You are here

EFF

Error message

  • Deprecated function: Unparenthesized `a ? b : c ? d : e` is deprecated. Use either `(a ? b : c) ? d : e` or `a ? b : (c ? d : e)` in include_once() (line 1389 of /usr/share/nginx/html/blog.headup.ws/htdocs/includes/bootstrap.inc).
  • Deprecated function: Unparenthesized `a ? b : c ? d : e` is deprecated. Use either `(a ? b : c) ? d : e` or `a ? b : (c ? d : e)` in include_once() (line 1389 of /usr/share/nginx/html/blog.headup.ws/htdocs/includes/bootstrap.inc).
Subscribe to EFF feed
EFF's Deeplinks Blog: Noteworthy news from around the internet
Updated: 15 hours 25 min ago

Disentangling Disinformation: Not as Easy as it Looks

Wed, 07/28/2021 - 17:30

Body bags claiming that “disinformation kills” line the streets today in front of Facebook’s Washington, D.C. headquarters. A group of protesters, affiliated with “The Real Facebook Oversight Board” (an organization that is, confusingly, not affiliated with Facebook or its Oversight Board), is urging Facebook’s shareholders to ban so-called misinformation “superspreaders”—that is, a specific number of accounts that have been deemed responsible for the majority of disinformation about the COVID-19 vaccines.

Disinformation about the vaccines is certainly contributing to their slow uptake in various parts of the U.S. as well as other countries. This disinformation is spreading through a variety of ways: Local communities, family WhatsApp groups, FOX television hosts, and yes, Facebook. The activists pushing for Facebook to remove these “superspreaders” are not wrong: while Facebook does currently ban some COVID-19 mis- and disinformation, urging the company to enforce its own rules more evenly is a tried-and-true tactic.

But while disinformation “superspreaders” are easy to identify based on the sheer amount of information they disseminate, tackling disinformation at a systemic level is not an easy task, and some of the policy proposals we’re seeing have us concerned. Here’s why.

1. Disinformation is not always simple to identify.

In the United States, it was only a few decades ago that the medical community deemed homosexuality a mental illness. It took serious activism and societal debate for the medical community to come to an understanding that it was not. Had Facebook been around—and had we allowed it to be arbiter of truth—that debate might not have flourished.

Here’s a more recent example: There is much debate amongst the contemporary medical community as to the causes of ME/CFS, a chronic illness for which a definitive cause has not been determined—and which, just a few years ago, was thought by many not to be real. The Centers for Disease Control notes this and acknowledges that some healthcare providers may not take the illness seriously. Many sufferers of ME/CFS use platforms like Facebook and Twitter to discuss their illness and find community. If those platforms were to crack down on that discussion, relying on the views of the providers that deny the gravity of the illness, those who suffer from it would suffer more greatly.

2. Tasking an authority with determining disinfo has serious downsides.

As we’ve seen from the first example, there isn’t always agreement between authorities and society as to what is truthful—nor are authorities inherently correct.

In January, German newspaper Handelsblatt published a report stating that the Oxford-AstraZeneca vaccine was not efficacious for older adults, citing an anonymous government source and claiming that the German government’s vaccination scheme was risky.

AstraZeneca denied the claims, and no evidence that the vaccine was ineffective for older adults was procured, but it didn’t matter: Handelsblatt’s reporting set off a series of events that led to AstraZeneca’s reputation in Germany suffering considerably. 

Finally, it’s worth pointing out that even the CDC itself—the authority tasked with providing information about COVID-19—has gotten a few things wrong, most recently in May when it lifted its recommendation that people wear masks indoors, an event that was followed by a surge in COVID-19 cases. That shift was met with rigorous debate on social media, including from epidemiologists and sociologists—debate that was important for many individuals seeking to understand what was best for their health. Had Facebook relied on the CDC to guide its misinformation policy, that debate may well have been stifled.

