Splintered Speech: Digital Sovereignty and the Future of the Internet

Introduction: The New Guard Posts of Cyberspace

The common wisdom used to be that the internet would inevitably make societies more open and free. It would connect people, cutting across cultural and political boundaries. It would offer new opportunities for self-expression. It would give every human being with an internet connection access to the world’s accumulated stores of knowledge and to the digital public square, along with the ability to be their own one-person publishing house. It would be, in the words of internet pioneer John Perry Barlow’s influential 1996 “Declaration of the Independence of Cyberspace,” “the new home of Mind,” far above the governments that were futilely attempting to “ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace.”¹ Then, the internet was largely viewed as simply too decentralized, too massive, and too untameable for any repressive government to fully and indefinitely control.

Few people would make such optimistic pronouncements today about either the internet’s inevitably liberalizing effect or its irrepressibility. Between a rising tide of governmental regulation of the digital sphere, and the domination of the digital public square by a handful of social media giants, it turns out that the internet is in fact much more vulnerable to top-down controls than its early techno-utopian champions would have predicted.² Additionally, as societies grapple with the digital spread of extremism, disinformation, hate, and harassment, experts and everyday people alike are now calling for greater regulation of social media and other tech titans. Few people now advocate Barlow’s call for all governments to simply “leave us alone.”

Today, governments across the globe are arguing for new powers to regulate the internet within their countries’ borders for national security, economic health, and other fundamental reasons. Much of this new negotiation for control is occurring between governments and the technology corporations that host and arbitrate online public discourse. Still other aspects of this renegotiation involve who controls how the global internet functions at a basic level.

In this struggle for control, there is potential for multiple bad outcomes—including further concentration of power in the hands of states or corporations, the erosion of human rights norms, and the subversion of the internet’s continued potential as a space for expression, emancipation, and cultural exchange.

As governments redraw the boundaries of their own authority over the internet, many leaders have endorsed or invoked “digital sovereignty,” a phrase intended to explain and legitimize more expansive governmental regulation of the digital sphere in the national interest. But different governments have vastly different interpretations of what this sovereignty actually entails–which “sovereign” rights governments should have over their nations’ internet, what the strategic goals of such “sovereignty” should be, and what constitutes national interest.

Because the internet traverses boundaries, many of these “sovereignty” efforts will have effects that stretch beyond any one country’s domestic space or the experiences of its own citizens. Analysts and experts have warned that governmental efforts to silo the internet or our data into national boxes, or to impose conflicting national laws on the internet broadly, risk fragmenting the internet and undermining its connective potential. Moreover, authoritarian leaders have invoked their “sovereignty” to enshrine the power of the state—through rhetoric, through law and regulation, and through technological developments—in ways that either foreseeably or explicitly contravene human rights, including freedom of expression, privacy rights, and the right to be free of arbitrary detention or other acts of state-sponsored violence and repression.

All this is happening as governments the world over increasingly adopt their future model of internet governance—including fundamental decisions as to what level of digital freedom they afford their populaces. These decisions increasingly intersect with great power politics, as the digital arena emerges as a new front in the increasingly competitive relationship between the United States and China, so that internet governance and infrastructure now represent a new axis of geopolitical contention.

The framework of digital sovereignty has become popular in part because it appears to offer governments a set of tools to address peoples’ serious and legitimate concerns about unaccountable large foreign corporations—from telecommunications companies who control the infrastructure of the internet, to the handful of social media companies whose algorithms can influence human behavior and whose business model is based on the collection and commercialization of people’s data.

Yet as governments renegotiate the terms of their power over the functioning of the internet, the result can be an increase in digitally-facilitated repression. Governments the world over have passed new laws mandating data localization, granting them new powers over their citizens’ data and new levers of control over transnational corporations; they have pressured or forced companies to trigger digital shutdowns, becoming complicit in repression; they have demanded content takedowns and other forms of censorship. Companies’ compliance is often predicated on the argument that they must comply with national law—yet this compliance inevitably conflicts with these same companies’ responsibilities to uphold human rights.

The future shape of the internet is actively being decided, and along with it, the extent of our rights to freely access information and express ourselves online. That makes this an issue of fundamental importance for those concerned with freedom of expression, cultural interchange, and our human rights both on and offline.

PEN America’s analysis and engagement on these issues is motivated by our commitment to the PEN Charter, first drafted in 1948, which commits PEN Members to “the principle of unhampered transmission of thought within each nation and between all nations.”³ Today, this principle is most embodied by the global internet—the network that allows human beings to communicate across national boundaries and enables information, opinion, and expression to flourish freely. Today this global project is facing increased threat—and demand defending.

Methodology

In producing this report, PEN America draws upon interviews with more than a dozen experts and advocates on internet policy, digital rights, and country-specific issues, as well as from our review of sources including relevant national legislation and regulations, scholarly and news articles, civil society reports, and international norms and standards.

