Can the Global Network Initiative Embrace the Character of the Net?
Introduction
When Yahoo! became interested in building upon the surprise success of its services in Vietnam, it was not simply a matter of finding an established partner or setting up local servers, but began with a human rights impact assessment. This process sought to anticipate the potential risks to freedom of expression and privacy in Vietnam that might result from expanded operations, and to develop strategies to mitigate them. What could happen if the Vietnamese authorities determined a blog post to be illegal and demanded its removal, also requesting the author’s name? Ultimately, Yahoo! decided to make its data harder to reach by hosting servers offshore (in Singapore), to reduce vulnerability to external pressure by minimizing the number and responsibilities of staff (hiring only a local sales team, rather than people with operational control), and to implement a series of other policies intended to limit avenues used by government to abridge human rights.1
Although the decisions implied slower service and less robust operations, Yahoo! placed those costs in perspective of previous very difficult and public lessons, most notably, the ugly aftermath of having provided Chinese authorities with information used in the 2005 imprisonment of Chinese journalist Shi Tao.2 This trade of near-term profits for principles (and hopefully, long-term gain) was informed—and required—by a nascent multistakeholder effort called the Global Network Initiative (GNI),3 of which Yahoo! is a founding member. Participants evaluate human rights risks and seek opportunities to mitigate them when considering whether and how to enter a new market. Yahoo!’s motivations were likely diverse, but the actions were aligned with their mission, corporate health and profitability,4 and the preferences of at least some shareholders.5
GNI’s collaborative approach to compensating for the lack of effective legal and policy measures to protect and advance online privacy and expression extends far beyond these assessments, recognizing that genuine progress requires a context of conscious corporate commitment to meaningfully integrate the protection of freedom of expression and privacy into both business practice and corporate culture. For its part, in 2008, Yahoo! created the Business and Human Rights Program, supported by corporate leadership, guided by principles and internal process, staffed by cross-functional teams, tracking an inventory of rights issues, informed by stakeholder engagement, and subject to outside monitoring and accountability.6 These internal developments are complemented, informed, and reinforced by Yahoo!’s participation in the GNI.
From recent postelection violence in Kenya and Moldova facilitated by mobile devices to vibrant online expression in Vietnam, ongoing battles over culturally sensitive (and legally prohibited) imagery online in Turkey and Thailand, and the record proportion of online journalists detained worldwide in 2008, digital tools are associated with voice and power, and governments realize it. Whether as part of the normal sociopolitical milieu or in a moment of crisis, they are increasingly aware not only of the power of new media, but also of the role of private companies in providing—and potentially limiting—that power.
Governments also seem to be more cognizant of the unique characteristics of the Net as compared to traditional media, not only in terms of how these traits might allow it to threaten the status quo, but also where associated weaknesses can lie. However mistakenly, many people have come to understand this vulnerability of information and communication technologies (ICT) companies to government interference as the China Problem, owing in large measure to publicized instances in which Microsoft, Yahoo!, and Google have failed to adequately protect their users’ rights to freedom of expression and privacy. Unfortunately, similar challenges are emerging around the world, oftentimes at the hands of democratic governments, and not only in the Global South, but also in the West.7
In response to these tensions and understanding the complexity of resolving them, a group of companies, civil society organizations, investors, and academics spent over two years creating a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector, and formed an initiative to take this work forward. Proposed by my colleagues John Palfrey and Jonathan Zittrain in the book Access Denied and elsewhere,8 the GNI released foundational documents in October 2008 and publicly launched in December 2008 on the 60th anniversary of the Universal Declaration of Human Rights. The group includes Google, Microsoft, and Yahoo!, along with numerous noncompany participants, such as Human Rights Watch, Human Rights in China, Committee to Project Journalists, Human Rights First, Calvert Investments, Center for Democracy and Technology (CDT), and the Berkman Center for Internet and Society, where I work.
The process has been rewarding and challenging, seeking to move beyond mistrust, hostility, and competition, drawing upon human rights experiences in sectors as far afield as labor and security, and balancing the perspectives and needs of the diverse participants. It began as three separate processes, driven respectively by companies, scholars, and non-governmental organizations. In early 2006, a group of companies first met to draft an industry code of conduct under the joint facilitation of Business for Social Responsibility (BSR) and the Berkman Center. That spring, Orville Schell and Xiao Qiang of the University of California-Berkeley’s Graduate School of Journalism initiated the creation of a code of conduct by academics, in collaboration with the Berkman Center. Meanwhile, CDT convened a third set of actors to deepen understanding, raise issue awareness, and seek solutions. Participants from the three processes met in Oxford in July 2006 and soon agreed to work together.
This chapter examines the context in which GNI has emerged, describes its structure and intentions, explores some concerns, and highlights some of the challenges GNI must address to fulfill its intended purpose. Issues that will impact success include the tensions among structure and flexibility, aspiration and practicality, and refining known approaches and creating new ones. While these considerations play into many elements of the initiative, they are particularly salient with respect to accountability and governance. I offer these thoughts as objectively as possible, recognizing my personal participation throughout the process, to support collective understanding of both this process and emerging institutional approaches to governance in the knowledge society.
Government and Business Collide: Expression and Privacy at Risk
All over the world, companies in the ICT sector face increasing government pressure to comply with domestic laws and practices in ways that conflict with both core elements of their business and their users’ fundamental rights to privately impart and access information and communication. Whether law enforcement officials request a user’s personal information for unknown reasons or a takedown of content that is acceptable in other jurisdictions, companies find themselves in an untenable position in which they must balance their obligation to respect local law with their responsibility to protect the rights of their users. Companies know that resisting a government is costly, perhaps placing their operating license and local employees at risk, but that acceding blindly can have terrible implications for them and their users, and that this tension is ever more part of their business. A (more) sustainable solution is essential.9
Described most comprehensively by Palfrey and Zittrain in Access Denied and informed by the OpenNet Initiative’s research, the problem has been framed in many ways, whether as an ethical issue, a reckless drive for appealing markets, an international legal question, a matter of Internet governance, a trade barrier,10 or an organizational deficit. It is clear that ICT companies (broadly interpreted) face very real challenges with respect to freedom of expression and privacy. Left unchecked, governments seem likely to chip away at these fundamental freedoms, potentially leading companies into a proverbial race to the bottom, with a possibly daunting impact upon these liberties and the other rights they help to protect. Responsible international companies might also choose to withdraw from such markets in order to protect themselves against complicity, thereby further limiting the options of local users and sacrificing the opportunity to engage troublesome governments constructively.
