Every internet fight is a speech fight
And every internet fight is a sovereignty fight.
This weekend (November 8–10), I’ll be in Tucson, AZ: I’m the Guest of Honor at the TusCon science fiction convention.
My latest Locus Magazine column is “Hard (Sovereignty) Cases Make Bad (Internet) Law,” an attempt to cut through the knots we tie ourselves in when speech and national sovereignty collide online:
https://locusmag.com/2024/11/cory-doctorow-hard-sovereignty-cases-make-bad-internet-law/
This happens all the time. Indeed, the precipitating incident for my writing this column was someone commenting on the short-lived Brazilian court order blocking Twitter, opining that this was purely a matter of national sovereignty, with no speech dimension.
This is just profoundly wrong. Of course any rules about blocking a communications medium will have a free-speech dimension — how could it not? And of course any dispute relating to globe-spanning medium will have a national sovereignty dimension.
How could it not?
So if every internet fight is a speech fight and a sovereignty fight, which side should we root for? Here’s my proposal: we should root for human rights.
In 2013, Edward Snowden revealed that the US government was illegally wiretapping the whole world. They were able to do this because the world is dominated by US-based tech giants and they shipped all their data stateside for processing. These tech giants secretly colluded with the NSA to help them effect this illegal surveillance (the “Prism” program) — and then the NSA stabbed them in the back by running another program (“Upstream”) where they spied on the tech giants without their knowledge.
After the Snowden revelations, countries around the world enacted “data localization” rules that required any company doing business within their borders to keep their residents’ data on domestic servers. Obviously, this has a human rights dimension: keeping your people’s data out of the hands of US spy agencies is an important way to defend their privacy rights. which are crucial to their speech rights (you can’t speak freely if you’re being spied on).
So when the EU, a largely democratic bloc, enacted data localization rules, they were harnessing national soveriegnty in service to human rights.
But the EU isn’t the only place that enacted data-localization rules. Russia did the same thing. Once again, there’s a strong national sovereignty case for doing this. Even in the 2010s, the US and Russia were hostile toward one another, and that hostility has only ramped up since. Russia didn’t want its data stored on NSA-accessible servers for the same reason the USA wouldn’t want all its’ people’s data stored in GRU-accessible servers.
But Russia has a significantly poorer human rights record than either the EU or the USA (note that none of these are paragons of respect for human rights). Russia’s data-localization policy was motivated by a combination of legitimate national sovereignty concerns and the illegitimate desire to conduct domestic surveillance in order to identify and harass, jail, torture and murder dissidents.
When you put it this way, it’s obvious that national sovereignty is important, but not as important as human rights, and when they come into conflict, we should side with human rights over sovereignty.
Some more examples: Thailand’s lesse majeste rules prohibit criticism of their corrupt monarchy. Foreigners who help Thai people circumvent blocks on reportage of royal corruption are violating Thailand’s national sovereignty, but they’re upholding human rights:
https://www.vox.com/2020/1/24/21075149/king-thailand-maha-vajiralongkorn-facebook-video-tattoos
Saudi law prohibits criticism of the royal family; when foreigners help Saudi women’s rights activists evade these prohibitions, we violate Saudi sovereignty, but uphold human rights:
https://www.bbc.com/news/world-middle-east-55467414
In other words, “sovereignty, yes; but human rights even moreso.”
Which brings me back to the precipitating incidents for the Locus column: the arrest of billionaire Telegram owner Pavel Durov in France, and the blocking of billionaire Elon Musk’s Twitter in Brazil.
How do we make sense of these? Let’s start with Durov. We still don’t know exactly why the French government arrested him (legal systems descended from the Napoleonic Code are weird). But the arrest was at least partially motivated by a demand that Telegram conform with a French law requiring businesses to have a domestic agent to receive and act on takedown demands.
Not every takedown demand is good. When a lawyer for the Sackler family demanded that I take down criticism of his mass-murdering clients, that was illegitimate. But there is such a thing as a legitimate takedown: leaked financial information, child sex abuse material, nonconsensual pornography, true threats, etc, are all legitimate targets for takedown orders. Of course, it’s not that simple. Even if we broadly agree that this stuff shouldn’t be online, we don’t necessarily agree whether something fits into one of these categories.
This is true even in categories with the brightest lines, like child sex abuse material:
https://www.theguardian.com/technology/2016/sep/09/facebook-reinstates-napalm-girl-photo
And the other categories are far blurrier, like doxing:
https://www.kenklippenstein.com/p/trump-camp-worked-with-musks-x-to
But just because not every takedown is a just one, it doesn’t follow that every takedown is unjust. The idea that companies should have domestic agents in the countries where they operate isn’t necessarily oppressive. If people who sell hamburgers from a street-corner have to register a designated contact with a regulator, why not someone who operates a telecoms network with 900m global users?
Of course, requirements to have a domestic contact can also be used as a prelude to human rights abuses. Countries that insist on a domestic rep are also implicitly demanding that the company place one of its employees or agents within reach of its police-force.