3. Enforcing rules around disinformation is not an easy task.

We know that enforcing terms of service and community standards is a difficult task even for the most resourced, even for those with the best of intentions—like, say, a well-respected, well-funded German newspaper. But if a newspaper, with layers of editors, doesn’t always get it right, how can content moderators—who by all accounts are low-wage workers who must moderate a certain amount of content per hour—be expected to do so? And more to the point, how can we expect automated technologies—which already make a staggering amount of errors in moderation—to get it right?

The fact is, moderation is hard at any level and impossible at scale. Certainly, companies could do better when it comes to repeat offenders like the disinformation “superspreaders,” but the majority of content, spread across hundreds of languages and jurisdictions, will be much more difficult to moderate—and as with nearly every category of expression, plenty of good content will get caught in the net.

Should Congress Close the FBI’s Backdoor for Spying on American Communications? Yes.

Wed, 07/28/2021 - 14:25

All of us deserve basic protection against government searches and seizures that the Constitution provides, including requiring law enforcement to get a warrant before it can access our communications.  But currently, the FBI has a backdoor into our communications, a loophole, that Congress can and should close.

This week, Congress will vote on the Commerce, Justice, Science and Related Agencies Appropriations bill (H.R. 4505). Among many other things, this bill contains all the funding for the Department of Justice for Fiscal Year 2022 along with certain restrictions on how the DOJ is allowed to spend taxpayer funds. Reps. Lofgren, Massie, Jayapal, and Davidson have offered an amendment to the bill that would prohibit the use of taxpayer funds to conduct warrantless wiretapping of US Persons conducted under Section 702 of the FISA Amendments Act. We strongly support this Amendment.

Section 702 of the Foreign Intelligence Surveillance Act (FISA) requires tech and telecommunications companies to provide the U.S. government with access to emails and other communications to aid in national security investigations--ostensibly when U.S. persons are in communication with foreign surveillance targets abroad or wholly foreign communications transit the U.S. But in this wide-sweeping dragnet approach to intelligence collection, companies allows government access and collection of a large amount of “incidental” communications--that is millions of untargeted communications of U.S. persons that are swept up with the intended data. Once it is collected, the FBI currently can bypass the 4th Amendment requirement of a warrant and sift through these “incidental” non-targeted communications of Americans -- effectively using Section 702 as a “backdoor” around the constitution. They’ve been told by the FISA Court this violates Americans’ Fourth Amendment rights but it has not seemed to stop them and, frustratingly, the FISA Court has failed to take steps to ensure that they stop.

This amendment would not only forbid the DOJ from doing this activity, it would also send a powerful signal to the intelligence agency that Congress is serious about reform.

Take action

Tell your member of Congress to support this amendment today.

The DOJ is opposing this amendment, saying that it would inhibit their investigations and make them less successful in rooting out kidnappings and child trafficking. We’ve heard this argument before, and it’s just not convincing.

The FBI has a wide range of investigatory tools.  It gives a scary list of potential investigations that it says might be impacted by removing its backdoor, but for every single one of them, the FBI can get a warrant or use other investigatory tools like National Security Letters. What the DOJ elides in protesting this narrow amendment is that the FBI has gotten used to searching through already collected communications of Americans —overbroadly collected for foreign intelligence purposes — for domestic law enforcement purposes. But it is not the purpose of 702 to save the FBI the trouble of getting a warrant (FISA or otherwise) for domestic investigations as the law and the Constitution requires before it collects needed information from the telecommunications and Internet service providers. The FBI is in no way prohibited from using its long-standing powerful investigatory tools due to this amendment - it just can no longer piggy-back on admittedly over broad foreign intelligence collections.  

The government also elides that what it wants is to take advantage of Section 702’s massive well-documented over-collection to have a kind of time machine. There is a possibility that information collected by the NSA will be deleted before the FBI can get a warrant, but the FBI has not submitted any public (or as far as we can tell, classified) evidence that this is a major problem in practice or would have resulted in thwarted prosecutions -- as opposed to just requiring a bit more effort by the FBI. But protecting Americans privacy is worth making the FBI follow the Constitution, even if it is a bit more effort.