Under the guidance of the Special Representative of the Secretary-General of the United Nations on business and human rights, John Ruggie, the United Nations has developed the Protect, Respect, and Remedy Framework: “Each principle is an essential component of the framework: the state duty to protect because it lies at the very core of the international human rights regime; the corporate responsibility to respect because it is the basic expectation society has of business; and access to remedy, because even the most concerted efforts cannot prevent all abuse, while access to judicial redress is often problematic, and non-judicial means are limited in number, scope, and effectiveness. The three principles form a complementary whole in that each supports the others in achieving sustainable progress.”11
Ruggie’s work recognizes the tremendous power of business but points out that markets work best when they exist in the context of rules and institutions. While he identifies governance gaps created by globalization as a root cause of the often uneasy and sometimes negative relationship between business and human rights, he also notes that most businesses do not actually have systems to know when they are causing harm.
Government Steps In: Policy and Regulatory Responses
While business has focused its requests on the executive branch, requesting bilateral assistance in individual cases and on trade issues, civil society has been more likely to call for proscriptive legal solutions, spurring significant legislative interest.12 Such approaches face many challenges, including law’s tendency to trail technology because of its rapid pace of change, evolving business models, unanticipated user behavior, and unpredictable government action, to say nothing of the cultural differences and juris-dictional issues associated with globalization and the Internet. These factors, combined with the desire to support continued innovation and creativity in the ICT space, suggest that specific legal interventions or policy prescriptions may be premature, or may even risk taking a step backward.
A varied group of supporters within the U.S. Congress has harnessed members who are rights supporters and China-watchers, liberals and conservatives, to raise issue awareness. Holding frequent hearings and considering the Global Online Freedom Act (GOFA)13 annually for the past three years, their actions may occur at the intersection of policy and politics, but they have created invaluable urgency for companies to take action. Amid many other legitimate concerns, CDT has criticized GOFA for creating an adversarial relationship with companies, rather than a collaborative one.14 For its part, the U.S. Department of State created the Global Internet Freedom Task Force to track the issue and engage with foreign governments, but along with the Department of Justice, the State Department also expressed concern over GOFA.15 The shortest version of our analysis at the Berkman Center is that GOFA is simply too blunt, impractical, and inflexible: although the GNI may provide the basis for law over time, we simply do not yet have a clear enough sense of the answers to mandate any particular approach, let alone the proposed one.16
European policymakers have likewise been active on issues related to online expression and privacy on both the substantive and the political fronts. The Council of Europe has offered actionable insights, including fostering understanding and developing useful guidance for the interactions between ICT service providers and law enforcement17 and providing clear and detailed guidance on human rights issues for ICT providers.18 The European Parliament weighed in on security and freedom online, calling for sustained engagement and expressing interest in developing a multistakeholder initiative.19 It has also recommended the creation of a code of conduct for freedom of expression.20 Parliamentarians from across Europe also introduced a version of GOFA,21 leading Viviane Reding, European Commission Lead Member on the Information Society, to express concern over the “heavy” nature of the instruments (including the prospect of forcing companies to withdraw and leave markets to less scrupulous competitors) and to place promise in the GNI.22
Sadly, even as some governments seek to address this problem globally, numerous competing government efforts are under way that will abridge the human rights others are seeking to preserve.23 While problems in developing and transitioning countries first caught the public eye, it is the disconcerting legislation among early Internet adopters that has received attention recently. From proposals for national filtering in Australia to the South Korean government’s requirement for real name registration, efforts to rein in perceived Internet dangers represent troubling examples for countries that are just beginning their policymaking efforts related to the Internet.
Stakeholders Unite: Global Network Initiative
Recognizing profound challenges associated with the broad spectrum of laws and practices related to freedom of expression and privacy in states around the world, as well as the laws and standards of home countries, employees, shareholders, and the international community, some ICT companies decided not to continue down this path in isolation. The initial framing was inspired substantially by the Sullivan Principles,24 introduced in 1977 as a code of conduct for U.S. companies doing business in apartheid South Africa. An industry-code approach offered the potential to set a higher standard than if companies were left to fend for themselves, allowed them to benefit from the strength of their numbers, and it recognized the need for even dread competitors to unite around certain values—all while retaining control of the expectations.
But given the complexity of the current situation—that it is not simply about companies following the law (or divesting), but also about companies understanding when and how to challenge the law and avoiding conflicts and mitigating risk in the first place—increased expectations alone would have limited impact. Gaining a deeper and wider understanding of the pressures, developing supportive internal process and structure, advancing global transparency, and engaging other stakeholders were judged equally important—and best accomplished collectively. The perspective was not based simply on altruism, but established by recognizing the broader business case, including the fundamental social obligations of which companies have been clearly reminded by human rights organizations, academics, investors, shareholders, and U.S. and European policymakers through protest, legislation, shareholder resolutions, and public criticism. Ultimately, the companies recognized that they faced a serious business problem with profound implications for all human rights.
Conversations about developing a response began in early 2006, with a consensus emerging that underscored the importance of collaboration across sectors, each recognizing that it required the other for understanding, implementation, legitimacy, experience, access, and so on. There was consensus that law and regulation were not currently attending to the challenges that individual companies confronted in seeking to respond responsibly to government requests. An unlikely family was born, including former colleagues, current competitors, and long-time critics, and in which each group needed the other to accomplish its goals and across which there was (perhaps) surprising overlap. There was also a great diversity of views, in particular, on how best to achieve those goals, what to take as givens, and so on.
