 Good morning everybody. If folks could take their seats, we're going to get started in just a minute or so. Do you know if it works? Good morning. Can I ask everyone to sit and we would like to start? So good morning everyone here joining us in D.C. But also to all of you who are joining us via the webcast from around the world. My name is Judith Lichtenberg. I'm the Executive Director of the Global Network Initiative. I would like to welcome you to our 20,018 Learning Forum entitled New World Borders, How Jurisdiction Affects Human Rights Online. But I would like to begin by saying a word of thanks to our hosts at New American Open Technology Institute and also our co-organizers from the Association of American Law, the Interest Group on International Law and Technology, ASL. Let me also say a few words about the Global Network Initiative for those of you who are new to our work. GNI is a multi-stakeholder organization. It was launched in 2018. We bring together internet, telecommunication and vendor companies, civil society organizations, academics and investors from around the world to forge a common approach to freedom of expression and privacy online. And our growing alliance currently we have more than 60 members work together to implement the GNI principles. These principles are rooted in international human rights law and provide guidance for companies grappling with free expression and privacy challenges. We have a collaborative and confidential approach to working through these challenges that includes accountability, shared learning and also engagement on public policy. Moving to today's topic, sharing and transferring data across different jurisdictions is a fundamental byproduct of the global interoperable internet. But it can also result in pressures on existing legal systems that were designed for the pre-internet age. And we are concerned that efforts to assert authority across borders or limit the free flow of data can also impede free expression and privacy and may also undermine the open internet. So thank you again for joining us here today. I look forward to a fruitful and interactive discussion. So please feel free to ask questions and participate in the discussion. And we also invite you to stay on afterwards for our networking lunch. So now I would like to introduce Sharon Bradford Franklin from New Technologies OTI. Thank you. Good morning. I'm Sharon Bradford Franklin. I'm director of surveillance and cybersecurity policy here at New America's Open Technology Institute. I have the opportunity to moderate the first panel, so I will save most of my talking for then. But I just wanted to take this moment to say two things. First, OTI as a relatively new member of GNI is so glad to be able to cosponsor today's learning forum with GNI and with the American Society for International Law. OTI works to promote an internet that is both open and secure and also rights protective. And both of today's panels cover issues that are important to OTI's work. So we really appreciate the opportunity and ability to work with and through the GNI multi-stakeholder process to promote policies that protect freedom of expression and privacy online. And second, on behalf of New America's OTI, I want to welcome everybody and thank you all for attending those in person despite the weather and also welcome all of you watching the live stream of today's panels. Thank you. Good morning. In the last of our rotating cast before we actually get to the substance, my name is Wes Rist. I'm the deputy executive director of the American Society of International Law. It's my great pleasure to be here representing the society and to officially take the credit for co-sponsoring this. But in reality, I want to point out that Arturo Carrillo, the co-chair of the interest group on international law and technology for the society, did all of the hard work and heavy lifting on this. He'll be speaking on one of the panels in this afternoon. The society is a 112-year-old professional membership association for international lawyers. We are non-advocacy and non-partisan. So part of our goal is being space in especially DC, but in the rest of the world as well, where we can have conversations about really difficult topics and about the complicated issues that arise regarding international law and politics, especially as it comes to things like where the law is not perhaps keeping up with technology as today's discussion will address. If you're interested in more about the society, please feel free to talk to Arturo. Unfortunately, I can't stay throughout the day, even though I'm definitely on the geek side of things in international law. So this is my kind of field and topic. I'd love to be here. But please do ask any questions that you might have about the society. And we especially welcome those of you who are not lawyers or international lawyers specifically. The society is interdisciplinary in its nature as well. So we have space for those who bring different perspectives to talk in our events and our panels and the like as well. Thank you all very much and especially Arturo, thank you for putting all the hard work and effort into this. He told me his ETA. Okay, so I think I'm live. And welcome. I think our final panelist is just going to get mic'd up while I start talking, but he doesn't need to hear the introduction. And he will join us on stage in plenty of time to talk. So thank you all again for joining us today. As I mentioned before, I'm Sharon Bradford Franklin, Director of Surveillance and Cybersecurity Policy here at New America's Open Technology Institute. And I appreciate you're joining us for our panel here on cross-border access to data. So in our interconnected world today, we are seeing growing numbers of situations where law enforcement officials in one country want to seek access to data that is held, electronic communications data that is held by a provider in another country. And at present, these kinds of requests for cross-border data are generally handled through a Mutual Legal Assistance Treaty, or MLAT, between the two countries, the country of the requesting law enforcement and the country of the provider. But growing numbers of requests have led to pressure in many countries for new legal systems to streamline these processes and overcome the delays that have been associated with them. And as our panel will discuss in more detail, there are three of these new legal structures in particular. First, here in the United States, our Congress enacted something called the U.S. Cloud Act last March. Sort of a clever acronym, stands for Clarifying Lawful Overseas Use of Data. And efforts are now underway and probably coming to completion very soon to negotiate and put out there the first bilateral agreement under that Cloud Act structure between the U.S. and the U.K. Second, the European Commission has developed its e-evidence proposal and held a public consultation for that over last summer. And G&I actually filed comments in that process. And third, there's a closed process through the Budapest Convention on Cyber Crime to develop an additional protocol. And that process began last fall and is scheduled as we understand it to come to completion by the end of 2019. So our panelists here today will discuss each of these legal structures, how they may improve the situation, concerns that they raise for protection of rights, and particularly privacy and freedom of expression online. So I'm going to start this with some individual questions to set the stage from each of our panelists, providing their, you know, particular area of expertise. Then I'll ask a number more questions to engage them in conversation. And finally, I will open up to you for your audience questions. So we're going to start with Jennifer Daskell, who is Associate Professor of Law at American University's Washington College of Law. And Jen, I'm going to ask you to please set the stage for us and provide us with an overview of the existing MLAT system, the problems leading to the current efforts to develop new legal structures, and a description of each of these three processes that I've described, the Cloud Act, the evidence proposal, and the Budapest Convention. Great, great. So thank you, thank you for being here, and thank you for inviting me to participate on this panel. It's really a pleasure. So the MLAT system is the, is the kind of traditional system that applies when one country seeks evidence that's located in another country. And it's worked fairly well with respect to tangible evidence where somebody in law enforcement in, in the UK is seeking evidence that happens to be stored in Chicago. And they make them, they make a request instead of, we don't want UK law enforcement to just barging into somebody's home in Chicago. So instead of the processes, they go and they make a request to the Department of Justice. The Department of Justice then reviews it and sees whether it's lawful. And if it is, they send it down to a U.S. Attorney. A U.S. Attorney goes and gets a warrant on behalf of this foreign government. They then execute the search, they get the material back, and they ultimately send it back to the foreign government. What's happened, however, with digital evidence is that the volume of these requests for assistance have increased exponentially, in part because there's not always a logical relationship between where the data of interest happens to be stored and the investigation. So in my example, the UK could very well be investigating a crime that occurred in London involving perpetrators, witnesses, victims, all in London. And the data of interest happens to be stored across the border, say in Chicago or say in LA or say in some part of the United States. And increasingly foreign governments are finding themselves in the situation where they have to access data relevant to a local domestic investigation that's across international borders. And it's putting a lot of pressure on the system because of the time that it takes to execute these requests. You think about all the steps that I just laid out and the fact that foreign governments often are frustrated that they have to seek the assistance of a foreign government when they're investigating purely domestic matters. And so this has led to a number of the innovations that Sharon just mentioned. And so I will talk through each of them briefly because we've got a lot to cover here, but just to provide some background. So the Cloud Act, as Sharon mentioned, was passed in March of 2018. It was moved through Congress relatively quickly in large part to moot what was then a pending Supreme Court case called Microsoft Ireland for short. In that case, the U.S. government had sought emails from Microsoft in the investigation of a drug investigation. And Microsoft said, no, those emails are stored in Ireland, in Dublin, and they're outside of the territorial boundaries of the United States. And therefore your warrant authority doesn't extend to emails outside the territorial boundaries of the United States. Go to Ireland and ask Ireland for help. And the U.S. government said, that's crazy. You guys, Microsoft, have access. You guys can control from Washington where these emails are held. You have custody of them. You have control over them. We're serving the warrant on you. You're a U.S.-based company. You can control access. Turn them over to us. And so the case went all the way up to the Supreme Court, and there was oral argument in the Supreme Court. The Second Circuit had ruled in favor of Microsoft, and probably a couple of months before the Supreme Court ultimately would have ruled Congress stepped in and basically more or less ruled in favor of the government. And the rule as a result is that if a compelled disclosure order for data held by a U.S.-based company is issued by the United States, be it a warrant or some other form of compelled disclosure order, on a U.S.-based company, that company is obliged now explicitly under statutory law to turn over that data regardless of where that data happens to be stored. Now, I've argued, and I'm happy to talk about why I think that's a good result, and I'm sure we'll get into that more in the discussion, but there's also a potential risk. And the risk is that that leads to a conflict of laws with the U.S. saying, give us this data. And another country saying, wait a second, data held in our country is subject to our laws, and we have restrictions on when you can transfer data out. So Congress also recognized that, and it created a new statutory mechanism that allows a provider, in albeit very limited situations, to raise a conflict of laws if the U.S. government is seeking the data of a foreigner located outside the United States and if certain other agreements are in place. Now, currently there's no such of these relevant agreements in place, so the statutory mechanism is basically not applicable at all. But Congress also, in a savings clause, but it still think that it's important, mentioned that providers still have the right and the opportunity to raise what are known as common law, comedy claims, which is a very legal term, but basically, same idea. If there's a conflict of laws, and if the provider will be stuck in a bind by having to comply with one law in the U.S. and another law in another country, and those laws conflict, providers can go back to the judge and move to have the order modified or clashed. So that's part one of the Cloud Act. Part two of the Cloud Act deals with another provision of U.S. law that says U.S.-based companies are prohibited from turning over communications content directly to foreign governments. So anytime the U.K. law enforcement in my initial example wants emails of a U.K. citizen in the investigation of U.K. crime, they have to go through that kind of long, laborious, and lapsed process that I just laid out at the beginning. That's become a huge source of frustration for foreign governments. And so the second part of the Cloud Act seeks to alleviate that to some extent. What it does is it authorizes the U.S. government to enter into executive agreements with foreign governments. And pursuant to those executive agreements, those foreign governments would be able to bypass the MLAT system when they are seeking the data of foreigners outside the United States and subject to a number of specific requirements and be able to make requests directly to U.S.-based providers without having to go to the U.S. government. There are a number of requirements set out in the statute that these requirements, I want to be very clear, set a minimum floor of what these executive agreements have to include. There is nothing in the legislation that doesn't, that precludes the United States from establishing executive agreements that have heightened protections in the actual executive agreement. But in terms of the minimum protections that are set out in the statute, there are things like the, first of all, the countries themselves have to be evaluated for meeting rule of law and basic human rights standards. And then each request has to be particularized. It has to be legal, meaning that it has to be authorized by law. It's only for serious crimes. There's a requirement to review or oversight by a judge. There is a mechanism that basically requires the government to allow the U.S. to do some sort of auditing of the request to make sure that these requirements are complied with. And there's minimization requirements that the government has to meet that are designed to protect against the dissemination and undue retention of U.S. person, meaning U.S. citizen, and legal permanent residence data. That's the Cloud Act. Very quick, lots of information. I apologize if I'm going too fast, but there's a lot to kind of get through on this. Soon thereafter, the EU have completed totally independently its own process, and this led to drafts. Now, these again are drafts. They're not law like the Cloud Act. A draft E-evidence regulation and a draft E-evidence directive. And these seek to address the analogous problem within the EU that EU member countries were increasingly finding themselves having to make requests across borders within the EU to get evidence. And so they authorized an issuing judge or in some cases an issuing prosecutor in state A to go directly to a provider in state B and make a request for data. The rules divide up the world into four different categories of data. So there's subscriber data, a category called access data, transactional data, and content data. There's slightly different rules depending on what kind of data you're talking about. Providers are obliged under this draft to respond within 10 days in normal circumstances or six hours in cases of an emergency. And there are as well in the draft E-evidence proposals a mechanism for providers to object based on a conflict of laws. Interestingly in the E-evidence proposals, if the objection is based on a fundamental right or with a fundamental interest of a foreign government, although that's not clearly defined, then a court is obliged to get to notify that third party government and give that third party government an opportunity to object. So it provides a mechanism for hearing from another government as well, which is something I think that's interesting and different than the cloud act. And it also requires all providers that basic or most providers that do business in the EU or service EU residents to put in place a legal representative, which then ensures that the EU can issue legal process on providers who don't actually currently have a physical presence, but serve EU residents. So it's an attempt to kind of expand its jurisdictional reach to some extent as well. Finally the Budapest Convention, there is a ongoing process as Sharon mentioned to draft an additional protocol that would deal with again these questions of accessing data across borders. It's a pretty opaque process. It's not exactly clear what's happening in that process. They're supposed to be done by the end of December 2019. The mandate includes consideration of things like international production orders of the idea, a similar idea that one country would be able to serve kind of a production order directly to a provider in another country, improved streamlined MLAP provisions, and a variety of other things designed to address this particular issue. And that process is ongoing as well. So too much information probably, but an overview and an explanation of how much is going on in this space. And I think it's an area where we're going to continue to see a lot of developments and a lot of growth. I should say finally that once an executive agreement is reached between the U.S. and a foreign government pursuant to the provisions of the Crowd Act, it has to be submitted to Congress and then there's a 180-day waiting period during which Congress has an opportunity to object through a specified mechanism. If they do, then the executive order does not go into effect, but if not, if there's no objection, then it does. There's been no executive order yet agreed to, so there's been no executive order submitted to Congress. That said, there are several reports suggesting that an agreement between the U.S. and the U.K. is likely to be finalized within the coming weeks. Thanks, Jen. Okay, so for our part two of setting the stage, I'm going to turn to Greg Nojine, who is Senior Counsel and Director of the Freedom, Security, and Technology Project at the Center for Democracy and Technology. And Greg, if you would provide us with a society for developing legal structures for handling cross-border data requests. Our principal concern is that in facilitating cross-border data demands by governments, that there will be a race to the bottom, an erosion of rights that results from trying to accommodate the different legal systems that would need to be accommodated in order to facilitate those cross-border data demands. There's kind of a natural tendency when the governments negotiate among themselves to go for minimum standards and to make it so that if a country meets the minimum standards, then it's okay for that country to make the demands. So I look at the current system as pretty good. It's pretty protective. Foreign government demands data from a U.S. provider. If it's content, that demand goes through the Department of Justice. The Department of Justice will weed out cases where to comply would violate a person's free expression rights or other rights. It doesn't respond to a lot of demands from countries that have extremely poor human rights records. And then it goes to the government that makes the demand and says, give us some evidence. Give us enough evidence to show that this data is necessary for your investigation. Let it meet a high evidentiary standard. If you don't give us that evidence, we can't take your demand in front of a U.S. judge and get permission to disclose that data. That's a pretty protective system. And what we're doing is cutting out the U.S.