As GOFA's sponsor, Rep. Chris Smith of New Jersey, bluntly put it, repressive regimes in Iran, China, and Syria "are transforming the Internet into a 'weapon of mass surveillance.'" The bill has been kicking around Congress in various forms since 2006 after Yahoo handed over dissidents' email account information to the Chinese authorities and other companies including Cisco, Microsoft, and Google came under fire for aiding Chinese political censorship to varying degrees. While its specifics have changed over the years, the current version contains three main elements:
1. It requires the State Department to create a list of "Internet-restricting countries."
2. It requires that all companies listed on U.S. stock exchanges disclose to the Securities and Exchange Commission what procedures and practices they have put in place to protect the free expression and privacy rights of users in "Internet-restricting" countries.
3. It revises U.S. export control laws to forbid the export of censorship and surveillance technology to "Internet-restricting countries."
GOFA has received ringing endorsements from a number of human rights groups as well as from Yahoo -- which, after a few years of humiliation in Congress and the media over its mistakes in China, has made a public commitment to human rights. The second part of the bill, focused on corporate transparency, is modeled after sections 1502 and 1504 of the recently passed Dodd-Frank Act, which requires conflict-minerals and extractive-revenue disclosure. It is based on the premise that at least some investors care about the human rights responsibilities of U.S.-listed businesses. More broadly, the idea is that just as companies are expected to commit to basic environmental, labor, and human rights standards when it comes to their operations in the physical world, investors, consumers, and government regulators should expect similar commitments to users' and customers' rights to digital free expression and privacy when using the Internet and mobile devices.
Companies that join the Global Network Initiative (GNI), a multi-stakeholder organization through which Internet and telecommunications companies work with human rights groups, socially responsible investors, and academics to uphold core principles on free expression, privacy, and human rights, would receive "safe harbor" from this requirement. So far only five companies have joined the GNI: Google, Microsoft, Yahoo, Websense, and Evoca. (Full disclosure: I am on the GNI's board of directors.) It is possible that the bill will be an incentive for more companies to join the GNI even if it fails to pass.
Some free speech groups, however, have stopped short of a full-on endorsement of the bill. The Center for Democracy and Technology, while supportive of its general aims, cautions that GOFA needs refining in order to prevent unintended restrictions on the sale of badly needed technology to activists and NGOs working in authoritarian countries. Existing laws already fail to get the balance right: The Electronic Frontier Foundation is campaigning to reform current trade sanctions that are preventing opposition activists in countries like Syria from accessing U.S. companies' software and communications tools. The digital freedom group Access shares these concerns and also worries that the State Department's list of "Internet-restricting countries" will become politicized, potentially absolving companies that assist U.S. allies in censoring and monitoring political dissent.
The bill's drafters have further created problems for themselves by combining export controls and transparency requirements in one piece of legislation that applies to the same list of "Internet-restricting" countries. Export controls by nature target a list of countries that, due to U.S. trade and diplomatic interests and political lobbying by companies, is inevitably a relatively short list focused on the worst offenders. Thus the export control section of the bill will create pressure on the State Department to keep the list of "Internet-restricting" countries as short as possible.
Yet the bill's transparency requirements will lose much of their force and meaning unless they target corporate-government collaboration in a much wider range of countries where governments attempt to abuse censorship and surveillance powers. Consider, for example, India, the world's largest democracy -- which is unlikely to be placed on a State Department "Internet-restricting countries" list making it subject to sanctions -- but where the government is making increasingly aggressive demands of Internet companies to censor content and hand over user information. Or Britain, where civil liberties groups are in an uproar over plans by Prime Minister David Cameron's government to introduce a law enabling the government to monitor calls, emails, texts, and website visits of everyone in the country without a court order or warrant. Under GOFA, companies are unlikely to be held responsible for assisting these democratically elected governments in abusing their censorship and surveillance powers.
In congressional testimony last December, I argued that the section of GOFA requiring companies to adopt and disclose measures to protect Internet users' free expression and privacy rights should be based on a universal standard, not just the State Department's whim. The Global Network Initiative, for example, applies a global standard to corporate-government interactions. Why? Because the initiative's members -- who include a range of civil liberties groups, human rights organizations, socially responsible investors, and academics -- cannot come up with a single country where the abuse of free expression and privacy by government and corporations is not a genuine concern.