Our conventional understandings of policy and our abilities to effect change in national discourses tend to rely on a single-state deliberative process. Increasingly, however, the dynamics of policy-making are changing alongside other phenomena such as trans-national communications networks, globalisation of social and economic activities, and international and substate threats of crime and terrorism.
We need to study the dynamics of modern policy development, particularly focussing on policy laundering, modelling, and forum shifting, while attempting to engage these policies and their proponents. Policy laundering is a practice where policy-makers make use of other jurisdictions to further their goals, and in so doing they circumvent national deliberative processes. Modelling occurs when governments, overtly through calls of harmonization or subtly through quiet influence and translating of concepts, shape their laws based on laws developed in other jurisdictions. Forum shifting occurs when actors pursue rules in inter-governmental organisations (IGOs) that suit their purposes and interests, and when opposition and challenges arise, shift to other IGOs or agreement-structures.
There are two implications of these new policy dynamics. First, national consultative processes disappear or are weakened, as important policy decisions take place outside of democratic institutions. For example, frequent calls for 'harmonisation' through treaty ratification and perceived international obligations inhibit the likelihood and effectiveness of traditional national deliberation, while these treaties are negotiated in closed environments. And second, policies are shaped by foreign interests and foreign processes. As an example, the European Union privacy practices are under review because of the influence of recent U.S. laws on travel documentation and procedures.
The activity of inter-governmental organizations appears, in many cases, to lead the way in developing policy in the 'age of globalisation'. If our policy challenges are international in nature, and the infrastructure of trade and communications is also global, then, as the logic goes, we need global solutions developed by international fora. And these international fora are eager to be active and relevant.
This is best illustrated by the response to the terrorist events of September 2001. The United Nations responded with Resolution 1368 calling on increased cooperation between countries to prevent and suppress terrorism. The North American Treaty Organisation (NATO) invoked Article 5, claiming an attack on any NATO member country is an attack on all of NATO. The Council of Europe (CoE) condemned the attacks, called for solidarity, and also called for increased cooperation in criminal matters. Later the CoE Parliament called on countries to ratify conventions combating terrorism, lift any reservations in these agreements, and extend the mandate of police working groups to include "terrorist messages and the decoding thereof." The European Union responded similarly, pushing for a European arrest warrant, common legislative frameworks for terrorism, increasing intelligence and police cooperation, freezing assets and ensuring passage of the Money Laundering Directive. The Organization for Economic Cooperation and Development (OECD) furthered its support for the Financial Action Task Force on Money Laundering and, along with the Group of Eight Industrialised Nations (G8) and the European Commission (EC), called for the extension of its mandate to combat international terrorist financing. Without a pause, these fora were trying to be relevant whilst extending their mandates.
Cooperation between countries is a complex legal affair; when this cooperation is enshrined within multilateral agreements, the complexity only increases. When these multilateral agreements are created within closed fora of discussion within these IGOs, matters are only more difficult. With this difficulty and complexity come risks to existing legal systems and practices. As countries prepare to ratify the Council of Europe Convention on Cybercrime and continue to create, sign, and ratify other such agreements, the public debate must be informed of the obligations that these conventions and agreements entail, and the risks that may arise.
An alarming, yet key, component of the recent activities of IGOs and their treaties and conventions is the creation of broad mutual legal assistance agreements. If law enforcement agencies from ratifying states are to cooperate, the implications need to be appreciated. Understanding how mutual legal assistance regimes are established, how the treaties function traditionally, and their implications is key to informing decision-makers, policy-experts, civil society, and the general public.
Cooperation is particularly problematic as 'modern' agreements and conventions try to do away with traditional concerns for dual criminality; in fact, these conventions tend to dissuade and sometimes prevent countries from refusing assistance to another country on these grounds. The few grounds for refusal to cooperate are ambiguous and uncertain, e.g. what constitutes a 'political offence' and the notion of 'national sovereignty' is interpretively flexible. These agreements may create situations where a country will be required to collect evidence on an individual without any contravention of domestic law.
The IGOs are rushing to the lowest barrier, however. The Council of Europe was once circumvented in the 1980s because it insisted on dual criminality; so state actors went elsewhere. In the late 1990s as the CoE developed its Convention on Cybercrime, it had learned from this earlier failure to appease its more interested members and clients: this broad convention does not require dual criminality, and in some cases, argues against the notion.
