FYI, this was distributed this afternoon to Mozilla's public "governance"
list (where "governance" refers to Mozilla's internal governance, not
governments/nation-states). May be interesting/informative to this group.

---------- Forwarded message ---------
From: <merwin(a)mozilla.com>
Date: Wed, Sep 2, 2015 at 2:53 PM
Subject: Surveillance principles draft
To: <mozilla-governance(a)lists.mozilla.org>

Hi all,

Members of the platform, policy, and legal teams at Mozilla have been
working to create a set of principles that should serve as a guide to
government surveillance activities, and that are grounded in our commitment
to trust and openness online. We would appreciate your input on these.
Check them out below.

The following three principles, derived from the Mozilla Manifesto, offer a
Mozilla way of thinking about the complex landscape of government
surveillance and law enforcement access. We are not proposing a
comprehensive list of good or bad government practices, but rather
describing the kinds of activities in this space that would protect the
underpinnings and integrity of the Web:

1) User Security
Mozilla Manifesto Principle #4 states "Individuals' security and privacy on
the Internet are fundamental and must not be treated as optional."
Governments should act to bolster user security, not to weaken it.
Encryption is a key tool in improving user security.
Requirements that systems be modified to enable government access to
encrypted data are a threat to users' security. The primary aim of computer
security is to protect user data against any access not authorized by the
user; allowing law enforcement access violates that design requirement and
makes the system inherently weaker against attacks that it is intended to
defend against. Once systems are modified to enable law enforcement access
by one government, vendors will be under enormous pressure to provide
access to other governments. It will not be possible in practice to
restrict access to only "friendly" actors. Moreover, the more government
actors have access to monitoring capabilities, the greater the risk that
non-governmental cyberattackers will obtain access. Endpoint law
enforcement access requirements are also incompatible with open source and
open systems because they conflict with users' right to know and control
the software running on their own devices.

2) Minimal Impact
Mozilla Principle #2 states that the Internet is a global public resource.
Government surveillance decisions should take into account global
implications for trust and security online by focusing activities on those
with minimal impact.
Efforts should be made to collect only the information that is needed.
Whenever possible, only data on specific, identifiable users should be
collected, rather than collecting data from a large group of users with the
expectation that it can be triaged later. Activities should be designed to
minimize their impact on the Internet infrastructure and on user trust.
Compromise of or unauthorized access to third party infrastructure or
systems should be avoided if at all possible and is wholly unacceptable if
other avenues for obtaining third party cooperation are available.

3) Accountability
Mozilla Principle #8 calls for transparent community-based accountability
as the basis for user trust. Because surveillance activities are (and
inherently must be, to some degree) conducted in secret, independent
oversight bodies must be effectively empowered and must communicate with
and on behalf of the public to ensure democratic accountability.
A strong oversight regime involves several components. Oversight should be
conducted outside of those agencies responsible for the programs
themselves, by bodies with broad mandates and access, technical competence,
and enforcement authority. Oversight should include statutory transparency
requirements that allow the public to know that aggressive oversight is
taking place and to be able to know the scope and scale of government
access to user data. Finally, oversight should be evidence-based and start
with an analysis of the national security benefits and potential harms of
programs in question.

_______________________________________________
governance mailing list
governance(a)lists.mozilla.org
https://lists.mozilla.org/listinfo/governance

--
Luis Villa
Sr. Director of Community Engagement
Wikimedia Foundation
*Working towards a world in which every single human being can freely share
in the sum of all knowledge.*