Good Intentions, Recalcitrant Text - I: Why India’s Proposal at the ITU is Troubling for Internet Freedoms

At the 2014 Plenipotentiary Conference (‘PP-14’ or ‘Plenipot’) of the International Telecommunications Union (ITU), India has tabled a draft proposal on “ITU’s Role in Realising Secure Information Society” [Document 98, dated 20 October 2014] (“Draft Resolution”). India’s proposal has incited a great deal of concern and discussion among Plenipot attendees, governments and civil society alike. Before offering my concerns and comments on the Draft Resolution, let us understand the proposal.

Our Draft Resolution identifies 3 security concerns with exchange of information and resource allocation on the Internet:

• First, it is troubling for India that present network architecture has “security weaknesses” such as “camouflaging the identity of the originator of the communication”;[1] random IP address distribution also makes “tracing of communication difficult”;[2]
• Second, India is concerned that under the present allocation system of naming, numbering and addressing resources on the Internet, it is impossible or at the very least, cumbersome to identify the countries to which IP address are allocated;[3]
• Third, India finds it insecure from the point of view of national security that traffic originating and terminating in the same country (domestic traffic) often routes through networks overseas;[4] similarly, local address resolution also routes through IP addresses outside the country or region, which India finds troubling.[5]

In an effort to address these concerns, the Draft Resolution seeks to instruct the ITU Secretary General:

• First, to develop and recommend a ‘traffic routing plan’ that can “effectively ensure the traceability of communication”;[6]
• Second, to collaborate with relevant international and intergovernmental organisations to develop an “IP address plan” which facilitates identification of locations/countries to which IP addresses are allocated and coordinates allocation accordingly;[7]
• Third, to develop and recommend “a public telecom network architecture” that localizes both routing[8] as well as address resolution[9] for local/domestic traffic to “within the country”.

Admittedly, our Draft Resolution is intended to pave a way for “systematic, fair and equitable allocation” of, inter alia, naming, numbering and addressing resources,[10] keeping in mind security and human rights concerns.[11] In an informal conversation, members of the Indian delegation echoed these sentiments. Our resolution does not, I was told, raise issues about the “concentration of control over Internet resources”, though “certain governments” have historically exercised more control. It also does not, he clarified, wish to make privacy or human rights a matter for discussion at the ITU. All that the Draft Resolution seeks to do is to equip the ITU with the mandate to prepare and recommend a “roadmap for the systematization” of allocation of naming, numbering and addressing resources, and for local routing of domestic traffic and address resolution. The framework for such mandate is that of security, given the ITU’s role in ‘building confidence and security in the use of ICTs’ under Action Line C5 of the Geneva Plan of Action, 2003.

Unfortunately, the text of our Draft Resolution, by dint of imprecision or lack of clarity, undermines India’s intentions. On three issues of utmost importance to the Internet, the Draft Resolution has unintended or unanticipated impacts. First, its text on tracing communication and identity of originators, and systematic allocation of identifiable IP address blocks to particular countries, has impacts on privacy and freedom of expression. Given Edward Snowden’s NSA files and the absence of adequate protections against government incursions or excesses into privacy,[12] either in international human rights law or domestic law, such text is troublesome. Second, it has the potential to undermine multi-stakeholder approaches to Internet governance by proposing text that refers almost exclusively to sovereign monopolies over Internet resource allocation, and finally, displays a certain disregard for network architecture and efficiency, and to principles of a free, open and unified Internet, when it seeks to develop global architecture that facilitates (domestic) localization of traffic-routing, address resolution and allocation of naming, numbering and addressing.

In this post, I will address the first concern of human rights implications of our Draft Resolution.

