Read Black Code: Inside the Battle for Cyberspace Online
Authors: Ronald J. Deibert
Tags: #Social Science, #True Crime, #Computers, #Nonfiction, #Cybercrime, #Security, #Retail
While Google does not disclose the details of every request, it does highlight those that it complied with or turned down. Examples of requests rejected by Google include: Passport Canada’s plea to remove a YouTube video of a Canadian citizen urinating on his passport and flushing it down the toilet; Pakistan Ministry of Information’s request to remove six YouTube videos that satirized the Pakistani Army and senior politicians; the Polish Agency for Enterprise Development’s request that Google remove a search result that criticized the agency, as well as eight more that linked to it; and the Spanish Data Protection Authority’s plea that Google remove 270 search results that linked to blogs and sites referencing individuals and public figures, plus several videos hosted on YouTube that did the same.
• • •
There are “requests” and then there are “other requests”; that is, there are legitimate reasons to shut down certain websites or remove certain content and then there are murky, theatre of the absurd, non-court-ordered “other requests” that governments the world over are increasingly making. These “other requests” tread dangerously close to our “other lives” – the secrets we share, for very good reason, only with a select few intimate “others” – and our lives, our sanity, depend on the ability to do so, to remain anonymous, invisible to the world outside, particularly to those in positions of power.
Google arranges its content removal request results in two categories: those that come with a court order and those that do not. The only information Google provides in elaborating on these “other requests” is contained in brackets – from “Executive,” the “Police,” et cetera – and such requests often dwarf the number of requests that come with a court order. For example, in 2011 Google received five requests for content removal from India that came with a court order, but nearly 100 for the removal of 246 items that came in the form of “other requests,” of which Google complied with roughly one-quarter. The request from Passport Canada was an “other request,” one of fifteen such requests from Canada, as opposed to four that came backed with a court order. In total, “other requests” to Google increased from 563 in the July to December 2011 period to 1,002 from January to June 2012.
In 2009 a senior Google staffer who dealt regularly with China told me in confidence about the persistent number of “other requests” Chinese authorities make to Google. While many experts assumed that Chinese officials were mostly concerned with data about the Falun Gong, Tiananmen Square, Tibet, or Taiwan, the vast majority of requests were far more frivolous: senior government officials wanting an embarrassing YouTube video of their daughters taken down, or evidence of bureaucratic inefficiency erased from the public record. Google staffers had no policy to deal with such requests and were often at the whim of capricious officials. Most frustrating, I was told, was that they would be given little time to deal with such requests. Failing to comply, often within less than twenty-four hours, could lead to stalling around approvals necessary to run their business. More than the 2009 Operation Aurora attacks, in which Gmail accounts and Google source code were infiltrated by Chinese hackers, it was the frustration of operating in this “other request” climate that ultimately led to the company’s withdrawal from mainland China to Hong Kong, and to initiatives like the Transparency Reports.
The number of “other requests” Google receives for content removal or user data is suggestive of a troubling trend. Looking at their Transparency Reports, and the “other requests” category in particular, it is striking how much of the policing of cyberspace is taking place outside of the rule of law. As more and more data is entrusted by users to third parties like Google, governments are side-stepping transparent and accountable judicial processes to police that data. “Other requests” are, ironically, becoming the norm for Internet policing.
The most obvious place we would expect to find evidence of this trend is in flawed democracies or autocratic regimes. In Google’s 2011 (July–December) report, Turkey made twenty-three requests for seventy items to be removed, of which 48 percent were complied with; Taiwan, eight content removal requests for twenty-seven items, none of which were complied with; Pakistan, two requests to remove fifteen items, neither of which was complied with. But the most shocking revelation of the Transparency Report concerns those “other requests” for user data and content removal from liberal democratic countries. According to Google, between January and June 2012, the ten countries making the most “other requests” are all democracies: Turkey, United Kingdom, Germany, India, United States, Spain, Brazil, France, South Korea, and Canada. Is it a crime to urinate on your passport in Canada? I doubt it. But it most definitely is wrong for the Canadian government to make a request to an ISP to remove a video documenting the act. If it were a criminal offence to urinate on your country’s passport, arguably the video is material evidence and, more importantly, what should or should not be censored in Canada is not a decision Passport Canada is authorized to make.
