By Kirsten Fiedler

The European Commission has confirmed to EDRi that it is preparing to partner with US online companies in order to plan the arbitrary monitoring and censorship of European citizens and, contrary to previous assurances, will exclude civil society from these discussions. More disturbingly, this is happening at the same time as the US is preparing the “Cybersecurity Information Sharing Act” (CISA), which grants US companies a “safe harbour” from liability for any damage they cause when enacting counter-measures against security risks.

Last month we reported that, from time to time, the European Commission launches talks with the Internet industry to encourage companies to take “voluntary” action to fight against allegedly illegal or unwanted online activity. Very often, however, these projects seem to be launched or financed without any consideration for lessons learned from past (and mostly failed) enforcement initiatives. Take, for example, the CleanIT project, which proposed that online companies should prevent anonymous use of online services, implement automated detection systems and remove content on the simple request of law enforcement authorities “without following the more labour-intensive and formal procedures for ‘notice and action’”.

In March 2015, a European Union document on the “fight against terrorism” (pdf) charged the Commission with the creation of a “Forum with the Internet service providers community” in order to contribute to Europol’s work (even though this project had been launched a year earlier). Since then, no information has been made public as regards the progress of this “EU Internet Forum”.

Obviously, we wanted to know more and sent an “access to documents” request to the European Commission. In May, the Commission responded, claiming that no documents existed since the forum was not set up at the time of our request. A couple of exchanges and months later, the Commission sent us some – not all – of the requested documents. We received:

These documents reveal that the Commission organised two meetings of the Forum to prepare the official launch of the EU Internet Forum scheduled for the end of the year. These preparatory meetings took place on 27 May and 24 July. Companies were invited to discuss “challenges and scope of engagement in countering online terrorism activity” by, for example, “reducing accessibility” and by challenging “the terrorist narrative online”. An earlier Communication on the EU’s Agenda on Security also stated the objective to explore “the concerns of law enforcement authorities on new encryption technologies” (pdf).

Among the planned activities of the forum are awareness-raising activities for Member States, training sessions and workshops, as well as “reaching out to smaller companies” to enable them to respond to removal requests. A preparatory meeting took place on 27 May and a meeting to “raise awareness” on 24 July.

Despite the fact that the European Agenda on Security initially announced the launch of this “EU-level Forum with IT companies to bring them together with law enforcement authorities and civil society” (emphasis added), we learn from the documents that the Commission did not contact any civil society groups to take part since “it does not directly communicate with community groups or citizens”. The Commission does not explain further why only industry was invited while human rights organisations and NGOs in the field of information technology were ignored. It seems the idea to have civil society on board has been dropped entirely. However, the Commission refers to links on the website of the Radicalisation Awareness Network – apparently in the hope that this would be sufficient to make citizens aware of DG Home’s activities.

In its reply to us, the Commission unfortunately refused to grant us access to preparatory documents of the Forum as it considers that this “could seriously undermine the ability of the Commission and other involved stakeholders to freely exchange their views concerning actions and initiatives to be taken within the IT Forum”. It is clear that discussions regarding activities by online services will directly affect the communications of their customers and therefore ultimately have an impact on citizens’ fundamental right to freedom of expression. However, human rights organisations and experts in the field of information technologies from academia or civil society do not seem to be considered “relevant stakeholders” or even “interested parties”.

The Commission also argues that it wants to remain “free from external pressure” to explore potential policy options, but some policy options seem already decided, such as including the issue of “detection and removal” of alleged terrorist material (meeting report 7 May) in the upcoming meetings. The EU’s Home Affairs Commissioner Dimitris Avramopoulos is now planning a trip to Silicon Valley to discuss the upcoming launch of the EU Internet Forum – with US service providers.

It is strange that the Commission wishes to remain “free to consider all policy options” while at the same time asking US businesses how online communications should be regulated in Europe. It is even more Kafkaesque when these same US businesses are about to receive near-blanket immunity for activities covered by the draft CISA. This draft Bill grants two new powers to US companies allowing them to launch countermeasures to “cybersecurity threats” and to monitor information systems. The Bill gives immunity to companies for these monitoring activities and whenever they wish to share private data of their customers (including EU customers) with US government agencies – with wide-ranging protection from liability for any damage that they may cause in the process. EDRi-members EFF and Access as well as Fight for the Future are currently campaigning to stop this fatally flawed Bill.

This is a disturbing approach by the US government because, until now, online intermediaries have had little interest in adopting law enforcement roles due to unclear legal protections (“safe harbours”) offered to them in cases where their networks are used for illegal activities. Ever since the failed Stop Online Piracy Act (SOPA) three years ago, the US government has been attempting to change this situation.

In Europe, Member States have the obligation to respect the Charter of Fundamental Rights. However, if measures are applied “voluntarily” by private companies, governments’ obligations under the Charter are not active. As many case studies have shown, private companies continue to limit fundamental rights in the online space, flouting the principle that restrictions on civil and human rights must be based on law (Articles 8 and 10, European Convention on Human Rights; Article 52, European Charter of Fundamental Rights and Article 19, International Convention on Civil and Political Rights).

To avoid another failed project pushing for privatised law enforcement activities through online service providers, we believe that the Commission should seek expert input to examine whether and how regulation of the European online space by US companies has an impact or unintended consequences for the fundamental rights of European citizens. In January, the EU’s Ministers of Interior emphasised the need to safeguard the Internet, “in scrupulous observance of fundamental freedoms, [as] a forum for free expression, in full respect of the law.”

We agree. Does the Commission?

Also see EDRi’s booklets on the topic:

Human rights and privatised law enforcement
https://edri.org/wp-content/uploads/2014/02/EDRi_HumanRights_and_PrivLaw_web.pdf

The slide from “self-regulation” to corporate censorship
https://edri.org/wp-content/uploads/2010/01/selfregualation_paper_20110925_web.pdf