This report begins by identifying and distinguishing between differing conceptions of digital sovereignty, examining the authoritarian origins of the concept alongside its subsequent broader application by governments across the political spectrum, and explaining how the different baseline rights protections within different countries influence how many sovereignty proposals play out in practice. In the second section, we examine how authoritarian countries are pushing for a new model of a more nationalized internet, domestically and on the international stage, threatening to splinter the internet into increasingly disconnected and incompatible networks. We then explore how governments are attempting to re-balance their relationship with the online service providers who control substantial aspects of our digital reality, focusing on how rights-repressive governments specifically have developed or accelerated regulatory tactics to compel or induce corporations to comply with abusive demands. Such tactics, we explain, illustrate how calls for corporate accountability must be thought through with care, to avoid simply handing governments new powers they can use for political ends. Finally, we explain how rising US-China tensions are changing the terms of the debate over global digital regulation, before evaluating calls for a new form of digital democratic multilateralism. We end this report with a call for a global approach to digital regulation that affirms the primacy of human rights and global connectivity, and for a greater corporate commitment to international human rights standards in the face of repressive national dictates.

Section I: Digital Sovereignty, Digital “Deciders,” and the Future of the Internet

At its most basic, the doctrine of digital sovereignty holds that governments should be able to exercise sovereign control over both the infrastructure and the content of the digital realm within their own borders, in order to better serve their national interests.⁴ Yet because governments define their national interests so differently, the way this sovereignty is invoked varies vastly.⁵

As a doctrine, digital sovereignty suffers from an unfortunate starting point—its earliest proponents have been authoritarian leaders who subscribe to a vision of sovereignty that gives them substantial power to restrict or violate the rights of their own citizens. These leaders have invoked this notion of sovereignty over the digital sphere as a justification for the privileges of state, and as a convenient justification for digital repression. Today, authoritarian governments have not only implemented this framework of digital sovereignty domestically, but—as this report discusses in greater detail—have pushed for it on the global stage.

In recent years, however, many others have begun invoking digital sovereignty: from key leaders within the European Union, who invoke it as a framework for more muscular regulation, to regulators in countries with developing digital economies who argue this sovereignty offers them a shield to defend their citizens and businesses from unaccountable foreign actors. The extent to which these actors are able to re-package digital sovereignty to fit within a democratic and rights-respecting framework, while avoiding the temptation to accrue dangerous or injurious new powers over the digital space, will play a large role in determining the future of the global internet.

The Authoritarian Origins of Digital Sovereignty as a Doctrine

The Chinese government was the first to lay out its framework for digital sovereignty, which it has described as “cyber sovereignty.” In 2010, the Chinese State Council Information Office, the press organ of the country’s chief administrative body, released the white paper “The Internet in China,” declaring that “Within Chinese territory the internet is under the jurisdiction of Chinese sovereignty,” and that all those within China were obligated to “obey the laws and regulations of China and conscientiously protect internet security.”⁶ In subsequent public pronouncements, government officials have continued to invoke the nation’s “cyber sovereignty” as the overarching framework for their regulatory policy.⁷

Under this approach, the state is empowered to act as the ultimate gatekeeper for all digital information entering or exiting the country, as well as the manager of all information flows within the country.⁸ This empowerment exempts the government from any obligation to ensure the free flow of information across—or even within—national borders, allowing an authoritarian state to place its own prerogatives over its citizens’ rights. Such centralized state control allows the government to hardwire digital censorship and surveillance into the state’s regulatory and technological infrastructure.

This authoritarian framework of digital sovereignty also gives precedence to considerations of national security, treating the free movement of information as inherently hostile and dangerous, and enabling rights-abusive measures in the name of the national interest. As Konstantinos Komaitis, the policy director of the Internet Society, describes it, this conception of digital sovereignty is one that is “predominantly attached to notions of national security and securitization,” or in other words, “all about the right of national governments to supervise, regulate, and censor all electronic content that passes through its borders.”⁹

From the beginning, supporters of this view of digital sovereignty have essentially admitted that this formulation explicitly contravenes human rights guarantees. In 2011, member states of the Shanghai Cooperation Organization (SCO)—a Beijing-initiated intergovernmental grouping that then consisted of China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan¹⁰—submitted to the UN General Assembly a proposed International Code of Conduct for Information Security, an attempt to develop new norms for digital regulation that would have given their view of digital sovereignty the status of an international standard. In the Code, SCO members called for an affirmation that “policy authority for Internet-related public issues is the sovereign right of States, which have rights and responsibilities for international Internet-related public policy issues.”¹¹ The Code—which was not adopted¹²—also argued that “rights and freedom to search for, acquire, and disseminate information” was predicated on “complying with relevant national laws and regulations,” a formulation incompatible with human rights law.¹³ In addition, the Code would have bound states to a pledge not to use the internet to “interfere in the internal affairs of other States,” a digital corollary to the long-standing authoritarian rhetoric that human rights advocacy represents interference in their domestic affairs.¹⁴

The Chinese internet experience, as PEN America documented in its 2018 report Forbidden Feeds, is one circumscribed by centralized state control: the world’s most systemic and sophisticated censorship system, lack of privacy protections from state security services, and advanced filtering capabilities that block or surveil access to much of the global internet behind the country’s Great Firewall.¹⁵ In its western Xinjiang region, the ruling Chinese Communist Party has pioneered new forms of digitally-assisted repression, wielding digital technologies to sweep up massive amounts of data and using “predictive policing”-style algorithmic analysis to determine which Uyghurs and other members of ethnic or religious minorities to send to the region’s internment camps.¹⁶ This imposition of a digital police state is facilitating systematic crimes against humanity and cultural erasure, a dystopia that would have been unimaginable only decades ago, and illustrates the most extreme risks of a digital sphere deployed purely in service of the state.¹⁷ Under the authoritarian view of digital sovereignty, employing such technology to facilitate abusive policies is not only permissible, but in furtherance of legitimate government aims.