While the Canadian example stands out for its arbitrariness, the data concerning the United States stands out for sheer volume. According to Google, between July and December 2011, seventy “other requests” were made by the U.S. government for the removal of 2,341 items, of which 44 percent were complied with. In more than half of the cases, Google determined these “other requests” to be frivolous. Germany made forty-three “other requests” for the removal of 418 items, of which 72 percent were complied with. In Britain, there were thirty-seven “other requests” for the removal of 750 items, of which 54 percent were complied with. France made nineteen “other requests” for the removal of thirty-nine items, of which 47 percent were complied with. With the exception of some minor notes made by Google in the margins, no further detail is provided. At least in this instance, we are left largely in the dark about how cyberspace is being policed.
A short time after Google’s first 2012 update, Twitter produced its own transparency report. The company noted its commitment to responsible behaviour and the inspiration provided by Google. Perhaps more tellingly, however, Twitter’s report came out immediately after it lost a court case and was required to turn over three months’ worth of data on an Occupy Wall Street protester. Although their transparency report does not provide anywhere near the same level of detail as Google’s, it is an interesting complement and represents the same troubling trend. According to Twitter, the company received more requests from governments in the first half of 2012 than in all of 2011. When it comes to requests for user information, no country comes close to the United States: 849 user information requests, and of those Twitter complied with 75 percent. For its part, Canada made eleven requests for user account information and Twitter complied with two. Japan made ninety-eight requests, nineteen of which were complied with. Twitter is one of the few companies that alerts users to requests made by law enforcement agencies about their accounts, unless specifically prohibited from doing so by a court order or statute.
We might assume that it is the countries of the global South and East that are the main threats to rights and freedoms in cyberspace, but the global North and West appear to be on the same path – maybe even leading the way.
• • •
As far as transparency practices go, the Google and Twitter reports are a step in the right direction, but they represent only a partial peek into the hidden underworld of extrajudicial cyberspace policing. Also, the reports beg several questions. What other types of requests are being made that are not anywhere disclosed? To what extent do other companies receive the same type and volume of requests? Presumably, Google and Twitter are representative of a much larger social media universe. What about Microsoft? Skype? Facebook?
The Electronic Frontier Foundation (EFF) has attempted to answer these questions on a project website called “When the Government Comes Knocking, Who Has Your Back?” The EFF has investigated and ranked eighteen U.S. email, ISP, and cloud storage companies across several categories – including terms of service, privacy policies, and published law enforcement guidelines – and examined company track records of standing up for their users in court. As the EFF explains: “When you use the Internet, you entrust your online conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what happens when the government demands that these companies hand over your private information? Will the company stand with you? Will it tell you that the government is looking for your data so that you can take steps to protect yourself?” Their scorecard is instructive: not one of Amazon, Apple, AT&T, Comcast, Foursquare, Loopt, Microsoft, MySpace, Skype, Verizon, or Yahoo! tells users about data demands or is transparent about government requests.
While the Google and Twitter transparency reports, and projects like EFF’s, provide some insight, other research fills in the blanks and helps illustrate the danger of “other requests” becoming the norm vis-à-vis cyberspace. Take the case of Anthony Chai. In 2006, this Thai-American citizen was detained and interrogated while visiting Thailand, and subsequently harassed when he returned to the U.S., for comments he’d posted on http://www.manusaya.com a year earlier that allegedly violated Thailand’s lèse-majesté laws (which make it a crime to insult Thai royalty). The website was hosted by Netfirms, a Canadian company, which shut it down in June 2005 at the Thai government’s request. Because Netfirms is not a Thai company and enjoyed the protections of Canadian law, the shutdown was an especially pernicious response to an “other request” – one with considerable international implications. Equally disturbing is the possibility that Netfirms released Anthony Chai’s IP address, linking anonymous http://www.manusaya.com posts to him and subjecting him to detention and harassment by the Thai government. This disclosure would be in violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Though the case is pending in a California district court (where Chai has filed a lawsuit against Netfirms), it shows that a company may violate its own country’s laws in seeking to comply with another country’s “other requests.”