-based checks and balances and substituting for them whatever system the foreign government has. That's the big picture. And the reason I'm giving this from kind of a U.S. perspective is because a lot of the data that is being sought is held by U.S. providers under this current U.S. regime for which there will be substitutes under the different mechanisms that are being put in place. I look at it from a rights perspective. Will there be judicial authorization? There is now. In fact, there's almost, in some cases, there's double judicial authorization. Foreign government has to go through its process, which may require judicial authorization. U.S. government goes through its process, which does require judicial authorization for the content. Cloud Act does not clearly require judicial authorization. The most that can be said of the Cloud Act is that it requires an independent review before the demand is enforced. That's far different from requiring there to be a judicial authorization before the demand is made on the provider. The factual showing, in the U.S., the probable cause standard is very high. In fact, most of the demands made by foreign governments that are turned down are turned down because they don't meet that high evidentiary standard. We are substituting for it a very vague standard in the Cloud Act, and it's being interpreted in the U.K., for example, in pending legislation to require only that the information, the disclosure of the information be in the public interest, and basically a reasonableness standard attached to that. I'm concerned about notice. In the current system, notice is limited, I would say. It mostly depends on what's happening in the foreign government, but the Cloud Act is silent on permitting the providers to provide notice, and it's silent on requiring that the foreign government provide notice to the data subject. Another thing that's happening is that for the first time under the Cloud Act, foreign governments would be able to engage in real-time surveillance through the facilities, through the assistance of U.S. providers. That has never been the case. If a foreign government today was to engage in wiretapping, it would be a crime. Instead, we are authorizing that through the Cloud Act and permitting the foreign governments to engage in real-time surveillance with the assistance of U.S. providers. The Cloud Act also has an insufficient protection for free expression. A lot of demands from foreign governments today that are turned down, even if they meet the probable cause standard, are turned down because they don't meet free expression standards, both the U.S. standard and internationally recognized standards. The U.K., which is first up for one of these Cloud Act agreements, has a number of statutes that raise very serious free expression concerns. It's a crime to send grossly offensive information over the Internet. What's offensive to one person might not be offensive to another. And besides kind of going through life, there's a lot of offense going on. That could shut down half of Twitter. It's also a crime to disclose official secrets. An official secret is something that the government believes is secret, but that the person who makes the disclosure who could be a journalist might regard as news. And that person needn't ever have promised not to disclose secrets. So it's not like you've signed an agreement where you will protect classified information. It's that you're a journalist. Somebody's leaked information to you and you want to disclose it because it's important to the public debate. In the U.K., that can be a crime of violating the Official Secrets Act. The last thing that I want to mention is that there is a problem in the current system that is not being addressed in the systems that are being put in place, except so far in the EU evidence context. And that problem is this. When it comes to non-content under U.S. law, U.S. providers can volunteer that data to any government that asks for it, to anyone who asks for it. And it can volunteer that data even though if the U.S. government seeks it, there has to be a court order and there has to be a showing of an intermediate level of proof. Traffic data can be very sensitive. It can be who you emailed and who emailed you. It can be where you're located, where you're located over time. The U.S. law permits U.S. providers to volunteer that information to foreign governments. The Cloud Act does not address this problem. It leaves it in place. To its credit, EU evidence does. EU evidence says that there has to be a court order and it has to be based on a showing under European rules, the necessary and proportionate rules, in order to gain access to traffic data. I think that's something that we should be considering and I think it's a good development. For our final part of our setting the stage, I'm going to turn to Sincela Nivec, who is Vice President of Group Sustainability for the Telenoor Group. And I want to ask you, from a telecom company perspective, if you could share, what do you expect these new legal regimes to mean for your company in practice and any concerns you have? Yeah. So I work for a telecom operator and we're just one piece of this big puzzle that's being put together. So I'm going to address this from a very practical perspective. We would be the ones who receive these kinds of requests. And in all telecoms operators, we regularly receive requests. There's no question that the police shouldn't have evidence to investigate serious crime or anything like that. No one's questioning that that's important. The thing that is important though is that that is done not only in a legitimate way, and it needs to be necessary and proportionate, but also reflecting human rights standards. So when we receive a request we typically get in the telecoms world requests for type historical data. That would be the data that you get when you make a call. We need to log where it was made from and where it's going to be able to connect that call to begin with, and you need to log perhaps how long that is to bill the right amount for that call. Those things go into what we call call data records and are stored for a certain amount of time, according to the legal requirements in the country you're in. And that would be one kind of data that authorities would ask for. Another one was already touched upon is lawful intercept or real time surveillance. That is also something police or others can ask for, to be set up in the markets you're in. And then there are other requests which probably aren't as relevant in this international context, cross-border data context to, for example, block websites or shut down networks or access to certain platforms or things like that. Those typically happen locally. So from a telecoms operator perspective that's the kind of request that comes to us. And when the evidence came up we started some discussions internally to see okay what does this really mean for us. And I spent a lot of time talking to particularly our European colleagues or Scandinavian colleagues in the Telner group, how does this work in practice today and what will this mean going forward. And they said, all of them really, that when we receive a request through or an international one today it doesn't take very long for us to give that data out. But that's because that comes through our local judicial authority or like your national criminal investigation service or some central authority that receives that from abroad does the assessment of whether that is compatible with our laws and international laws and forwards that in a format that we can process. So at our end there was a little bit of, or people were a bit puzzled because they said it's not necessarily the delay, the delay isn't at our end. We actually give that data out fairly quickly. So then the question becomes okay so if you really want to address evidence being moved faster maybe loading all of that responsibility on the operators isn't making it faster but isn't making it slower. So that's one of the things that we've spent a lot of time discussing. So you have on one hand the sort of principal things about you know legitimacy and necessity proportionality and also of course oversight but then you have the very practical realities. And for us if any government in the EU can come directly to us then would we then have to sit and assess okay is this request legal in say Norway where Tallinnor is headquartered? Is it or is it not is it legal in the country that's sending this? Even more practical is the authority that's sending this to us the right authority can they actually send it to us? And then if they are how do we send the information back? Remember we're talking about very sensitive information how do you ensure that that is sent in a secure channel from the right place to the right recipient? A lot of that responsibility is very overwhelming for an operator to be quite honest because when it goes through a national criminal investigation service or something like that at least there is oversight and the system and someone making sure that it comes from the right place and goes to the right place. So those are the kind of concerns and considerations that we've been discussing in our end. And I think to be very clear no one is arguing that we don't want a faster system I don't think that's the problem at all we're more asking is this the right medicine for the pain we're experiencing? And I think there is a real risk if the proposal at least for the evidence stands that it is today that the objective of more legal clarity actually is more legal confusion and that you are wanting this to move faster actually means delays at least at the end of the operator. So that that's a real challenge and there's also the added complexity in Europe that there is already something called European investigation order directive in place which just only sort of came into force last year and isn't fully implemented so a lot of processes are already in place for that but it isn't fully implemented so people are asking why can't we wait and see how that works or and potentially improve that one instead of coming up with a completely new regulation that would be automatically introduced into all EU member states. So those are some of the concerns that we have. Thank you. So unfortunately various scheduling concerns prevented any of the government representatives from the US or other countries were joining us on this panel and I don't want to purport to speak for what a government perspective might be but certainly one concern that issue that we've heard presented from the government speakers is to sort of use the core example that Jen provided of if you have the UK law enforcement seeking data about a suspect in the UK facts of a crime committed in the UK and simply that suspect happened to use a US email server like Google you know so very minimal contacts with the other country why are we also concerned about that other country the US or whatever the country the data host is about imposing its notion of rights all of our panelists have talked about are these regimes sufficiently rights protective but why should whatever the country is of the data host with the limited contacts to this alleged crime seek to impose its standards on these data requests so if all three of you could speak to that question what is the argument Greg do you want to you seem to want to start Greg's ready to go that's the that's the strongest case for departing from the current system okay that's the strongest case and one might say well what's the US interest in looking out for the rights of the British person whose government is seeking his or her data it's very limited and I would say that if the UK had come to the United States and said we'd like to be able to address this case it would make sense I would like more sense in that context to yield to that demand and say okay UK your democratic country your people have chosen your representatives your representatives have chosen what laws will apply to your people we're going to be sympathetic to this case and allow those laws to apply certainly we want to have the highest standard as we can we've criticized the UK laws for not being sufficiently protective in fact the groups in the UK characterize the leading legislation there is the snoopers charter so that battle can be fought out in the UK I'm worried about the other scenario though because UK did not come to the United States and ask for that permission it said we want to apply our snoopers charter worldwide how do they do that by getting access to the worldwide user base of the US tech companies so this is not just about that domestic holy domestic scenario where I think there's a sympathy that it could be involved it's about the UK and in other countries getting cloud act agreements making demands for data under their own laws for people around the world for anyone anywhere except under the cloud act for an American or for a person in the United States so I think you have to look at it through that perspective because that's what the law says it doesn't say this is to address the holy domestic case do either of you want to add on to this one or sure yeah no I think I mean I will defend the UK a little bit in response and defend the perspective the governmental perspective here a little because I do think that two things I think that the problem of countries investigating domestic crime is a huge problem and it is and the ability to access digital evidence in a timely matter which is important to the vast majority of basically every kind of case now is also a huge constraint in being able to investigate and it's not and I also think we should be clear that these rules apply in situations where partnering governments are investigating a criminal offense that has been committed over which they have jurisdiction that is defined as a serious offense so it's not as if governments are given permission to just kind of willy-nilly access data of anybody around the world that said and as we've talked about I think it's very important to put in place protections that set rules about when and how these this type of evidence can be obtained and I also think and Greg and I have had a long-standing just agreement about this that and and it's at this point it's it's almost it's when the cloud acts pass so it's it's kind of moot at this point but the but my view has long been that there is absent something like the cloud act or other ways to alleviate pressure whether it's e-evidence or something better than e-evidence on the table that you really incentivize countries mandating localization as a means of ensuring access and control over data and once that happens countries like the US and country and groups like like gregs and a lot of the groups that are represented in this room in this table in this room right now have very little leverage in terms of the rules that apply and there is an opportunity here to use the fact that the US is host to so much data of interest to the world to set standards that have the opportunity of elevating rights protections rather than lowering lowering them so that's just an empirical dispute that Greg and I have as to whether or not we don't have a dispute about whether there needs to be a solution we've accepted that the current system is not going to scale to meet the demands and that foreign governments have legitimate interests we don't have a dispute about that the dispute is whether the cloud act meets international human rights standards and in our view it comes up short and in our view it's a step backwards from the current standards that apply and just I just want to just emphasize one last point which is the cloud act sets minimum standards that these agreements have to meet so each executive agreement has to be negotiated separately and so there are opportunities if to to to demand that the protections that are deemed critical are put in place as part of those executive agreements okay I want to turn to another area where I think we have more agreement where I want to start with Cecella which is one of the concerns that both civil society and companies have raised both with the cloud act and with the evidence proposal is to make sure that when a foreign country sends a demand directly to a tech company in another country that that demand contains enough information on its face so the company can understand is this legal does it comply with the existing you know rules in place so if you could start us off first of all what kinds of information do you want to make sure are in those requests and improvements that you might want to make sure are implemented that are not necessarily on the face of the cloud act or the evidence proposal and then why is that so important so if you'd start us off and then Greg and Jen may want to chime in on that as well yeah and just to sort of take one step back ideally we would like there to be a some sort of facility that does that evaluation because there's a fundamental question should companies make that judgment or shouldn't they how much information should a company have or not obviously we need a certain amount of information to process and and today under our requirements of course that is about obviously the right legal basis so you need to know that the complication comes in when you get that from a different jurisdiction than your own and when you can get that from multiple jurisdiction what kind of capacity and knowledge do you need to have inside the company to make that judgment just on the legality piece and then on top of that of course is the human rights concerns the international standards concerns so we're concerned that companies will be overwhelmed and because as we see it today it is a good thing both for the users and for companies that there's a central authority that makes these kinds of judgments and has that kind of capacity and that could then serve all the companies now you would have a potentially a system where each and every single company needs this capacity in house which is very overwhelming and I'm not entirely sure that that will further human rights it remains to be seen how this will work in practice but there's a real risk there that it may not so so it's a really good question evidence says that the company will get a very bare bones demand and it's not going to get the facts behind the demand it's going to know what statute is being pursued and we'll be able to I think check whether it qualifies as a serious crime under the evidence rules but it's going to be very bare bones the Microsoft came out with a very strong statement last week saying we want to have enough information in the demands so that we know whether complying with the demand is going to violate our users rights that's a very strong statement suggests a willingness to step in and fill this void that's been left by basically writing out the second check the second court check the way he evidence works is the demanding government will make the demand on the provider the provider will make the disclosure or not the provider does not make the disclosure the provider is expected to fight that out in the court of the demanding country and then the if the court in the demanding country affirms the demand then the provider then the demand if the provider still resists the demand is taken to the court of the country where the provider's representative is and that court is required to in that court makes the decision about whether to make the final order compelling the disclosure why is this important what's important is that that court in the compelling country what information will it get and will it get enough information to make the assessment about whether the company is right and compliance would violate the rights of its user or the company is wrong right now the evidence says that that court in the enforcing country has to look at just the four corners of the demand and as I said earlier right now it's very bare bones so one of our efforts has been to make it so that that review will be more meaningful it's important because not all courts in all countries in Europe are equal there are outliers and there are outliers in terms of rights protections and independence of the of the judiciary and and the companies can basically choose the enforcing forum by putting their representative in that forum they don't have to choose an outlier they can choose a rights protective enforcing forum and if they are allowed to do that if they do that and there's enough evidence for that court to make that determination and I think we have a more rights protective system so as we've already been discussing the cloud act is in law we're anticipating that the first bilateral agreement will be at least released to the public and presented to congress potentially within weeks but as we look for who's next right the cloud access to the structure it's supposed to be with a foreign government under the text of the law and one of the questions that folks have been debating has been what about Europe what about the EU the text of the cloud access a foreign government can or should the EU develop negotiate with the US for some kind of overarching framework what would that look like how would that comply with the text of the cloud x so I wanted to ask our panelists for your thoughts on this is this a good idea for there to be some kind of EU overarching framework how would it work what are concerns that that raises and we'll start with Jen sure so so as Sharon pointed out there's there's a potential conflict between the text of the cloud act and the desire to have an EU wide agreement partially because the text talks about foreign governments but also and this is important each individual partner government has to be evaluated to ensure that