The US Supreme Court has denied domestic law enforcement a general warrant — collecting first a broad swath of Americans’ communications then sorting through later what it may need. That is what the FBI is defending here, it is what the FISC raised concerns about and it is what this amendment will rightfully stop.

Tell your member of Congress to support this amendment today.

Take action

Tell your member of Congress to support this amendment today.

EFF at 30: Freeing the Internet, with Net Neutrality Pioneer Gigi Sohn

Wed, 07/28/2021 - 12:46

To commemorate the Electronic Frontier Foundation’s 30th anniversary, we present EFF30 Fireside Chats. This limited series of livestreamed conversations looks back at some of the biggest issues in internet history and their effects on the modern web.

To celebrate 30 years of defending online freedom, EFF held a candid live discussion with net neutrality pioneer and EFF board member Gigi Sohn, who served as Counselor to the Chairman of the Federal Communications Commission and co-founder of leading advocacy organization Public Knowledge. Joining the chat were Senior Legislative Counsel at EFF Ernesto Falcon and Associate Director of Policy and Activism Katharine Trendacosta. You can watch the full conversation here.

In my perfect world, everyone’s connected to a future proof, fast, affordable—and open—internet.

On July 28, we’ll be holding our final EFF30 Fireside Chat—a "Founders Edition." EFF's Executive Director, Cindy Cohn will be joined by some of our founders and early board members, Esther Dyson, Mitch Kapor, and John Gilmore, to discuss everything from EFF's origin story and its role in digital rights to where we are today.

EFF30 Fireside Chat: Founders Edition
Wednesday, July 28, 2021 at 5 pm Pacific Time
Streaming Discussion with Q&A

RSVP to the Next EFF30 Fireside Chat

THIS EVENT IS LIVE AND FREE! $10 DONATION APPRECIATED

The conversation began with a comparison between the policy battles of the 1990s, the 2000’s, and today: “What was happening was that the copyright industry--Hollywood, the recording industry, the book publishers--, saw this technology that gave people power to control their own experience and what they wanted to see, and what they wanted to listen to, and it flipped them out...we really need[ed] an organization in Washington that’s dedicated to a free and open internet, that’s free of copyright gatekeepers, and free of ISP gatekeepers.” This was the founding of Public Knowledge, an organization that fights, alongside EFF, to protect the open internet.

%3Ciframe%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fembed%2FASCg1x5al_o%3Fautoplay%3D1%26mute%3D1%22%20allow%3D%22accelerometer%3B%20autoplay%3B%20clipboard-write%3B%20encrypted-media%3B%20gyroscope%3B%20picture-in-picture%22%20allowfullscreen%3D%22%22%20width%3D%22560%22%20height%3D%22315%22%20frameborder%3D%220%22%3E%3C%2Fiframe%3E Privacy info. This embed will serve content from youtube.com

Many think of net neutrality—the idea that Internet service providers (ISPs) should treat all data that travels over their networks fairly, without improper discrimination in favor of particular apps, sites or services—as a fairly recent issue. But it actually started in the late 1990’s, Sohn explained. The battle, in many ways, began in earnest in Portland, when the city’s consumer protection agency told AT&T that their cable modem service was going to be regulated under Title VI of the Communications Act of 1934. This led to a court case where the Ninth Circuit determined that the cable modem service was actually a communications service, and fell under Title II of the Communications Act, and should be regulated similarly to a telephone service. Watch the full clip below for a full deep dive into net neutrality’s history:

%3Ciframe%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fembed%2F9I8CJbn6KVQ%3Fautoplay%3D1%26mute%3D1%22%20allow%3D%22accelerometer%3B%20autoplay%3B%20clipboard-write%3B%20encrypted-media%3B%20gyroscope%3B%20picture-in-picture%22%20allowfullscreen%3D%22%22%20width%3D%22560%22%20height%3D%22315%22%20frameborder%3D%220%22%3E%3C%2Fiframe%3E Privacy info. This embed will serve content from youtube.com

Moving to the topic of broadband access, Katharine Trendacosta describes it along the lines of net neutrality. “It’s not a partisan issue. Most Americans support net neutrality. Most Americans need internet access.” And the increased need for access during the pandemic wasn’t a blip--”This is always what the future was going to look like.”

