Internet Realities Watch, vol. 6

This is the sixth blog in our Internet Realities Watch series, where we use our Idealized Internet vs. Internet Realities framework to track changes to the internet reality around the world. Read the previous post here.

Argentina: Jujuy, one of the poorest provinces in Argentina, with crime rates above the national average, will soon begin installing surveillance systems purchased from Chinese telecommunications corporation ZTE. Argentina will receive its first CDMA450 network following a contract agreed between operator Cotecal (Co-operative Telefonica Calafate) and ZTE Corporation. ZTE landed a nearly $30 million surveillance contract with Jujuy in March to provide cameras, monitoring centers, emergency services, and telecommunications infrastructure. The local Jujuy government anticipates that the installation of these cameras will result in less local crime. In announcing the partnership, the local government said Jujuy can now be “safe like China.” Argentina is the latest Latin American country to work with Chinese telecommunication giant ZTE on the acquisition of surveillance technology, following in the footsteps of Venezuela and Brazil.

Ethiopia: The government announced the opening of its telecommunications market, which is the largest in Africa, through the awarding of licenses to two telecom operators. This regulatory shift opens up the market and has the potential to greatly impact internet architecture in the process.

France: The French National Assembly approved a bill that would require social media firms to implement tools to detect “clearly illicit” content, which could be anything that is discriminatory or prejudiced in nature. The National Assembly Member who proposed the bill has said the measure is meant to protect people from speech online that they would otherwise be protected from offline (e.g., shouting racist or homophobic abuse in the street). Unsurprisingly, as with other proposals that have cropped up in this vein of late, critics such as human rights organizations are concerned about the 24-hour time limit to remove content and whether the bill’s provisions may encourage over-censorship on the part of platforms, undermining free speech in the process. This proposed legislation would impact online content, and it could also impact the network and application layers of the internet should companies modify their platforms to meet content detection and removal requirements.

Indonesia: The Information and Communications Ministry is discussing banning Virtual Private Networks that don’t have a local license. Amidst concerns that VPNs can be used to circumvent Indonesian censorship, the government has argued that VPNs are like ISPs, and therefore must be regulated akin to how ISPs are regulated in the country: “The rule is that they must be licensed. VPNs are like ISPs in that they provide internet connections by way of users being connected to their servers. Whoever it is, we can just block them if they aren’t licensed.” Indonesia has previously blocked websites during social unrest. If implemented, these regulatory measures would impact how VPN-connected sessions are handled, and likely how network mechanisms are filtered by the state (e.g., to detect usage of unlicensed VPNs). They would also impact content and applications in the process.

Kazakhstan: On July 17, 2019 the Kazakhstani government started intercepting all HTTPS internet traffic inside its borders. When trying to access the internet, Kazakh users are now redirected to web pages that contain instructions on how to install the government’s root certificate in their desktops and mobile devices. The certificate allows government agencies to decrypt users’ HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination. Ministry officials claimed the mandatory certificate installation was to be confined to Kazakhstan's capital of Nur-Sultan; however, local media reports that Kazakh users from around the country are being required to install the certificate in order to access the internet.

United States: The governor of Maine signed the Act to Protect the Privacy of Online Consumer Information into law, shortly after Nevada implemented a similar law in late May. Its measures include restrictions on the data practices of internet service providers (ISPs), requiring them to obtain consumer consent prior to “using, disclosing, selling or permitting access” to their data with a third party. It goes into effect in January 2020. While some observers note similarities to California’s relatively new privacy law, The Hill’s Maggie Miller points out that the Maine law forces companies to require customer opt-in and therefore, stricter than its Californian counterpart. A coalition of broadband providers, meanwhile, have criticized the law on the grounds that “Data does not recognize state borders, and a fragmented, state-by-state approach sets uneven and inconsistent protections for consumers that are difficult, and sometimes impossible to implement.” This law impacting network and data elements of internet architecture is sure to inform broader U.S. debates and emerging regulations on data privacy and consumer protection.

United States (2): A bill introduced by Senator Josh Hawley, “Ending Support for the Internet Censorship Act,” would “encourage providers of interactive computer services to provide content moderation that is politically neutral.” The proposal, which would alter Section 230 of the Communications Decency Act (good legal analysis here) would impact how online platforms interact with content on their platforms, including content that may violate existing terms of service. The proposal has faced heat from both parties, with criticisms including claims of flagrant First Amendment violations, unjustly forcing private firms into certain content decisions about their own platforms, and placing too much power in the hands of the government (“central planning”). At the same time, however, IBM has come out in support of changes to what it calls a “liability shield” via the Communications Decency Act for platforms to avoid responsibility for hosting and not removing harmful content.

United States (3): The Senate is looking to vote on the CASE Act, which would “establish an alternative dispute resolution program for copyright small claims, and for other purposes.” The Electronic Frontier Foundation says the bill “would create a brand new quasi-court for copyright infringement claims” and that “serious problems inherent with the bill have not been remedied by Congress before moving it forward,” such as enabling patent trolls who desire to file as many copyright claims as possible to make income through statutory damage provisions in the legislation.

In other news, Lily Hay Newman writes for Wired on the hijacking of BGP, the Border Gateway Protocol; Justin and Arindrajit Basu write for The Diplomat on fostering strategic convergence in U.S.-India tech relations, including on issues like cyber norms and data governance; and Justin analyzes India’s data protection bill, which includes requirements on data localization in geopolitical context.

Keith B. Richburg writes in South China Morning Post about how Chinese leaders are likely thinking “told you so” in response to growing Western realizations that the internet could probably do with some degree of regulation. Mozilla faces heat in the U.K. for its proposal to use DNS-over-HTTPS, which is an encryption mechanism for better protecting internet traffic from hackers (i.e., man-in-the-middle attacks) alongside better traffic performance; privacy advocates are concerned it could enable easier circumvention of U.K. web filtering. 23 civil society groups denounced the internet shutdowns in Sudan, writing that “shutdowns disrupt the free flow of information and create a cover of darkness that allows repression to occur without scrutiny.” The German government fined Facebook for failing to adequately disclose information—a requirement of its NetzDG law which, among other things, requires social media companies operating in Germany to publish biannual transparency reports. This arrives just as the U.S. Federal Trade Commission hits Facebook with a $5 billion fine for mishandling users’ personal information.

Additionally, political science professor Kevin Munger argues in The New York Times that the so-called Palo Alto Consensus, where a one-size-fits-all internet is well-suited for the world, is increasingly crumbling:

Part of the appeal of the Palo Alto Consensus was that it would create a dilemma for states: They could not restrict online information flows without upsetting their populations’ social and economic lives. The assumption was that states would be prevented from shutting down information flows about, say, corruption or police brutality. That has been a success. But everyone seems to have underestimated the demand for information about how white nationalism is good and vaccines are bad. The downsides of information flows controlled by powerful institutions are obvious, but now people are coming to recognize their upsides.

Two final pieces to note: Liam Tung in ZDNet on a recent spurt of cloud service provider outages, and what that says about the resiliency vulnerabilities in contemporary web infrastructure; and a read-out in BNamericas on 5G, spectrum, and infrastructure discussions at the 7th Latin American Telecommunications Congress held in Argentina.