they meet they're certified as meeting adequate human rights and rule of law friendly standards and so from my perspective the way an EU US agreement would would have to work would be basically in the form of some sort of framework agreement where the EU and the US negotiate a framework agreement that specifies how all these agreements would work and and establishes a standard set of rules and practices and and requirements in terms of auditing and minimization requirements and and certain and a range of protections and then each individual country would have to basically be evaluated to determine whether or not they met the standards that would allow them to participate one of the things one of the benefits of this type of agreement might be that you could envision mandating some sort of and this addresses some of the points that were made earlier some sort of centralized issuing authorities within each of these countries which would then facilitate the ability to monitor and audit and to ensure that the requests meet the requirements both in the cloud act and the additional requirements that are laid out in the agreements as well so it's something that's of interest to the to the European Commission there's been discussions about whether or not it's possible and it seems at least from my perspective that the best way for it would be some sort of framework agreement on the other reason why this is important and relates to the first part of the cloud act that I talked about earlier which is the provision that allows the US government to issue compelled disclosure orders to the United States for data regardless of where it's located that provision also potentially runs into a conflict with another piece of EU law the general data protection regulation which prohibits transfers of data outside the EU unless certain exceptions apply one of the key exceptions is some sort of international agreement so an EU US framework could help ensure the smooth transfer of information in those situations where the US has obtained a warrant based on probable cause and there's a legitimate basis for the US government accessing data that happens to be US held as well anyone else want to comment on that so so there there won't be an agreement a cloud act agreement between the United States and the EU because the cloud act doesn't permit that there could be a separate agreement pursuant to which the countries in the EU would be considered for cloud act certification the I see you know I see a possibility and a risk in all the EU going at once if you will the the risk is that the EU will say well it's all countries or none we want you us to certify all countries and these are the and that's the deal that's the deal that we are entering into with you and that as I said earlier creates this problem where there's some outlier countries in the EU that don't have the same rights protections particularly judicial protections for data demands the other possibility though is that a framework approach would make it so that those outlier countries would have to put in place additional protections in order to meet the standards that are agreed to in the framework agreement between the United States and the EU so it could work out in a good way it's too soon to say how that will whether which which approach will be taken but I see a possibility of a downside and an upside until you mentioned a concern for centralizing requests how do you feel about this idea well obviously from a company perspective legal clarity is helpful and and the more clarity you have the better but I don't know whether a EU agreement or country agreement is the best way to go you could potentially look at it say that bilateral agreements will set the standard and then the others will follow the same that's possible or you could have Greg's option here that he could work out well or not so well with an EU wide agreement but it's hard from an operator perspective to say one would work best but you know the more common the rules are the easier it is for us to then make our assessments and do it the right way so Jen characterized the cloud act as you know noting that that provides kind of a floor and there's no prohibition in having bilateral agreements that are more rights protective the other proposals are still in the works and in addition to these three government initiatives there are various private proposals that have been released or that are in the works to talk about these kinds of making sure the structures are sufficiently rights protective the internet and jurisdiction policy network in which several of us are participating is a multi-stakeholder process that's grappling with some of these issues and trying to make sure that these law enforcement demands will be sufficiently rights protective Greg mentioned that I think was just last week Microsoft released a document entitled six principles for international agreements governing law enforcement access to data and that some of the things included in there were calling for right to notice prior independent judicial review and transparency and then back in April shortly after the cloud act was enacted Dropbox actually posted a blog piece also outlining a call for a more rights protective implementation of cloud act so my question for the panelists is what role do you see for these kind of private statements of principles and development of policies and how can they be most helpful in making sure that these new legal regimes are in fact rights protective to my mind the most important moment of influence is before the legislation is adopted in the case of the United States as Sharon mentioned the cloud act is already law in the case of the EU the evidence regulations not law and it's a proposal I think that if the statements from Dropbox and Microsoft formed the basis for what came out of the Budapest protocol discussions or evidence they would be better than they otherwise would be I think that for both for civil society and for companies there would be there comes a moment comes a moment in every legislative battle legislation is presented to you and you have to make an assessment are you going to support it or oppose it does it meet the standards that you said it should meet or does it fall short if it falls short a little bit what do you do and I so I think that those statements are useful for setting some of the parameters of the debate we certainly made our own statements but when push comes to shove what's important is a lot of pushing and a lot of shoving in order to get the protections that you're seeking I would just add I would just add to that that the cloud act is past but there is still there's in fact an obligation under the cloud act for engagement with outside experts and country experts in but prior to finalizing executive agreements with particular countries so there is an important opportunity for groups and individuals and experts to engage and especially I mean yes the cloud act has passed there has not yet been an executive agreement released there are a number of things that several folks in the room have been pushing in terms of additional requirements that various individuals and entities would like to see one of the things that I think is is critically important is as I said the cloud act envisions envision some sort of auditing mechanism which is kind of innovative and new it's something that's a step up from the mLAT system so under the mLAT system once that data is turned over the US has no say whatsoever and what happens to it the cloud actually provides an opportunity to set limits on how that data is used and then to check that to me seems like a real opportunity and a place for continued engagement and an opportunity to ensure and to push that those auditing mechanisms are employed and that they're employed robustly I'd like to pick up on the point of engagement and also I think these kinds of statements are and that came out last week for example it's important for the debate and for more of us than just the one sitting sort of dealing with this every day to have a discussion about what this actually means and that hopefully if you're entering that debate at the right time you can actually shape that legislation for the better but you are you're right it's very difficult there's a point in time where you have to decide whether you should push anymore or whether that is already gone but for example the point about transparency is very important I think I'd like to see more debate around that like how can companies be transparent what can we be transparent about how what would that look like for example so um another concern that has been raised and people have touched on it here but they're certainly central to GNI's work is protections for freedom of expression and there's an illusion in cloud act to making sure that somehow that's protected but it's a little bit fuzzy so I'd like to ask each of you to weigh in on how you see freedom of expression being protected as these requests are made how would companies know if a request was going to be violative of free expression improvements you would like to see either in the developing proposals or in the actual bilateral agreements that come out under cloud act to make sure that we have robust protections in that area so cloud act says that orders issued under the cloud act shall not violate the right of free expression doesn't say whose version of that right we're talking about it doesn't say whose responsibility it is to make sure that orders don't violate the right of free expression so that leaves a lot of room for creativity or for non-responsiveness to the problem what we have suggested as an approach is particular to the UK which is the first agreement up is for DOJ to make an assessment about which statutes under the UK have been used in the UK have been used to violate the right of free expression I mentioned a couple of them earlier and what we suggested to DOJ was take those statutes and exclude them from cloud act requests if there's a demand for data under one of those statutes send it through the regular MLAT system and let the free expression test occur through that approach a piece just came out from Peter Sawyer and Justin Hemmings that lays out those five UK statutes that ought to trigger that ought to be excluded in our view how to be excluded from cloud act coverage so that demands made under those statutes can get a full free expression review under the current MLAT system I would just I mean I agree with what Greg just said I would just add that I think this is a particularly tricky issue and there's about to be a panel right after ours about global takedown orders I mean as everyone in this room undoubtedly knows that the US version of the First Amendment is very more much more protective of free speech than any other country around the world and there is a delta between human rights free speech standards and the standard that the US holds and so figuring out which which version of free expression and where the floor lies and whether or not it has to be exactly the same as the First Amendment or whether there's some play in that I think is is a tricky and complicated and hard issue particularly for for companies that are operating internationally and operating in a number of regimes that have different understandings of what constitutes free expression there's obviously a floor below which nobody should go but but I would suggest that there's some divergence between the human rights standard and and the US standard yeah from from an operator perspective the view on what is free expression and what you should take down varies a lot from country to country there are many different kinds of jurisdictions out there that we have to relate to and operators often don't have the content as such that would often rest with for example the providers of the email or the platform social media platform or whatever it is that you're using we will transfer the bytes but we don't have the content but in some jurisdictions they will ask us for example to block Facebook or block WhatsApp or what it would be and then you have a free expression challenge and then there's as far as I understand it none of these acts are addressing that kind of borders cross border that only happens in country but it's a it's a real challenge so as Jen described the structure that's been put in place but the cloud act there's first the first step is the US has to decide that it's appropriate to certify a given country as meeting the standards under the cloud act and the cloud acts that's out certain standards that have to be met fortunately the version that ultimately passed now says that there are factors that must be considered considered rather than that factors that might be considered I'm not using the exact sector language but it is it is mandatory that they consider certain factors and it alludes to a process of expert consultation although that is not quite mandatory so my question to the panelists is as we go forward and I guess most people this may not be a fair generalization but are a little bit less concerned about the UK meeting the standards than some of the countries that may be coming down or lining up in the queue after that so what processes do you want to see put in place to make sure that we have a robust rights protective system and making sure that the countries that are able to enter into these bilateral agreements are sufficiently rights protective and I guess the flip side of that is do we need to make sure that there are not so stringent criteria so that there are enough countries that can come into this system actually alleviates the burdens that it was set up to alleviate well one one first to its credit the Department of Justice has been consulting with a number of experts they have I've been involved in at least three consultations with them there's got to be others so to their credit they are reaching out they are considering what people have to say the cloud act leaves a lot of discretion in the Department of Justice to make things come out better than is required by the statute they could put in place a lot of mechanisms in order to protect rights and certainly we've asked for a number of things the without the agreement though one can't tell whether those requests are falling on deaf ears or whether they will they will be met I think that one thing we have to keep in mind is that sometimes a lot of weight is put on congressional review of these agreements the act doesn't require Congress to do anything once the Department of Justice decides to enter into an agreement there will be no vote on the UK agreement there will be in all likelihood no vote on any agreement there and the reason is that they would take a majority vote of both houses of Congress to strike it down and then the president would probably veto their action and then it'd have to go back there be a two-thirds vote of both houses of Congress it's never going to happen so what DOJ decides to do in the context of these discussions that lead to these agreements are really good it's really important are they going to insist that the providers be able to give notice to users will they insist that the providers be able to report the numbers of demands that are being made of them under the cloud act will they insist that the providers when they receive a demand that they believe would compliance with which would violate their users rights that the provider can take that problem to the Department of Justice and have DOJ declare that that demand is outside the scope of the agreement these are all left unresolved in the cloud act they are opportunities we would say responsibilities for DOJ to step in and protect rights Do you want to add on? No? Okay, so I'm going to ask one more question to the panels of folks who have in the audience who may have questions can start thinking up your questions I think we have people who have microphones can start getting ready to roll with that process so if panelists would for the audience a little bit compare and contrast cloud versus e-evidence in terms of in terms of the rights protection framework that we've really been talking about are there a couple of things you would highlight I think Greg alluded to one if you want to elaborate a little bit further that he preferred any evidence or things that you think are better in cloud I'll mention just a couple real quick cloud requires judicial authorization sorry e-evidence requires judicial authorization for traffic data which data can be very sensitive where you were located who you email where you went on the internet that's very sensitive data and requiring judicial authorization is a good thing and the cloud act does not address that problem e-evidence has a provision that says that the provider has to respond to a demand within seven days that's a really short time I think that's a big risk it could make it so that providers comply with demands that they otherwise would evaluate more carefully about whether they were meeting the standards of the statute it also creates a risk that the providers will prioritize the demands that are in their sixth day even though there are more important more urgent demands that are in their first day that must be responded to more quickly I don't think having a shot clock shot clock is a reference to a basketball term having a shot clock on these demands is a good idea there's also no provision in I think either piece of legislation about compensating the providers for the time that they spend in responding to these demands and again I mentioned earlier I think that the e-evidence has a problem in that it doesn't give as it's currently written enough information to the providers so they can make an assessment about whether compliance would violate the rights of their users and also it doesn't give enough space for the enforcing court to take a second look at whether compliance would violate the rights of users so I'm not an expert on the US Cloud Act so I would just piggyback on the comments on the e-evidence but I think industry has many of the same concerns that you just listed and I think the time that we would the pressure that you would feel is and there's also the emergency clause in there with six hours turnaround time and that would be fine if it was a central authority that done all the vetting and came to us then we could do that in six hours if we have to do the evaluations within six hours and bearing in mind all the things we've discussed today about understanding different legal framers and weighing the laws and seeing if there's a conflict of law etc etc that's very short timing and that's not a lot of time to turn around and make a proper assessment I think the question of compensation also should be discussed because there is a risk where potentially countries could just fire off requests all the time if there is no cost attached to it if there is some sort of cost to it then there would that would be somehow I guess making them think twice about what kind of requests they're sending and for what so I mean ideally you would get a very specific request for a specific type of evidence that is needed to solve that case not a blanket request for everything that you have for example so so evidence says for content and traffic it has to be a serious crime so you wouldn't get the frivolous request for that but it doesn't say that about subscriber information or access data so there is a risk that you get a lot of frivolous requests for that data it would be the first thing that they ask for and also that it doesn't require judicial oversights for both categories and we would like to see that for both categories for example so a couple of other things that just some differences that I think are worth noting as I said before the cloud app does put in place some limitations on how data can be used disseminated and what needs to be done with irrelevant non-responsive data I think that's important a lot of discussion about in this area at large is focused on acquisition and there's not enough focus generally about what's done with the data after it's acquired particularly given how much information might be obtained so I think that's really important I think the provisions on auditing to ensure to have some sort of after-the-fact oversight to make sure that whatever standards are in fact put in place by the specific executive agreements are in fact being met is also critical that also deals addresses to some extent how that data is ultimately used and can also help with a number of the other things we've talked about here as well in trying to evaluate questions about whether or not the data was used in ways that violate the right to free expression and other areas as well so I think those are important provisions that are in the cloud app that are not in the evidence proposals the evidence proposals as I said before they are much more specific as to how to deal with conflict of law problems and unlike cloud act give an explicit role for the foreign government whose law is who has the conflicting law so in the situation as I said where the conflict is deemed to be based on either a fundamental right of the user or a fundamental interest of the government which would presumably include security but potentially other related interests as well the court is obliged to provide that third-party country an opportunity to object