisdictions through mutual legal assistance treaties. Where conflicts of laws arise across jurisdictions, governments must work together, reasonably and openly, to resolve them.
What do you think? Do these principles cover the field? What suggestions, additions and modifications do you have? Please contribute by commenting below.
You may also send comments directly to WITSA at firstname.lastname@example.org.