Beginnings
As the group moved from research and brainstorming to drafting, clear questions emerged. What was the proper balance between aspiration (as manifest in documents and language) and realistic, operational, and evaluable results? How high should the bar be set? How would the noncompany partners (and the world) know whether the company partners were implementing (and maintaining) their commitments? What was the scope of the effort, in terms of company types, technologies, and business models? Should focus go beyond freedom of expression and privacy, extending to other rights, or to rule of law? What were the primary activities in which the group could begin to see results in the near term and create value over time?
The group was able to exploit its institutional and individual differences, using them to flesh out alternatives and implications, and to identify the intersections of ambitious, realistic, meaningful, and sustainable solutions, based on interests and compromise, rather than positions and claiming. Many of these key tensions are discernible within the structure and letter of the GNI, some largely resolved, others to be informed by future learning—an expectation built into the GNI. While the participants brought a wealth of knowledge and experience to the process, our collectively limited understanding was also acknowledged and is reflected in GNI’s adaptive stance.
Beyond identifying common cause, reaching rough consensus for an operating approach was essential for the development of supportive strategies and tactics. These positions are apparent in the documents, both by their presence and their absence. As with the rest of the group decisions, they do not necessarily represent agreement, except in the collaborative context of the GNI. The consensus included support for corporate engagement, the development of tools that accounted for the complexity of the situation, and the notion that we would actively develop understanding and responses over time.
The group, for instance, took the perspective that on balance it was better to have companies operating responsibly even in potentially repressive markets, both in terms of services rendered and the leverage of positive engagement (around transparency and rule of law, in particular). Platforms that many consider self-indulgent or worse, including Twitter (and its 140-character “what are you doing?”), Facebook, and YouTube, have proven to be powerful platforms for activists. (Indeed, in the lead-up to the 20th anniversary of the Tiananmen Square protests, these and others were blocked in China.25) The tools they provide to potentially advance social, economic, and political democracy are especially important in information- and communications-poor settings, as artfully argued by my colleague Ethan Zuckerman.26
Just as we note the power of new technologies to support human rights, it is equally essential to recognize the potential influence of company relationships and process on government behavior. After Microsoft removed Michael Anti’s blog based on a less-than-formal request from Chinese law enforcement, for instance, the company implemented new policies with respect to content takedowns. In addition to limiting removal to the local jurisdiction, Microsoft began requiring “legally binding notice from the government indicating that the material violates local laws,” as well as requiring assurance “that users know why that content was blocked, by notifying them that access has been limited due to a government restriction.”27 Google’s launch of Google.cn, criticized by many for its willingness to censor results, also initiated the practice of appending a warning to filtered search results that notes the removal of certain results according to local law, subsequently instituted by Microsoft and Yahoo!, and later followed by Chinese services including market-leader Baidu.28 Moving forward, strong corporate process may indeed be a great resource for supporting rule of law and fostering increased transparency on free expression and privacy.
Participants
Global Network Initiative participants include ICT companies, nongovernmental organizations, investors, and academics. The founding group of companies comprises Google, Microsoft, and Yahoo!. Academic participants in the GNI are Annenberg School for Communication (University of Southern California); Deirdre Mulligan, Berkeley School of Information (University of California); Berkman Center for Internet and Society (Harvard University); Rebecca MacKinnon, Journalism and Media Studies Centre (University of Hong Kong); and Research Center for Information Law (University of St. Gallen). Investors participating in the GNI are Boston Common Asset Management, Calvert Group, Domini Social Investments LLC, F&C Asset Management, KLD Research & Analytics, Inc., and Trillium Asset Management. Nongovernmental organizations participating in the GNI are Center for Democracy and Technology, Committee to Protect Journalists, Electronic Frontier Foundation, Human Rights First, Human Rights in China, Human Rights Watch, International Business Leaders Forum, Inter-news, and World Press Freedom Committee. The United Nations Special Representative to the Secretary General on business and human rights enjoys observer status. The drafting group also included Amnesty International, Reporters Without Borders, France Telecom, Teliasonera, and Vodafone, none of whom continued to participate in the GNI after launch.
Foundational Elements
The structure and overall approach that emerged from the multiyear process are largely defined by three documents: the Principles,29 the Implementation Guidelines,30 and the Governance, Accountability, and Learning Framework,31 which were released in October 2008 and will be supplemented by the Governance Charter, slated for final approval in September 2009. At the most fundamental, aspirational, and stable level lie the Principles, which express overarching support for international standards centered on expression and privacy, and a commitment to act upon them. The associated Implementation Guidelines provide concrete guidance to companies regarding the realization of the Principles in practice and are intended to reflect developing institutional knowledge and respond to the challenges companies and users face. The Framework describes the initial expectations regarding a supporting organization and the general design of the accountability and learning regime, which both ensures that companies are complying with the Principles and fosters learning within and across GNI participants.
Principles
While implementation will surely prove to be the greatest challenge, the audacious first task of the 20-odd participating organizations—and the essential first step toward orienting the Initiative’s values and goals—was to articulate a common understanding of global principles for freedom of expression and privacy online. In doing so, the GNI drew heavily upon the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), and the International Covenant on Economic, Social, and Cultural Rights (ICESCR), which together constitute the International Bill of Human Rights.32 Within this broad frame, the document highlights the undergirding role of government in respecting, protecting, and promoting human rights, along with the complementary responsibility—and opportunity—of ICT companies to do likewise.
The Principles include a preamble and sections on freedom of expression; privacy; responsible company decision making; multistakeholder collaboration; and governance, accountability, and transparency. The structure and tone balance lofty statements with more actionable commitments within each of these areas, acknowledging the elements of aspiration and implementation in the GNI.
While the GNI limits its explicit focus to online expression and privacy, the Principles recognize the interdependence of all human rights. They call out the particularly important role of expression and privacy in realizing other rights and as guarantors of human dignity. On the more active side, GNI participants commit to protect expression and privacy rights both generally and in the face of laws and government demands that seek to undermine them.