and if that country objects the order can't go through so much more solicitousness for the interests of other foreign governments in both protecting the fundamental rights of their own citizens and residents and also protecting their own fundamental interests as a nation and I think that's important as well okay so I want to open this up for audience questions three though advisories first please wait for the microphone because we are doing a live stream second if you're comfortable please do identify yourself and your affiliation and third mandatory please ask a question okay we're just let Jason go first so Jason from great you mentioned that it's very unlikely that congress will disapprove of these executive agreements that are presented by the executive branch under the cloud act and I think you're you're right about that but that doesn't mean congress doesn't have a role to play and in fact we have an event later this afternoon called forecasting the cloud act I want to give a quick pitch so that event will be happening in the Russell senate office building in room 188 at 2 p.m. and we'll have a very distinguished panel of folks talking about foreign perspectives on the cloud act from a variety of different countries and constituencies because congress can in addition to the remote possibility of disproving can't hold hearings can actually the ranking and the majority leaders of the relevant committees that are referenced in the acts can can request information from the administration to sort of support and substantiate the certification that's made so there is a role that congress can and I think should play so we'll be talking about that later this afternoon my question in order to meet Sharon's rule is about the manifestly abusive standard in the evidence rule so Greg you talked about how you know the review of an order that a company might decide is something's not right with this order and they want to challenge it there's very little information that's provided in the four quarters of the order that's required that could presumably be more information but but then on top of that the standard that's set for a court to be able to invalidate the order to side with the company is that it actually has to be manifestly abusive of a fundamental right under the European Charter for human rights and I don't know what that means and I'm hoping maybe somebody on this panel has a better sense of kind of what kind of thing would rise to that manifestly abusive standard what sort of scenarios would we be looking at where a company could successfully a challenge in order and meet that criteria I think that's just a great question and I don't know enough about European law to say this is a scenario where it's manifestly abusive and this is one where it's not it it does make sense to me though to have a rule that says you can't comply if compliance would violate a person's Charter rights I don't understand why a standard would be any different why raise it above that level it just seems very fundamental to me until we have adequate fourth amendment privacy protections for citizens and residents of this country I can't see how we can in any way extend meaningful protections anywhere else in the world right now consumers have no protections of the personal data broadcast over the internet without their authorization data they have never posted or published so there seems to be a contradiction in this discussion in terms of rights privileges and protections when there really aren't protections right now for users of the internet in this country their age can be posted without authorization leading to age discrimination and job seeking and that is actually quite prevalent right now there are 20 years of their history where they've lived what they've done in the past 20 years broadcast without any authorization and so my question is how can you first implement a do not post and do not publish list to protect users who have no protections right now their personal data before extending and even discussing privacy protections so so I mean I think your your question raises a key kind of issue in us law and and the divergence of the way we think about we deal with data under us law so us and and this is one of the reasons why I think there was there has been a lot of resistance the cloud act amongst privacy act advocates is that us law is robust relatively robustly privacy protective for law enforcement access to data compared to most other countries in the world which is why there's been such a desire to require requests to go through the US process because they're more protective than other places most other places us law has done a very poor job in terms of consumer privacy relative to other places in particular relative to the EU and so right now what we've been talking about here is law enforcement access and there is another very important conversation that should be happening and that is happening to some extent about consumer privacy but we've we've kind of dealt with them very differently under us law and this conversation reflects that as well it's a very it's a very important question because the information that companies have obviously have a huge impact on what law enforcement can get access to and governments can't get access to more broadly but at least in this particular conversation we have separated them right near you thanks marine back from inside cyber security the question is actually my question is actually in terms of the intersection between privacy and security as well there is an act the international crime prevention act that some have promoted as a way to increase data security from hackers and this is supported by senators like Lindsey Graham and the FBI but I know that there are some concerns that giving the FBI permission to take down botnets dismantle botnets that can be used in cyber attacks is there are some concerns that that might lead to the dismantling of or the removal of legitimate content so can you address that I think that may come up more in the second panel but I'll let our panels yeah I think that may be relevant to our next panel I'm gonna say it's a little outside the scope of this discussion I hope you can stay for that one and ask those panelists but there's anyone I could give a little quick all right we're gonna punch that much on our next panel sorry okay actually why don't we we go there first and you're on that side of the room and then we'll come over here hi Drew Mitnick with access now thanks so much for for the session so you talked a lot about the uk the potential uk agreement in particular because that is seemingly the first one that's going to come up just last week the european court of human rights ruled that in part that elements of uk surveillance law was unlawful and there are further cases that would challenge the newer snoopers snoopers charter elements of the snooper charter as well so my question is to what extent do you think the department of justice and the other agencies involved in this process should be looking at things like the european courts rulings and how do you think that will kind of impact the process in general thanks my my frank guess is that they will consider it very superficially and that they will mostly look to what the cloud act requires as opposed to what the european courts are finding that's my supposition the that court decision which found a number of defects in uk law follows a number of other court decisions that have found other problems in uk law i think the cloud act process gives the department of justice some leeway to address those problems i'm not confident that it will i mean my i mean my read of this is is slightly different than i mean i do think that the u.s government is quite aware of the european court jurisdiction and takes it quite seriously my understanding of of the the ruling is that it does it's focused mostly on bulk surveillance and which is not authorized by the cloud act so it's the i think doj would appropriately say that the particular issues that were addressed by this ruling do not impinge on the ability to go forward with the cloud act agreements but if my view is that if there were a ruling that's directly impinged on something that the u.s were negotiating with the uk my guess is that the u.s government would take that very seriously as would the uk government i was recognizing thank you jody ginsburg from index on censorship since we've mentioned the uk quite a lot i have a couple of questions which relate to the bill that's currently going through uk parliament which will effectively allow this agreement to happen which is the overseas production orders bill and i have a couple of questions that relate to some of the things greg talked about the first is about transparency so in the overseas production orders bill there's a non-disclosure element to it in which that could be read to mean that the recipient of the order on the other side is not allowed to disclose it to anyone and i wondered how far that's compatible with the cloud act and whether any agreement that is made will need to explicitly allow for the recipient at least to disclose to outside council or to the doj that they've received the order because i think there's a concern that they wouldn't be able to tell anybody at all so that's the first question and the second question is relates to serious crimes which we've talked about the cloud act referring to in the uk bill it actually talks about indictable offenses which is a fairly broad swathe of offenses which include things like malicious communications as greg mentioned which includes this provision for gross offense that's an indictable offense in the uk so i wondered how far any bilateral agreement will need to quite tightly specify elements within the requesting jurisdictions legislation that fall outside scope and because it feels to me that serious crime is far too broad for it to be usually applicable and i may end up to as we've already heard with these kind of deluge of requests that don't allow it to really be focused down onto the most egregious crimes that i imagine it's intended to deal with so i would first thank you for the question the breadth of the overseas i'm gonna call it the overseas crime bill the breadth of it is as you said it's not limited to serious crimes the demands that can be made under the cloud act are limited to serious crimes in the uk has a definition of serious crimes i believe it requires that for the first offense the maximum penalty must be at least three years in prison or more that's pretty serious so i would suspect that if demands were made that were not on serious crimes that they would be turned down and that the agreement is going to have to clarify exactly what a serious crime is there's ways to do it by specifying statutes and there's ways to do it by specifying types of conduct and there's ways to do it by specifying a period of imprisonment we don't know how they will define serious crimes it's always been an open question and your your other question was non-disclosure that's another issue left unaddressed in the cloud act we have asked doj to ensure that providers retain the ability first to report on the number of demands made it's not even clear under that provision that you cited that a provider would be allowed to do that those are reported today it's just that they're reported in the us numbers when a foreign government makes a demand for content it goes through the us process and the number is reported as a us number even though it's a responsive to an m-lat demand and when it comes to the providers being able to give notice cloud act is silent it's something doj could negotiate in the agreement and when it comes to the government giving notice the cloud act is silent and it's also something that could be negotiated in the agreement I think right next to the question right I wanted to raise a question from just completely different dimension which is the possible constitutional validity of the cloud act because the fourth amendment and the counterpart to fourth amendment in other countries the constitution usually says certain seizure has to be done according to warrants Korean constitution for instance says warrants issued by judges now judges they're naturally mean judges of the country that the constitution is written for the fourth amendment is silent who is going to issuance but natural interpretation is that it has to be the some officers who have constitutional duty to careful the privacy of the people being searched and seized what the cloud act does is forcing the forcing open the private you know private data of the people according to warrants issued by judges of another country depending on just you know original list or some original intent construction of the US constitution I think there is a viable constitutional challenge to be made to the I don't know whether there's a constitutional scholar in this room so is that your question look about the constitution that's one question the second question is about the text the text of the cloud act this question goes to you Jennifer you you broke down the cloud act into two parts the first part applying to US based companies and the second part about you know US companies accessing and foreign companies accessing domestic data I was just wondering I didn't read the cloud act myself but I was just wondering whether the first part US based company having to turn over the data that they control residing overseas whether that is really a separate part or just the natural application of the second more fundamental part because if it's the first part if the first part is a separate from the second part that's a whole new law that's whole new procedure that requires for instance you know definition or struggle over what is a US based company you know if there is a if there is a German chat app that's widely popular within the US is that a US based company I mean what does it mean US based is it the location of the server it cannot be the location of the server because the the idea is to locate the overseas server or controlled by US controlled by a domestic based company right what's a US based company okay I think we need to move on to an answer that's the question thank you so so I'll start with a second question then I'll move to your first one so I was using that for so first the two parts of the cloud act are very distinct they could have been two separate laws they're not interconnected they don't need to be interconnected as for the first part I was using that term US based kind of as a shorthand for for when the government serves a warrant or another form of court order which they can only do to on a company for whom there's jurisdiction to do that meaning they have to have some presence in the United States for the warrant or the court order to be served it doesn't change anything about underlying fundamental US law about when those orders can be served it just says when they're served the responsive company has to turn over all data within its custody or control regardless of its location so it doesn't change any of the underlying jurisdictional rules that apply as to your first question I'm not so convinced that there's a legitimate constitutional challenge because the fourth amendment is a constraint on the US government it it it precludes the US government from engaging in unreasonable searches and seizures and it says nothing about what other governments can do so there's no fourth amendment right visa v any other foreign government so the US government whenever it acts has to act consistent with the fourth amendment but there's no obligation that any other government has to act and it doesn't provide rights visa v other governments as much as many of us would like that to be the case I'm sorry we do need to wrap this up thank you maybe our panelists will be around if there's further opportunity and I did get the wrap-up signal while this was going on I just want to ask our panels if they have you know like 30 seconds you want to share on anything else if you've had an opportunity to say everything you needed to say I would just say we're in a situation where we have a big problem we're trying to solve it so far the solutions are not in our view meeting international human rights standards there are still opportunities for advocacy I think I've said most of the things I would like to say it will be very interesting to see where the evidence regulation actually lands and we'll watch that closely I mean I would just add on that I mean this is a dynamic an exciting sort of issues and they're going to be with us for some time and we're at the moment where the solutions and the framework is just being developed so engagement is really exciting and important okay if you would join me in thanking our panelists okay I think we have a short break on the schedule now before and there's coffee and pastries in the back and then we'll start up with the second panel thank you oh how interesting yeah I'm gonna try this one more time I think we're about to get started in just a minute or two so if folks could wrap up their conversations and take their seats our second panel will get underway thank you hi everyone we're just about to get started for our second panel so if everybody could go ahead and take their seats we'll get started in just a minute all right good morning everybody if you could start to take your seats we'll get started with the second panel of the learning forum on how jurisdiction affects human rights online my name is Arturo Carrillo I'm a professor at GW law school where I direct the International Human Rights Clinic and go and co-direct the global internet freedom project as you know this panel is on global takedown orders global takedown orders are decisions by national authorities directed at internet platforms often social media based requiring the companies that operate those platforms to remove content or access to content deemed illegal in the country's jurisdiction and often such that that content is no longer reachable from that country or other jurisdictions other countries territory as well as I'm sure you're all aware online hate speech intellectual property rights and protected personal data have all recently been the subject of global takedown orders the issue that we'll be focusing on today is the extent to which those decisions those takedown orders by national authorities can and should affect the application of the laws and rights of persons in other countries separate from the one from the country ordering the takedown so the debate currently rages and tends to break down into two camps the territorialist camp and the universalist camp so let me give you an example when Austria and Austrian court recently ordered Facebook to take down a majority of comments against an Austrian politician as hate speech they ordered Facebook to do that not just so that that content couldn't be reached in Austria but also would not be accessible from any other jurisdiction in the world hence global takedown order that's a universalist approach critics have said that goes too far Austria should restrict the order to its own territory access from Austria or at best perhaps you're you know you're up right European Union for example so that would be the territorial approach to better understand how this issue and this debate can be addressed by our panelists today I think it helps to frame the discussion by briefly looking at how jurisdiction works in international law after all jurisdiction is in the title of the forum so might be worth taking a look at what it means so jurisdiction in international law describes the lawful power of states in two key respects first it refers to the power of states to define and prescribe the rights and duties of natural and juridical persons and thus control their conduct right and so in this sense it's the legislative power the power to prescribe norms and we'll call it therefore the prescriptive jurisdiction power the second dimension of jurisdiction of interest to us is the power of states to enforce the exercise of that prescriptive jurisdiction power right that's the enforcement jurisdiction power so most of our discussion this morning and on this panel will refer to jurisdiction as the power of courts and other national authorities to enforce domestic norms legitimately enacted but which are interpreted in such a way and applied in such a way as to have extraterrestrial effect that conflicts with the laws of other states or affects the rights of people in other states and by states I mean countries right capital S that's the international law parlance and my apologies in advance to non-lawyers so why does this distinction between prescriptive and enforcement jurisdiction matter it matters because while there are criteria in place to help determine when the exercise of prescriptive jurisdiction is justified or not no similar standards yet exist to determine or help evaluate when an exercise of enforcement tradition jurisdiction power that is extraterritorial in effect is justified or not that's why we are where we are today so let me just say that when you have prescriptive power exercised by a state international law requires that the state have some nexus to the object regulated right and so that means that usually there's some territorial connection the effects of the conduct abroad being