How to best protect privacy in cyberspace is a very difficult question. So is what role the law (domestic and international) should play in ensuring a proper balance between privacy and national security. But even questions as difficult as these admit of some easy answers — mainly on what not to do. Here is one: To protect privacy in the digital age, the world most certainly does not need a “Geneva Convention for the Internet” that would outlaw mass surveillance programs. In fact, proposing such a new multilateral treaty — akin to the Geneva Conventions that regulate armed conflict, that have been agreed to by all states in the world — is actually harmful to the cause of Internet privacy.
Unfortunately, people who should know better are already calling for such a treaty. This summer the UN Human Rights Council appointed its new special rapporteur on privacy, an independent expert tasked with promoting, protecting and developing this human right within the UN system. After much political wrangling, the Council appointed Joseph Cannataci, a Maltese law professor, as the first privacy rapporteur. It took him little time to label the current situation as “worse than anything George Orwell could have foreseen,” calling for a new Geneva Convention on the Internet. His call was answered by Edward Snowden, David Miranda, and a group of activists, who put forward the proposal for a “Snowden Treaty” that would end mass surveillance and protect whistleblowers. Other than a short, uninformative summary (coupled with expressions of support from celebrities like Vivienne Westwood, DJ Spooky, and John Cusack), the activists didn’t publish a draft of this proposed treaty.
Why is this proposal misguided? Because such a multilateral treaty — whether a comprehensive convention on the Internet or a treaty specifically outlawing mass surveillance — is quite simply never going to happen. It seems completely fanciful that any of the major players engaged in some type of mass surveillance (e.g., the US, the UK, Russia, or China), not to mention authoritarian regimes in many smaller states that are doing surveillance on the cheap, would ever agree to any such treaty. And having a Geneva Convention on the Internet that would not include such states as parties would be akin to having laws on warfare that did not include any major military powers — it wouldn’t just be useless, but worse than useless. While acknowledging that “some people” (read: everyone who matters) wouldn’t be ready to buy into this new treaty, Cannataci argues that “his notion of a new universal law on surveillance could embarrass those who may not sign up to it.“ If one takes the attitude that some countries will not play ball, he says, then for example, “the chemical weapons agreement would never have come about.”
The manifestly unsound analogy between regulating surveillance and weapons of mass destruction aside, states did not agree to the Chemical Weapons Convention because they were “embarrassed” into doing it (even assuming that states are capable of embarrassment). Rather, they agreed to it because it was in their (enlightened) interest to do so, and because the moral imperative to do so was overwhelming. Treaties don’t just happen because activists will them into being — it is states who negotiate them, have to agree to them, and have to abide by them.
Multilateral lawmaking is tough work. Even when it is reasonably clear that a long-term solution to a particular problem requires a new treaty, the conclusion of effective treaties takes an enormous amount of political energy, leadership and the readiness to make sufficient concessions. There is no more instructive example of the difficulties on overcoming collective action problems than the continuing inability of the international community to agree to a set of binding treaties that would effectively address climate change, with conflicting short- to mid-term interests consistently undermining the possibility of reaching agreement on a long-term solution.
So, as a purely pragmatic matter, a new surveillance treaty seems completely implausible. In the US context alone, just consider the near-impossibility of getting the 2/3 majority in the Senate necessary for its ratification, which even treaties that bring much more obvious benefits and little if any costs to the US, such as the Convention on the Rights of the Child or the Law of the Sea Convention are not able to attain. The “Snowden Treaty” label hardly helps in that respect.
What makes this idea harmful, rather than simply useless, is that any proposals to fill a regulatory gap necessarily assume that such a gap exists. But we already have widely accepted human rights conventions, including the International Covenant on Civil and Political Rights (ICCPR), to which the US, Russia, and the UK are parties. And almost all of the major human rights treaties, as well as the Universal Declaration of Human Rights which is reflective of customary international law, protect the right to privacy.
True, these instruments do not specifically address the problem of mass surveillance, or provide clear-cut solutions to questions such as the nature and quality of oversight mechanisms. But this does not undermine their relevance (see more here). The US Constitution also says nothing about cyberspace, but that likewise doesn’t mean that it cannot be applied to new problems. It is standard legal practice to apply general rules to specific problems that could not have been envisaged by the rules’ drafters. And there is currently a significant amount of work going on, within the UN and elsewhere, to clarify standards on cyber surveillance on the basis of existing law.
The UN General Assembly and the Human Rights Council have both adopted standard-setting resolutions on privacy in the digital age, affirming that the same rights that people enjoy offline they should also enjoy online. Test cases on surveillance are currently being litigated, for example, before British courts and the European Court of Human Rights. The Court of Justice of the European Union has also pushed back against mass surveillance practices in a number of cases, most recently with regard to the so-called safe harbor agreement between the US and the EU. This will likely force the two to improve their intelligence oversight mechanisms and privacy protections in negotiating a new deal. Bilateral diplomacy can also help curtail cyber espionage, as with the recent agreement between the US and China, assuming that the interests of the relevant states align.
The “Snowden Treaty” is hence not only pie-in-the-sky, but will waste energy better invested in other advocacy efforts, especially internally in democratic societies for the purpose of building up effective domestic legislation. It can only distract us from those conversations that are actually worth having: strengthening oversight mechanisms, applying more rigorous tests for justifying intrusive measures, ending citizenship-based discrimination and changing statutes under which foreigners are entitled to few (if any) privacy protections, and regulating corporations, which routinely engage in privacy-intrusive practices on the basis of terms and conditions that nobody ever reads before clicking “yes.”
Nor would this treaty remedy the existing problems in applying the existing human rights framework vis-à-vis the US – viz., the US claim that the Covenant does not apply extraterritorially, the position in US domestic law that the Covenant is not self-executing, or the view of US courts that domestic constitutional protections do not protect foreigners extraterritorially. Again, the US would simply never agree to a treaty that specifically prohibited extraterritorial mass surveillance, which would at that be self-executing and enforceable in its domestic courts. The US government’s mistaken arguments about the ICCPR’s supposed inability to apply outside US territory would in fact only be lent credence by a proposed new gap-filling treaty. As for deficiencies in US domestic law, the only way to remedy those is through internal debate and legislative action, with a compelling moral argument being made on why foreigners deserve privacy and respect for their dignity as human beings, whose interests cannot be completely discounted simply because of an accident of birth, which is determinative of citizenship for the vast majority of people.
If, in short, you genuinely care about Internet privacy and think that (international) law has some solutions to offer, you should reject the idea of any new global privacy treaty, a Snowden one or otherwise.