Media reports indicate that Senator Dianne Feinstein is planning to reintroduce her proposal to require all Internet companies to report on their users directly to the US government if those companies become aware of apparent “terrorist activity” on their networks. This may sound familiar: Feinstein snuck this proposal into the Intelligence Authorization Act over the summer as Section 603. This proposal was roundly opposed by human rights and civil liberties organizations, as well as trade associations of tech companies because of the grave threat it posed to fundamental rights to privacy and free expression and the burden it would place on US businesses. Senator Ron Wyden put a hold on the Intel Authorization Act over Section 603, and the proposal was ultimately removed from the bill.
Suffice it to say that this is one idea that should not get an encore performance at the end of the year.
Why is this proposal such a bad idea? As we described in July, it would create a requirement for all electronic communication services – social media companies, as well as Internet service providers, web hosts, cloud services, and public libraries or coffee shops that offer WiFi access – to make reports about their users’ activity based on a completely opaque set of criteria. Creating such an obligation, with its vague parameters, would drive Internet companies to one of several likely responses. Some would decide to significantly over-report their customers’ information and private communications to the US government to ensure that the company stays on the right side of the law. Others would refuse to review any content that was flagged to them, for fear that doing so would mean they obtain the “actual knowledge of any terrorist activity” that triggers the reporting obligation.
Either of these outcomes pose major problems for the free expression and privacy of Internet users. It’s also far from clear that this would generate actionable information for law enforcement or intelligence agencies. Further, this type of reporting obligation would undermine any sense of trust between Internet users and the companies that provide the service providers that enable them to access information, conduct transactions, and share their perspectives online. The proposal would essentially deputize US-based Internet companies to act as agents of the government, including potentially requiring entities such as email services to turn over the contents of private communications if they are part of the “facts and circumstances” of alleged terrorist activities – for their users both in the US and abroad.
We hashed out the problems with this proposal in detail earlier this year, but suffice it to say that this is one idea that should not get an encore performance at the end of the year.