%3Ciframe%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fembed%2FAeph3-kemwo%3Fautoplay%3D1%26mute%3D1%22%20allow%3D%22accelerometer%3B%20autoplay%3B%20clipboard-write%3B%20encrypted-media%3B%20gyroscope%3B%20picture-in-picture%22%20allowfullscreen%3D%22%22%20width%3D%22560%22%20height%3D%22315%22%20frameborder%3D%220%22%3E%3C%2Fiframe%3E Privacy info. This embed will serve content from youtube.com

But crises like the pandemic do show the dangerous cracks that exist due to the current lack of broadband regulation. For example, Sohn explained, the Santa Clara fire department was throttled during the Mendocino Complex fire, and had nowhere to go to fix the problem. And over the last year, “the former FCC chairman had to beg the companies not to cut off people’s service during the pandemic. The FCC couldn’t say ‘you must,’ they had to say ‘Mother, may I?’” To put it bluntly, said Ernesto Falcon, as access is more critical than ever, the lack of authority leaves many people without recourse: “Three-quarters of Americans now think of broadband as the same as electricity and water in terms of its importance in everyday life--and the idea that you would have an unregulated monopoly selling you water, who wants that? No one wants that.”

In the regulatory vacuum, Sohn said, the states are the new battleground for getting net neutrality and broadband access to everyone--and they are well poised to fight that fight. Several states have passed net neutrality laws, including California (the ISPs, of course, are fighting back with lawsuits). And though the federal government has failed to properly expand broadband access, states can do, and some have done, much better:

The FCC and other agencies have spent about 50 billion dollars trying to build broadband everywhere and they’ve failed miserably. They invested in slow technologies, they weren’t careful with where they built, we have slow networks, and by one count we have 42 million Americans that don’t have access to any network at all. We need to be much much smarter. It’s not only about who gets the money, or how much, or for what, but it’s also how it’s given out. And that’s one of the reasons why I’m favorable towards giving a big chunk to the states. They’ll have a better idea of where the need is.

%3Ciframe%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fembed%2FEUTcpkNfF9w%3Fautoplay%3D1%26mute%3D1%22%20allow%3D%22accelerometer%3B%20autoplay%3B%20clipboard-write%3B%20encrypted-media%3B%20gyroscope%3B%20picture-in-picture%22%20allowfullscreen%3D%22%22%20width%3D%22560%22%20height%3D%22315%22%20frameborder%3D%220%22%3E%3C%2Fiframe%3E Privacy info. This embed will serve content from youtube.com

This chat was recorded just weeks before California Governor Newsom signed a massive, welcome multi-billion dollar public fiber package into law in late July.

The conversation then went to questions from the audience, which tackled ways to kickstart competition in the ISP market, how to convince politicians to make an expensive fiber optic investment, and ultimately, what the role of government should be in an area in which they’ve (so far) failed. You can, and should, watch the entire Fireside Chat here. Whatever you take away from this wide-ranging discussion of open internet issues, we hope you’ll help us work towards Sohn’s vision of a world where “everyone’s connected to a future proof, fast and affordable—and open—internet.” This is a vision that EFF shares, and one that we believe can exist—if we fight for it.

___________________________
Check out additional recaps of EFF's 30th anniversary conversation series, and don't miss our final program where we'll delve into the dawn of digital activism with EFF’s early leaders on July 28, 2021: EFF30 Fireside Chat: Founders Edition.

EFF Sues U.S. Postal Service For Records About Covert Social Media Spying Program

Tue, 07/27/2021 - 13:56
Service Looked Through People’s Posts Prior to Street Protests

Washington D.C.—The Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) lawsuit against the U.S. Postal Service and its inspection agency seeking records about a covert program to secretly comb through online posts of social media users before street protests, raising concerns about chilling the privacy and expressive activity of internet users.