They also acknowledge “narrow” but potentially substantial exceptions to the rights outlined in the ICCPR, including “actions necessary to preserve national security and public order, protect public health or morals, or safeguard the rights or reputations of others,”33 related interpretations issued by international human rights bodies, and the Johannesburg Principles on National Security, Freedom of Expression, and Access to Information.
The sections that describe the key elements of the GNI’s approach—including responsible company decision making; multistakeholder collaboration; and governance, accountability, and transparency—include reference to both higher-level vision and operational commitments. Companies agree to integrate the Principles within their mission, decisions, and culture, and to that end, commit to senior-level involvement, to anticipate risks and opportunities centered on expression and privacy, and to make best efforts to encourage partners and related businesses to also implement the Principles. In recognition of the novel challenges associated with ICT, the Principles point to the value of collaborative strategies that reach across sectors, and agree to engage jointly to advance expression and privacy. The final, and perhaps most notable, element is the commitment to public transparency and accountability in implementation of the Principles—including independent assessment and evaluation of compliance.
Implementation Guidelines
While accounting for the limitations of the GNI’s current incipient understanding of effective strategies and tactics, the Guidelines promise actionable steps for ICT companies that constitute compliance with the Principles and provide an initial framework for collaboration among participants. Drawing upon collective experience to date, they are designed as a starting point, prepared to incorporate lessons as the GNI and its participants discern them.
The expectations cover roughly the same terrain as the Principles, but place “responsible company decision making” first, suggesting the overall frame within which the activities occur. Companies are expected to form internal cross-functional teams to lead implementation, to train employees (and the board) on approaches and procedures, to provide whistle-blowing mechanisms for employees, and to encourage business partners and others to adopt the Principles.
With a priority placed on preventing incidents, participants will undertake human rights impact assessments to identify circumstances when expression and privacy rights may be jeopardized or advanced (e.g., entering new markets; designing and introducing new technologies, products, or services; selecting partners; responding to policy change) and develop steps to mitigate risks and to leverage opportunities. Companies will elaborate procedures and policies that govern these occurrences and the possible issues that arise within them.
The Guidelines state that authorities seeking to limit expression or privacy will be expected to do so in writing along with the legal basis for the restriction and the name of the requesting official, and that when required by governments to limit access to information and ideas, companies will interpret laws and requests narrowly and communicate actions to users when legally permissible. When they are confronted with a practice that appears inconsistent with domestic law and procedures or international human rights laws and standards on expression or privacy, companies will challenge it. Companies will document these requests and demands to permit tracking and review.
Governance, Learning, and Accountability Framework
Much of the value of the collective is created by means of the activities described in the Framework, which include the GNI’s organizational structure and responsibilities, along with those of the participating companies and the independent assessors. The Framework covers basic institution-building responsibilities including recruiting of new participants and outreach, fostering learning and collaboration on policy issues, offering a communications channel for external parties and users, publishing an annual report, and creating an accountability mechanism.
Independent monitoring, which begins with an orientation toward process and becomes increasingly comprehensive over the GNI’s first five years (ultimately including incident review), supports corporate accountability, remediation where necessary, development of good practice among participants, and continued evolution and refinement of the GNI. The accountability process moves from capacity building (2009-2010), to independent process review (2011), and independent process and case review (2012 and beyond). The phasing process was designed to accommodate the lack of existing capacity to conduct monitoring and assessment in the ICT space, with the recognition that assessment would have to parallel a gradual learning process, evolving alongside the GNI and company implementation. During the first phase, the board develops independence and competence criteria for monitor selection as well as operational guidance for assessors, while the companies initiate implementation of the Principles, and the organization focuses on learning and outreach.
The second phase expects the companies to have fully implemented the Principles and provided a detailed report of its internal processes to the organization. Based on this report, an assessor (or team, more likely) who meets the GNI’s criteria and is selected by a company will review that company’s processes in operation. In preparing their report, assessors draw upon other relevant materials from the company, except in cases of reasonable legal limits to disclosure, preservation of attorney-client privilege, or protection of trade secrets.
In addition to facilitating the assessment process, the organization will review the accountability process with an eye to necessary improvements, while also informing the board of the results of individual assessments. In conjunction with GNI participants, the organization develops “clear, achievable guidelines” for compliance with the next phase of assessment based on experience to date.
In the third phase, the board accredits a pool of eligible assessors, identifying any concerns related to independence for particular companies, and companies draw from this pool, with the board resolving any resulting concerns. With GNI’s guidance, the assessor goes beyond process, examining actual incidents and company responses to government requests, providing recommendations for improvement and a detailed report to the GNI on the company’s implementation of the Principles. Based on this and accounting for any changes the company has made in response to the findings, the board will determine whether the company meets GNI expectations and share that finding publicly.
As in the previous phase, companies may choose to withhold certain information based on legal limitation (as in the case of a national security letter), for the preservation of attorney-client privilege, or to protect trade secrets, but will be expected to provide as much information as possible as to any specific limitations on their responses. Withholding and the reasoning behind it will be reported and factored into the findings and may render the assessor unable to certify compliance.
Criticisms and Challenges
Lackluster Participation
As varied as the group is in many respects, the Global Network Initiative clearly lacks culturally and geographically diverse participation, and is likewise limited in terms of the range of participating organizations within sectors, and companies in particular, which is surprising given the expectation of diverse corporate approaches to business and technology and the avoidance of techno-deterministic solutions. For instance, with the tremendous influence of telecommunications companies and recent issues to date (e.g., warrantless wiretaps or TOM-Skype surveillance),34 their absence represents an important and missing piece of the puzzle. Their participation throughout the drafting process suggests that the model should be fairly well suited to their interests, and yet they chose not to continue. Likewise, given the potential for explosive growth and expansion within the ICT space, the lack of small companies is notable—and troubling. From a strategic perspective, their inclusion is important to ensure diversity of perspective and practicability of approach, to say nothing of orienting them to human rights issues at the stages when integration with corporate functioning may be easier.
