New legislation being considered in Congress would prevent US companies from aiding the censorship and surveillance operations of repressive foreign governments. The Global Online Freedom Act (GOFA), sponsored by Chris Smith (R-NJ), would track foreign Internet monitoring and blocking efforts under a new Office of Global Internet Freedom and would prevent US tech firms from handing over sensitive user information to so-called Internet-Restricting Countries. (Internet Restricting Countries, or IRCs, would be those that were “directly or indirectly responsible for a systematic pattern of substantial restrictions on Internet freedom.” China would be included, of course, but what about Australia or Finland?) On balance, GOFA would help the cause of Internet freedom, or at least provide a better understanding of surveillance worldwide. Yet some of the provisions are misguided, and could actually hurt the cause GOFA aims to further.
Let’s focus on Section 201, which would prevent US companies from “locating” sensitive user information within Internet-Restricting Countries. Just what “locating” means here is not entirely clear: is a Chinese GMail subscriber’s email located on her own computer, in Mountain View, California, or on one of the many routers in between? Regardless, the goal here would be to make it more difficult for Internet-restricting governments to claim jurisdiction over, and gain access to, user data.
Unfortunately, as the Center for Democracy and Technology makes clear (pdf), Sec. 201 would almost certainly fail to achieve its objective, and might actually cause more harm than good. If US companies couldn’t place important servers within IRCs they would be forced to degrade some low-latency services (e.g. IM) and discontinue others (e.g. VoIP). This would discourage US investments in these countries and encourage less scrupulous foreign companies to take their place.
More importantly, Section 201 would be unlikely to impact IRCs jurisdictional claims. As Internet law rapidly evolves, countries have repeatedly and successfully demanded that information be controlled or monitored, even when that information is hosted outside their borders. Forcing US companies to locate their servers outside IRCs would only make their services less reliable; it would not make them less regulable.
If the goal of GOFA is to discourage US companies from violating human rights, then it will probably be successful. But if the goal of the Act is to make the Internet more free and more safe, and not just push rights violations on foreign companies, then more must be done. Here are three suggestions that together might accomplish what Sec. 201 aims to do:
- Publicize privacy restrictions: If companies are clear with their users that they intend to follow the laws of IRCs, users will be less likely to put dangerous content online. Many of the largest ICT firms are already working in coordination with the Berkman Center to create an industry standard for disclosing their privacy policies.
- Push privacy protection to the edges: By giving users in IRCs access to privacy protection technologies like Tor or Anonymizer, users will be able to protect their own privacy without government mandates.
- Make that push to the edges possible: Protections against surveillance are pointless if content is automatically filtered. Congress can mandate export controls against IRCs, preventing US companies from selling filtering technologies to these countries. In fact, GOFA begins the process of mandating just such export controls.
GOFA is, on balance, a step in the right direction. But the problems with Sec. 201 show that the government cannot protect the Internet openness by itself. These suggestions would shift some of that responsibility for protecting freedom and innovation towards interested individuals and responsible companies.
-Brendan Ballou