Under an initiative called Internet Covert Operations Program, analysts at the U.S. Postal Inspection Service (USPIS), the Postal Service’s law enforcement arm, sorted through massive amounts of data created by social media users to surveil what they were saying and sharing, according to media reports. Internet users’ posts on Facebook, Twitter, Parler, and Telegraph were likely swept up in the surveillance program.

USPIS has not disclosed details about the program or any records responding to EFF’s FOIA request asking for information about the creation and operation of the surveillance initiative. In addition to those records, EFF is also seeking records on the program’s policies and analysis of the information collected, and communications with other federal agencies, including the Department of Homeland Security (DHS), about the use of social media content gathered under the program.

“We’re filing this FOIA lawsuit to shine a light on why and how the Postal Service is monitoring online speech. This lawsuit aims to protect the right to protest,” said Houston Davidson, EFF public interest legal fellow. “The government has never explained the legal justifications for this surveillance. We’re asking a court to order the USPIS to disclose details about this speech-monitoring program, which threatens constitutional guarantees of free expression and privacy.”

Media reports revealed that a government bulletin dated March 16 was distributed across DHS’s state-run security threat centers, alerting law enforcement agencies that USPIS analysts monitored “significant activity regarding planned protests occurring internationally and domestically on March 20, 2021.” Protests around the country were planned for that day, and locations and times were being shared on Parler, Telegram, Twitter, and Facebook, the bulletin said.

“Monitoring and gathering people’s social media activity chills and suppresses free expression,” said Aaron Mackey, EFF senior staff attorney. “People self-censor when they think their speech is being monitored and could be used to target them. A government effort to scour people’s social media accounts is a threat to our civil liberties.”

For the complaint:
https://www.eff.org/document/eff-v-usps-complaint

For more on this case:
https://www.eff.org/cases/eff-v-usps-social-media-monitoring-icop

For more on social media surveillance:
https://www.eff.org/issues/social-media-surveilance

Contact:  HoustonDavidsonLegal Fellowhouston@eff.org AaronMackeySenior Staff Attorneyamackey@eff.org

EFF, ACLU Urge Appeals Court to Revive Challenge to Los Angeles’ Collection of Scooter Location Data

Fri, 07/23/2021 - 16:48
Lower Court Improperly Dismissed Lawsuit Against Privacy-Invasive Data Collection Practice

San Francisco—The Electronic Frontier Foundation and the ACLU of Northern and Southern California today asked a federal appeals court to reinstate a lawsuit they filed on behalf of electric scooter riders challenging the constitutionality of Los Angeles’ highly privacy-invasive collection of detailed trip data and real-time locations and routes of scooters used by thousands of residents each day.

The Los Angeles Department of Transportation (LADOT) collects from operators of dockless vehicles like Lyft, Bird, and Lime information about every single scooter trip taken within city limits. It uses software it developed to gather location data through Global Positioning System (GPS) trackers on scooters. The system doesn’t capture the identity of riders directly, but collects with precision riders’ location, routes, and destinations to within a few feet, which can easily be used to reveal the identities of riders.

A lower court erred in dismissing the case, EFF and the ACLU said in a brief filed today in the U.S. Circuit Court of Appeals for the Ninth Circuit. The court incorrectly determined that the practice, unprecedented in both its invasiveness and scope, didn’t violate the Fourth Amendment. The court also abused its discretion, failing to exercise its duty to credit the plaintiff’s allegations as true, by dismissing the case without allowing the riders to amend the lawsuit to fix defects in the original complaint, as federal rules require.

“Location data can reveal detailed, sensitive, and private information about riders, such as where they live, who they work for, who their friends are, and when they visit a doctor or attend political demonstrations,” said EFF Surveillance Litigation Director Jennifer Lynch. “The lower court turned a blind eye to Fourth Amendment principles. And it ignored Supreme Court rulings establishing that, even when location data like scooter riders’ GPS coordinates are automatically transmitted to operators, riders are still entitled to privacy over the information because of the sensitivity of location data.”

