Last April, when 34 technology companies announced their membership of a Cybersecurity Tech Accord, it was portrayed as proof that the private sector was, at long last, taking responsibility for protecting civilians online — something governments had conspicuously failed to do. Since then, the ranks of signatories to the self-imposed cybersecurity standards has more than doubled.
Alibaba
Group Holding Ltd., the Chinese tech giant, is not among them, but its
co-founder and executive chairman, Jack Ma, certainly agrees that
companies should rush in where governments have so far feared to tread.
To wit, his plan to create an Electronic World Trade Platform (eWTP),
which will facilitate online trade across borders.
“Innovation always develops much faster and I think future laws should
not be driven only by governments; they should be driven by private
sector and all stakeholders together,” Ma said. Another example of this
is the Paris Call for Trust and Security in Cyberspace, backed
by Microsoft Corp., Alphabet Inc.’s Google and Samsung Electronics Co. —
and announced by President Macron last year—which underlines the
companies’ ambitions to draft standards in the fight against election
tampering, compromised electronic components and software hacks.
I am entirely in favor of companies acting responsibly: For
too long, they have been negligent about protecting the data of their
users and customers. But when the most powerful tech companies take on
the responsibility of global rule-making and cross-border governance, to
set and enforce standards, that is deeply problematic for democracy and
the rule of law.
There’s no question that governments have been laggards in setting norms and rules online — take that from a politician who has been involved in some of these cumbersome efforts. While Microsoft has been pushing for a Digital Geneva Convention, intergovernmental discussions on norms of behavior in cyberspace during peacetime are stalled at the United Nations. Even as Ma’s eWTP initiative takes off, negotiations between states on e-commerce at the World Trade Organization are going nowhere fast.
Indeed, governments and courts have offloaded some of their responsibilities to tech companies. For instance, the European Court of Justice ruled for companies to remove websites from search results in respecting ‘the right to be forgotten.’ Similarly, in the NetzDG law in Germany, tech companies must take hate speech, fake news and illegal content offline within 24 hours. Both cases underline how much impact tech companies already have on the content people see, or don’t see online. But by leaving the policing to the companies, rather than to regulators and governments, there’s a great risk that the public interest will be captured by the private sector, and that norms will be made without transparency, accountability or the mandate of the people.
There
are plenty of reasons to worry about the privatization of governance.
If we’ve learned anything from the scandal after scandal over Facebook
Inc’s handling of user data, it is that the private sector’s noble
intentions to regulate the internet should be met with skepticism.
Without adequate public oversight of algorithms, and with recurring bad
practices, tech platforms cannot — should not — be trusted.
What are we going to do about it? In an era when all forms of multilateralism are being challenged, it is harder than ever to forge a consensus among governments on issues pertaining to cyberspace. It is fiendishly complicated to reach across jurisdictions, from where citizens live to where tech companies are run. That’s why it took years for the European Union to adopt the General Data Protection Regulation, or GDPR, which governs how data collectors gather and use information.
There’s
no wishing away of the complications, no realistic way to accelerate
the process of multilateral rule-making in the short term. We can hope
that governments will become more ambitious as they witness companies
stepping into the breach. In the meantime, we must not let private
initiatives go unquestioned, or evolve from de facto norms to de jure
laws. At best, these should be regarded as temporary constructs while we
keep working to build powerful, enforceable rules.
We must assess each private-sector initiative closely, and on its merits, rather than take it at face value as well-intended. As with every governance initiative, the values at its core, and mechanisms of consent, oversight and accountability, determine the practical working. We must insist that developing norms includes multiple stakeholders — such as civil society representatives, technology experts and government representatives from different parts of the world. This will be equally important for monitoring their implementation. And we must ensure that the norms are anchored in principles such as respect for universal human rights and fair competition. If companies want to play government, even temporarily, they must expect to be held to account as governments are.
Find the original article here.