These deficits do not necessarily reflect a lack of GNI commitment to identifying additional partners and are likely a result of some combination of its early stage of organizational development, a market reaction, and limited outreach capacity. In each case, however, GNI must ask what it needs to do to attract these groups, and also whether their absence has some larger significance. Legislators, shareholders, and other stakeholders should also consider whether they offer a sufficiently ample reward—and urgency—for companies to make the investments necessary to participate in GNI. Given that neither non-Western nor start-up companies took part in the drafting process (a path passively taken and reluctantly accepted by the group for expediency), it seems possible that some adaptation of the GNI may be necessary to facilitate their participation, especially those in markets less welcoming to the GNI.
Accommodations could conceivably take many forms, whether some manner of on-boarding or associate membership for those unable to implement the principles immediately, or a private form of participation, either to avoid government scrutiny or to simply focus on collective activities rather than make a public statement. While these types of arrangements might extend participation, they might also diminish the GNI brand and its value to current participants, and will require careful consideration.
Accountability
While Internet companies are new to accountability (perhaps reflecting their libertarian outlook, propensity for confidentiality, and relative corporate immaturity), a reasonable, meaningful, and ambitious approach to accountability was widely viewed within GNI as essential to its success and was a necessity for retaining the diverse coalition that comprises the GNI. Participants were deeply aware of Ruggie’s observation, “The Achilles heel of self-regulatory arrangements is to date their underdeveloped accountability mechanisms. Company initiatives increasingly include rudimentary forms of internal and external reporting....But no universally—or even widely—accepted standards yet exist for these practices....Beyond certain multi-stakeholder systems, like the Fair Labor Association, or third-party verification processes, such as Social Accountability 8000, social audits currently enjoy only limited credibility among external stakeholders.”35 With the credibility of the GNI, and the importance of accountability for learning and behavior change, the GNI spent a great deal of energy examining diverse voluntary initiatives and industry practices, and developing its own regime.
Taking inspiration from researchers36 and practitioners37 who have identified the limits to accountability and proposed a more integrated model, the GNI has sought not to be an organization that is primarily based on accountability, but one that integrates a strong regime alongside and in conjunction with other activities. Only as reports and information are generated, however, will we learn what this means in practice.
Beyond the more common challenges of nonexistent metrics (although relevant ones are perhaps now on offer),38 various needs for confidentiality, and resistant corporate culture, the process is made more complex by GNI’s particular characteristics and the unique attributes of the risks it seeks to mitigate—these include the tension between evaluating aspiration and implementation, the scale and scope of the Internet, and the expectation that responsible companies will sometimes need to resist the law, rather than comply with it. (Companies will choose to comply on some occasions, based on the context, implications, and likelihood of success.) Moving forward, these issues will remain in discussion, because the solutions—whether best or only good practices—do not yet exist. Thus, the accountability process cannot only compare behavior with the model, but must go deeper to separate company implementation of the Principles from the outcome, because the former may have limited efficacy.
As the structure that undergirds the GNI by informing learning and earning public trust, the accountability regime has rightly received a good deal of attention. Indeed, it is complex and important enough that discussions are ongoing within the GNI and will likely be a significant internal focus for years to come. There are specific critiques: the Electronic Frontier Foundation (EFF), Amnesty International, and Reporters Without Borders have publicly questioned whether a company will have undue influence on its assessment teams and whether the companies will withhold potentially damaging information from assessors. The companies are uncomfortable, concerned with the prospect of allowing outsiders to access and share intimate secrets, and eager to find trustworthy and competent assessors. There is broad consensus that it will not be a “gotcha” process, wherein the assessors are trying to “catch” the company, but one in which they work together to identify and address issues over time to keep the company in compliance. The current approach seeks to achieve balance by having the board set independence criteria for the assessors and the GNI assist in resolving concerns, likely along with an elaborate contracting and compensation scheme, but only in implementation will fears be deemed justified or overblown. Indeed, at present, nobody has ever done such assessments, and it is not at all clear who might be both able and interested in doing them.
Ultimately, each of these concerns (and others like them) must be addressed by the accountability regime, as independent monitors report initially on company process and then on actual incidents, in evaluating a company’s implementation of the Principles. This process will be complex, with the assessor needing to determine not only the more straightforward elements of compliance such as whether a training program is in place, but also the difference between lackluster recruitment efforts and GNI flaws. The matters only get weightier, in the case of bad outcomes, discerning between irresponsible company actions and good faith decisions, for instance, if the actions following a human rights impact assessment were sufficient or ill considered, in light of the impact.
The constraint on the accountability platform is that not only must it earn the public trust, but it must do so in a relatively lightweight, scalable, and affordable fashion that reinforces learning across the GNI. As participants, online activity, and government interventions all increase, the regime will need to evolve with the Internet. If it is unable or if it cannot be effective without being overly onerous, ICT companies will not embrace the GNI.
Public Communication and Remedy
As suggested by empirical experience and proposed in Ruggie’s Protect, Respect, and Remedy Framework, offering transparent channels of communication and the potential for remedy is essential to addressing business and human rights concerns, and the GNI views them as essential for the purposes of information gathering and for its own credibility. A means for individual users and other parties to reliably access and communicate with the nascent GNI is still in the design phase and likely to be pilot tested in 2009-2010. While all GNI participants recognize the need for channels for communication, query, and complaint, the sheer number of Internet users is intimidating, and is orders of magnitude different from the equivalent community in the labor or extractive industries, for instance. The participatory expectations common to Internet culture further increase the likelihood of public interaction with the GNI (noting the grass-roots creation of a GNI Facebook group upon launch), suggesting the incorporation of a Web 2.0 approach that not only accepts complaints, but develops and shares information, perhaps even in real-time.
The GNI must be able to consider, review, utilize, or redirect large numbers of external submissions and do its best to keep contributors informed of the progress of their concerns. The GNI recognizes that it faces potential user submissions on any number of general topics, from critiques to requests for participation in GNI. Relevant distinctions must be made between those communications and submissions that concern noncompliance with the Principles. Problems may arise when, for example, poor service, terms-of-service violations (often interpreted as censorship), or the desire for an avenue of appeal is perceived as noncompliance.