regulated can be felt in the territory of the regulating state or the you know legislation enacted affects nationals of that state abroad or in some way so you know that's the effects doctrine or the nationality principle without such a nexus or connection the exercise of prescriptive jurisdiction by a state is presumptively unlawful right in contrast the enforcement jurisdiction with extraterritorial extraterritorial effects like that that we've seen in the cases that we'll be looking at this morning are not yet subject to a similar framework and that raises the question of well what rules or criteria should we be talking about when we address the enforcement jurisdiction power so with that preface i'd like to turn now to the panel and have them each address from their particular perspective the issue before us today i'm going to start with professor anupam chander professor of law at georgetown law center where he serves as the faculty advisor to georgetown's institute for technology law and policy anupam tell us a bit about the legal landscape that you see in this respect and with global takedown orders and your thoughts on on that issue great so let me begin by describing three cases which may be less familiar to you and then end with a case that i think will be familiar to you but try to say something new about that case so three cases so begin with google's implementation of the right to be forgotten in europe this is the case that's currently being heard at the at the european court of justice involving a french administrative body that directs google to apply uh to to apply the right to be forgotten implementations across the world so google first sought to say if you are trying to reach this information from within a domain a country level domain that is european including not just e u states but also european free trade association states all those domains would would not have this information processed through the search engine okay but the french tribunal the french administrative agency was dissatisfied with the result it said you can reach this information through google.com etc from france and google suggested perhaps just geoblocking this information so that you wouldn't be able to access it from within the within europe overall the french authority was still dissatisfied and demanded global implementation of this this is an issue now before the the court of justice of the european union which just heard this argument this last week the european commission interestingly in this case has sided with google against the french authorities saying essentially no this private the data protection law which is how which is the basis for the data sorry the right to be forgotten does not apply globally in this way and so in that case we'll we'll now have a judgment from the european union's highest court as to whether or not this right to be forgotten must be instituted globally now the scary part of this essentially is the possibility that a european judgment would lead to what people have described as a memory hole the erasure of information across the world right so a real content a deletion request a second case that involves now coming again to another european jurisdiction involves austria austria has has ruled that a particular facebook page criticizing a green politician the leader of the green party at the time was actually consistent hate speech now the actual words used at least in translation don't don't strike i think wouldn't strike most americans hate speech was words like traitor uh things like that that did not seem uh would not be what americans would even if we were to uh to have a kind of uh you know ban hate speech it's not clear that they would be banned but the but the austrian order said that this was hate speech and this information had to be removed across the world again a global content takedown order this issue has been uh certified to the again to the european court of justice uh and so we'll see what the what the european ruling is on this on this question a third issue arises out of canada this is an ongoing kind of series of cases where there are there are decisions available um and this went up to the canadian court of justice i'm sorry the canadian canadian supreme court uh where the canadian supreme court was asked this uh whether or not an order requiring the delisting uh of of uh of uh particular uh a company called data link from google search engines had to be applied globally and the your the canadian court of the canadian supreme court said yes it had to be removed globally and so and this was based upon a trade secret claim now the odd thing about the trade secret claim was that it was never ruled on on the merits the the particular uh a person who was accused of violating the trade secrets of a canadian company uh fled canada uh and is perhaps we don't know exactly where he is but he's uh kind of uh interesting character um and uh and so so we don't know what exactly the real problem was in intellectual property law that is we haven't really had a resolution of the trade secret claim on its merits but the canadian's court is still insisting um essentially through a default judgment uh that this be applied across the world that is wherever he goes he cannot be listing this uh this uh information for sale of his router products which the canadian company claims violate their trade secrets and so the canadian court ruled this uh google turned around and sued in the united states and wins a judgment from the united states uh district court saying essentially that such the the effort to enforce such a ruling would be in violation of section 230 of the communications dc act in the united states that the united states uh law would prevent the this kind of claim from going forward um so so there's likelihood that it's kind of um you know protected at least from any effort to enforce this within us jurisdiction at least of the district court opinion holds this will all remind that last case will especially remind you of the uh famous case in this area which is the yahoo case uh stemming out of the early 2000s so in uh the french courts as you as you know in this case had ruled that yahoo had to ban uh uh nazi materials from reaching french citizens the interesting thing about the case was that the french judge in the case judge gomez said that yahoo uh was under a moral imperative to remove this globally okay he uses this language but he says it's not under a legal imperative to remove this globally um and he based this decision first on a panel that he assembled the of three uh experts a french expert a british expert and the american internet pioneer often called one of the fathers of internet vint surf uh and so this panel uh was tasked with a question can yahoo stop this information from accessing uh from reaching french shores okay can it geoblock can it geolocate where a user is the the panel interestingly said well basically 70 to 90 percent of the time yes it can do so effectively and that was enough for the french tribunal the uh for the french judge to rule that yahoo had this obligation to stop this information from reaching french shores so it's a really interesting contrast to the kanil decision uh essentially which says this had to be applied globally uh the french judge in that case said there was a moral imperative to apply globally but we're gonna let you wallow in your own uh you know stuff wherever you are outside uh france and we only hope to protect french people from this material so that's the kind of interesting set of cases i think that uh that have teed up this issue quite you know and we'll see significant movement on this um the the canadian court case is back before the canadian courts google has reopened the case uh in in canada now with this american ruling in hand um and of course we've seen that the there are efforts to hear from the european court of justice on this question thank you and i'm sure we'll come back and we'll be talking more about the case as we go forward uh now we want to hear from mark mccarthy senior vice president for public policy at the software and information industry association where he advises member companies and directs public policy initiatives and technology policy data privacy trade internet internet governance intellectual property and others uh so mark talk talk to us about the perspective of companies uh from a policy and strategic point of view uh when dealing with global takedown uh orders so so thanks very much um the the the big picture uh point to take away from uh from the discussion that anabam launched it is that the companies don't want to be here i mean it's not as though they're wandering around the world saying let's see if i can generate an interesting conflict of law situation uh they they really are in an uncomfortable spot and and of course as anabam mentioned this is not a new issue for them it goes back 20 years it's reached a kind of flashpoint for a number of reasons i'll get to uh but it's not a new set of issues so what i want to focus on is two things one is that the legal situation and i don't want to descend to the level of of legal principles but i do want to talk a little bit about the the the moral or policy principles that should should be guiding this because i think that's where the the real issues arise it's not a matter of just finding the right legal precedent and you know finding a narrow legal way of approaching these issues they really do affect uh the the global nature of the internet and what we want this beast to become uh and beyond that though i want to talk a little bit about what companies are doing on their own uh because uh over the last 20 years they've moved beyond just trying to comply with law uh and they've developed their own set of standards and principles and processes for keeping their systems free of what they view as um un un un helpful harmful whatever content so um let's start um on the legal stuff the principle cannot be that whenever one country says something is illegal it has to vanish from the internet everywhere it simply can't be the right principle because there are too many countries with laws that would make the flow of speech much much too narrow so that can't be the right the right principle so at at least part of the universalist principle has got to be wrong on the other hand you do have to obey local law i mean companies are not outlaws they're not wandering around the world saying i'll obey this law but not that one and this one but not that one they have to be good citizens in the countries where they do business and that means obeying local law so what happens when a country says uh take it down globally well the the answer is going to be that you'll take it down globally i mean you're not going to say to the government of france or the entire european union i don't care what your law is right i'm just going to do what i think is right so the question is what's the right answer how should we get to an answer that makes sense for everybody and i think the balance that we should be looking for is something like global norms and consistent law when when when there is a kind of consensus about a particular topic and laws are roughly consistent then global take down does does make sense um and we've seen that in some cases the example that everyone uses is child pornography no one is saying well that's just a local law i'll keep it up everywhere where i can find a jurisdiction where they haven't passed a child pornography law yet those kind of take downs are the kind of things that companies view as as as global in character now now where do you find the balance in particular cases is really hard and and that that's why i think this is not going to be an easy issue and one where you can't just rely on some legal precedent that you find in in casebooks uh right to be forgotten that on my judgment that clearly falls on the wrong side of the line that there is not a global consensus in that area the laws in europe are are not part of a normative consensus that we all share and so the kinds of stuff that's taken down right now under the european laws is not the kind of stuff that would be generally taken down in other jurisdictions um google and microsoft have been very active this is not as though there are 10 cases that we have to think about uh some of the numbers are really pretty astonishing uh since the right to be forgotten was put in place there have been 725 000 takedown requests to google um that covered almost 3 million url's and and google has has come to a judgment balancing the claims of privacy against the the public interest in having the information flow and about 45 percent of those cases they've taken down uh the site microsoft is in a similar situation they've got far fewer uh requests but their takedown rate is about 50 50 uh so this this is this is a an effort that's really imposing a lot of burden and a lot of costs on on on companies and they're stepping up to the plate to do it uh you make that an international norm and i think you're going one step too far uh it is worth noticing though that that there are costs for just local takedowns um people when they want to preserve their privacy they don't want to preserve their privacy just among their friends and neighbors in their own local jurisdiction they want to protect it globally the turks are not interested in just saying well i'll make sure that people don't denigrate Turkishness within my own borders they want to be that to be something that applies around the entire world so there are costs of uh saying we're only going to do this locally uh and companies have to be aware of those of those costs sometimes you can be in a situation where you can you can arrange your system so as to match local norms where countries don't really care about the global stuff uh so for example on internet gambling uh the u.s actually cares about that but we don't really care whether a british citizen goes to Antigua to engage in internet gambling right it's not something that we care about we have an interest in defending our judgment that our citizens shouldn't be engaging in that so it turns out you can arrange credit card systems to observe that kind of distinction right where it doesn't really make a difference to other countries what happens locally you can arrange systems to make that happen that's kind of an exception the internet generally doesn't allow that kind of breaking up into little parts uh the second point i want to get to is um what a company is doing on their own uh where it's not a matter of law and and companies got backed into this i would say step by step by step uh the card companies initially said we're not doing anything but what's required of of us by law and slowly but surely they moved into a much more expansive program all companies that operate on the internet now have their own terms and conditions their own norms their own processes and their own standards and because they've taken that step they're exposed to pressure from from from governments to move ahead and say i know it's not illegal in my country for this to be banned from your system but we don't want it there anyhow take it down it's not really illegal hate speech but we don't want it up please take it down and under your own standards you should be taking steps to remove it that kind of pressure counts as government action we saw it many many years ago when wiki leaks was involved in in some release of material that was viewed as security risk by many u.s government officials and one after the other the intermediaries began to deny service to wiki leaks it started with the hosting services and finished with the payment services none of that was illegal nothing that that wiki leaks had done was illegal but yet the companies were pressured by by governments to take action against them that's something we're seeing more and more and more of and it's something that the companies have to be careful about and be alert to how can they protect themselves the best answer is transparency they need to be open about what they do what their processes are what their standards are that's not easy because this is an evolving area and a standard that you thought was pretty good yesterday is going to turn out to have lots of holes in it today but that kind of evolution has to be done in public in many ways the companies are growing up their adolescents who are learning to be adults and they're doing in front of everybody it's a worldwide process to see them become mature adults it's not entirely easy it's not successful some of its a bit embarrassing but it's the kind of process that has to be done in public it can't be done behind closed doors and there has to be some process for redress I mean mistakes are going to be made you know if you are engaged in the kind of content moderation that these companies are engaged in with the extent of users that they're involved in if you don't make a mistake you're doing something wrong and so you have to be in a situation where you can correct those mistakes and you have to have a process for doing that and that applies both to the legal takedowns and the ones that are done by internal processes and procedures so let me stop there I'm sure there's a lot to be talking about and thank you very much for having me at this very very interesting panel well thank you Mark that was very very insightful and I think there are a number of juicy elements to come back to but we're going to move on now to Emma Lanso director at the Center for Democracy and Technology of the Free Expression Project where she works to promote law and policy that supports users freedom of expression in the United States and abroad Emma's an expert on the human rights implications of many things but in this case global takedown orders and so tell us how you see that playing out and and to the extent you know government views come into play as well it'd be great to hear that thank you so much for having me on the panel today and for everyone for coming out I think there's already been a lot of really great ideas that Anupama and Mark have brought up and I'm really glad that you mentioned the Yahoo versus Likra case from way back in the early odds because I think I feel like a lot of the conversations we're having right now around what to do about content removal and conflict of laws and jurisdiction these are sort of the next phase of conversations that we've been having pretty much since the internet became massively available the internet as a communications medium has technical characteristics that means it inherently challenges government's ability to enforce lawful or unlawful restrictions on speech within their borders that's that's we've known that since the the very beginning it has you know low barriers to entry it has no gatekeepers sort of it has you know it's borderless it's global sort of and there are just some some of these fundamental characteristics that persist even as more people come online the internet plays a much bigger role in people's daily lives so we're sort of having all over again some conversations that have been going on for for quite some time but I think to me one of the big themes of today is that while the internet certainly challenges government's ability to restrict speech governments are pushing back hard through law through policy they're not going quietly into the good night and saying well you know yes government sovereignty over content regulation in countries was completely obviated by the internet no they are really trying to find lots of different ways to continue to enforce their law and you know and not always for you know censorious you know authoritarian reasons the a lot of these cases that we've been talking about today are about you know governments judges trying to take seriously how to balance privacy rights dignity rights intellectual property rights with all of the other questions and considerations that these cases bring up so I think one of the other big dynamics that we're seeing today is that you know all of the cases that we mentioned this morning these are not authoritarian regimes you know these are western democracies and these questions are playing out just as much in France and Canada and the US as they are in Turkey or China to me one of the big sort of motivating questions that helps us understand what's going on in these cases but also in the kind of the broader policy discussion is this question of efficacy and like what is an effective remedy when part of the problem is that certain content is available online we sort of in some ways can have the worst of both worlds with online content it is you know there there are lots of efforts by governments around the world to clamp down on access to content and some of those efforts can be very effective at substantially burdening people's access to information and ability to find platforms for their speech but it's really hard to be perfectly effective at clamping down on speech online so if the threat of a particular say news story or defamatory post is that it persists in availability and damages someone's reputation it is really hard to actually affect a perfectly complete remedy to that situation as you know as Mark mentioned and as Anupama mentioned geo blocking has been sort of the best answer that a lot of the big platforms have been able to to come to with how