As this report will examine, China and Russia in particular have taken a leadership role in modeling or propagating this particular model of digital sovereignty, to the point that some observers have begun referring to it as “the China model” of digital regulation,¹⁸ while others warn it represents a “digital authoritarianism.”¹⁹

Governments are Adopting and Adapting New Models of Digital Sovereignty

While the concept of digital sovereignty may have originated with Beijing, other actors have since taken up the term. “Years ago, anyone who was talking about cyber sovereignty was assumed to be affiliated with a top-down, authoritarian or at least autocratic internet governance approach,” said Jason Pielemeier, director for policy and strategy at the Global Network Initiative, a multi-stakeholder initiative on human rights in the telecommunications and internet sector. “That’s no longer true. The fact that the European Union, among others, has come to use this idea of sovereignty to refer to technology governance and regulation has made it harder to rely on this language in a meaningful way to distinguish between authoritarian and democratic approaches.”²⁰

In the past few years, key decision-makers in the European Union (EU) have broadcasted their intent to develop a ‘third way’ of digital regulation, a framework for digital sovereignty that rejects both the comparatively regulation-free approach of the American model of internet governance, and the state-centered authoritarian model pioneered by China. In 2018, at the UN-affiliated Internet Governance Forum (IGF), French president Emmanuelle Macron called for a “new path” for digital regulation—one he distinguished from the “Californian form of the internet” and the “Chinese internet”—where “governments, along with Internet players, civil societies and all actors are able to regulate properly.”²¹ At the following IGF, Germany’s Angela Merkel offered similar remarks endorsing of a European framework for digital sovereignty, saying:

“What we have to clarify is, what do we mean when we talk about digital sovereignty . . . As I see it, sovereignty does not mean protectionism. It does not mean that a State body can say this or that information may pass through. That would be censorship . . . We are very well aware of the technological advances and companies that developed them, cannot always just be given a free rein. You have to have guardrails in place.”²²

Under the European Union’s envisioned framework, the body acts as an attentive regulator, but stops well short of trying to comprehensively control the internet. Instead, their focus is on technological and economic safeguards from foreign actors and tech companies, rather than on state domination of the internet and what is shared on it.²³ Importantly, the EU’s most aggressive actions to achieve this digital sovereignty are positioned as measures to afford individuals substantial personal control and choice over their data.²⁴

This envisioned ‘new path’ of European digital sovereignty is influencing EU legislators’ approach to the upcoming Digital Services Act (DSA) and accompanying Digital Markets Act (DMA), two omnibus digital regulatory bills which came before the European Parliament in December 2020. While the Acts are not expected to be finalized until 2022, the DSA would impose new obligations on social media companies to disclose information to regulators, such as how their algorithms and content takedown processes function. Many of these new obligations will only apply to platforms with more than 45 million users—that is to say, the digital behemoths that have become household names, such as Facebook, YouTube, and TikTok.²⁵ These laws will be far-reaching in their impact, and rights groups have been quick to warn about provisions that could lead to abuse—such as a proposed mandate that internet companies inform law enforcement of “suspicious criminal offences” from their users.²⁶ On the whole, though, these proposals seek primarily to protect and reinforce, rather than curtail, the agency of EU residents online.

The EU’s ability to effectuate its commitment to human rights within its envisioned framework of digital sovereignty may determine the future of the internet. As the former United Nations Special Rapporteur on Freedom of Opinion and Expression, David Kaye, has warned, European regulators “could show the way toward rights-oriented regulation” across the globe, or they could instead “give cover to those who want to undermine rights in favor of protections against vague concepts like extremism and national security.”²⁷

This is especially the case because the EU is not the only entity seeking to develop its own model of digital sovereignty. Nations with developing digital economies—such as India, Brazil, Indonesia, Nigeria, and various others—have begun evoking digital sovereignty as an organizing principle for their own regulatory frameworks.²⁸ India—which has the world’s second largest internet user base²⁹—has in particular sought to carve out its own doctrine of digital sovereignty, one predicated around active government intervention in the country’s digital development alongside a model of economic and regulatory protectionism aimed at re-orienting the balance of power between itself and foreign internet companies.³⁰ Indian regulators have argued for an approach where the state plays an active role in enabling the development of local digital platforms that operate as public goods.³¹ Yet these proposals are gaining traction at the same time that India is experiencing a backslide in its democratic commitments under the Modi government,³² raising the question as to whether Indian officials will use protectionist measures for the people’s benefit, or for their own.³³ This captures a key concern—that regulators may develop frameworks of digital sovereignty that supposedly protect citizens from unaccountable foreign actors but instead place them at greater risk from their own governments.