According to the Governance Framework, the GNI complaints process should not be triggered until company channels are exhausted, and is for extraordinary circumstances. Complainants may also choose to seek redress through noncompany participants, which may or may not have systems in place to address such inquiries, potentially overloading them or yielding referrals to GNI without sufficient investigation. Given what are likely to be modest resources on the part of GNI, a robust system will be imperative to maintain public trust and access to the system. The pilot program will develop a mechanism that is credible, practical, and effective, while anticipating the challenges posed by the potential scale of complaints and the diversity of end users and issues.
Learning and Understanding
Limited knowledge of current practice among ICT companies and empirical understanding of the problems they face related to online free expression and privacy, in conjunction with the ceaseless changes in business, user behavior, and government responses, mean that learning is perhaps the greatest contribution that GNI can make for participants and other stakeholders. The GNI should leverage the tremendous collective resources and expertise of its participants, but will face the task of finding realistic ways to access and combine them—a task made difficult by legal concerns, secrecy, intellectual property, and other competing agendas. From the development of human rights impact assessments (a process long under way in the GNI) to the generation of useful data to identify emerging issues and trends, to the creation of relevant metrics to help track the state of expression and privacy online worldwide, the Initiative has the capacity to create novel outputs that can inform company and user behavior, as well as government intervention. While more attention has been paid to other areas of GNI, this zone holds the greatest potential to attract new participants and to change behavior in the long term.
Scope and Specificity
While the GNI has been cautiously welcomed, the participants in the process and others outside it have expressed a range of concerns. In many cases, it is simply too early to tell whether these apprehensions will be borne out by experience, but they serve as valuable markers for GNI guidance and evaluation. While all are of consequence, some relate to the core functioning of the initiative, while others relate to significant, but not necessarily essential, details. The EFF, for instance, has noted that the Principles lack a commitment by companies to develop technologies that support privacy and circumvent censorship, a practice that seems to be a reasonable extension of the GNI commitments.39 A host of other such issues were left out for a variety of reasons, including data retention, user-notification on data storage locations and risks, statistics on government requests, and circumvention methods, which have technological, legal, practical, and business implications, and were deemed to be either outside GNI’s scope or too involved to address within its initial phase.
As the GNI’s capacity grows with the hiring of a dedicated staff, the inclusion of additional participants, and the development of robust systems, participants will need to revisit these ideas in greater depth. For those that remain outside its purview, the hope is that the GNI will be able to foster cross-fertilization among a variety of different forums, including governments, advocacy groups, and international organizations. Can EFF’s ideas on technology tools, for instance, be taken up in a joint technology development group?
Of more cross-cutting concern, Amnesty International and Reporters Without Borders40 point to language that they consider too open to interpretation, including companies’ commitment to using “best efforts” to foster GNI adoption among joint ventures, subsidiaries, and the like, as well as the discretion afforded to companies to determine when and how to resist government requests. Responsible company behavior in each is of the utmost importance, and while the language was intended to be realistic and to provide companies with a degree of flexibility (e.g., not all suppliers are relevant, oral requests may be acceptable in cases of imminent harm, fighting every single government request is impractical), it most certainly also provides them with an escape clause, which underscores the role of the accountability process.
Criteria for Success
In order to accomplish the goals of the GNI, there are broad traits present in the design phase that should be retained over time. As the structure, process, and organization develop and respond to existing and emerging concerns, it will be essential to periodically revisit the values that inform the overall approach, especially with respect to its efficacy, adaptability, scalability, transparency, legitimacy, neutrality, and sustainability.
Efficacy Does the operationalization of the Principles recognize that expecting companies to resist government requires balance with respect for the legitimate aspects of government power over expression and privacy, including a spectrum of national standards? Will the accountability regime provide the correct incentives, encouraging company attention to specifics as well as larger and more aspirational activities?
Adaptability With the entire landscape shifting continually, presenting new challenges, opportunities, modes, and pressures, can the GNI create sufficient process to meet current needs while maintaining its flexibility to adapt and improve alongside, or ahead of, the path ahead? Will the organization be caught responding to the new terrain with the methods for traversing that of the past decade, whether in accountability, learning, or public remedy? Can the GNI adjust its vision and mode as the participants—and their needs and perspectives—change?
Scalability Does the approach scale alongside increasing users and uses of ICT, as well as the apparently concomitant increase in government affronts on expression and privacy? How will the GNI attract greater participation? How will the GNI’s internal systems represent the interests of the current 1.6 billion Internet users41 and 4 billion mobile subscribers,42 and what will happen as those numbers grow?
Transparency With an accurate understanding of the issues essential for effective intervention on the part of the policymakers, advocacy organizations, business, and ultimately users (who decide what, if anything, they do online), will the GNI be capable of widely and faithfully conveying what is actually happening? Will statements be supported by data and directly informed by company experience, rather than by anecdote, to promote understanding of systemic issues and trends, contributing to a chain of accountability and building understanding of new/potential pressure points as they emerge over time?
Legitimacy Will the organization earn and keep the public’s trust? Are the accountability processes perceived as both robust and reasonable, are there open channels for communications with the public, is the information shared with the public adequate? How does the GNI distinguish between the progress of the participants and its own advances? How will these developments be evaluated?
Neutrality Can the GNI become a truly global standard, and not be viewed as being unduly influenced or dominated by the interests of any nation, culture, or organization? Will its interventions or recommendations take into account cultural nuance and local knowledge while continuing to uphold high international standards for human rights?
Sustainability Will the GNI and its participants be able to generate the collective and internal resources necessary for implementation and ongoing effectiveness? Will the organization be able to sustain the level of activity to which it has committed, or come up with creative ways that involve others in this work?
Conclusion
The story has not yet ended for the GNI or for Yahoo!. In December 2008, the Vietnamese government passed a law limiting online political speech and requiring online service providers to report violators, publicly stating its expectations that Google and Yahoo! would contribute to a “healthy” Internet.43 How the situation develops— whether government rests on rhetoric or actually seeks to enforce the new law, and how Yahoo! (and Google and non-GNI companies) responds—will inform company and government strategy in Vietnam44 and suggest the capacity of a self-governing initiative to require its participants to not comply with the law when it conflicts with international human rights standards.