to try to balance this conflict of laws you know questions of jurisdiction and the fact that they run worldwide platforms but of course that is also not perfectly effective often uses IP addresses as proxies for geographic location there's some other methods that you can use that also start raising privacy concerns but these methods also can be circumvented by at least some of the people within a country so again we're really not talking about kind of a complete remedy and crucially the geo blocking strategy does not and very intentionally does not affect availability of that material outside of the country as Mark was saying you know if your goal is to make sure that no one defames the king or that no one sees this information about someone's you know juvenile arrest record and decides not to hire them for a job because of it having a a geo located remedy will not feel complete where I see this really raising concern in policy debates is that on the wind hand you have some governments moving either further down the stack you know away from saying content hosts or search engines you must control access to this information and going levels deeper to say ISPs you must control this access to information you must filter out every example of this post or this article or this video from anyone in the country accessing it or the sort of the most extreme solution network shutdowns saying that you know because this website remains available in this country uh or because this website won't take down this material um it cannot be accessed at all from within a country or region within a country those are obviously really extreme solutions I think it's hard to argue that they are ever kind of proportionate in international human rights considerations that having a kind of a total shutdown of a network total blocking of a website is a tailored and proportionate response but it is sort of one of the natural progressions of thought if you're if you're going to hold to this question of effective remedy needs to be 100% blocking so I was really interested to hear that in the the yahoo liquor case that the the expert panel had sort of concluded that around 70 to 90% of 70 to 90% efficacy in limiting access to Nazi memorabilia sales in in France I think we will need to be having conversations going forward about like what's the right ballpark of efficacy 100% is technically impossible unless you take some really extreme measures and even then probably not you're probably still not going to 100% prevent every person in a country from accessing some information on the other hand we also start seeing ideas kind of persisting or inspired by this kind of improvements on efficacy idea coming up for example in legislation that the European Commission has just proposed on restricting access to terrorist content this draft legislation was just proposed by the European Commission last week it builds on several years of kind of talking about a lot of these issues through different policy processes and recommendations but they look at questions of notice and stay down as we've called it with the idea that if a platform has been told this content is illegal terrorist content or it also comes up sometimes in copyright infringement cases that you must ensure not only to take it down from this particular URL but that it can never appear again on your platform that's another one of these efforts that I see really in this efficacy bucket of it's not enough to do removal of specific posts it's a more sort of holistic and comprehensive look at keeping information off of platforms again what it doesn't do is really fully account for the fact that the same post in different contexts can be lawful or unlawful so that's another kind of issue that maybe we can dig into a little bit and then just to echo Mark's points about platforms terms of service if there's one set of rules that at least today the platforms do apply globally across their services it is their own content policies and again governments are not just sitting quietly and observing that they are making use of that they are using this best tool terms of service enforcement as a way to pursue their own desires to see content removed globally again in this European Commission legislative proposal on terrorist content there are provisions they are suggesting a legal requirement that every platform have a policy against terrorist content now I think today the vast majority of them do but this would be a legal requirement that every platform have some policy they haven't quite yet dictated what that policy should be but I don't know that that that will remain true forever and also to have programs in place where platforms can receive notifications from law enforcement that content likely violates the platform's terms of service and so should come down globally so you know it's a there's a lot more to it we can get into it but but as far as using all of the potential tools in the toolbox for how to affect will will take down of content I would say it seems to be something that every government is looking at today and they are really quite creative thank you Emma and to round out the panel we're going to hear from Jessica Deere co-founder of the Beirut based digital rights research training and advocacy organization SMECS and director of the recently launched a serilla collaborative a global initiative that maps and analyzes the emergence and evolution of legal frameworks in a digital environment uh so just Jessica the cases we've been talking about in the issues we've been talking about seem are largely situated in the north the global north and western developed countries you do a lot of work in the global south and the MENA region what does this look like what does this problem look like from that perspective how is it affecting people there if directly or indirectly would be really helpful to hear great thank you thank you for having me and thanks for all your interest so as I was preparing for this panel and sort of reading up on the decisions and some of the the issues at play I kept sort of struggling with the idea of how does this really apply to us in the global south beyond the idea that that governments can see the decisions that are taking place in the right to be forgotten cases and in the austria case which is particularly troubling to me as sort of precedents that they might want to copy paste from that's very clear and and of concern but I wanted to try and dig a little bit deeper and sort of the way that I think about it from so I'm I'm from the United States but I've lived in Lebanon for the past 12 years and and run an organization there and network with a lot of global south organizations and if you're in the global south or if you're in if you're not based in the home country of a global internet company or you're not in a country with a democratic like a strong democratic tradition or rule of law extraterritoriality of jurisdiction is the norm it is not the exception and and I think it's really worth sort of reframing the discussion because we're talking a lot about european courts north american courts and european and and north american companies and so um you know from the beginning of the internet from beginning of especially the commercial internet uh the terms of service and the policies of these companies that have these giants that have come from the united states sort of are sort of de facto imposing the the law of of the united states I think in the previous panel we were discussing about the cloud act whether or not free expression meet references the first amendment or does it reference some other global norm well um one of the the sort of reasons I did it was interesting to see the sort of articulated by paul berman where he sort of says it's easy to see the extraterritoriality charge runs in both directions and I don't think we talk about that enough he says if frayner spans if if france or spain excuse me is not able to block the access of its citizens to prescribe material then the united states will effectively be imposing first amendment norms on the entire world well that's what's been happening so you can hardly blame and and that may be a good thing I mean I personally you know like the first amendment um but you kind of can't blame in the sort of territorial world of sovereignty and such that the other countries kind of want to push back on that not to say that that's what they should do but then you look at it I think as as um one of the questioners asked in the other panel you look at it from a data protection perspective and that's also been imposed in some ways where the data of people worldwide is being exposed and used in ways that does not also um correspond with different legal regimes so I think it's worth remembering for our conversation today that that this sort of extraterritoriality which I referenced in my notes as E.J. of jurisdiction so I might say that again here isn't decided only legally or in court cases but it's also you know again to reference American history sort of this kind of manifest destiny on the internet which which um which is kind of you know so it's not just law it's also sort of acts so I have a few examples of this specifically um vis-a-vis the Middle East which is you know my region of operations or um and and recent events which is um so the GDPR the passage of the GDPR which we all know you know it's a European law but it's application to uh companies targeting people in the EU uh or yeah it is sort of global so laws uh when when lawmakers are making laws in other regions they often don't have the kinds of debates or public input or even the resources to develop legislation from a much more sort of um thorough perspective so you end up seeing a lot of law that sort of templated in one country and passed on to other countries good law and bad law GDPR is like that um GDPR in the Middle East despite its its relevance there isn't really being paid much attention to we'll wait to see what happens and what kinds of cases might surface there um uh I think another good example is um last year when Google sort of as a part of this anti-terror agenda that has been sweeping the world for the past few years um sort of led to the implementation of testing or implementing algorithms that resulted in the removal of thousands of videos um from the Syrian archive of of atrocities in Syria which will um undoubtedly have a negative effect on human rights documentation this you know perhaps it's not decided in a court but it is a part of sort of the soft law that's emerging around the world and it's being applied in ways that do have an extraterrestrial territorial effect um a third example and I think this is sort of a more historical sort of a long-term example is a proliferation of copyright law and the DMCA and how copyright law as a result of advocacy by motion picture association and others over the last 20 25 years or whatever has been sort of really locked down globally um in in ways that don't necessarily benefit a lot of the countries in which it's the copyright law now exists um you know there's a lot of problems with access to knowledge um especially in developing countries or in the global south um and you know the internet's not the only place where this happens um as a US citizen living abroad there's something called fat co which people may or may not know about which requires me every year to list all of my bank accounts um in Lebanon and their value so it's not just a problem of of um for the US government it's not just a problem of the internet but anyway the point is just that like you know there are power dynamics between legal systems too and legal systems in the global south do not have as much power as those in the global north and um what we might see as a as a I mean it's a very interesting question it's a challenging question this idea of of extraterritorial jurisdiction in the way that we're talking about today it may not be as relevant so I mean it's relevant but it it's not necessarily the top of mind it's been going on for a long time and exercise in different ways so still as we said the cases are important to civil society and global south because they do set precedents that allow states both to reinforce the restrictive legislation and to extend its reach so you know the point that I think Daphne Keller made in her op ed last week is if Canada or Austria can do it why can't Saudi Arabia or Turkey and I think we all agree that we don't necessarily want to have an internet where you can't find out about the Armenian genocide or out of Turk because it's discomforting to Turkey and you certainly don't want to you know impose blasphemy laws and and things like that so the third point and I'll just try and just to wrap this part of sort of what I want to say is that um there's another aspect of extraterritorial jurisdiction that we're dealing with in the Middle East which is more on a regional level so we're talking about global takedowns right now but on a regional level in this block of Arab countries we're seeing corporations like Microsoft with Bing or Apple this year with iTunes interpreting laws in one country like the Emirates or sort of the standards in Saudi Arabia and applying them to the whole region so for up until last year Bing search engine was sort of calibrated for certain I think like you know word blocking filtering that that was relevant to Saudi Arabia but not at all relevant to Lebanon you know like you couldn't search for breasts maybe or you know these anything that maybe was sexually suggestive and this year at iTunes Middle East platform refused to upload five songs from the album of a I think it's a Lebanese band because it deemed them quote inappropriate for the Arab world and these songs funnily enough we're actually mocking religious fundamentalism so if if the Emirates are actually really part of our anti-terror agenda well wouldn't you expect this content to be allowed well it's not that the Emirates said that you can't upload this content but that's probably what one of the laws said and Apple's aggregator that they worked with interpreted that law and then applied it to the whole region because of the way the stores are set up we did a petition as smacks and petition Apple along with the band to get the songs uploaded onto the platform they complied but they did it very quietly and and they apologized to the band and they said oh we'll just use a different aggregator so this is happening you know under sort of very quietly and without a lot of transparency besides you know what we write about so I think I think we ought to include in this discussion not just certainly not just the global north sort of perspective on extraterrestrial jurisdiction realize that it's been the norm for for people in other countries since the beginning of the internet but also look at it in in sort of these more regional or kind of block ways we look at what the block the the block at the ITU is trying to do in terms of effecting internet policy and and it doesn't have to just be regional blocks it can also be ideological blocks or you know groups of islamic countries or things like that so we ought to sort of expand how we're framing the discussion to include the whole world thank you Jessica for broadening that perspective for us and I think we can all appreciate the the implications that the issue of global takedown orders or even just the way that companies have to deal with the effects of their managing these platforms as Jessica described so I think there are a couple of aspects I want to highlight before asking a question or a couple of questions of the panel and then we'll open it up to to the group one is the the fact that certainly in the global takedown order situation and to some extent where you don't have that yet the companies are acting as third-party private enforcers of the national authorities decision to restrict content in their jurisdiction and in other countries and that sets up a unique kind of dynamic that isn't reproduced when these authorities are enforcing their law in their own territory and maybe we could say a bit more about what that means for for companies and I know Mark was talking about that you know secondly this this notion that others have talked about of digital imperialism when courts do impose their view through a global takedown order it essentially forces other jurisdictions if they're going to comply to to adopt that particular legal framework which if they have conflicting laws they can't right and that that happened with the candidate case where the US said this this decision by the Supreme Court of Canada goes against our you know Communications ECC Act Section 230 and First Amendment 2 I think right in any case it was definitely not consonant with the US law and and the court expressed it as such so from that perspective the digital imperialism piece is is worrisome and then Jessica's point about countries in the global south seeing what's going on and how courts can can essentially seek to impose their own interpretations of norms outside their borders may see that may take that as an example to follow in in noxious ways. Saudi Baselby laws is an example commonly cited what if those were imposed right through platforms online on the rest of the world that would be obviously untenable so there's a great deal at stake and I want to pose a question first to the to the whole panel but particularly the lawyers Anupam you talked about the yahoo case that wasn't the early odds right so you know in in internet years that's like a thousand years since that case happened right so when the judge there said that there were no legal imperatives one wonders is that still true and in particular you know international human rights now has come to bear much more on the digital arena than than even early on and we heard Emma talk about responses that were tailored narrowly tailored and proportional and so that that borrows from the human rights this course so is that not possibly a source some have posited of of legal criteria that could apply to these issues so that's that's the question but but it might be something other than human rights but what do you guys think where might we are there legal imperatives or criteria now and if so where would we draw them from and to what extent is human rights a good source for that so great question and you began the conversation with this panel describing a territorialist view and a universalist view and those two that framing invites a different so in so it's complicated right because the universalist application of these orders means take it down globally or the territorial application of these orders means take it down so that only doesn't come to our shores the French approach in the Yahoo case so but there's a universalist territorialist approach from the human rights perspective which is which actually frames things in a different way which says which which is what you're referring to now which is hey these are norms that are universal norms and therefore should be applied universally despite what any nation might have its own views on these questions this goes to some extent to what mark is talking about is there convergence on these issues globally and so you know on child pornography you know clearly there's kind of a global consensus and that is a kind of global norm and it can be applied globally so uncertain the question then is on content what are what is their global consensus on is their global consensus on copyright is their global consensus on trademark is their global consensus on trade secret I don't think so and is there is their global consensus on hate speech certainly not right so so on those fronts it's it's hard to say that there is a universal norm that can be applied now clearly Arthuro has long pressed in his own writing that companies and governments need to always be mindful of universal human rights right that has to be the foundational principle that we apply and that gives us substantial norms but at the same time it doesn't give us doesn't tell us whether something stays up or down in in nearly the kind of fine detail that we need to to figure out and just to add on to that point I think it's one of the real challenges that I think we face when we look to international human rights law for like the substantive norms of what should content policies be for example is that there's an awful lot that's regulated under content policies today that would not be under human rights law and I think of nudity and kind of sexual content as a prime example where the vast majority of major you know mainstream general audience platforms have some kind of rule against at least explicit pornography if not nudity in general we all know lots of stories about how tricky that is to enforce and all of the very many reasonable ways that people want to use nudity in their depictions of just their life or advocacy or whatever it might be so I think one of the big questions too is as we've kind of all grown up with the internet over the past 20 25 years there's been a sort of a presumption of less freedom on many platforms than sort of full first amendment protected speech and that people are at the very least really accustomed to that and if you got rid of that and said okay look can't platforms should not restrict anything more than what governments could restrict if they were in the same position