The city has never presented a justification for this dragnet collection of location data, including in this case, and has said it’s an “experiment” to develop policies for motorized scooter use. Yet the lower court decided on its own that the city needs the data and disregarded plaintiff Justin Sanchez’s statements that none of Los Angeles’ potential uses for the data necessitates collection of all riders’ granular and precise location information en masse.

“LADOT’s approach to regulating scooters is to collect as much location data as possible, and to ask questions later,” said Mohammad Tajsar, senior staff attorney at the ACLU of Southern California. “Instead of risking the civil rights of riders with this data grab, LADOT should get back to the basics: smart city planning, expanding poor and working people’s access to affordable transit, and tough regulation on the private sector.”

The lower court also incorrectly dismissed Sanchez’s claims that the data collection violates the California Electronic Communications Privacy Act (CalECPA), which prohibits the government from accessing electronic communications information without a warrant or other legal process. The court’s mangled and erroneous interpretation of CalECPA—that only courts that have issued or are in the process of issuing a warrant can decide whether the law is being violated—would, if allowed to stand, severely limit the ability of people subjected to warrantless collection of their data to ever sue the government.

“The Ninth Circuit should overturn dismissal of this case because the lower court made numerous errors in its handling of the lawsuit,” said Lynch. “The plaintiffs should be allowed to file an amended complaint and have a jury decide whether the city is violating riders’ privacy rights.”

For the brief:
https://www.eff.org/document/sanchez-v-ladot-opening-appellage-briefpdf

Contact:  JenniferLynchSurveillance Litigation Directorjlynch@eff.org

Data Brokers are the Problem

Fri, 07/23/2021 - 14:59

Why should you care about data brokers? Reporting this week about a Substack publication outing a priest with location data from Grindr shows once again how easy it is for anyone to take advantage of data brokers’ stores to cause real harm.

This is not the first time Grindr has been in the spotlight for sharing user information with third-party data brokers. The Norwegian Consumer Council singled it out in its 2020 "Out of Control" report, before the Norwegian Data Protection Authority fined Grindr earlier this year. At the time, it specifically warning that the app’s data-mining practices could put users at serious risk in places where homosexuality is illegal.

But Grindr is just one of countless apps engaging in this exact kind of data sharing. The real problem is the many data brokers and ad tech companies that amass and sell this sensitive data without anything resembling real users’ consent.

Apps and data brokers claim they are only sharing so-called “anonymized” data. But that’s simply not possible. Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don’t include a legal name. In particular, there’s no such thing as “anonymous” location data. Data points like one’s home or workplace are identifiers themselves, and a malicious observer can connect movements to these and other destinations. In this case, that includes gay bars and private residents.

Another piece of the puzzle is the ad ID, another so-called “anonymous" label that identifies a device. Apps share ad IDs with third parties, and an entire industry of “identity resolution” companies can readily link ad IDs to real people at scale.

All of this underlines just how harmful a collection of mundane-seeming data points can become in the wrong hands. We’ve said it before and we’ll say it again: metadata matters.

That’s why the U.S. needs comprehensive data privacy regulation more than ever. This kind of abuse is not inevitable, and it must not become the norm.

Council of Europe’s Actions Belie its Pledges to Involve Civil Society in Development of Cross Border Police Powers Treaty

Thu, 07/22/2021 - 21:06

As the Council of Europe’s flawed cross border surveillance treaty moves through its final phases of approval, time is running out to ensure cross-border investigations occur with robust privacy and human rights safeguards in place. The innocuously named “Second Additional Protocol” to the Council of Europe’s (CoE) Cybercrime Convention seeks to set a new standard for law enforcement investigations—including those seeking access to user data—that cross international boundaries, and would grant a range of new international police powers. 