Unintended Implications for Privacy and Freedom of Expression:

India’s Draft Resolution has implications for individual privacy. At two different parts of the preamble, India expresses concerns with the impossibility of locating the user at the end of an IP address:

• Pream. §(e): “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”;
• Pream. §(h): “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

The concerns here surround difficulties in tracking IP addresses due to the widespread use of NATs, as also the existence of IP anonymisers like Tor. Anonymisers like Tor permit individuals to cover their online tracks; they conceal user location and Internet activity from persons or governments conducting network surveillance or traffic analysis. For this reason, Tor has caused much discomfort to governments. Snowden used Tor while communicating with Laura Poitras. Bradley (now Chelsea) Manning of Wikileaks fame is reported to have used Tor (page 24). Crypto is increasingly the safest – perhaps the only safe – avenue for political dissidents across the world; even Internet companies were coerced into governmental compliance. No wonder, then, that governments are doing all they can to dismantle IP anonymisers: the NSA and GCHQ have tried to break Tor; the Russian government has offered a reward to anyone who can.

Far be it from me to defend Tor blindly. There are reports suggesting that Tor is being used by offenders, and not merely those of the Snowden variety. But governments must recognize the very obvious trust deficit they face, especially after Snowden’s revelations, and consider the implications of seeking traceability and identity/geolocation for every IP address, in a systematic manner. The implications are for privacy, a right guaranteed by Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Privacy has been recognized by the UN General Assembly as applicable in cases of surveillance, interception and data collection, in Pream. §4 of its resolution The Right to Privacy in the Digital Age. But many states do not have robust privacy protections for individuals and data. And while governments may state the necessity to create international policy to further effective criminal investigations, such an aim cannot be used to nullify or destroy the rights of privacy and free speech guaranteed to individuals. Article 5(1), ICCPR, codifies this principle, when it states that States, groups or persons may not “engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms recognized herein…”.

Erosion of privacy has a chilling effect on free speech [New York Times v. Sullivan, 376 U.S. 254], so free speech suffers too. Particularly with regard to Tor and identification of IP address location and users, anonymity in Internet communications is at issue. At the moment, most states already have anonymity-restrictions, in the form of identification and registration for cybercafés, SIM cards and broadband connections. For instance, Rule 4 of India’s Information Technology (Guidelines for Cyber Cafe) Rules, 2011, mandates that we cannot not use computers in a cybercafé without establishing our identities. But our ITU Draft Resolution seeks to dismantle the ability of Internet users to operate anonymously, be they political dissidents, criminals or those merely acting on their expectations of privacy. Such dismantling would be both violative of international human rights law, as well as dangerous for freedom of expression and privacy in principle. Anonymity is integral to democratic discourse, held the US Supreme Court in McIntyre v. Ohio Elections Commission [514 U.S. 334 (1995)].[13] Restrictions on Internet anonymity facilitate communications surveillance and have a chilling effect on the free expression of opinions and ideas, wrote Mr. Frank La Rue, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (¶¶ 48-49).

So a law or international policy for blanket identification and traceability of IP addresses has grave consequences for and prima facie violates privacy, anonymity and freedom of speech. But these rights are not absolute, and can be validly restricted. And because these human rights are implicated, the ITU with its lack of expertise in the area may not be the adequate forum for discussion or study.

To be valid and justified interference, any law, policy or order interfering with privacy and free speech must meet the standards of reasonableness and proportionality, even if national security were the government’s legitimate aim, laid down in Articles 19(3) and 17 of the Covenant on Civil and Political Rights (CCPR) [Toonen v. Australia, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994), ¶6.4]. And as the European Court of Human Rights found in Weber & Saravia v. Germany [Application no. 54934/00, 29 June 2006 (ECHR), ¶95], law or executive procedure that enables surveillance without sufficient safeguards is prima facie unreasonable and disproportionate. Re: anonymity, in Delfi AS v. Estonia [Application no. 64569/09, 17 February 2014, ¶83], while considering the liability of an Internet portal for offensive anonymous comments, the ECHR has emphasized the importance of balancing freedom of expression and privacy. It relied on certain principles such as “contribution to a debate of general interest, subject of the report, the content, form and consequences of the publication” to test the validity of government’s restrictions.

