IGF 2020 WS #340 Checks and balances of data privacy within mass surveillance

    Time
    Tuesday, 17th November, 2020 (14:30 UTC) - Tuesday, 17th November, 2020 (16:00 UTC)
    Room
    Room 1
    About this Session
    The session aims to discuss the checks and balances of privacy protection related to the worldwide use of personal data for mass surveillance purposes. The discussion will address assumptions and conditions in which huge amounts of personal data are sought out and used for, along with the potential risks and effects of these measures.
    Subtheme

    Organizer 1: Isadora Perez Alves Peixoto, CGI.br - Brazilian Internet Steering Committee
    Organizer 2: Vinicius W. O. Santos, NIC.br / CGI.br
    Organizer 3: Everton T Rodrigues, NIC.br
    Organizer 4: Carlos Alberto Afonso, Instituto Nupef
    Organizer 5: Flávia Lefèvre Guimarães,
    Organizer 6: Hartmut Glaser, Brazilian Internet Steering Committee (CGI.br)

    Speaker 1: Carlos Affonso de Souza, Civil Society, Latin American and Caribbean Group (GRULAC)
    Speaker 2: Flávia Lefèvre Guimarães, ,
    Speaker 3: Ellen Strickland, Civil Society, Western European and Others Group (WEOG)
    Speaker 4: Graciela Selaimen, Civil Society, Latin American and Caribbean Group (GRULAC)

    Additional Speakers

    Speaker 5: Ian Brown, Technical Community, Western European and Others Group (WEOG) [CONFIRMED]
    Speaker 6: Nneka Ekechukwu-Soyinka, Private Sector, WEOG [CONFIRMED]
    Speaker 6: Chenai Chair, Civil Society, Africa Group [CONFIRMED]

    Online Moderator

    Luiza Mesquita, Technical Community, Latin American and Caribbean Group (GRULAC)

    Rapporteur

    Everton T Rodrigues, Technical Community, Latin American and Caribbean Group (GRULAC)

    Format

    Round Table - Circle - 90 Min

    Policy Question(s)

    In this session, participants will be engaged in this discussion around two main policy questions: (i) what are the demands, conditions, tools, solutions, outcomes and potential effects posed by the massive pursuit of personal data in order to best utilize data without harming fundamental rights as the right of privacy; and (ii) how to leverage multistakeholder dialogues in order to reach possible solutions and consensus on this issue?

    This session aims to discuss the checks and balances of privacy protection related to the worldwide use of personal data for mass surveillance purposes. The discussion will address assumptions and conditions in which huge amounts of personal data are sought out and used for, along with the potential risks and effects of these measures. Not only, the different ways our societies have been dealing with this debate, and how the multistakeholder Internet governance ecosystem is framing these issues will be also discussed.

    SDGs

    GOAL 3: Good Health and Well-Being
    GOAL 9: Industry, Innovation and Infrastructure
    GOAL 16: Peace, Justice and Strong Institutions
    GOAL 17: Partnerships for the Goals

    Description:

    The outbreak of the COVID-19 has resurfaced several discussions aside from social distancing and health systems. As the virus spread and the negative effects became more visible, such as the number of deaths, many governments have started to put measures in place in order to control the outbreak and ease the impacts on society. Turns out citizens' personal data have been considered an essential resource in order to achieve this goal. Governments, in partnership with different companies, have established mechanisms to collect, structure and analyze personal data as to identify common behaviors and frequent activities by even tracing the geolocation on people's mobile phones. Since then, instead of being perceived as a quick-to-think and reasonable action, such measures are being perceived as a mass surveillance imposition, with no opt-out, nor transparency measures of how the data is being used, for how long it will be kept and the method for the data destruction after the usage. Furthermore, a number of necessary discussions are rising: the lack of ongoing external studies that prove the effectiveness of the surveillance from governments for the intended measures; the need from companies to demand consent from each citizen in order to share their personal data with another party; and how is the data analyzed and for how long will the tracing last? The above described practices raise a set of concerns in terms of privacy and data protection related issues. Several organizations and individuals have been denouncing unreasonable and disproportionate actions towards citizens, as well as the risks associated with what has been considered dangerous precedents that could harm citizens’ rights, and potentially leverage mass surveillance purposes that could last beyond the ongoing pandemic. In this session, participants will be engaged in this discussion around two main policy questions: (i) what are the demands, conditions, tools, solutions, outcomes and potential effects posed by the massive pursuit of personal data in order to best utilize data without harming fundamental rights as the right of privacy; and (ii) how to leverage multistakeholder dialogues in order to reach possible solutions and consensus on this issue? In regards to methodology, this session will have a round-table approach based on two distinct rounds: in the first round, an expert will introduce the overall discussion and then the moderator will open the floor to invited participants - they will be able to give their own stakeholder views on the first proposed question (3 min each), followed by an open discussion with the audience; and in the second round, the invited participants will be able to share thoughts on the second proposed policy question (3 min each), followed by an open discussion with the audience and a wrap up moment led by the moderator. The on-site moderator will be responsible to assign the speaking slots, always seeking to keep an adequate balance in terms of diversity of stakeholders, regions and gender. As a result, a detailed report will be produced, and we expect to extract recommendations and guidelines from the discussions, which could be communicated to several other permanent intersessional tracks, inside and outside the scope of the global IGF. Online participants will have the same treatment as those that are on site, being able to speak and comment and/or ask questions, as well as having their inputs read when that is the case. For the online participation we will rely on the platforms provided by the IGF organization as well as on social media through the use of hashtags. Intended agenda: Introduction by the subject matter expert - 20 min Overarching discussion, first policy question - 30 min Overarching discussion, first policy question - 30 min Wrap up - 10 min

    Expected Outcomes

    For this activity, we envisage at least three main expected outcomes: (i) outreach with multiple and distinct stakeholders in order to spread the word and include more people on the debate; (ii) build new networks for discussion and collaboration on the topic; (iii) produce a detailed report, that could lead to a potential impact on policy making through the diffusion of the workshop results.

    In regards to methodology, this session will have a round-table approach based on two distinct rounds: in the first round, an expert will introduce the overall discussion and then the moderator will open the floor to invited participants - they will be able to give their own stakeholder views on the first proposed question (3 min each), followed by an open discussion with the audience; and in the second round, the invited participants will be able to share thoughts on the second proposed policy question (3 min each), followed by an open discussion with the audience and a wrap up moment led by the moderator. The on-site moderator will be responsible to assign the speaking slots, always seeking to keep an adequate balance in terms of diversity of stakeholders, regions and gender. As a result, a detailed report will be produced, and we expect to extract recommendations and guidelines from the discussions, which could be communicated to several other permanent intersessional tracks, inside and outside the scope of the global IGF. Online participants will have the same treatment as those that are on site, being able to speak and comment and/or ask questions, as well as having their inputs read when that is the case. For the online participation we will rely on the platforms provided by the IGF organization as well as on social media through the use of hashtags. Intended agenda: Introduction by the subject matter expert - 20 min Overarching discussion, first policy question - 30 min Overarching discussion, first policy question - 30 min Wrap up - 10 min