For a number of years, two international bodies were developing agreements for international co-operation for 'high-tech' or 'cybercrime'. The Group of Eight industrialised countries (G8) has been meeting regularly to discuss harmonizing methods, creating new investigative powers, and means of co-operation. Similarly, the Council of Europe, the 43-member-state international treaty-making body, has laboured to create the Convention on Cybercrime.
Both bodies are aiming to ensure harmonisation to enable investigative agencies to investigate and surveil communications and other data without constraint of either time or space. The constraints of space are regulated through international co-operation for these investigative powers: states must respond to requests of assistance from other states. The constraint of time is regulated through expeditious co-operation: in some cases, states may not be told what the co-operation is for, while service providers may be forced to disclose personal information immediately, to foreign police.
The benefit of creating international agreements is that the threat of regulatory arbitrage is diminished: all companies within all of these countries will have similar laws and procedures, producing a fairly distributed set of burdens.
Individuals can be monitored and prosecuted with little regard to borders. Once one country requests co-operation from another, the requested government must respond. An American may be investigated by French authorities if the French have reason to do so; and they may request the assistance of the U.S. government and/or the U.S. communications service provider. It matters very little if the conduct being investigated is legal or illegal in the U.S.; once the French make a request, the U.S. is expected to respond.
There are three rights of refusal to international co-operation, generally. The first is that for particularly sensitive surveillance, i.e. interception of communications, this should only be done for 'serious' crimes. That every country has a different regard for what is 'serious' is disregarded.
Second, countries may refuse to assist if the suspected crime is 'political'; that each country has a differing interpretation of 'political' is also disregarded. Finally, refusal may occur if it prejudices the sovereignty or essential interests of the state.
Again, the CoE has 43 member states, and, even within the G8 countries, each has different laws and regards for these legal terms. Although there may be some consideration of proportionality and adequate protection of human rights, since the 'war on terrorism', what is 'proportional' and 'adequate' is up for interpretation.
In August 2001, the FBI apprehended Zacarias Moussaoui and his computer. A request for a warrant to search his computer was rejected by the Department of Justice as the evidence was weak. As he was a French national, the FBI planned an extradition to France where his computer could be searched under weaker French protections. On September the 11th, this plan was abandoned as the evidence grew.
Another example involves a declaration by Germany in late August 2002, as reported by the BBC, that German authorities would withhold evidence against Moussaoui from the United States unless they can be assured that it will not be used to secure a death penalty. Around this time, it emerged that the U.S. and the EU were negotiating in secret a co-operation scheme that would deal with such situations.
On October 16 2001, President Bush sent a letter to the President of the European Commission requesting assistance in the international effort against terrorism. The list of proposed actions included 'overcoming dual criminality obstacles', 'revise draft privacy directives to permit data retention for a reasonable period', and 'establish adequate capabilities for investigating terrorism cases that involve use of the internet'. This was a call for increased surveillance capabilities to an extent that does not even exist within the U.S., and a reduction of any rights of refusal to international co-operation.
This creates a situation of regulatory arbitrage for governments. That is, if they are constrained by their own laws, judges, and constitutions, they may seek assistance from other countries, using the intricacies of international legal cooperation to their advantage. France had a lower threshold for accessing computer data, so the idea of sending Moussaoui there was considered. The United Kingdom does not require judicial authorisation of interception warrants; the Europeans generally feel that hate speech is criminal; even national security and terrorism are defined differently; recently the Spanish considered redefining terrorism to encompass 'violent urban youthful radicalism'.
We are seeing a situation where investigations are increasing, but the grounds for the investigation are decreasingly being divulged, and the legal obligation to do so across borders is disappearing. Once an act can be defined as criminal or terrorist, even the strongest constitutional protections appear to be weakened by regulatory arbitrage. The myth was that our technology and communications are global. The reality is that the world is filled with overlapping jurisdictions; the new myth is that our rights are protected within this new environment. The regulatory burden about to be placed on ISPs as they are forced to respond to a multitude of requests from abroad with little required justification or reason may be inescapable. Regulatory arbitrage is a power being reserved to governments.
Cybercrime, terrorism, and transnational organized crime are now, together or separate, a part of our policy landscape. In turn, policies arising from this landscape appear to follow a number of trends.