that might be a wonderful place to end up as like a first amendment maximalist but it would also mean you'd probably have porn in every comment section and social media platform and and and then what would we do and that's what the thing I don't think the conversation ends there the answer might be then you do a lot of like user side filtering to limit that and like put all of the fine grained restriction of speech in the hands of people themselves and not the platforms that's that's one direction to go but you know we we see a little bit in kind of the use of of privacy control tools on social media platforms people even who want to protect their own privacy and don't like what they understand platforms to be doing still may not use tools to do the fine grained management themselves so I think that kind of that question of we are in a little bit different position with thinking about these platforms and what roles we want them to play then how we've thought about governments and that's where I think a lot of the the challenge comes because it we can't just directly translate all of what we expect from a government onto platforms but there is an awful lot that we can't expect from companies that's helpful mark yeah so um on on the question of the you know can you apply international human rights law to give us a legal solution this I don't I don't think so I think it's not determinant enough to really give a unique answer I still think the principle I laid out of you know consistency of laws and universal legal norms is the right way to look whether countries will get there I don't know I mean that's that's really a matter of their local legal systems and and we'll see how it works out but on the legal question I think that's that's where we have to we have to go I'm not sure there's an easy answer even if you take that position because then what's a universal legal norm right where we found consensus but at least it gives us a way to think about the issue but I do think largely and I'm going out a little bit on the limb here I think the the game is really shifted away from the legal norms to the terms and conditions of companies okay I really think if if if you're looking for ways in which content will be restricted and you just look at what governments do efficiently I think you'll miss the the first amendment issue of our time which is what what are what are companies doing on their own subject to their own perception of the right norms and standards to to restrict content and what kind of redress rights are they giving people and so on and so forth that's I think the major thing to go back to the early odds and the yahu case people forgot how that got resolved it didn't get resolved in the court of law yahu just took the stuff down right they said I'm not taking this legal risk globally I mean why should why should I defend the Nazis you know and when it's giving me all this grief with the French government and so the the the issue wasn't resolved as a matter of developing legal norms but business practice evolved in a way that gave an answer maybe not an answer we like but but an answer that I think is the way these answers are going to be constructed going forward into the future I'm so I was I attended I was thinking about David K's report on content moderation one of his key recommendations was that companies should integrate or sort of adopt international human rights law because it is a global norm and and it is law and 170 countries have ratified it and have said that we support this so like I mean and and his recommendation that companies should align their terms of service more with international human rights law doesn't mean it's going to be perfect but but that that we do have a place to start it's not like we don't have a place to start I I also think that that there could be some kind of I think about the Austria case and I don't understand so and this happens in the Middle East all the time too but there are certain laws in the Middle East in these countries who have ratified the ITCPR and and you know say that they protect freedom of expression and their national laws completely contradict their constitutions right I mean this is you know there's all kinds of conflict of law within legal systems themselves so so couldn't before a court can assert some sort of extraterritorial jurisdiction and I don't know all the procedural stuff but couldn't it there the law the statute that they're using be evaluated for its compliance with international human rights law under their own under their own the obligations that they've set for themselves and you know it it seems like that could be something like what Greg was saying in the about the cloud act in the previous panel that it could also be a way of trying to raise the bar um and and there's that and then there is this idea of that that there are so many you know every the way I think of it is like the law making is being somehow expanded it's not just the purview of the legislators anymore or the courts it's also the soft law of treaties and these different codes of conduct also the terms of service but the but the group that I find missing are the users and and it brings me back to another one of David K suggestions which is to create some kind of councils social media councils he calls them but that are similar to the press councils but if we have multi-stakeholder councils that are operating not in specific jurisdictions but perhaps across jurisdictions that are dealing with certain kinds of uh that are based that are you know trying to evaluate different things with human rights law and other laws in place or maybe there's data protection councils there's got to be some way for for you know this to be more a conversation about justice than about law and I think we're missing somehow the idea of justice for the users we're talking about determining what they should and should not have to to comply with or agree with but they really we really we're all users in here with a different hat on don't have access to the creation of these laws except through representation but but if that if the law the actual law is really only one part of the puzzle now I think we need to be looking for other other openings and other mechanisms by which we can participate in this process and and hold it accountable and and sort of rethink what law with the with you know with the little l I guess looks like in an internet environment I think I read something recently that it's a Howard Zen so you know it's it's an article called the conspiracy of law and he talks about how we can get stuck in the past of how let law look like in the past and I think I think this is why we're having similar conversations to what we're having you know over the past 20 years is because we haven't taken the moment to sort of pause and sit and rethink or reimagine sort of outside the constructs of what we already know about how legal systems work what law on the internet or what rules or what I don't know governance yeah again and not just at the top level but what it can be right and and uh professor Paul Berman who's written uh extensively on jurisdiction has the theory of cosmopolitan or pluralist approach to jurisdiction which which posits that we shouldn't be married to these formal rules which clearly are falling short in this area but think more about communities of users and where uh you know uh these activities are directed to and have that be a basis for establishing when jurisdiction enforcement jurisdiction can be exercised or not uh which is you know looking more broadly at law with a little l than what most international lawyers do before moving on I just want to clarify that my question about potential human rights sources for guidance in this area wasn't limited just to the substantive norms which I think you all addressed pretty accurately and and but as an inspiration for criteria or elements that national authorities can use when making the decision to enforce or not a particular order uh extraterritorially so um human rights also includes a balancing regime when you have conflicts of rights which all these cases implicate and that's where you have to think about what's absolutely necessary that's where you have to think about the proportionality of the measure and its effect and you know look at what what rights are being impacted uh and you know one could invite national authorities to think about the rights of other people as a discretionary but maybe eventually a normative uh right criteria so so I was looking at it more broadly than just the content and um but um and maybe we can have more discussion about that of people oh sure just and I think there's also a lot for companies and platforms to learn from the procedural kind of guarantees in human rights as well right well and this is the kind of the remedy the notice and appeal questions that so many advocates around the world have been talking about for for a very long time that we'd like to see improvements from platforms on essentially the customer service aspect of content hosting and content moderation and I think they have I mean in my in conversations with companies I I do hear this uh human rights change discourse of balance and proportionality and uh come into play and um so yes thank you for highlighting the procedural dimension of it uh and to to mark and to Jessica and to the rest of the panel one final question uh you talked about how uh transparency was key and you referenced it again just now could could you say more about what that looks like how and anyone else could make suggestions too on this notion of what can companies do to be more transparent about how they're being forced to implement global takedown orders and or um uh regulate content online in a way that might go you know across borders and how that looks to folks users on the other side of events as well um so a start is what what uh google and microsoft uh are doing already which is to post these transparency reports okay right which which say here the number of cases where we were asked by by governments to take material down here's the ones that we said yes to um and they've got that for right to be forgotten they've got it for dmca takedowns they've got it for all of the the the takedowns which implicate government so that's a start i i do think their terms and service are public which is good but the criteria that they use to apply those terms and services tend not to be uh and and the reason for that is pretty clear i mean they don't want to give a roadmap to the bad guys to figure out how to go around it so but some some balancing of that needs to be done so that when a decision is made the the people who are adversely affected by it have some sense of what the criteria would be um the financial services industry actually has a model here if you get an an adverse notice of action based on your credit report you've got to get an explanation of that you know something like that that provides the the the person whose material has been removed an understanding of what it was that prompted the removal now can that be done easily when you're dealing with a universe of two billion users no uh and so it's gonna have to be an automated process to be honest that's how credit card companies work too their statement of reasons is not something that a human being writes out in longhand right it's all computerized but i do think something along those lines would be helpful uh and then the last is is some sort of process uh if a if a person feels aggrieved it's there but it's hard to find and you know again it's scale that's creating these issues um the the companies are operating at such enormous scale that that it is very very difficult to provide an easy avenue for remedies and and redress but it has to be done they've done a reasonable job of that unright to be forgotten right because that that tends to be the kind of thing that has to be resolved you know on an individual basis i know there are three million urls but you know they they still have to look at the the the issue and make a judgment to balance the the interest of the public and getting access to the information and the privacy interest of the person who thinks that he's been he's been aggrieved and and there's a process there that that works it's hard to do that for all of the content takedowns that they're involved in but i think that's the direction we have to move in thank you that's that's helpful to clarify the your initial comment anyone else on the panel want to speak to what companies are doing or could do more in this vein emma sure yeah um so and on the the question of kind of more detailed guidelines about um what companies content policies actually are um facebook did this uh earlier this year um publish you know some more a deeper look into how exactly they interpret their own content policies um which i think is really helpful and also point in terms of getting a better sense of how they're thinking about what are pretty big difficult questions like how to apply the same hate speech policy to you know two billion users worldwide um that's never been tried before and uh is very difficult especially with something like hate speech where you know whether something actually counts as hate speech is hugely context dependent um depending on cultural and just individual kind of circumstances um so that you know i think that was a really important move by facebook and hope that a lot of other platforms can do the same sort of thing and see you know does do we end up in this concern about gaming the system and oh now that people really know more about how the company interprets own policy do we see people kind of threading or walking a very fine line um to continue to say harass people on the platform while still saying informal compliance with the policy but as far as other transparency efforts um that we're hoping to see so cdt joined with uh e f f a cl u the open technology institute here new america um and a number of academics on a set of uh recommendations we call the santa clara principles um earlier this year and they're really kind of a reflection of what has become a really common set of recommendations across lots of ngo's and thinkers um in this space for for a number of years really focusing around um numbers notice and appeal where our three big categories numbers focusing particularly on um terms of service enforcement we do have now pretty much an industry best practice around reporting on government demands for access to user data or content removal which is great and i'm glad to see how quickly and widely that spread um but we there's not anywhere close to a consistent or much of any reporting on how companies enforce their own content policies and what that really looks like at scale um it makes all of the public policy discussions we have around these questions really hard because you know if you're talking to a policymaker and they're putting out a plan of action that involves a lot of fine grained individualized determination of content for illegality in germany say um the fact that facebook is getting a million flags a day of content really starts making that kind of individualized determination uh pretty far fetched as an actual part of a functional policy um so getting more of a sense of the the kind of the scale and scope of all of this and as mark was saying so i won't repeat it um better notice to people about why their content is being flagged better information to the people who are doing the flagging about what happened you know if you're reporting abuse on a platform if you're reporting harassment whether of yourself or of somebody else reporting that and then having it go into a black hole and you never know really what happens and maybe the problem isn't resolved is also a deeply unsatisfying circumstance so lots to improve on notice and effective remedy is i think kind of the white whale and all of this what does it really mean to truly meaningfully appeal a content takedown decision that's a very jazz point that yeah mark was on great thank you any other comments there i'm go ahead um so quickly just pulling up on emma's point um facebook did a really good job of responding and mark has also said this to european content uh policies the europeans don't think so but facebook has been working hard to try to comply but uh the issues have largely written risen in other jurisdictions that have not received the same attention from facebook obviously i'm thinking of me and mar where facebook didn't spend a lot of resources doesn't didn't have a huge team of people who spoke the language etc and so facebook is belatedly coming to these kinds of questions and this is a question that jessica raised at the start which is how much of these are these companies responding to what's happening elsewhere in the world on a word jessica before we open it up sure i mean i i just on the transparency issue i think while the transparency reports i mean of course we're happy to have them i think they could be more granular even in their detail about government request specifically mentioning the laws and under which these requests are being made so to help people understand what are the legal justifications and and things like that so certainly of course the data that emma's emma's also mentioned um and i mean i guess in terms of you if you want to really have a strong list probably most people in here are aware but ranking digital rights uh has you know basically wrote written the book on what the kinds of indicators are that we should be looking at for different companies in terms of how they are addressing a lot of these issues um in terms of appeal and and and uh redress and sort of how clear uh policies are and we've been using that at smacks and other other organizations in the global south to to evaluate telecom and and other internet companies so you know another source of information from the global south that can be very useful um and then obviously um more transparency in in um well i i think i'm not gonna i think i'm that one's just another associative sort of bot so i'll just hold on to it okay well uh that leaves i think um some time for questions from the audience uh we have a mic that we want to pass around to make sure that you if you have a question you speak into that mic and please if you can identify yourself um Courtney you want to kick us off i'm Courtney Raj i'm the advocacy director at the committee to protect journalists a couple of things one deeply concerned to hear that judicial rulings should de facto like apply globally i think that's really concerning when you look at cases like turkey or egypt or frankly many parts in the world and i want to ask the panel why are we just taking it as a given that national sovereignty and national nation state laws should apply on the internet the way that they do offline and why can we not envision a whole different paradigm because this is the there it is a potential space to empower those who do not have the power of the state behind them or the power of corporations so it concerns me that in all of these discussions there's no imagination there's no envisioning of something different which was the very outset the internet as a place that is beyond these national laws and i'm sorry if this sounds like i don't know you know a bit like polyannish but given the people that we work with and as just pointed out you know the people in the global south who are de facto getting access to a space that is oftentimes actually allowing greater expressive potential than they have in their countries even if they you know face repercussions for that expression i really want to think about what we could imagine is a different paradigm than just saying hey france germany turkey egypt lebanon whoever should have the right to control content in their little you know url you know their ip addresses in their domains or try to assert their rights globally thanks let's get another couple questions maybe and then we'll open it up i think frank wanted to ask a question i wanted to make precisely a connection with the frank larou thank you for the question i'd like to make a connection with the past panel as well and going back to the issue of universality in the past panel we were talking about executive agreements between states and that's a very worrisome concept because that means that we will generate different standards according to each agreement and yes the ideal is that some of them may be good but others will respond to the needs or the propositions of other states or their own legislation and in this panel again what we're looking at in the terms of service is in many occasions the takedown will depend as was said by the panel more on the policies of the terms of the corporations than on the law but taking narduro's proposition as well in the past the policies should also be based on international human rights standards that's why we have international human rights standards regardless of what country where they are and we're eroding the advancement of world civilization in terms of human rights by generating standards that are lower than those that were already recognized legally at an international level so yes we will rely on the terms of service and implementation but corporation should be based on international law and international human rights standards for those terms of service