    Relevance to Internet Governance: There is consensus on the need to ensure Humans Rights online, and this issue has been gaining relevance for the Internet Governance debates as our societies depend more and more on Internet-related infrastructure. Organizations around the world are highlighting particularly freedoms of speech, information, and right to privacy as principles that are fundamental to the upholding of liberal democratic values. When Edward Snowden revealed to the world the United States' government huge surveillance strategy and its worldwide reach, it pointed out for the necessity of greater efforts to protect the digital environment from Human Rights violations based on the exacerbation of the power of governments and companies that are ultimately making use of indiscriminate personal data collection. The Snowden revelations brought about a series of discussions worldwide which culminated into one of the most important Internet Governance events - the Global Multistakeholder Meeting on the Future of Internet Governance – NETmundial, held in São Paulo, in 2014, with the participation of 1480 stakeholders from 97 nations. On that occasion, the Brazilian president at the time, with the support of other government representatives, international organizations and NGOs, called for the creation of a multilateral mechanisms for the worldwide network that should be capable of ensuring principles such as: freedom of expression, privacy of the individual and respect for human rights, among others. In 2020, due to the COVID-19 outbreak privacy advocates around the world have sounded the alarm. Actions from many different fronts are being developed in order to allegedly counter the pandemic - and, once more, the slight balance between mass surveillance and personal data protection jumps on the stage raising several concerns. Since the first detection of COVID-19 in China, a handful of governments took digital action, vacuuming up citizens’ cell phone data, sometimes even including their rough location history. South Koreans are tracked through GPS location history, credit card transactions, and surveillance camera footage. Israelis learned last month that their mobile device locations have been collected for years, and now the government moves through this enormous database in broad daylight, this time to allegedly track the spread of COVID-19. Russians cannot leave home in some regions without scanning QR codes that restrict their time spent outside—three hours for grocery shopping, one hour to walk the dog, half that to take out the trash. This month, more than 100 civil and digital rights worldwide organizations urged that any government's coronavirus-targeted surveillance mechanisms ought to respect Human Rights. According to a Privacy International analysis, at least 23 countries have deployed some form of telecommunications tracking to limit the spread of coronavirus, while 14 countries are developing or have already developed their own mobile apps, including Brazil and Iceland, along with Germany and Croatia, which are both trying to make apps that are GDPR-compliant (or to their national's equivalent laws). But rapid surveillance demands rapid infrastructure. The push to allegedly digitally track the spread of coronavirus comes not only from governments, but also from companies that build potentially privacy-invasive technologies, such as a joint effort recently announced by Apple and Google. The combination of state and private surveillance means that digital technology instead of promoting equity and inclusion for all, might be encouraging a segregation within societies through a dichotomy of “watchers” - invisible, unknown and unaccountable for -, and the “watched by”. This segregation has profound consequences for democratic processes, as gathering of information tend to lead to asymmetries of knowledge, also translated into asymmetries of power. Mass surveillance has been a historically core debate, given its roots in the complex relationship between governments, companies and citizens. Almost a decade after the Snowden leaks, the world faces another challenge on the privacy boundaries online, reassuring the relevance and importance to advance this on Internet Governance once more.

    Relevance to Theme: The relationship of privacy and data protection with the Internet and the advance of the digital interactions of our societies have been heavily discussed in the past years for different reasons. Recently, the most important game changer in this field has been the enforcement of the European General Data Protection Regulation – GDPR, which came into effect in May 2018. The GDPR was the main issue discussed in several Internet Governance policy arenas for a long time, by fostering debate and forming coalitions to work together on topics of interest, as well as promoting counterpart legislation around the world. But to consider the existence of the GDPR as the end of the discussion is to not acknowledge that privacy and data protection related questions are fluid and all around always changing. Surely it is an inflection point current legislation on the topic, but our connected society has been demanding more. Take for example the domain name ecosystem and the Internet Corporation for Assigned Names and Numbers – ICANN, where several professionals are engaged in a task force to build and implement rules for domain name registration data, so as to make it compliant with the new set of rules that were put in place. We need that effort for privacy and data protection, too. In the Brazil scenario, mobile telephone operators have voluntarily provided access to citizen's cellphones personal data, such as geolocation history, as allegedly anonymized aggregated information to government of some states, without even letting the owners of such personal data, aka the citizens, know, let alone ask for consent. This voluntary provision is supposedly due in order to identify crowds and assess the progression of the virus, and yet no ongoing technical study is being held as to guarantee the effectiveness of this approach. Finally, the relevance to the data track reflects upon the tech-focused tools as the ultimate go-to solutions for social issues, in this case a health issue. Is tech capable of making up for structural gaps, including shortage of personal protective equipment for medical professional, non-existent universal testing, and a potentially fatal selection of intensive care unit beds left to survive a country-wide outbreak? Or how is tech able to play a relevant part without harming human rights and invading citizen's right to data protection. As stated in a recent open letter from international privacy groups - technology can and should play an important role during this effort to save lives, such as to spread public health messages and increase access to health care. However, an increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities - undermining trust and the effectiveness of any public health response.

