The online surveillance which followed the September 11 terrorist attacks shifted the narrative around the internet, from hopes of freedom to concerns about privacy. Geneva-based experts explain how we got there and how the UN and regulatory authorities are addressing these concerns.
In the wake of the September 11 terrorist attacks, the United States Congress passed the Patriot Act. It was a bill granting law enforcement agencies increased power to conduct surveillance of US citizens and was signed into law by President George W. Bush a few weeks later.
The Patriot Act emerged in the early days of the commercial internet. Fewer than 9% of the world’s population had access to the World Wide Web at the time. Today that figure has jumped to nearly two-thirds.
In 2001, internet governance – the technical standards that underpin the internet, and the policies that address how it is used – was still a nebulous concept. It grew in large parts in the aftermath of the attacks.
Geneva, birthplace of internet governance
Early on, Geneva positioned itself as a hub of internet governance when it hosted the first phase of the World Summit on the Information Society (WSIS) in 2003. The conference was convened by the United Nations (UN) and the International Telecommunication Union (ITU). It was the first international meeting on internet governance.
It was after the second phase of the WSIS in 2005 that the Internet Governance Forum (IGF) was established with a secretariat in Geneva. The annual forum allows for multi-stakeholder discussions on internet governance, but it cannot decide on norms or policies.
“9/11 was not an immediate trigger. We didn't discuss 9/11. But it created a new narrative,” says Jovan Kurbalija, head of the Geneva Internet Platform (GIP), an initiative of the Swiss government aimed at facilitating digital policy discussions.
Kurbalija was involved early on as a member of the UN working Group on Internet Governance (WGIG). Between 2004 and 2005, the WGIG was tasked with devising a definition of internet governance and laying the groundwork for the negotiations at the second WSIS.
“The narrative of the 90s, after the end of the Cold War, was the sky's the limit. The narrative of possibilities, of new opportunities for democracy, for the economy, and digitalization as a tool for that,” explains Kurbalija.
“There was no popular idea that there was any negative aspect to the internet. There was much less discussion about, or thinking about privacy and surveillance, because, for one thing, the main internet companies of today were so small at the time, or not even founded,” agrees Michael Kende, a visiting lecturer on internet governance at the Graduate Institute in Geneva.
Gradually, the ramping up of online surveillance to prevent future terrorist attacks impacted the internet. Surveillance “easily spilled over into the economy and parts of the society”, Kurbalija argues.
In 2013, former National Security Agency (NSA) contractor Edward Snowden, started leakingExternal link documents revealing the extent of mass surveillance programs in the US. The documents that Snowden shared with journalists over the years showed that the NSA together with British, Australian, and Canadian intelligence agencies, had spied on millions of citizens across the world as well as foreign leaders.
“Internet trust really started to be questioned there because people started to realize what kind of information was being accessed, and what kind of information the internet companies were giving to the government,” Kende explains. The revelations had a significant impact on internet companiesExternal link such as Google, Facebook or Microsoft, which then strengthened their encryption practices, and started keeping data in Europe.
Internet governance talks were affected too, with data privacy and cybersecurity becoming critical issues. The moment was a “wake up call” for regulators, Kurbalija says.
In 2016, the EU adopted the General Data Protection Regulation (GDPR) on data privacy. The regulation gave more control to individuals over their personal data on the internet. It proved influential and was followed by similar privacy laws in countries outside of Europe. China recently introduced a new data privacy lawExternal link that draws similarities with the GDPR.
The increased focus on data privacy also had an impact on human rights discussions in Geneva. In 2015, The UN Human Rights Council (HRC) created a new special rapporteur mandate on the right to privacy. The HRC has since then regularly adopted resolutions on privacy in the digital age. These are recommendations to states and businesses but are not legally binding.
For over 75 years, the work of the UN has addressed issues on three pillars: human rights, peace and security, and development. These pillars now provide a framework for internet governance issues in Geneva: digital rights, digital security and trust, and digital for development. “I think those are all going to be significant,” Kende says.
Kurbalija agrees that this is a “major development” also for UN specialized agencies and other intergovernmental organizations in Geneva. “You have this streamlining of previously traditional issue areas such as health, humanitarian, or trade becoming digitalized.” As digitalization continues, we will reach a point where “internet governance will become just governance.”
The link between Geneva and Brussels, two “hubs of digital policy,” will become increasingly important, Kurbalija says.
EU technology regulation such as the GDPR affects the business of internet companies beyond European borders. Large technology firms have responded by stepping upExternal link their lobbying efforts in Brussels where EU lawmakers work.
Brussels is therefore becoming the hub of “hard digital politics,” while Geneva, home of many intergovernmental organizations, is emerging as the hub of “soft digital politics,” where global standards and international norms are negotiated multilaterally, Kurbalija says.
In compliance with the JTI standards