Today, digital sovereignty is a contested term, with various actors invoking the doctrine to encompass very different concepts of the state’s powers and role. While the authoritarian meaning of such sovereignty is fairly settled, including in its inherent hostility to human rights, governments across the political spectrum now invoke their sovereignty to advance a broad set of digital policies in furtherance of their own national goals.

What is emerging is a global series of differing national (and in the European Union’s case, regional) frameworks for digital sovereignty. Each of these developing frameworks will be deeply shaped by states’ pre-existing commitments to human rights, rule of law, and stable public institutions. “It’s tricky to figure out how to address some of these digital regulatory problems in countries that lack robust checks and balances or mechanisms for independent oversight,” Freedom House’s Adrian Shahbaz affirmed in his conversation with PEN America, “because even if they have the exact same wording as laws as in other countries, they won’t be implemented in the same way.”³⁴

For authoritarians and autocrats, the conceptual ambiguity around digital sovereignty and what it entails in practice is politically useful, allowing them to propose rights-abusive laws, rules, and standards on the global stage while hiding behind the conceptual screen of sovereignty also nominally defended by democratic states and blocs. This ambiguity also enables autocratic rulers to depict their own repressive efforts as fundamentally similar to initiatives from established democracies with rule of law and stable institutions. “Authoritarian governments,” as David Kaye warns, “are taking cues from the loose regulatory talk among democracies.”³⁵

As one analysis from the German Council of Foreign Relations puts it, “both Russian and Chinese leadership understand perfectly that [the] idea of censorship is difficult to sell to a global audience. Therefore, they are mimicking the language and terminology used by many European countries,” in order to camouflage the abusive elements of their digital regulatory policies.³⁶ Alena Epifanova, a researcher with the German Council, made this point in her conversation with PEN America, drawing on the Russian example: “The Russian government actually uses this lack of clarity around sovereignty to their advantage,” she noted, “as it makes it much easier for them to promote their vision of internet governance—where the internet should be state-centered—on the international level.”³⁷

All this underscores a vital point: the foundation of any democratic framework for digital sovereignty must, by definition, include a commitment to and continuous investment in people’s digital privacy and free speech, along with a system of rule of law and functioning institutions to guarantee these rights in the face of government or corporate power. Any democratic state invoking such sovereignty must foreground these commitments.

Digital Sovereignty as a Rejection of The American Internet Model

Today, the impulse toward greater digital sovereignty is ascendant, in large part, as a result of significant global concerns over the negative consequences of the hands-off ‘American model’ of digital governance, in addition to the outsized control that both the American government and American-based internet titans appear to have over the global internet.

Firstly, there are valid concerns over the lack of democratic accountability for American internet corporations. In the Global South especially, analysts and advocates have argued that Silicon Valley’s domination of the digital economy has been so lopsided that it constitutes a new phenomenon of “digital colonialism,” for which government intervention is not just desirable but necessary.³⁸ Digital sovereignty is being invoked as a countermeasure to this domination.³⁹

These fears tie into global alarm over the increasingly apparent, often menacing social effects of the business models for some of the world’s largest technology companies—social media and digital advertising platforms in particular. Academic and author Shoshanna Zuboff has forcefully argued that the prevailing model of our digital reality amounts to “surveillance capitalism,” an economic system geared toward the commoditization of people’s personal data.⁴⁰

Secondly, concerns over American intelligence gathering have also fed into the global push for more digital sovereignty. The revelations, exposed in 2013 by Edward Snowden, that US intelligence agencies were engaged in widespread dragnet surveillance of both U.S. and foreign citizens, are almost universally cited as a major impetus for this shift.⁴¹

In 2015, PEN America conducted our own global survey of writers across 50 countries, to assess the impact of the Snowden revelations on their willingness to write freely. We concluded then that American mass surveillance had “gravely damaged the United States’ reputation as a haven for free expression at home, and a champion of free expression abroad.”⁴² It is no surprise, then, that these surveillance programs have had tangible effects on digital policy, spurring other countries to act defensively—either out of the desire to shield their citizens from unaccountable foreign surveillance or out of national security or power-competition considerations.

The development of the European Union’s General Data Protection Regulation, or GDPR, for example, was deeply influenced by the Snowden disclosures, turbocharging European privacy advocates at a crucial point in the process.⁴³ The European Parliamentary Committee on Civil Liberties, Justice and Home Affairs was actively investigating the impact of the Snowden disclosures on the rights of EU citizens at exactly the same time that it began evaluating the first formal draft of the regulation.⁴⁴ The GDPR, adopted in 2016 and becoming enforceable in 2018, created a minimum standard of data protection for all EU internet users, and has become the world’s most significant data protection standard in place today, inspiring other countries—including Argentina, Brazil, Chile, Japan and Kenya—to adopt legislation modeled on it.⁴⁵