But the treaty’s drafting process has been deeply flawed, with civil society groups, defense attorneys, and even data protection regulators largely sidelined. We are hoping that CoE's Parliamentary Committee (PACE), which is next in line to review the draft Protocol, will give us the opportunity to present and take our privacy and human rights concerns seriously as it formulates its opinion and recommendations before the CoE’s final body of approval, the Council of Ministers, decides the Protocol’s fate. According to the Terms of Reference for the preparation of the Draft Protocol, the Council of Ministers may consider inviting parties “other than member States of the Council of Europe to participate in this examination.”

The CoE relies on committees to generate the core draft of treaty texts. In this instance, the CoE’s Cybercrime Committee (T-CY) Plenary negotiated and drafted the Protocol’s text with the assistance of a drafting group consisting of representatives of State Parties. The process, however, has been fraught with problems. To begin with, T-CY’s Terms of Reference for the drafting process drove a lengthy, non-inclusive procedure that relied on closed sessions (​​Article 4.3 T-CY Rules of Procedures). While the Terms of Reference allow the T-CY to invite individual subject matter experts on an ad hoc basis, key voices such as data protection authorities, civil society experts, and criminal defense lawyers were mostly sidelined. Instead, the process has been largely commandeered by law enforcement, prosecutors and public safety officials (see here, and here). 

Earlier in the process, in April 2018, EFF, CIPPIC, EDRI and 90 civil society organizations from across the globe requested the COE Secretariat General provide more transparency and meaningful civil society participation as the treaty was being negotiated and drafted—and not just during the CoE’s annual and somewhat exclusive Octopus Conferences. However, since T-CY began its consultation process in July 2018, input from external stakeholders has been limited to Octopus Conference participation and some written comments. Civil society organizations were not included in the plenary groups and subgroups where text development actually occurs, nor was our input meaningfully incorporated. 

Compounding matters, the T-CY’s final online consultation, where the near final draft text of the Protocol was first presented to external stakeholders, only provided a 2.5 week window for input. The draft text included many new and complex provisions, including the Protocol’s core privacy safeguards, but excluded key elements such as the explanatory text that would normally accompany these safeguards. As was flagged by civil society, privacy regulators, and even by the CoE’s own data protection committee, two and a half weeks is not enough time to provide meaningful feedback on such a complex international treaty. More than anything, this short consultation window gave the impression that T-CY’s external consultations were truly performative in nature. 

Despite these myriad shortcomings, the Council of Ministers (CoE’ final statutory decision-making body, comprising member States’ Foreign Affairs Ministers) responded to our process concerns arguing that external stakeholders had been consulted during the Protocol’s drafting process. Even more oddly, the Council of Ministers’ justified the demonstrably curtailed final consultation period by invoking its desire to complete the Protocol on the 20th anniversary of the CoE’s Budapest Cybercrime Convention (that is, by this November 2021).

With great respect, we kindly disagree with Ministers’ response. If T-CY wished to meet its November 2021 deadline, it had many options open to it. For instance, it could have included external stakeholders from civil society and from privacy regulators in its drafting process, as it had been urged to do on multiple occasions. 

More importantly, this is a complex treaty with wide ranging implications for privacy and human rights in countries across the world. It is important to get it right, and ensure that concerns from civil society and privacy regulators are taken seriously and directly incorporated into the text. Unfortunately, as the text stands, it raises many substantive problems, including the lack of systematic judicial oversight in cross-border investigations and the adoption of intrusive identification powers that pose a direct threat to online anonymity. The Protocol also undermines key data protection safeguards relating to data transfers housed in central instruments like the European Union’s Law Enforcement Directive and the General Data Protection Regulation. 

The Protocol now stands with CoE’s PACE, which will issue an opinion on the Protocol and might recommend some additional changes to its substantive elements. It will then fall to CoE’s Council of Ministers to decide whether to accept any of PACE’s recommendations and adopt the Protocol, a step which we still anticipate will occur in November. Together with CIPPICEDRI, Derechos Digitales and NGOs around the world hope that PACE takes our concerns seriously, and that the Council produces a treaty that puts privacy and human rights first.