Just as data localization can be a way to improve human rights (by keeping data out of the hands of another country’s lawless spy agencies) or to erode them (by keeping data within reach of your own country’s lawless spy agencies), so can a requirement for a local agent be a way to preserve the rule of law (by establishing a conduit for legitimate takedowns) or a way to subvert it (by giving the government hostages they can use as leverage against companies who stick up for their users’ rights).
In the case of Durov and Telegram, these issues are especially muddy. Telegram bills itself as an encrypted messaging app, but that’s only sort of true. Telegram does not encrypt its group-chats, and even the encryption in its person-to-person messaging facility is hard to use and of dubious quality.
This is relevant because France — among many other governments — has waged a decades-long war against encrypted messaging, which is a wholly illegitimate goal. There is no way to make an encrypted messaging tool that works against bad guys (identity thieves, stalkers, corporate and foreign spies) but not against good guys (cops with legitimate warrants). Any effort to weaken end-to-end encrypted messaging creates broad, significant danger for every user of the affected service, all over the world. What’s more, bans on end-to-end encrypted messaging tools can’t stand on their own — they also have to include blocks of much of the useful internet, mandatory spyware on computers and mobile devices, and even more app-store-like control over which software you can install:
https://pluralistic.net/2023/03/05/theyre-still-trying-to-ban-cryptography/
So when the French state seizes Durov’s person and demands that he establish the (pretty reasonable) minimum national presence needed to coordinate takedown requests, it can seem like this is a case where national sovereignty and human rights are broadly in accord.
But when you consider that Durov operates a (nominally) encrypted messaging tool that bears some resemblance to the kinds of messaging tools the French state has been trying to sabotage for decades, and continues to rail against, the human rights picture gets rather dim.
That is only slightly mitigated by the fact that Telegram’s encryption is suspect, difficult to use, and not applied to the vast majority of the communications it serves. So where do we net out on this? In the Locus column, I sum things up this way:
- Telegram should have a mechanism to comply with lawful takedown orders; and
- those orders should respect human rights and the rule of law; and
- Telegram should not backdoor its encryption, even if
- the sovereign French state orders it to do so.
- Sovereignty, sure, but human rights even moreso.
What about Musk? As with Durov in France, the Brazilian government demanded that Musk appoint a Brazilian representative to handle official takedown requests. Despite a recent bout of democratic backsliding under the previous regime, Brazil’s current government is broadly favorable to human rights. There’s no indication that Brazil would use an in-country representative as a hostage, and there’s nothing intrinsically wrong with requiring foreign firms doing business in your country to have domestic representatives.
Musk’s response was typical: a lawless, arrogant attack on the judge who issued the blocking order, including thinly veiled incitements to violence.
The Brazilian state’s response was multi-pronged. There was a national blocking order, and a threat to penalize Brazilians who used VPNs to circumvent the block. Both measures have obvious human rights implications. For one thing, the vast majority of Brazilians who use Twitter are engaged in the legitimate exercise of speech, and they were collateral damage in the dispute between Musk and Brazil.
More serious is the prohibition on VPNs, which represents a broad attack on privacy-enhancing technology with implications far beyond the Twitter matter. Worse still, a VPN ban can only be enforced with extremely invasive network surveillance and blocking orders to app stores and ISPs to restrict access to VPN tools. This is wholly disproportionate and illegitimate.
But that wasn’t the only tactic the Brazilian state used. Brazilian corporate law is markedly different from US law, with fewer protections for limited liability for business owners. The Brazilian state claimed the right to fine Musk’s other companies for Twitter’s failure to comply with orders to nominate a domestic representative. Faced with fines against Spacex and Tesla, Musk caved.
In other words, Brazil had a legitimate national sovereignty interest in ordering Twitter to nominate a domestic agent, and they used a mix of somewhat illegitimate tactics (blocking orders), extremely illegitimate tactics (threats against VPN users) and totally legitimate tactics (fining Musk’s other companies) to achieve these goals.
As I put it in the column:
- Twitter should have a mechanism to comply with lawful takedown orders; and
- those orders should respect human rights and the rule of law; and
- banning Twitter is bad for the free speech rights of Twitter users in Brazil; and
- banning VPNs is bad for all Brazilian internet users; and
- it’s hard to see how a Twitter ban will be effective without bans on VPNs.
There’s no such thing as an internet policy fight that isn’t about national sovereignty and speech, and when the two collide, we should side with human rights over sovereignty. Sovereignty isn’t a good unto itself — it’s only a good to the extent that is used to promote human rights.
In other words: “Sovereignty, sure, but human rights even moreso.”
If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/11/06/brazilian-blowout/#sovereignty-sure-but-human-rights-even-moreso
Image:
© Tomas Castelazo, www.tomascastelazo.com (modified)
https://commons.wikimedia.org/wiki/File:Border_Wall_at_Tijuana_and_San_Diego_Border.jpg
CC BY-SA 4.0
https://creativecommons.org/licenses/by-sa/4.0/