PI advises Kyrgyzstan on internet privacy and surveillance
At the request of the Civil Initiative on Internet Policy, a Kyrgyz public foundation, Privacy International participated in an international conference on Internet and Law in Bishkek, Kyrgyzstan.
The event was organized in response to proposals for a new data retention law and content regulation of the Internet and was attended by government officials, journalists, legal experts, and representatives of the telecommunications industry.
Kyrgyzstan adopted a data protection law only in April 2008. Given that this privacy legislation is relatively recent and has not yet been fully tested, there is a growing public concern that additional regulatory intervention, such as the introduction of data retention law, might be premature and inappropriate. This conference thus aimed to provide a platform for an open public debate. Relevant international practices were also discussed in order to inform the debate.
Lessons learned from EU Data Retention Law and applicable to the Kyrgyz context
Privacy International was invited to deliver a presentation on the justifications for and challenges associated with EU data retention law. Different cases of corporate and governmental abuse of personal data were used as a way to show the potential risks of mandatory blanket data retention. The importance of strong privacy safeguards was emphasized for the prevention of wiretapping, surveillance, and other uses of data by third parties, such as intellectual property rights enforcement. Examples of challenges of Directive 2006/24/EC were discussed to illustrate the flawed nature of the law, especially where countries have gone beyond the Directive’s recommendations and granted direct access to data retained by Internet and mobile communications providers to law enforcement agencies.
Privacy International also provided a training session on the legal and technical implications of data retention for communications service providers to local ISP representatives. The training focused on liabilities, costs, and potential reputational risks. It further elaborated on the necessary conditions that need to be met before data retention legislation may be considered morally and legally acceptable. Those included the provision of clear definitions of who may be targeted, under what circumstances, what type of communications may be intercepted and why is this appropriate.
Challenges faced by Kyrgyz communications service providers in view of existing and newly proposed laws
Based on the discussions that followed the presentation and the workshop, it seems that the most pertinent issues in the Kyrgyz context relate to ISPs’ unclear legal obligations, SORM (surveillance technology introduced by the government for the purpose of blanket data collection and retention from ISPs), filtering of spam, and censorship through website blocking or DOS (denial of service) attacks.
An area of particular concern is the fact that under Kyrgyz law, owners of blogging platforms are liable for any defamatory or otherwise illegal content posted by their users. As a result, people who post comments that are provocative or critical of the government are asked to identify themselves within a 5-day period. If they fail to do so, their posts are never published. Similar concerns have however made some believe that online content regulation could be a solution, effectively treating websites as mass media sources.
ISPs, on the other hand, are predominantly concerned about the financial and legal obligations associated with the introduction of SORM, a technology similar to the “black boxes”, proposed under the UK’s Interception Modernization Program. They are worried about the lack of clear access rules, as well as the costs incurred as a result of installing new equipment that might or might not be compatible with their existing network set up.
Currently there is no existing Kyrgyz law that regulates law enforcement access and data retention periods. There are no procedural provisions in national law on the circumstances under which the government can use SORM, what data can be retained and for how long. Also, the government has not so far committed to providing financial assistance to ISPs.
At the end of the conference there was a seeming consensus on the danger of Internet content regulation and the inherent flaws of data retention law, as a tool for surveillance for the prevention of serious crime. The audience had managed to not only share their own experiences but also learn from other industry and government representatives from the Central Asia region. It appeared that ongoing provision of information and guidance on relevant regulatory practices could empower industry players to demand from the government increased and much needed transparency and accountability. It could also inform Kyrgyz policy makers of how to enact the most effective and privacy-friendly legislation.