A missed opportunity in Morocco

As more and more of our information enters the digital world, it is of paramount importance that leaders in law and policy confront the hard questions surrounding data management and security. That is why I was honored to attend the annual Conference of Data Protection and Privacy Commissioners, where data protection authorities from around the world gather to coordinate and respond to emerging privacy issues. It’s held every year in a different city, and this year in Marrakech, Morocco. Unfortunately, it turned out to be a missed opportunity to engage meaningfully on some of the most important issues we face, such as government proposals to ban or weaken encryption.

I was invited to the conference to participate in a closed-session briefing on “Encryption and the Rule of Law.” Through Securetheinternet.org, Access Now and more than 200 other organizations  — as well as several hundred more experts and individuals — are calling on government leaders to formally reject laws, policies, or other mandates or practices that limit access to or undermine encryption. Access Now is also calling for human rights safeguards for government hacking operations, including hacking by contractors or other third-parties at a government’s request or order.

I did not go to Marrakech without careful consideration. I knew that as a representative of civil society, I would likely be in the minority, since the cost of attending the conference is too high for many non-governmental organizations. Additionally, Morocco does not have a stellar record on privacy and free expression online. Last year, Privacy International published an in-depth report on how government authorities in Morocco use surveillance against journalists and activists, including buying and using spyware from the now-infamous Hacking Team. After the report was published, the Moroccan Ministry of the Interior placed Privacy International itself under investigation.

Following are my reflections on each day of the conference, along with takeaways for the conference organizers, participants, and others who care about the future of privacy online.

Day one: Delivering a message on encryption

During the closed session on encryption, I had the opportunity to point out the dangers of “back doors” or other mandates to weaken encryption. I explained in no uncertain terms that governments banning or weakening encryption won’t keep criminals or terrorists from using it, but will make ordinary internet users less safe, harming their privacy, damaging their trust, and chipping away at the foundation for economic growth and development in the digital age. I emphasized that, while there are many areas in policy where compromise is necessary for progress, a “compromise” on encryption is nonsensical and can only end in disaster. I also brought up government hacking, directly asking the commissioners — for whom protection of privacy is a paramount concern — to work to protect our human rights in any hacking operations.

Day two: Promising progress for human rights

On the second day, the participants adopted several resolutions, including a very strongly worded statement on the need to protect human rights defenders (who, it should be noted, rely on strong encryption to safeguard their private communications). Governments need to “provide and promote safe and effective channels for individuals to report poor privacy practices, to seek redress for breach of data protection rules, or disproportionate action against the rights to privacy and data protection,” the resolution states. This is an issue Access Now has raised in the U.S. with our repeated requests for U.S. federal agencies to identify a point of contact for human rights complaints, and we strongly agree. Privacy International praised the resolution, publishing an editorial on Medium entitled, “There is too much at stake for this to be a PR stunt.” I believe we all went into the third day of the conference — the start of the public sessions — with a great deal of hope.

Days three and four: Public sessions, but little engagement

Unfortunately, that optimism was ultimately unjustified. The public sessions consisted of lengthy “panel discussions” where very little discussion took place. Instead, we had a series of individual presentations, with almost no interaction among panelists and very few questions from an increasingly antsy audience. The speakers were highly knowledgeable — I am honored to have met and worked with many of them, throughout my career — but the format itself was not conducive to real conversation, and consequently, there was scant opportunity to make progress on the issues at stake.

Even the side events, all of which appeared to be productive and interesting, were scheduled in overlapping time slots following closing ceremonies, so participants could attend only one full session, or parts of several.

To make progress and find solutions, we need real conversation among diverse stakeholders, so that we can work together. But as I sat in the audience, I couldn’t help but feel that I was being spoken at, not spoken with.

Takeaways: For better outcomes, we need more dialogue

When it comes to progress on digital rights, however, the most troubling disconnect was yet to come. While conference participants spent the week with data protection authorities, Moroccan prosecutors met in Paris with counterterrorism officials from other nations. The day after closing ceremonies in Marrakech, prosecutors at the Paris meeting published a renewed request for companies to deliberately weaken the encryption in their products to give law enforcement exceptional access. This was deflating for those of us working to make a difference for privacy in Marrakech, since it looked as though we might as well have been screaming into the wind.

Compounding this frustration, two days after that, The Intercept published a report showing how a small company called Endace creates technology that’s used to conduct mass-scale surveillance. A Moroccan intelligence agency was listed among its customers.

This sequence of events demonstrates the problem with siloed discussions, and it’s a problem not just at conferences, but in the technology policy sphere and society as a whole. If we want real outcomes from discussions like the ones in Marrakech — such as better digital security and protection for human rights — we have to work harder to open the floor for debate, and provide real opportunities for everyone to interact.

One way to do this is to work together to shift norms. For my part, I personally commit to attend conferences only when they are structured to foster active engagement, and I encourage conference organizers and facilitators to commit to developing programs that provide ample time for discussion among the participants — moderators, panelists, and audience alike.  

What’s next? Join us

Despite the flaws in the format, this was not a bad conference, and the resolutions I mention above represent important work. But the stakes are high. In some cases, having good digital security can be a matter of life and death. To get better outcomes, we need to do more to foster open dialogue and break the silos. Ensuring a more robust, diverse civil society presence would make dialogue in this space even more productive.

As a concrete next step to protect the right to privacy worldwide, I encourage Data Protection Authorities in every country to sign the statement at SecuretheInternet.org and commit to a more secure future.

I also encourage all the participants and data protection commissioners from the conference to join us at RightsCon, Access Now’s interactive, outcome-driven conference exploring the intersection of technology and human rights, which takes place from March 29-31, 2017 in Brussels, Belgium. We’re working to ensure that there is ample opportunity to discuss data protection issues in depth, and we warmly invite any commissioner who wants to participate or lead a session to do so. (If you’d like to speak or lead a session, proposals are due on November 25, and I’m happy to chat through the submission process with any of my fellow participants at the conference in Marrakech.) We’ll also be discussing government hacking, and we want broad participation in our effort to turn rights-respecting principles into practice.

It’s time that we move forward on these important issues. But we can only do it by working together. Let’s make sure to do just that.