    Online Participation

     

    Usage of IGF Official Tool. Additional Tools proposed: Social media platforms (twitter and facebook) will also be employed by the online moderator who will be in charge of browsing them using some hashtags (to be defined). Comments and questions may pop up in the hashtags and the online moderator will work in collaboration with the on site moderator to make sure all of them are covered. If, by any reason, the number of online interventions surpass the usual, the online moderator will sum up similar questions / interventions in blocks of issues so as the participants may have the opportunity to cover all of them.

     

    Agenda

    Intended agenda:

    Introduction - 5 min

    First segment - 25 min

    Second segment - 25 min

    Q&A - 20 min

    Final considerations - 15 min

    1. Key Policy Questions and related issues
    What are the demands, conditions, tools, solutions, outcomes and
    potential effects posed by the massive pursuit of personal data in order to best utilize data
    without harming fundamental rights as the right of privacy
    How to leverage multistakeholder dialogues in order to reach possible
    solutions and consensus on this issue?
    2. Summary of Issues Discussed

    . Legislation and legislators should consider that its enforcement will necessarily take place through data processing, so it should be responsible for what and how it regulates personal data protection.

    . Existing legislation must be adapted to the current context and data demands. In places that do not have specific Internet personal data protection regulations, responsible parties must be careful and transparent with the adopted rules, express their rationale and the methods adopted for data management, in order to protect data and identities while manipulating public health data.

    . Stimulate transparency and trust mechanisms on the Internet with a real concern to protect identities (especially minorities) avoiding the enhancement of an environment of mass surveillance and reinforcement of discrimination.

    . Advance in data privacy regulation only insofar as there is a deep understanding of what the problem is for which interest group, to avoid solutions that not only do not solve the problem, but also create new ones. 

    . To carry out in practice what the data regulation determines, like data collection using proper tools, data processing with properly maintained databases, etc. To avoid collecting unnecessary data, avoiding for instance the use of personal data by intelligence agencies with discriminatory developments, such as the case that occurred this year in the European Union. 

    . People-centered approach with democratic safeguards for processing personal data to ensure public trust in the process. 

    . Build solutions to the problem of mass surveillance in the context of the pandemic with the participation of the affected population (at some point in the process), on a multistakeholder approach.

    . Deepen the understanding about the different dynamics of power and also about the unequal distribution of resources between different interest groups in order to mitigate this issues and properly leverage a multistakeholder dialogue.

    3. Key Takeaways

    The policy questions previously addressed in this session were complex and related to a major challenge that the world has been facing for almost an year. Despite of this, consensus was reached on how to address such problems.

    One of the most important topics would be the takeaways built collectively after the comments and questions posed by the attendees that technology itself is just one of the layers to overcome current data protection in pandemic context challenges. In this sense, to build solutions to address these challenges four different aspects should be taken into account: (i) legal, (ii) economics, (iii) technological, and (iv) cultural.

    To this end, the use of technology and law enforcement need to be supported by dialogue with other stakeholders to maintain citizens privacy and be useful for solving problems, considering the correct measurement of data collection for the benefit of the community. 

    In this regard, the barriers that hinder the construction of multistakeholder solutions need to be mitigated, such as inclusion problems (Internet access, appropriate devices, financial resources to guarantee the presence in such ocasions), and also the understanding of the different power dynamics of each sector and how they influence the presence and positioning of the others. By minimizing these barriers, the multisectoral approach will move towards building effective solutions for the nowadays challenges.

    6. Final Speakers

    - Chenai Chair, Civil Society, Africa Group

    - Ellen Strickland, Civil Society, Western European and Others Group

    - Nneka Ekechukwu-Soyinka, Private Sector

    - Ian Brown, Technical Community, Western European and Others Group

    - Carlos Affonso de Souza, Civil Society, Latin American and Caribbean Group

    - Talar Kalayciyan, Public Sector, Personal Data Commission within the Chief Information office (municipality Amsterdam), Western European and Others Group

    7. Reflection to Gender Issues

    The session did not address the gender issue directly, however it did arise (along other minorities) in the discussion of the effects of mass surveillance in the pandemic context, such as related in the second topic of this report.

    9. Group Photo
    IGF 2020 WS #340 Checks and balances of data privacy within mass surveillance