This is a write-up of my comments at the Working Group 3 Transparency and Privacy: Problem Statement panel of the Freedom Online Coalition Conference, San Jose, Costa Rica, October 17, 2016.
Transparency reports made it possible to conclude that Korea’s warrantless access to user identities is more than 50-60 times that of the U.S. per capita. The shock effect resulted in 21 bills in the last legislature, all bringing the system under a warrant regime, and the new legislature also brought 3 different bills. This shows the political value of transparency reporting as well as what needs to go into transparency reporting. It should enable country-to-country comparison to pressure the authorities into moderating their surveillance efforts.
Also, transparency reporting in Korea allowed us to learn that there are 10 million warrantless accesses to user identities in Korea every year. We built our litigation strategy and public campaign strategy around it. First, we figured that, if we could win just one lawsuit even for a small amount, say $100, that would pose a considerable threat to the companies making the disclosures because $100 multiplied by the industry-wide annual total of 10 million comes out to be a whopping 1 billion dollars each year. So, we actually went ahead and won a small damage suit and that did the trick: all the major portals stopped making the warrantless disclosures to the authorities! Second, the telcos continued providing the identities and we wanted to sue to stop them but didn’t know who could be a plaintiff because we could not find out. But, knowing that there are 10 million people each year, we figured that every person has a 20% chance of being a victim, so we began the “Ask Your Telco” Campaign where people called their telcos to find out whether the disclosures had been made, and the campaign caught on like wildfire, and many people and many organizations participated in the campaign.
Now, how was this transparency reporting made possible? Article 83 of the Telecommunications Act, the very article which allows warrantless access to user identities, also mandates the reporting of those numbers to the communications ministry, which is in turn required to publish the national total of the numbers. Why this Janus-faced provision? Article 83 is a privacy provision and starts with paragraph 1, which says all telecom providers shall keep user data confidential, and paragraph 3 of it makes an exception saying that they may provide the data to the authorities for criminal investigation purposes. Because the whole thrust of article 83 is privacy protection, it also apologetically includes para. 6, which requires these disclosures to be added up and the numbers to be reported to the ministry. So, you should look at the communication privacy laws of your country, I am sure you have one, protecting telecom user privacy, and we can try legislating a law like this. Actually, I was hoping that FOC would include this type of law as one of the standards for FOC membership.
(As Rebecca MacKinnon proposed in the latter segment of this Transparency track) Probably, not having or abolishing a law prohibiting the companies from disclosing the numbers is the first step, but other than the US law on National Security Letters, there are actually not many such laws. There are many laws prohibiting the companies from informing the targets of surveillance of the facts of on-going surveillance, for the obvious purpose of preserving the integrity of the investigation, but it is rare to have laws that prohibit disclosing the numbers. The reasoning behind such prohibition is, of course, a concern that the targets of surveillance may infer from the change in the numbers of surveillance requests the fact that they are being surveilled. But, think about it. Given the huge number of NSLs (several thousands each year and sometimes 20K at the top each year, which surpasses the number of federal wiretaps), it is really difficult for them to make such an inference. Also, the Korean law does not even produce the company totals but just the national total, and even the national total can be of help in theorizing about privacy governance. So, this much can be proposed to FOC membership for adoption as a standard. To restate it, “all FOC members shall publish the national totals of all wiretaps, metadata accesses, and user identity accesses.”