otherwise we're creating a double standard for citizens of different parts of the world and this also goes for questions of jurisdiction because I mean yes you have courts and courts making decisions but if a court in China makes a decision I'm sure that no one will demand the same implementation so it is more sensitive I like Courtney's comment just now that internet is the great opportunity for universalizing human rights for generating a new practice and a new understanding and new global concept well why don't we do a round of reactions and responses first then we'll take another couple questions who wants that Emma you look like you're trying to take it out seriously no and I really appreciate Frank's comments about kind of are the content policies especially of like world spanning platforms that have billions and billions of users sort of undermining our expectations of what does it mean to really have freedom of expression because these are sort of independently developed sets of policies that aren't explicitly tied to human rights standards and I do definitely worry about that I worry about the sort of what does it what does it condition people to expect as far as what they can expect for clarity of the standards that govern their speech ability to get redress is there an independent arbiter involved in all of this so I share those concerns I also do have concerns the other direction though if the right now I think you'll have to ask the different companies it how much they would describe their standards as informed by human rights law you know to just to this earlier point I think if we're if you're a company looking for a global standard to hitch your content policy to international human rights law is the best one that we've got but there's a lot especially here in the US we talk a lot about the freedom the platforms have to design their own policies that's like they're sort of they're not promising at least here that these reflect the global norms and standards and I worry a little bit that if we start talking about the policies are essentially mirrored to global standards oh except there's some stuff that we would really like to restrict on the platforms that that may have the reverse effect of undermining what we think of as a legitimate restriction on speech in that international human rights framework right so right now the restrictions are you know like public safety the sort of amorphous public order if we start expanding what platform should be able to restrict to include things like nudity or a more a weaker definition of harassment I do sort of worry about that backfilling into governments taking that up as a like look we've all agreed it's actually sometimes really important to for the safety of children limit you know nudity whatever it might be so I I don't know I think it's I'm worried about international human rights standard being undermined from many directions yeah all right yeah I think that last point was was excellent but I I do think to go to go back to the why can't we do things differently that wasn't an ideal it was 20 years ago everyone thought that that was the feature of cyberspace as they as they call it but to be honest what that evolved into was not a regime where local communities of users would set up their own norms right and or maybe global communities of users setting up their own norms what that evolved into are the terms and services the conditions of the large companies that that's the natural evolution of this idea that there should be a separate law for cyberspace right so I think we got to that point I'm not sure we're happy that we got there in that way but I do think it's it's worth notice noticing the connection between the early ideal of a community of users regulating themselves and terms and conditions that are established by by by giant companies on the can we just live up to international human rights law I do think we're beyond that there's so many things that are permitted under international human rights law that that that private companies simply wouldn't allow on their platforms that I think Emma's right that if you try to conflate the two you know the fact that platforms will decide what they want to put on their their platforms for their own reasons you know that have to do with attracting a crowd and making it a nice place for people to visit that you'll you'll wind up weakening the standards of international human laws in ways that we probably don't want to have happen so I think we should keep those separate the the you're gonna have to rely on the content policies of large companies as a way to make sure some of the stuff that we don't want available to large numbers of people isn't there but you don't want to make that a matter of international law I think the two should be kept as separate regimes so let me just give the example of alex jones right on who yeah so who has been quote de-platformed on some of the major internet platforms so I there's a question as to what exactly the international law norm would be with respect to hate speech and so that's an open question but there's also a question as to whether or not this application by particular countries particular just I'm sorry platforms of their hate speech policy is narrower than what the general rule allows right with law allows and so in the United States currently alex jones is allowed to pervade his hateful nonsense this is the kind of you know the same thing that judge gomez said in the french yahoo case you know despite the moral imperative the law permits it in the united states and so I think I am comfortable and this will be something that you know it will be controversial that some platforms decide to de-platform alex jones whereas a platform like gabb says please all white supremacists come jump on our platform because we are you know pro this stuff and so I think you know that's an american perspective I am comfortable with that now that doesn't mean I'm you know I'm comfortable with the legal regime that enables that to happen and so I think that's the the better approach from the legal perspective now frank raised the question of what does this you know can't we use international law or international human rights law in particular to to govern this this question it's not clear to me that international human rights law gives us enough of an answer what so I'll I could turn it back to you frank to say what does it say about gab should it be illegal under international human rights law and so so that would be the so I would yeah so that would be what I would ask and or is it it should is what twitter is let's say you know there was a lot of pressure put on twitter to de-platform and ultimately there's a temporary suspension whether or not it's permanent of alex jones is that a violation of alex jones is human rights right free expression so those are the questions yeah so yeah well I'm certainly not going to talk about with legal under international human rights law because it's not my my expertise but I guess I guess what I want to say is that I I respectfully disagree that that the terms of service that we have today is the result of a natural evolution of the internet from 25 years ago I think there was a lot of there have been a lot of decisions made that are sort of you know the the libertarian sort of direction that the internet should take and that there were a lot of there's a lot of pressure and a lot of advocacy for that particular direction I think there was an uh an editorial uh not that in in the New York Times recently Joe Lapour wrote that was about that specifically in sort of America's fascination with technology and the libertarianism that basically has produced the Silicon Valley companies that we're all contending with today and that we should be thinking a little bit more deeply about that it's not something that just happened because this is an organic evolution there have been forces at play from the very beginning that have led us to this point and and I think also in these conversations we're also taking for granted that we're only talking about these giant international global internet companies and we need to also be thinking about smaller companies mid-sized companies and how do we enable their participation in the creation of policy and law and upholding human rights um you know it's not just you know despite the fact that it kind of is it's not just apple google facebook and twitter and twitter you know as we all know it sort of gets lumped in there and then has never made a profit you know so so you know whatever but that does have a lot of power um I think also this idea about sovereignty that Courtney raised is one that troubles me a lot living in you know in and among a lot of authoritarian regimes is why should we respect their sovereignty um when they're not respecting you know the personal dignity of the people who live under those regimes why can't we challenge that more under our international system why do they get the same standing as any other nation state that does go to the effort of at least trying to present um you know being a democratic country in rule of law and you know one of the things that was stated that you know in sort of the beginning of this discussion not this particular discussion but this extraterritorial jurisdiction discussion is the idea of polity and that that you know it relies on the consent of the governed you know this idea of sovereignty and that certainly does not exist in a lot of these countries so we have to remember that when we're talking about sovereignty especially in this internet sort of age um and and how can we use this as an opportunity to redefine what that actually means since we're not limited by territorial borders um something I recently discovered is sort of this idea this is kind of like um sorry to get really nerdy here but this idea of sort of um like a theory of justice is John Rawls is like this original position of like you we're all sort of uh we don't know who we're going to be or what traits we're going to have and we all get together and we sort of decide what should the legal what should the framework for justice be in our new community and because we don't know if we're going to be rich or poor or black or white or whatever we're all going to make the best decisions for the system as a whole and then he took that and he wrote something else called laws of the people and the last principle in the laws of the people is that and I have it I hope somewhere here so I want to quote it is um there are many different principles and I realize this is taking you know becoming really vague but the last principle is that people's people's and I sort of refer this to this cosmopolitan pluralism that you're talking about these communities right that we're communities and what if we're a community or a people of open culture and but the last principle is like people's have a duty to assist other peoples living under unfavorable conditions that present prevent them from that prevent they're having a just or decent political and social regime and the nice thing about this this is that you know with even within this it doesn't mean everybody has to he talks about liberal people and decent and you can have different standards within that but the nice thing is that is that we're not sort of a race to the bottom of like you know trying to create the lowest common denominator of what is is free expression and what is privacy so I would like to try and push the conversation that direction okay I think we just time from any couple more questions Rebecca and then in the back and I think that'll wrap it up hi I'm Rebecca McKinnon I mean it seems what we're coming down to here is a challenge of politics and representation right so you know who are the internet companies to say we're going to ignore the sovereignty of these nations because who are they representing or then who's kind of making the decision and who are they represent you know and and how do you avoid the cultural imperialism charge without having some sort of polity you know whether it's geographically based or based on some other community or constructive community that is standing behind the decision to ignore national sovereignty and it seems that's what's missing right that that there's no community that is granting legitimacy and consent to an act of ignoring national sovereignty and then the question is you know if if if if there's a sense that that would serve human rights to have that how do how is it possible to achieve and how do you do so and are David K's kind of suggestions around councils and so on one step in that direction or you know I mean that that seems to be the knot that kind of needs to be untied somehow yeah one more question over here address the question that I inappropriately asked the first panel it's about the sometimes what to describe as the tension between privacy and data security and specifically if you can address the international crime prevention act as some folks have voice concerns that giving the FBI which the SAC would do the ability to take down botnets or suspected botnets used by hackers would give them the ability to take down legitimate content all right that's our round of questions once the well Rebecca is arguing for the consent of the network so clearly international rights law has to be the baseline right the companies have to comport themselves according accordingly governments have to accord themselves accordingly and when the governments aren't living up to human rights law companies shouldn't follow their dictates the hard part is that's that's the obvious you know clear statement and that's because it's universal law it's not seen as culturally imperialist because it is universal etc right so it's not it's not kind of colonial or imperial project but the problem is that when these companies try to operate in jurisdictions they find that they have people on the ground etc that make it hard to not obey the dictates because of the you know the risks that they have so it's not only the of course it's money at stake you know they want to operate in jurisdictions where they make money but they also have the difficulty of operating in jurisdictions where they will feel the pressure from you know on local employees and risks vietnam's data localization policy literally requires officially a person on the ground that you know is is thereby therefore able to be kind of dragooned into court and put into the jail etc and so so that's the the difficulty here and so I I the one thing I don't agree with in the comments is the idea of cyberspace should be entirely different I think that that vision you know the johnson and post john perry borla vision the the dawn of the internet age of the web age isn't accurate and it shouldn't be accurate that is you know we have human rights law I think that's that's perfectly normatively plausible and that doesn't mean that we need to so by saying this I'm not saying that we shouldn't ignore local sovereigns that insist on violating human rights law that's a different different a different question I don't think it means that we don't feel an obligation to other jurisdictions that's a distinct question but I think treating cyberspace as a unique jurisdiction that is immune to territorial regulation is is also problematic and it would actually reduce consumer protections dramatically well it's closing statements yeah no just building on that point I think one of because I was thinking a lot about Courtney's call to have like more creativity and think think more think bigger about what could be possible with the internet and I think until we get the technical means for control of the network out of the hands of governments where that's that's always going to be a sticking point right and you know this and I think it's a great reflection of what an amazing audience that we hear that we've got like luminaries in the field who are asking questions of the panel which I really want to just like hear your your ideas on this because I think for me seeing the the tension especially around things like network shutdowns you know the pushing the issue to the brink of if the platform will try to self-govern and set its own terms and you know agree have its community of people decide this is what goes on this platform when a government can say fine then your platform is not accessible to anyone in this country I do think that is a genuine tough choice for different platforms to make do you then give a little bit on what the government is asking you to do as far as specific content regulation or do you say no one in this jurisdiction who can't circumvent the block can have access and that's I don't think there's a one universal right answer in that question I do think it's really tough call well I think we'll close I'll just say that the one perspective missing from the panel is that of government agencies and officers who make these decisions or or promote them and it would be interesting to think about what goes through the mind of you know someone in the French agency who is ordering right Google to take it down around the world the information that they've been asked to have removed or and and what might influence that perspective and I think that's where the role of human rights not necessarily as a binding legal obligation every time but as a source of guidance and inspiration and of developing functional criteria to you know so that on balance the enjoyment of human rights is impinged less with one decision i.e don't take it around don't take it down all over the globe but find a way to limit then then then the contrary position right so well if you'll join me in thanking the panelists for a fascinating discussion I believe lunch is next right between you and lunch so I'm going to be just very very brief and sum up a few thoughts from both panels today so I just first think that something coming out of both with respect to the cross-border data issue as well as the global takedown issue in terms of both privacy and freedom of expression that this idea of a free and open internet that is operating globally but is sort of dependent upon U.S. companies and U.S. law is a status quo that has had benefits for human rights but is ultimately unsustainable and has also sort of you know created a lot of issues around the world and so in in dealing with that two things seem to come out of the the sessions today one is that international human rights law and standards are necessary but perhaps insufficient in terms of how we think about these things how we apply them and how we get laws and policies around the world that will actually respect and promote those rights that we also need to broaden the perspectives that are thinking about these things particularly outside of the United States and Europe and to look to whether it is startups and small media enterprises in many different parts of the world civil society organizations that are working on digital rights and other issues around the world and outside of the United States and Europe as well as trying to figure out how do we get users as a polity engaged in these discussions these are things that we're thinking about at GNI and that I would encourage all of us to do a second thing is continue this process of finding unlikely allies there's many things that whether it's governments companies civil society organizations other stakeholders disagree on when it comes to internet policy but where we find points of agreement we need to push forward you know Jen Daskell and Greg from the first panel disagreed about a great many things and there are many posts on lawfare and just security of them and others going back and forth on the cloud act but now that it's being implemented there are important safeguards that they agree on and we need to sort of move forward and whether on a great many issues we can't hold grudges we need to find ways to work together and push for the right laws and policies third when governments and companies are interacting and as we talked about the importance of how company terms of service you know are sort of the new locus of these debates and governments are trying to influence those we need to have others in the room as well not just because transparency about how these policies are developed and implemented is useful in its own right but if you don't have others in the room you miss important substantive matters we talk about things like when you know video evidence of human rights violations in Syria and elsewhere has been taken down if you have human rights you know sort of professionals who are in the room they can help spot those things and avoid some of those negative consequences and then lastly I think we all need to keep making that affirmative case for human rights and particularly for freedom of expression at a time when we're all too often looking at all of the negative consequences of all types different types of dangerous harmful speech around the world we need to think about the ways that freedom of expression is actually critical and something that we need to base all of our work upon so those are just a few thoughts from today on behalf of the global network initiative thank you you've been a spectacular audience who want to thank OTI for hosting us and ASIL for cosponsoring this event and with that uh lunch is served somewhere I believe outside uh yeah so thank you