As the GNI moves ahead, observers will rightly ask what to expect—how we will know we have begun to impact company behavior, government approaches, and user conduct online. Perhaps most importantly, they will ask what success will look like. These are hard questions. The GNI was designed by a relatively small group with limited resources, and the fact that it has come this far in a relatively short period of time is objectively impressive, but only when it is tested in the marketplace will the appropriateness of its design begin to become apparent. Initially, beyond reporting on basic commitment, output measures will help, such as growth in participants, creation of data and other learning resources, and policy engagement. Individual examples may also be helpful, for instance, if GNI helps a company address a tough decision or anticipate an emerging issue.
Over time, we must expect positive outcomes, but with so many factors affecting the protection and advancement of free expression and privacy—and the GNI—the causes of success and failure will not always be clear. Measuring impact is difficult in part because the GNI will be successful precisely when it avoids problems and goes unnoticed. Some useful proxies may be increased public awareness of the issues, enlightened government action, and ideally metrics for takedowns and information requests that suggest a combination of waning government abuse and avoidance of increased corporate restrictions.
We are caught between the proverbial rock and a hard place, particularly as society undergoes the complicated process of integrating, adapting, and shaping the role of new media. As it becomes integrated into our lives and livelihoods, the potential for both good and harm continues to grow, along with the responsibility of the businesses providing these services. Thus far, this adoption of the Internet and related technologies has brought not only new challenges, but new tools for addressing them. Rather than resisting change, we need to consider how to guide it using a combination of past experience and innovative approaches.
While there are other broad changes and trends with much deeper social, economic, and political importance, the combination of reach, speed, and accessibility of new media render it a poignant—and challenging—frontier for an increasingly globalized world. The particular contours may well be indicative of other pressing (or emerging) challenges, suggesting that our approach to addressing these challenges may also hold broader lessons for new kinds of institutions and new approaches to policymaking at the nexus of sectors and nations, economics and politics, culture and identity.
1. Michael Samway, “A Wired—and Safe—Vietnam,” Yodel Anecdotal, March 12, 2009, http://ycorpblog.com/2009/03/12/a-wired-and-safe-vietnam/.
2. Rebecca MacKinnon, “Yahoo! Execs Called Moral ‘Pygmies’ in Congress,” RConversation Blog, November 8, 2007, http://rconversation.blogs.com/rconversation/2007/11/yahoo-execs-cal.html.
3. Global Network Initiative, “Global Network Initiative,” http://www.globalnetworkinitiative.org/.
4. Reo Research, Managing Access Security and Privacy in the Global Digital Economy (F&C Investments, January 2007), http://www.business-humanrights.org/Documents/FandC-study-tech-risks -Jan-2007.pdf.
5. Elinor Mills, “Pension Fund Nudges Google, Yahoo on Censorship,” CNET News.com, December 14, 2006, http://news.cnet.com/8301-10784_3-6143860-7.html.
6. Michael Samway, “Business and Human Rights,” Yodel Anecdotal, May 7, 2008, http://ycorpblog.com/2008/05/07/business-and-human-rights/.
7. Rebekah Heacock, “Australia’s Conroy Named Internet Villain of the Year,” OpenNet Initiative Blog, July 13, 2009, http://opennet.net/blog/2009/07/australias-conroy-named-internet-villain -year.
8. Jonathan Zittrain and John Palfrey, “Reluctant Gatekeepers: Corporate Ethics on a Filtered Internet,” in Access Denied: The Practice and Policy of Global Internet Filtering, ed. Ronald J. Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain (Cambridge, MA: MIT Press, 2008), 103-122.
9. Jeffrey Rosen, “Google’s Gatekeepers,” New York Times Magazine, November 28, 2008, http://www.nytimes.com/2008/11/30/magazine/30google-t.html?_r=l.
10. Tim Wu, “The World Trade Law of Internet Filtering” (working paper, Columbia University, Law School, May 3, 2006) http://ssrn.com/abstract=882459; Jack Goldsmith and Tim Wu, Who Controls the Internet? Illusions of a Borderless World (New York, NY: Oxford University Press, 2006).
11. United Nations Human Rights Council, Promotion and Protection of All Human Rights, Civil, Political, Economic, Social and Cultural Rights, Including the Right to Development— Protect, Respect and Remedy: A Framework for Business and Human Rights, April 7, 2008, http://www.reports-and -materials.org/Ruggie-report-7-Apr-2008.pdf.
12. Arvind Ganesan, “Viewpoint: Why Voluntary Initiatives Aren’t Enough.” Leading Perspectives, Spring 2009, http://www.bsr.org/reports/leading-perspectives/2009/LP_Spring_2009_Voluntary _Initiatives.pdf.
13. U.S. Congress, H.R. 275 [110th]: Global Online Freedom Act of 2007, 2d sess., Rep 110-481, February 22, 2008, http://www.govtrack.us/congress/bill.xpd?bill=hl 10-275.
14. Center for Democracy and Technology, “Analysis of the Global Online Freedom Act of 2008 [H.R. 275]: Legislative Strategies to Advance Internet Free Expression and Privacy Around the World,” May 2, 2008, http://www.cdt.org/international/censorship/20080505gofa.pdf.
15. U.S. Department of State, “State Summary of Global Internet Freedom Task Force,” December 20, 2006, http://www.america.gov/st/freepress-english/2006/December/ 20061220173640xjsnommis0.7082331.html.
16. John Palfrey, “Testimony on Internet Filtering and Surveillance,” John Palfrey Blog, May 20, 2008, http://blogs.law.harvard.edu/palfrey/2008/05/20/testimony-on-internet-filtering-and -surveillance/.
17. Council of Europe, Directorate General of Human Rights and Legal Affairs, Guidelines for the Cooperation between Law Enforcement and Internet Service Providers against Cybercrime, April 2, 2008, http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_activity_Interface2008/ 567_prov-d-guidelines_provisiona12_3Apri12008_en.pdf.