One country where “other requests” are the operational norm is China, and probably the most infamous case there involved Google’s competitor, Yahoo! In 2002 and 2004, the Chinese government requested information – including private emails – about two dissidents it sought to silence and punish: Wang Xiaoning and Shi Tao. Yahoo! complied with the demands and the sharing of their data led directly to the prosecution and imprisonment of the dissidents. Their families, with the help of the American branch of the World Organization for Human Rights, filed a suit against Yahoo! in the United States, and Yahoo! executives were called before Congress to explain their actions. The company, they testified, was merely following “local law.” Compliance with the type of demands that Yahoo! faced in China might well be part of doing business in that country, but where should foreign companies draw the line?
In 2008, as previously mentioned, the Citizen Lab’s Nart Villeneuve discovered that there was a content filtering system on the Chinese version of Skype. Called “TOM-Skype,” it is a joint venture between Skype (which at the time was owned by eBay, but is now owned by Microsoft) and the Chinese media conglomerate, the TOM Group. The Citizen Lab looked into TOM-Skype’s content filtering mechanism, and found that each time certain keywords were typed into the chat window a hidden connection was made. We followed that hidden electronic trail, apparent only through detailed packet capture analysis, to a server in China which, it turned out, had a directory that was not password protected. It contained a voluminous number of encrypted files, plus the decryption key. Upon decrypting the data, we discovered that TOM-Skype had been systematically intercepting and monitoring millions of private chats, triggered whenever any of the users typed in a banned keyword. From that moment on, their chats were intercepted, as were those with whom they were communicating, and uploaded to a server in China, presumably to be shared with Chinese security services. The interception directly contravened Skype’s explicit terms of service, which promised state-of-the-art “end-to-end encryption,” allowing it to be widely promoted as a secure tool for dissidents and others at risk.
The scandalous tale was covered by John Markoff in the New York Times, and Skype later apologized. A few years later, however, University of New Mexico researchers found the exact same content-filtering and interception system was still in place on TOM-Skype. Notably, Skype scores zero on the EFF scorecard, and its present owner, Microsoft, fares little better: neither tells users about data demands, is transparent about government requests, or fights for user privacy rights in court. Apparently, “local laws” and “other requests” prevail.
• • •
In the case of WikiLeaks, although no judicial process supported it, many companies either pulled their services or refused to support the organization after it linked to thousands of leaked U.S. State Department cables. In December 2010, its domain name service provider, EveryDNS, ceased DNS-resolution services for http://www.wikileaks.org, severely hampering its ability to communicate. EveryDNS cited the ongoing denial-of-service attacks against WikiLeaks as the reason for its cessation of services, but most suspect the U.S. company was wary of political repercussions in the event of continued service. Another American hosting company, Amazon, also dropped WikiLeaks as a customer. And, around the same time, several credit card and financial services companies – Bank of America, Visa, Western Union, MasterCard, PayPal, and Amazon – stopped processing donations to WikiLeaks. PayPal claimed it did so because WikiLeaks violated its terms of service, which states, “Our payment service cannot be used for any activities that encourage, promote, facilitate or instruct others to engage in illegal activity.” One PayPal executive, Osama Bedier, claimed the company took the measure after a letter was circulated by the State Department that referred to WikiLeaks being in illegal possession of documents. However, nowhere does the letter, sent directly to WikiLeaks, suggest the organization itself was breaking U.S. law, and this raises the troubling prospect of a government and/or company arbitrarily deciding to withhold services to an organization simply because it is controversial.