In two highly public decisions, the European Court of Justice has ruled that the United States’s privacy protections did not adequately protect Europeans’ data under the GDPR. In 2015, in a case known as the “Schrems decision,” the Court invalidated the “Safe Harbor” arrangement between the US and the EU, which had permitted the transfer of personal data from EU member countries to US-based companies.⁴⁶ The Court made a similar decision in 2020, known as the “Schrems II decision,” invalidating the subsequent US-EU data-transfer agreement known as the Privacy Shield.⁴⁷ In both cases, the Court cited a lack of adequate safeguards preventing US intelligence agencies from accessing personal data held by US-based companies.⁴⁸

Authoritarian leaders have also been able to leverage these same concerns to pursue their state-centered framework of digital sovereignty, using the Snowden revelations as justification to seek greater state control over the digital sphere. In Russia, Vladimir Putin has played up fears that the internet is controlled or surveilled by American intelligence agencies. In a 2019 televised interview, for example, Putin warned that the internet is the “creation” of Western intelligence agencies, that they “hear, see and read everything that you are saying and they’re collecting security information.” As a result, he argued, Russia “must create a segment [of the internet] which depends on nobody.”⁴⁹

“For both the EU and Russia,” says Alena Epifanova, a digital regulations researcher at the German Council on Foreign Relations, “much of the conversation about the need for another model of internet governance originates from the Snowden revelations. The EU said, ‘Okay, we can’t trust our US partners. We aren’t sure where the data of our European users would land.’ Russia had the same concern, but followed a different model—towards more centralized state control of the internet.”⁵⁰

The National Security Agency’s (NSA) surveillance program is not the only U.S. policy of the past decade that has prompted some governments to seek out greater digital sovereignty. In March of 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, which—among other provisions—formalized the ability of American law enforcement authorities to compel user data and content from American companies regardless of where in the world that data is actually stored.⁵¹ These provisions triggered a new wave of conversation around digital sovereignty, in the name of ensuring the privacy of people’s data in the face of American intelligence agencies. In June 2019, for example, France issued a parliamentary report condemning the CLOUD Act provisions and calling for measures to “restore the sovereignty of France.”⁵²

American policymakers, analysts, and rights advocates must be aware of, and responsive to, these concerns, as they participate in the debate over the future of the global internet. It is not enough to respond to rising calls for digital sovereignty by simply insisting on a return to the status quo ante. For too many people, the “American model” of internet governance increasingly represents an unfair playing field for American economic or governance interests.

“Digital Deciders” are Choosing Their Model of Internet Governance

These conversations around sovereignty come at a time when countries across the world and across the political spectrum are actively choosing between different frameworks of digital governance that are on offer, making foundational decisions about what the internet will look like within their borders.

Some analysts point to a large set of digital “digital deciders”, countries that are essentially opting for either a closed or an open internet.⁵³ Several of these nations are among the world’s most populous and are rising global leaders, like India, Brazil, Indonesia, and Nigeria. Moreover, these digital deciders include more than two dozen countries that the NGO Freedom House categorizes as Partly Free–such as illiberal democracies and countries slowly transitioning away from authoritarian pasts.⁵⁴ Former Special Rapporteur David Kaye has warned that it is such countries–the “transitional ones that see-saw between openness and control, that could tip into blossoming democracy or creeping authoritarianism”–that are particularly likely to “borrow” the language of internet regulation and deploy it to rights-injurious ends.⁵⁵ In 2018, researchers from the US-based think tank New America determined, worryingly, that these “digital deciders” are increasingly choosing a more closed internet, not a more open one.⁵⁶

Recent events may only exacerbate these trends. In the past year alone, for example, the COVID-19 pandemic has served as a useful opportunity—or excuse—for governments to expand their control over the digital realm in the name of safeguarding public health and public order. The International Center for Not-for-Profit Law has identified more than 50 examples of countries introducing or amending laws or policies to criminalize disinformation or otherwise limit free expression in response to the pandemic—including 16 countries on New America’s “digital decider” list⁵⁷—alongside another 40 other forms of pandemic-related constraints on free expression.⁵⁸ The substantial majority of these new policies and new constraints touch upon the digital sphere, with many such policies seeking to criminalize or otherwise punish digital “misinformation” about the pandemic.⁵⁹ As PEN America has recently noted in its Freedom to Write Index review of the past year, these laws pose an obvious threat to freedom of expression, by granting officials broad new powers to police speech that can easily bleed into repression.⁶⁰ Digital deciders are hardly alone in facing the impulse to respond to issues of genuine social concern with a heavy governmental hand and cynical political self-interest. But they do so at a time when their governments are making broader decisions regarding the architecture of their digital future.

Meanwhile, champions of the authoritarian vision of digital sovereignty are actively nudging digital deciders toward more closed digital spheres. In Eurasia, at least nine of Russia’s neighboring states have adopted technical or legal aspects of Russia’s internet surveillance structure, while Russian companies have exported the Russian government’s internet surveillance system, known as SORM, to telecom companies in the Middle East and Latin America.⁶¹ Meanwhile, China’s Xi Jinping has offered up Beijing’s model of internet governance to other countries as an example of how they can “speed up their development while preserving their independence,”⁶² a description that will appeal to digital deciders—and one that is conspicuously silent about the human rights implications of such a model.

