An Interview with Joe McNamee Executive Director of EDRi

“Although GDPR is much better than previous legislation, particularly with regard to enforcement, there's still some lack of clarity on issues like online tracking. Hopefully this will be dealt with over time. Obviously, it’s not ideal that companies are still stalking users as they surf the internet.”

Joe McNamee, Executive Director, EDRi (European Digital Rights)
https://edri.org/

While the internet has opened up a world of information to the public, it has also opened up the public to protentional abuse of their privacy and rights. EDRi (European Digital Rights) was formed to give voice to these concerns and help set policy protecting citizen’s rights. We sat down with Joe NcNamee, their executive director and winner of the 2018 Barlow award, to discuss some of today’s most concerning threats to individual rights, privacy, and freedom of expression.

Please tell us a little bit about your background before joining EDRi (European Digital Rights).

At the end of 1995, I worked at the help desk of CompuServe in the UK., eventually moving to tech support. About two years after that, I relocated to Brussels where, for the next 11 or 12 years, I worked in a lobbying firm for the recently formed European Internet Service Providers Association. In 2009 I set up the EDRi office in Brussels, where I've been ever since.

Why was EDRi founded and what is its purpose?

Before EDRi, there were several digital rights organizations in European countries that increasingly saw decisions being made at EU level, without the involvement of an EU voice for digital rights. So, in 2002 they got together and set up EDRi as a way of cooperating with each other. By 2009, it was fairly clear that a more centralized, permanent presence in Brussels was also needed. At the time, I had just concluded over 11 years working on similar issues from an industry perspective and thought I could use that experience to protect citizens’ rights. I saw a lot of issues at the horizon, such as the need for proper privacy protections, net neutrality, content moderation, etc. It was obvious to me that something needed to be done and that EDRi was the best organization to work with to make change happen.

Was EDRi instrumental in the passage of GDPR (General Data Protection Regulation)?

Yes, we worked on GDPR from the start, even before the proposal was drafted. We’ve had multiple meetings with policymakers from the EU member states, the European Commission and Parliament and were engaged extensively at every stage of the process through the final agreement. We produced an extensive guide, www.protectmydata.eu, which explains the main points of GDPR. The guide was intended to support the work of policymakers and at the same time, provide the public with a detailed analysis of the proposal. We also suggested amendments, which we published on the site to provide transparency. Since the GDPR’s adoption, we've been making recommendations on how to implement the law more efficiently.

Are you satisfied with the final GDPR?

I think we achieved everything that was politically achievable at the time, so I'm pleased. Although the GDPR is much better than the previous legislation, particularly regarding enforcement, there's still some lack of clarity in places that hopefully will be dealt with over time. On issues like online tracking, for example, there's still a lot of discussion about what is and what is not allowed. Obviously, it’s not ideal that companies are still stalking users as they surf the internet. Overall the legislation is as good as we could have realistically hoped for.

On your website it states that EDRi “works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.” What issues surrounding online security and surveillance would you like to change?

Obviously, security is important, and law enforcement authorities need to have the tools necessary to do their job. However, legislation in the security area is frequently more knee-jerk than evidence-based. Whenever something happens, politicians feel the need to propose something to reassure the public. However, these proposals are frequently not targeted enough, are not based on evidence, may not actually work, and are not structured in a way that anyone could be reasonably confident that the expected benefits to society are equal to the cost of an individual’s right to privacy and freedom of expression. So, we ask for policy to be based on specific evidence. When proposing a surveillance policy, it needs to be shown that it's needed, effective, proportionate, and worth the cost to citizen’s privacy. Traditionally, that has not been done. The arbitrary retention of telecommunications data and requirements for SIM card registration are fairly obvious examples of policies based on politics and not evidence.

How can we anticipate the amount of time surveillance or security information should be stored in the event it will be needed in the investigation of a crime or attack?

Well, you can't store everything indefinitely in the fear that it might be useful to law enforcement at some time, so you have to draw a line that is reasonable regarding the cost to an individual’s privacy. Take for example telecommunications data retention. We know from long experience that telecommunications data is most often needed within the first three months, quite rarely in the second three months, and almost never after six months to a year. On that basis, you can make a reasonable estimate on how long data needs to be available. Then, consideration needs to be given to the huge insights that can be gained into your life using profiling, based on this information. It is very hard to make the case that specific data retention laws are needed, which is why this was rejected twice by the EU’s highest court.