The issues surrounding jurisdiction and globalisation are confusing and sometimes quite constrictive to governments and other actors. A solution is to foster and generate co-operative regimes and structures. Sometimes this co-operation occurs under Mutual Legal Assistance Treaties, other times it occurs under quasi-rules; either way problems may arise.
The current landscape for international co-operation involves, generally, bi-lateral treaties amongst countries. In recent years we have seen the emergence of some multilateral instruments negotiated at Intergovernmental Organisations and other international fora that, since 2001, have seen increasing adoption. However, all countries have different legal systems; how co-operation is to occur within these varying legal systems remains to be investigated in sufficient detail.
National policy discourses before September 2001 at best involved a very rich set of discussions, and a number of problematic policies were laid to rest. The Council of Europe convention on cybercrime had been criticised heavily by both industry and civil society; industry and government negotiations at the G-8 had suffered from a lack of agreement; and a number of privacy invasive technologies had been set aside as their risks were exposed.
In our current policy environment, a number of these policies have re-emerged. The G8 and the Council of Europe policies and instruments are now moving forward with greater momentum; the former released new policy instruments at the 2002 G-8 summit in Canada, and the latter's instrument was signed in November 2001 by over 30 countries. ID cards are proposed in countries despite previous resistance; biometrics and face recognition technologies implemented regardless of reports of their risks and faults; and profiling is re-introduced as a solution to preventing and pursuing criminal and terrorist activity despite known legal problems.
A common trend to the new legislation emerging from September 2001 onwards is the reduction of authorisation and oversight requirements prior to the use of surveillance. A number of countries allowed for ministerial warrants for the interception of communications, or reduced the conditions to the use of invasive investigative methods. Some countries are finding that international instruments are useful for this purpose; one such method will be seen in the fourth trend.
A common articulation for governments that are making changes to their surveillance regimes is that new technology has forced the 'updating' of older laws. For example, the interception of communications laws in a number of countries speak of postal and telephone systems; updates are presumably required to include mobile and internet communications.
One policy strategy used in this updating is technology-neutral policy. Rather than having to create new laws for each new technology that comes about, technology-neutral laws attempt to deal with all technologies equivalently under law. The problem arises, however, that all technologies are eventually treated like the telephone system or some other older infrastructure, despite large differences.
In the U.S., laws previously protected the privacy of an individual's cable television viewing habits because their viewing habits were considered sensitive information. Telephone traffic data, however, is often treated differently: records of who you call and for how long you spoke for are considered less invasive, and thus protected minimally under law. In the USA-PATRIOT Act, passed into law in October 2001, the U.S. government reduced the protection of internet traffic data to the level of telephone traffic data, arguing that technology-neutral law was ideal, despite obvious differences in the sensitivity of this data. Traffic data involving internet devices can include location data, domain names and Universal Resource Locators (i.e. www.computer.tld/file.html), search parameters, telephone numbers, etc.
Meanwhile, the United Kingdom in its Regulation of Investigatory Powers Act 2000 acknowledged the differences in traffic data, and recognised after a rich discourse that some data may in fact be sensitive. Canada is currently considering updating its own laws on lawful access to data, while proposing to ratify the Council of Europe convention on cybercrime. In its current proposals, the Canadian government is arguing that all traffic data should be treated similar to existing law on telephone traffic. Canada is also considering treating all communications service providers the same, whether they are internet service providers, mobile phone service providers, or telephone service providers. It may be said that technology-neutral law, therefore, reflects the interests of the policy-makers.
As countries move to ratify the Council of Europe convention on cybercrime and implement the G-8 policies on high-tech crime, it is important to note that the majority of the substance within the convention and the policy instruments does not deal with cybercrime. Generally they deal with ensuring surveillance capabilities and other procedural powers, and ensuring international application of these powers. The cybercrime content of these instruments is actually quite low.
One may hazard to say that anti-terrorism laws are not necessarily about terrorism either. The substance of many proposed laws around the world has included the creation of new powers that are not limited to terrorist matters. In the United States, for example, an oversight court filed a complaint in May 2002 against the Department of Justice finding that the DoJ previously used anti-terrorism powers to investigate criminal activity, benefitting unjustly from greater powers and reduced oversight requirements.
Just as every legal system has differences amongst one another, as countries adopt international instruments to harmonise their national laws and legal procedures, they will all interpret these instruments differently. Canada's interpretation of the CoE convention is quite different to the content of the convention itself; and surely different to the powers already established within the UK, and even within the U.S. From differing definitions of the technologies, to differences in penalties, oversight and authorisation requirements; these differences create an uncertain landscape for the safeguarding of civil liberties.