Beijing’s most powerful mechanism for exporting its model of digital governance has been its Belt and Road Initiative, the largest infrastructure development program in the world. As part of this Initiative, Beijing has created what it terms a “Digital Silk Road,” an extensive international development and technology-sharing program.⁶³ Under this program, China has entered into bilateral relationships with an estimated 40 other countries, primarily developing economies that are still building out their digital infrastructure and their digital policies.⁶⁴

This Digital Silk Road enables Beijing to accelerate its exportation of technology that comes with China’s model of digital governance pre-baked into the formula.⁶⁵ This includes internet infrastructure that enables other countries to recreate substantial aspects of China’s Great Firewall, and grants governments new powers of censorship and surveillance. Maria Farrell, former director of the UK-based NGO Open Rights Group, has described the Digital Silk Road as offering a “plug-and-play” internet that gives digital decider countries an option for developing their national internet infrastructure without committing to an open internet. As she puts it, “What China has done is put together a whole suite of not just technology, but information systems, censorship training, and model laws for surveillance. It’s the full kit, and the laws, and the training, to execute a Chinese version of the internet.”⁶⁶

Adrian Shahbaz, Director for Democracy and Technology at Freedom House, has closely followed Beijing’s efforts in this area. Shahbaz warned in his conversation with PEN America that “we are approaching a stage where the Chinese model of internet governance is looking more appealing to certain states, particularly as they perceive the unregulated internet as a threat to either social stability or regime survival.”⁶⁷ It falls upon those who are committed to the vision of an open, global, and human rights respecting internet to offer a contrasting agenda to which digital deciders can rally.

Special Section: Digital Sovereignty as Control over Data

One of the primary digital sovereignty concerns of governments is over their residents’ data. Such data represents an economic and analytic goldmine, leading some commentators to declare that “Data is the new oil.”⁶⁸ Increasingly, countries around the world are insisting on sovereign control over this data: how it is used, who has access to it, and where it is stored or allowed to travel.

As a result, governments have enacted a wave of laws and regulations implementing data localization (or “data residency”) requirements. Broadly, this means mandating that the data generated by users within their country be stored within national borders. Internet experts have long warned that mandatory localization efforts will contribute to internet fragmentation and impede the openness and accessibility of the global internet, by creating new barriers to transnational data flows.⁶⁹ Yet in the past few years alone, more than 70 countries have passed or amended their laws to include some form of data localization.⁷⁰

Data localization mandates that affect people’s personal data, specifically, raise substantial and systemic human rights concerns because they ensure that such data is kept within the jurisdictional reach of their national law enforcement and state security services—potentially weaponizing it as a tool for repression. If the country demanding the localization of data has an independent judiciary, rule of law, and enshrined privacy rights, then the potential adverse human rights impacts of such data localization may be lessened—although not necessarily eliminated.⁷¹ In countries that do not have a strong legal framework for rights protection, the risks are heightened.

This is particularly the case for governments that criminalize peaceful dissent or otherwise suppress freedom of expression—making these databases potential treasure troves for the discovery of “crimes” involving dissenting speech or opinion. Even access to other forms of data—when and where a certain picture was taken, who uses their internet during a religious holiday and who doesn’t, who were the last five people the activist messaged before their arrest—are potent tools for surveillance and repression. Freedom House, which produced a major analysis of data localization’s human rights effects in 2020, concluded that it was no coincidence that “Some of the most stringent data localization requirements can be found in countries with poor human rights records and restrictive information environments.”⁷²

Yet these risks are not limited to authoritarian governments alone. “The core issue determining the status of people’s digital rights is the laws and regulations that guarantee people’s privacy rights and the enforceability of those laws and regulations,” Megha Rajagopalan, a tech reporter for Buzzfeed, told PEN America. “And the current status quo is that the majority of countries around the world have not developed laws and regulations that are sufficient to safeguard people’s privacy rights and the rights to free speech.”⁷³

Data localization regulations may also grant governments further powers that may enable abuse—for example, the ability to put pressure on the companies hosting their data within the country to comply with other demands (a phenomenon we examine further in Section III of this report), the ability to cut off access to the data from outside the country, or the ability to funnel data streams through local service providers, providing yet another access point for government surveillance. Some data localization mandates also seek to undermine the efficacy of encryption, by either compelling companies to store encryption keys within the country (as is the case in China),⁷⁴ or mandating that companies maintain the local data in an unencrypted form (as Pakistan has recently imposed).⁷⁵

Whatever the impacts, the motivations for data localization run the gamut: from ensuring residents’ digital privacy from foreign governments , as a form of economic protectionism to advantage local technology companies that can more easily develop local data centers or access datasets, to facilitate law enforcement access to data, or under national security rationales.⁷⁶ The motivations of ‘law enforcement access’ and ‘national security’ raise obvious red flags for any human rights-minded observer, but government officials can also easily publicly suggest one rationale while downplaying another.⁷⁷