The implications of the suggested text of India’s Draft Resolution should then be carefully thought out. And this is a good thing. For one must wonder why governments need perfect traceability, geolocation and user identification for all IP addresses. Is such a demand really different from mass or blanket surveillance, in scale and government tracking ability? Would this not tilt the balance of power strongly in favour of governments against individuals (citizens or non-citizens)? This fear must especially arise in the absence of domestic legal protections, both in human rights, and criminal law and procedure. For instance, India’s Information Technology Act, 2000 (amended in 2008) has Section 66A, which criminalizes offensive speech, as well as speech that causes annoyance or inconvenience. Arguably, arrests under Section 66A have been arbitrary, and traceability may give rise to a host of new worries.

In any event, IP addresses and users can be discerned under existing domestic law frameworks. Regional Internet Registries (RIR) such as APNIC allocate blocks of IP addresses to either National Internet Registries (NIR – such as IRINN for India) or to ISPs directly. The ISPs then allocate IP addresses dynamically to users like you and me. Identifying information for these ISPs is maintained in the form of WHOIS records and registries with RIRs or NIRs, and this information is public. ISPs of most countries require identifying information from users before Internet connection is given, i.e., IP addresses allocated (mostly by dynamic allocation, for that is more efficient). ISPs of some states are also regulated; in India, for instance, ISPs require a licence to operate and offer services.

If any government wished, on the basis of some reasonable cause, to identify a particular IP address or its user, then the government could first utilize WHOIS to obtain information about the ISP. Then ISPs may be ordered to release specific IP address locations and user information under executive or judicial order. There are also technical solutions, such as traceroute or IP look-up that assist in tracing or identifying IP addresses. Coders, governments and law enforcement must surely be aware of better technology than I.

If we take into account this possibility of geolocation of IP addresses, then the Draft Resolution’s motivation to ‘systematize’ IP address allocations on the basis of states is unclear. I will discuss the implication of this proposal, and that of traffic and address localization, in my next post.

[1] Pream. §(e), Draft Resolution: “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”.

[2] Pream. §(h), Draft Resolution: “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

[3] Op. §1, Draft Resolution: “instructs the Secretary General… to collaborate with all stakeholders including International and intergovernmental organizations, involved in IP addresses management to develop an IP address plan from which IP addresses of different countries are easily discernible and coordinate to ensure distribution of IP addresses accordingly”.

[4] Pream. §(g), Draft Resolution: “recognizing… that communication traffic originating and terminating in a country also many times flows outside the boundary of a country making such communication costly and to some extent insecure from national security point of view”.

[5] Pream. §(f), Draft Resolution: “recognizing… that even for local address resolution at times, system has to use resources outside the country which makes such address resolution costly and to some extent insecure from national security perspective”.

[6] Op. §6, Draft Resolution: “instructs the Secretary General… to develop and recommend a routing plan of traffic for optimizing the network resources that could effectively ensure the traceability of communication”.

[7] Op. §1, Draft Resolution; see note 3.

[8] Op. §5, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures that effectively the traffic meant for the country, traffic originating and terminating in the country remains within the country”.

[9] Op. §4, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures effectively that address resolution for the traffic meant for the country, traffic originating and terminating in the country/region takes place within the country”.

[10] Context Note to Draft Resolution, ¶3: “Planning and distribution of numbering and naming resources in a systematic, equitable, fair and just manner amongst the Member States…”

[11] Context Note to Draft Resolution, ¶2: “…there are certain areas that require critical attention to move in the direction of building the necessary “Trust Framework” for the safe “Information Society”, where privacy, safety are ensured”.

[12] See, for instance, Report of the Office of the High Commission for Human Rights (“OHCHR”), Right to Privacy in the Digital Age, A/HRC/27/37 (30 June 2014), ¶34-35, http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf. See esp. note 30 of the Report, ¶35.

[13] Many thorny political differences exist between the US and many states (including India and Kenya, who I am told has expressed preliminary support for the Draft Resolution) with regard to Internet governance. Irrespective of this, the US Constitution’s First Amendment and judicial protections to freedom of expression remain a yardstick for many states, including India. India, for instance, has positively referred to the US Supreme Court’s free speech protections in many of its decisions; ex. see Kharak Singh v. State of Uttar Pradesh, 1963 Cri. L.J. 329; R. Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264.