In recent weeks, a Brazilian court ordered the nationwide blocking of Elon Musk’s X (formerly Twitter), while a French court ordered the detention of Telegram’s CEO, Pavel Durov. These cases are high-profile examples of the kinds of increasingly bold actions that even democratic, law-abiding states are willing to take against social media platforms. And they represent the latest twists in a much larger narrative—one that appears to be heading toward a pivotal and potentially climactic moment as the United Nations (U.N.) considers a U.N. Convention Against Cybercrime, which would facilitate law enforcement access to private data. That treaty, the result of a years-long Russia-led effort, would put the privacy, data, and safety of dissidents, journalists, and activists around the world at risk. This poses a clear challenge to the democratic vision for a free, open, interoperable Internet, putting the United States and its allies on the spot.
Background
Efforts to regulate communication online have been around since the beginning of the commercial Internet. Like other technologies before it, the Internet destabilized existing communication and power dynamics, causing gatekeepers to seek levers and leverage to control it. But the Internet, due in part to its open protocols, multistakeholder governance, and economic impacts, has proven difficult to control.
The tactics and technologies of control have evolved over time. As detailed in company transparency reports, governments around the world have issued a staggering and increasing number of legal and extralegal demands to access user data and/or censor certain content. These demands often fail. Sometimes that is because companies do not have a physical presence in the requesting jurisdiction, or because they take principled positions to avoid complying with inappropriate demands. There are also blocking statutes that can create conflicts of laws for these companies. In other cases, failure stems from the inability or unwillingness of states that have jurisdiction over the data/content to compel such transfers. In response, governments have expanded their toolkit, deploying blunt techniques like network shutdowns and employing technical tools such as interception or filtering to get around tech companies.
For many years, a broad cross-section of companies, advocates, academics, and investors have insisted that the right way to distinguish legitimate exercises of state authority over tech companies and the data and content they control is to evaluate them through the principles established under international human rights law. These principles have unassailable legitimacy and establish a consistent, global baseline of application that bolsters the free flow of communication and data across borders, while allowing for narrowly-tailored and proportionate regulation to address discrete and demonstrated harms.
The X and Telegram Cases
When seen through the human rights lens, a few aspects of the X and Telegram cases are worth emphasizing. First, it is notable that both are unfolding in countries that are democratic and largely rule-of-law abiding. There doesn’t seem to be any serious argument that the laws and processes being used are illegitimate. For instance, the French prosecutor’s underlying investigation, its resulting demands, and the charges for willfully neglecting them appear to be appropriate (assuming the charges are factually accurate). But greater transparency about the nature of the case against Telegram and the authority used to detain its CEO would help reassure worried critics. Furthermore, the inclusion of additional, arguably unnecessary charges of failing to register and deposit the source code of the app’s encryption protocol under an obscure French law has touched on a raw nerve.
Notwithstanding persistent grumbling from law enforcement, most stakeholders agree that the security and privacy costs of protecting strong encryption outweigh the benefits of weakening it to facilitate prosecutions. As others have pointed out, among major messaging services, Telegram actually deploys encryption quite infrequently. Given this, the decision to include those charges has been seen by some as an opportunistic attempt to establish a much broader executive power and precedent whose impact would resonate far beyond the case, platform, and country at hand.
Similarly, the case against X is based on Brazil’s heralded Internet legal framework, and the ruling for failure to comply with legitimate orders seems straightforward. However, Brazilian Supreme Court Justice Alexandre de Moraes’ confounding determination that X does not have standing to appeal his decision to block accounts on its platform seems dubious. And his widely criticized orders to block Virtual Private Networks (VPNs) across the country and levy severe fines against anyone in Brazil who attempts to circumvent the ban through them are clearly disproportionate, as de Moraes himself partially acknowledged by rescinding the former aspect of his ruling. Over the weekend, it was reported that X has agreed to comply with the orders against it. However, the appeals brought by other actors against various aspects of the orders remain active.
Going Forward
While these cases are emblematic of the high-stakes legal challenges that government demands can generate, most of these interactions take the shape of private, sometimes even secret orders. Those daily, lower-profile demands are the ones likely to be impacted most by the U.N. Convention Against Cybercrime, a new international treaty that passed with little fanfare out of a bizarre U.N. process known as the Ad-Hoc Committee on Cybercrime. This process, which was initiated and has been heralded by Russia, has produced an agreement that would strengthen the hands of governments trying to use digital evidence to prosecute a broad range of crimes. The draft has been strongly criticized by industry associations and civil society organizations alike, in part due to its broad scope and provisions that require states to implement laws compelling companies to “collect or record” traffic data and content, and disclose “previously unknown vulnerabilities, private encryption keys, or proprietary information like source code.” Despite laudable efforts by democratic states to insert safeguards, the resulting text has failed to satisfy critics, setting up a critical vote later this year at the U.N. General Assembly. If the treaty is passed by the General Assembly, it will only take 40 ratifications to bring the treaty into effect and situate it within the canon of international law.
If that happens, it will serve as a green light for non-democratic governments to mimic their Brazilian and French counterparts, although using less legitimate laws and fewer rule-of-law safeguards. At the same time, the existence of this broad “U.N. treaty” will make it even harder for companies, civil society, and governments to push back when prosecutors and judges push tech companies to roll over on their users’ rights. While strong democratic countries can be expected to hold the line, this treaty creates a permission structure for smaller or less democratic countries (for instance Serbia or Thailand) to comply when Chinese or Russian authorities press them to “follow international law” and assist their efforts. Most of those cases won’t involve tech executives with expensive lawyers and millions of social media followers. Instead, we can expect repressive countries to use this treaty to support transnational repression efforts, pressing others to give up data on dissidents and human rights defenders. Without confidence that companies or other governments will stick up for them, even the threat of prosecution is likely to create significant chilling effects on the exercise of freedom of expression, assembly, and association.
A Call to Action
The United States initially opposed the process to develop this treaty, but later decided to engage. While material improvements have been made along the way, the final outcome has failed to satisfy critics and the overarching approach it represents is inconsistent with the Biden Administration’s recently announced cyberspace and digital policy strategy, which positions the United States in direct opposition to the Chinese and Russian “vision of global Internet governance that centers on domestic control and top-down, state-centric mechanisms over the existing bottom-up multistakeholder processes.” The United States nevertheless welcomed the final draft, indicating that narrow law enforcement interests may have trumped broader human rights concerns along the way.
The Biden administration should reconsider that position. Rights-respecting governments led by the United States and its allies, together with those representing the activists, journalists, and company personnel who most frequently suffer the consequences of government overreach, can stand up and stop this initiative. A strong cross-section of opposition will signal to other governments that the right way to prosecute cyber crimes and build trust with their citizens, international partners, and tech companies is to pursue narrow and focused investigations within the parameters of international human rights law, with robust mechanisms for increased transparency and accountability in place.