‘Gbenga Sesan, Executive Director of the digital advocacy group Paradigm Initiative, gave PEN America an example of how this dynamic has played out in the data localization conversations in sub-Saharan Africa. “Some of the push for data localization has been from the technology private sector, with companies saying to their governments, ‘Google and Facebook are eating our lunch. Why don’t we have some protectionism? If we store data locally, then these companies will have to work with us local players.’ So that’s one conversation. But the second conversation is between security officials and their government higher-ups, saying ‘if we store the data here, we can get a back door to that data.’ And when you look at the trends in this conversation [around data localization], and you look at the countries that are talking about it–you look at Kenya, South Sudan, Rwanda, Zimbabwe, Zambia, and Nigeria, to mention some examples–there are only one or two countries where the conversation is not about governmental control.”⁷⁸

In sum, personal data localization mandates—regardless of whether they are motivated by valid sovereign interests or by anti-democratic or repressive machinations—inevitably open the door to new possibilities for governmental abuse. What is sorely needed is a global approach to the hosting of data that insists on all countries meeting human rights standards for the protection and privacy of such data, rather than one which carves up this data among national jurisdictions. As Freedom House’s Adrian Shahbaz summarized, “The framing around data privacy shouldn’t be around where data is physically located, but rather, whether it’s stored securely and protected from government surveillance and corporate malfeasance.”⁷⁹

Section II: Government Efforts to Undermine the Global Internet

Perhaps the most world-changing attribute of the internet is that it is global–a person can travel across the world and still read their emails, visit websites, and have fundamentally the same online experience. This is an oversimplification, of course: national laws may affect what websites you can visit, or which online speech is censored before you have the chance to view it. Yet the global internet can still be conceived of, broadly, as a unitary project.

This is due, first and foremost, to the fact that the internet is designed to be globally interoperable—with shared foundational technical protocols making it possible for any device, anywhere, to connect to the internet and digitally interact with each other.⁸⁰ This interoperability underlies the internet as a place where cultures connect, where ideas and identities and freedoms that would not otherwise be possible become so, and where the “unhampered transmission of thought within each nation and between all nations”⁸¹ can be a day to day lived reality for billions. Yet this global interoperability is increasingly threatened, by governments working to either enable themselves to separate from the global internet, or to take over the foundational underpinnings which render the global internet interoperable.

The Authoritarian Pursuit of a National Internet

National internets—in which the domestic populace is cut off or largely removed from access to the global internet—have traditionally been understood as exceptions in an increasingly connected world. Apart from China, countries that had cut themselves off from the World Wide Web prior to the last decade included only North Korea, Cuba, and pre-2011 Myanmar.⁸² Today however, Russia and Iran are pioneering new models for internet nationalization, laying the legal and technical groundwork for independent, centrally-controlled, and nationalized internets. In its ultimate expression, which both countries are actively working toward, this nationalized internet would allow their governments to sever the country’s domestic internet from the global one. Russia and Iran’s efforts have major implications for the future, in part because each of these efforts may provide a blueprint for other governments looking to do the same.

Under President Putin, Russia has aggressively pursued an authoritarian set of digital sovereignty policies over the past decade.⁸³ These efforts include the creation of a country-wide online content filtering system in 2012;⁸⁴ the ongoing development of a Russian surveillance ‘back door’ to the internet known as the System of Operative-Search Measures, or SORM–originally modeled off of KGB wiretapping technology;⁸⁵ and the passage of the “Yarovaya Law” in 2016, which imposed new requirements on technology companies to collect and store data within Russia, mandated that online service providers provide security services with backdoor access to encrypted content, and compelled providers to provide law enforcement access to data upon request.⁸⁶ In 2018, Russian regulators attempted, largely unsuccessfully, to block the popular encrypted messaging program Telegram, after the company refused to hand over its encryption keys to the government.⁸⁷

Russia’s most significant step in expanding its control over the internet came in 2019,
with the passage of its Sovereign Internet Law legalizing the government’s reach into nearly every corner of its domestic internet infrastructure. Some observers have analogized this law as a step towards Russia’s own “Great Firewall.”⁸⁸ Technically a series of amendments to preexisting regulations, the Sovereign Internet Law both creates a legal framework and mandates construction of the technological infrastructure for the government to close down Russians’ access to the global internet.⁸⁹ It provides the legal basis for the Russian government to route web traffic through state-controlled chokepoints; censor content without due process or public disclosure; block popular encrypted messaging apps like Telegram; and create a ‘kill switch’ that could shut off internet traffic into and out of the country whenever the government deems necessary.⁹⁰

The Sovereign Internet Law even enables the construction of a new infrastructure for a separate, national, Domain Name System (DNS), a foundational element of internet architecture that is managed globally by the non-governmental Internet Corporation on Assigned Names and Numbers (ICANN). This separate DNS infrastructure would lay down foundational protocols for a Russian internet that would be technologically separate from the global internet.⁹¹

It should be acknowledged that the legislation enabling this level of control is separate from the actual technical implementation necessary for Russia to achieve the law’s stated goals. Analysts following Russia’s digital path have noted that, in order to accomplish this digital separation, Russia would be largely reliant on Chinese technological assistance and cooperation—something that Putin has laid the groundwork for over the past several years through several high-level bilateral agreements to cooperate on digital policy.⁹²