18. Council of Europe, Directorate General of Human Rights and Legal Affairs, Human Rights Guidelines for Internet Service Providers,2008, http://www.coe.int/t/dghl/standardsetting/media/ Doc/H-Inf(2008)009_en.pdf.
19. European Parliament Committee on Civil Liberties, Justice and Home Affairs, “Proposal for a European Parliament Recommendation to the Council on Strengthening Security and Fundamental Freedoms on the Internet,” June 1, 2009, http://www.europarl.europa.eu/meetdocs/2004 _2009/documents/pr/755/755000/755000en.pdf.
20. European Parliament, “European Parliament Resolution on Freedom of Expression on the Internet,” July 6, 2006, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA +P6-TA-2006-0324+0+DOC+XML+V0//EN&clanguage=EN.
21. Jules Maaten et al., “Proposal for a Directive of the European Parliament and of the Council Concerning the EU Global Online Freedom Act,” 2008, http://www.julesmaaten.eu/_uploads/ EU%20GOFA.htm.
22. Viviane Reding, “Freedom of Speech: ICT Must Help, Not Hinder” (speech presented at the Event on the Idea of an EU “GOFA” EP Plenary Session, Strasbourg, February 3, 2009), http://ec.europa.eu/commission_barroso/reding/docs/speeches/2009/strasbourg-20090203.pdf.
23. Art Brodsky, “Global Internet Freedom—What a Concept for America,” TPMCafé, May 26, 2008, http://tpmcafé.talkingpointsmemo.com/2008/05/26/global_internet_freedom_what_a/.
24. John Palfrey and Jonathan Zittrain, “Perspective: Companies Need Guidance to Face Censors Abroad,” CNET News.com, August 14, 2007, http://news.cnet.com/Catalysts-for-corporate -responsibility-in-cyberspace/2010-1028_3-6202426.html.
25. Rebecca MacKinnon, “China Blocks Twitter, Flickr, Bing, Hotmail, Windows Live, etc. Ahead of Tiananmen 20th Anniversary,” RConversation Blog, June 2, 2009, http://rconversation.blogs .com/rconversation/2009/06/china-blocks-twitter-flickr-bing-hotmail-windows-live-etc-ahead-of -tiananmen-20th-anniversary.html.
26. Ethan Zuckerman, “The Cute Cat Theory Talk at ETech,” My Heart’s in Accra, March 8, 2008, http://www.ethanzuckerman.com/blog/2008/03/08/the-cute-cat-theory-talk-at-etech/.
27. Jack Krumholtz, “Congressional Testimony: ‘The Internet in China: A Tool for Freedom or Suppression’?” Committee on International Relations, Subcommittee on Africa, Global Human Rights and International Operations and the Subcommittee on Asia and the Pacific, February 16, 2006. http://www.microsoft.com/presspass/exec/krumholtz/02-15WrittenTestimony.mspx.
28. Nart Villeneuve, “Perspectives on Transparency,” Nart Villeneuve: Internet Censorship Explorer, June 26, 2008, http://www.nartv.org/2008/06/26/perspectives-on-transparency/.
29. Global Network Initiative, “Principles,” 2008, http://www.globalnetworkinitiative.org/ principles/index.php.
30. Global Network Initiative, “Implementation Guidelines,” 2008, http://www.globalnetworkinitiative.org/implementationguidelines/index.php.
31. Global Network Initiative, “Governance, Accountability and Learning Framework,” 2008, http://www.globalnetworkinitiative.org/governanceframework/index.php.
32. United Nations General Assembly, The International Bill of Human Rights,1948, http://www.unhchr.ch/html/menu6/2/f s2.htm.
33. Global Network Initiative, “Principles,” 2008, http://www.globalnetworkinitiative.org/ principles/index.php.
34. Nart Villeneuve, “Breaching Trust: An Analysis of Surveillance and Security Practices on China’s TOM-Skype Platform” (Information Warfare Monitor/ONI Asia, October 1, 2008), http://www.nartv.org/mirror/breachingtrust.pdf.
35. John G. Ruggie, “Business and Human Rights: The Evolving International Agenda” (working paper, Corporate Social Responsibility Initiative, John F. Kennedy School of Government, Harvard University, 2007), http://www.hks.harvard.edu/m-rcbg/CSRI/publications/workingpaper_38 _ruggie.pdf.
36. Richard Locke and Monica Romis, “Beyond Corporate Codes of Conduct: Work Organization and Labor Standards in Two Mexican Garment Factories” (working paper, MIT Sloan School of Management, 2006), http://mitsloan.mit.edu/newsroom/pdf/conduct.pdf.
37. Fair Labor Association, “2007 Annual Report,” November 2007, http://www.fairlabor.org/ images/WhatWeDo/2007_annualpublicreport.pdf.
38. Derek E. Bambauer, “Cybersieves,” Duke Law Journal,59 (2009), http://ssrn.com/abstract =1143582.
39. Danny O’Brien, “Sign on Letter,” Electronic Frontier Foundation, http://www.eff.org/files/ filenode/gni/signon_letter.txt.
40. Reporters Without Borders, “Why Reporters Without Borders Is Not Endorsing the Global Principles on Freedom of Expression and Privacy for ICT Companies Operating in Internet-Restricting Countries,” October 28, 2008, http://www.rsf.org/article.php3?id_article=29117.
41. Miniwatts Marketing Group, “World Internet Usage Statistics News and World Population Stats,” InternetWorldStats.com, March 31, 2009, http://www.internetworldstats.com/stats.htm.
42. International Telecommunications Union, “Press Release: Worldwide Mobile Cellular Subscribers to Reach 4 Billion Mark Late 2008,” September 25, 2008, http://www.itu.int/newsroom/ press_releases/2008/29.html.
43. Radio Free Asia, “Vietnam to Police Blogs,” December 9, 2008, http://www.unhcr.org/ refworld/docid/496234c3c.html.
44. Douglas MacMillan, “Yahoo’s Delicate Dance in Vietnam,” BusinessWeek, May 28, 2009, http://www.businessweek.com/technology/content/may2009/tc20090528_660986.htm.