A similar scenario applies to passenger name record data where information regarding air travelers is preserved for extended periods. The agreement between the EU and the U.S. necessitates that this air passenger data be stored for a significantly longer duration compared to its agreement with Canada, even though there's no operational basis for this difference. Notably, the European Court of Justice delivered a relatively recent verdict stating that even the arrangement with Canada isn't in line with European law, necessitating its renegotiation.

Regarding privatized law enforcement your site states “there is a major trend towards governments persuading or coercing companies to impose restrictions on fundamental freedoms under the guise of “self-regulation,” thereby circumventing legal protections.” What are these illegal measures and how do governments get private companies to impose these restrictions?

In pretty much all relevant pieces of international law there is a provision that restrictions on human rights such as freedom of expression need to be provided for by law. And, of course, you have national constitutions like the US Constitution and its famous First Amendment. Therefore, there are clear rules on restrictions on freedom of expression and speech that a government can impose. However, internet companies have freedom of contract so they can and do restrict content based on their Terms of Service. For example, Facebook and Instagram ban images with female nipples. Obviously, that's a business decision and their right, but what tends to happen is that governments coerce or persuade companies to use the power of their Terms of Service to restrict content in a way that the government legally cannot.

For example, in the famous Wikileaks case, there was governmental pressure directly encouraging certain companies to withdraw services from Wikileaks. It was temporarily successful in that Wikileaks’ domain name was not renewed; its web hosting was withdrawn, etc. The government couldn't have done that directly but found an indirect way to do it. So, the very big question that needs to be asked is at what level, in spirit if not in letter, would government encouragement, coercion and pressure on a service provider constitute a breach of that government’s obligation to only restrict freedom of communication when provided for by law? Is breaching the spirit of the Constitution more acceptable than breaching the letter of the Constitution?

In Europe, we have the Charter of Fundamental Rights that says that restrictions need to be provided for by law and be necessary and proportionate to achieve the intended objectives. But all of that is circumvented by producing pressure on the internet companies and leaving it up to them to arbitrarily impose the restrictions. New terrorism legislation and new directives push for more liability of internet companies for failing to police and delete online content. That's a massive shift in how our freedom of expression is regulated and how accountability for those restrictions is outsourced to unaccountable companies.

What we find disturbing is the circumvention of these very basic pillars of our democracies are being eroded. Do we care that the US Constitution and the primary law of the EU are being circumvented in this way? Maybe, as a society, we will conclude that we don't care. I hope not, but we need to have the discussion.

What about a non-government, private internet company deleting content and they feel are not in line with their political views?

I haven't seen any empirical data to suggest that is happening, but obviously if it were, that would be concerning, particularly if that company was a monopoly. What's more important is that internet companies are being paid to run targeted, surveillance-based political advertisements. On the one hand, governments are telling Internet companies to arbitrarily and unaccountably restrict, control and manage content and on the other hand, political parties are paying Internet companies to influence elections. What can we expect as a result of these two activities? Internet companies are choosing to regulate where the government chooses not to or is constitutionally prohibited from doing so. That does not seem like a healthy environment.

What is net neutrality and why is it important?

Net neutrality is how the Internet has always existed, in that everyone can communicate with everyone in a more or less equal way. It stops becoming neutral when service providers (ISPs) give privileged, better access to let’s say Netflix and YouTube while all other online video services receive slower, weaker access, or no access at all.

It's quite a fascinating issue that competition doesn't fix. A new, innovative company with a great new service cannot be a customer of every internet service in their country, so, they have no leverage. They can't tell Verizon they will take their business elsewhere if Verizon doesn’t provide them equal access because they might not be a customer of Verizon in the first place.

Net neutrality laws do away with companies like YouTube and Facebook paying Internet service providers for privileged access. Verizon, AT&T, or British Telecom have millions of customers paying for Internet access and they would obviously like to have internet services pay for privileged access to their customers too. In this way, ISPs would be basically getting paid twice for the same service.

While these types of abuses have been the exception rather than the rule in the U.S., there were some examples of anti-competitive behavior that were already very worrying. The FCC had the flexibility to quickly adopt a net neutrality order because it didn't have to go through a legislative process. The disadvantage, however, is that just as the FCC under Obama was able to quickly and easily impose a net neutrality rule, the FCC under Trump was able to remove that order just as quickly and easily.

The European Union had to go through the slower, more time consuming and complicated process of passing net neutrality legislation. While it is not an entirely perfect net neutrality law, it would be quite difficult, although not impossible, to overturn. Efforts to overturn it started almost immediately after the law was adopted in 2015.