Technology is not separate from society: the internet is not something that is separate from us, it is, at least to some extent, part of our daily lives. Treating it as a unique space that must be regulated may be problematic; but at the same time ignoring its constitution and its interaction with law may be hazardous. In fact, doing so may meet the interests of the policy makers.
Technology-neutral policies on lawful access to traffic data, for example, increase the powers of law enforcement by expanding the breadth of application of this power, while access to this data will increase the intrusion into the private life of the individual with only minimal protections and safeguards. As a result, technology policy must be specific in the forms of data collected and accessed, and how it is used.
Just because a problem is international, such as the regulation of global data flows or the pursuing of criminal activity across borders, does not mean that every international solution that appears is ideal. The G-8 and the Council of Europe policies have serious problems including their general lack of regard to the interests of other actors including civil society and industry; as a result I caution against the blind implementation of these instruments into national policy. These also suffered from insufficient discourse with non-state actors such as industry, law societies, technological experts, and so forth; we must now foster appropriate dialogue with these actors at this very late stage, even if little change can be effected.
The challenges presented here all surround the nature and quality of the policy discourse: we must question whether it is sincere and informed, and wonder about its richness.
As countries move to ratify and implement policies agreed at international governmental organisations like the OSCE, CoE, and G8, the role of national NGOs comes into question. NGOs are for the most part focused on national policy developments, and are busy enough at that level. Now they have to monitor the processes and outputs of IGOs that do not always operate openly. The Council of Europe, during the formulation of the cybercrime convention, argued that consultation is ideally a national process, and not the duty of the CoE itself; while this may be true with respect to its current mandate, the national policy discourses at times of ratification may not be the ideal time to discuss serious problems with the convention once there is already a felt-need to adjust national law accordingly. IGOs must change their mandates to include consultation, perhaps through requiring national consultation prior to the negotiation of charters, agreements, and treaties; otherwise the sincerity of the political discourse is highly questionable.
Even as the CoE convention is not really about cybercrime, many within civil society have been ignoring the convention because of its apparent focus on technology and high-tech crime. Governments need to reach out to civil society to interact with and educate them on the implications of the policy changes, as the policy discourse is conducted in a technology-specific way; or otherwise governments may need to reach out to more technology-aware NGOs that may have a more specific mandate but less of a constituency.
In previous policy discourses, industry representatives and other actors played large roles. They seem to be disappearing from the discussions, however, as they may not be as willing to raise their concerns. Governments and IGOs need to reach out to other actors such as epistemic communities (law societies, engineering associations and task forces, scientists and researchers) as well as industry organisations.
The current discourses are framed as balances between civil liberties and public security; the very notion of a balance is a myth, a false dichotomy. The more actors that are included within the discourse the more the notion of balance will disappear as a fuller set of ideas and ideologies are presented, and more interests arise, and more possible alternative solutions may emerge. Otherwise, the policy discourse will suffer, and the policy outcome will be surely problematic.
The policy landscape is thus transformed, and not in favourable shape for national action by national NGOs who have little regard for technology and international legal issues, and little infrastructure for co-operation with other NGOs, industry, and other actors.
Unless capacities are developed, these dynamics will diminish our capacity to act. Policy laundering occurred with data retention in the EU based on pressure from the U.S., but that was surely not unwelcome by some within the EU, of course. The modelling of laws involves the adoption of international agreements and calls for harmonization to allow national laws to change with decreased accountability and national discourse. Finally, forum shifting forced the CoE to abandon dual criminality, and when the CoE did not include data retention in the convention on cybercrime, governments went to the G8 and then to the EU.
Keeping track of all these activities is work left for the reader. The goal keeps on shifting, the policies keep on being transplanted, and the calls for harmonization and international cooperation increase; and yet we don't appear to be interrogating these claims and following the match too well. We need to pay attention to these dynamics to understand where the game is being played. Then we can create new structures of accountability for the players.
Gus Hosein is a Senior Fellow with Privacy International, and a Visiting Fellow in the Department of Information Systems at the London School of Economics and Political Science. More information can be found at http://is.lse.ac.uk/staff/hosein
This piece was originally published in Spreading the Word on the Internet, published by the Organisation for Security and Cooperation in Europe, Vienna.