Even short of full implementation, the law is a powerful statement of the Russian government’s intent and a highly visible model for other states to follow. Russia’s regional neighbors, in particular, have copied-and-pasted their own digital regulations from Russia before. Kyrgyzstan’s unpopular 2020 Law on Manipulating Information,⁹³ for example, was largely modeled after Russia’s Yarovaya Law.⁹⁴

With the Sovereign Internet Law, the German Council on Foreign Relations’ Alena Epifanova explained, “Russia is creating more than a legal framework. It’s also creating a precedent. The good news is that Russia’s neighbors don’t have the money or the technology to move towards a sovereign internet as well or as quickly as Russia can. The bad news is that they will keep on trying.”⁹⁵

Iran is another state that has pushed over the past decade towards this digital isolationism. In 2005, the Iranian government announced its intent to develop a National Information Network (NIN).⁹⁶ Iranian leaders then argued that the network was necessary to secure the country’s national security interests. This argument gained currency within the country after an American-Israeli cyberattack substantially damaged Iran’s nuclear program in 2010.⁹⁷ Another motivation for the project arose from the 2009-2010 Green Movement protests, a series of massive, peaceful, demonstrations over the contested 2009 elections that highlighted the potential of social media as a tool for both organizing and amplifying protesters’ visibility in the global media.⁹⁸ In the aftermath of the protests, which the government put down with systemic violence against protesters alongside thousands of arrests and over 100 executions,⁹⁹ officials increasingly viewed western social media as a threat to their regime, one which the NIN would counter.¹⁰⁰ The government officially began the NIN project in 2013, and its development is still ongoing.¹⁰¹

Once complete, the NIN would enable the Iranian government to cut off domestic access to the global internet without disrupting the country’s critical domestic digital infrastructure—such as, for example, the online operations of its hospitals.¹⁰² To understand the repressive potential of such a system, one can look at the events of November 2019, when Iran’s government shut off the populace’s access to the global internet in the midst of a wave of anti-government protest.¹⁰³ By shutting off global internet access, officials were able to substantially dampen international awareness and coverage of the protests, in which hundreds of protesters were reportedly killed by security forces.¹⁰⁴

With a fully functioning NIN, the economic and administrative costs for such an internet shutdown in response to protests would be minimized—all the political benefits of cutting one’s citizenry off from the world, with few of the drawbacks.

“Iran’s National Information Network is designed to make disconnection easier,” noted Kaveh Azarhoosh, an Iranian digital rights researcher who has long monitored the Network’s development. “It is a means to an end, and the end is further controlling Iran’s digital borders.”¹⁰⁵ Azarhoosh concluded that if Iran succeeds at fully disconnecting itself, it “would be a blueprint for a lot of other countries seeking to emulate them. I can guarantee you that Turkey is looking at what Iran is doing. I can guarantee you that Lebanon is looking, that Iraq is looking, that Russia is looking.”¹⁰⁶

Governments may attempt to justify these proposals through appeals to national security; but a separated and nationalized internet, by design, empowers them to cut their citizenry off from the outside world—isolating them from the global free flow of digital information and empowering the state over its own people. Such isolationism would represent a boon for regimes that have chosen to engage in systemic digital censorship, making it far more difficult for citizens to visit websites hosted within another country. Russia and Iran’s efforts toward such a nationalized internet threaten to pave the way for other repressive governments to follow, posing chilling implications for freedom of expression, privacy rights, and civic discourse.

The Dangers of Internet Fragmentation and the “Splinternet”

As the Internet Society’s Konstantinos Komaitis has noted, “The internet was not designed to recognize physical boundaries or to comply with only one actor’s rules.”¹⁰⁷ Governments’ attempts “to make the internet fit within national borders or to make it comply with one nation’s regulatory thinking for the sake of maintaining some sense of control” only threaten to fracture and weaken the internet—a phenomenon that experts have dubbed “digital fragmentation.”¹⁰⁸ The risk of fragmentation is triggered not only by governments undermining the interoperability of the internet through the construction of national internet networks, but by efforts to enforce one state’s national digital regulations beyond their own borders, or to block information from freely crossing national boundaries.¹⁰⁹ The extent to which this fragmentation has already occurred or is likely to occur in the near future is debated, a debate complicated by the fact that “digital fragmentation” has no single definition; like digital sovereignty, it describes both a political and a technological reality.

In recent years, however, analysts and advocates have stepped up their concerns over digital fragmentation, to the point that they have begun warning of “the balkanized internet,” “the Westphalian Web,” and, most succinctly, “the splinternet.”¹¹⁰ The splinternet is a dystopian prediction: As countries increasingly seek to raise digital boundaries around their domestic internet, the global internet will increasingly fragment to the point where it no longer makes much sense to speak of a single internet at all. The ability of writers, journalists, and others to communicate across national boundaries will be subject to political diktats, online communities will fracture, and a new toolbox for state repression will open. Authoritarian and illiberal leaders would especially celebrate this development, as a means toward enforcing greater information control over their own populaces, and advancing their ability to shut their people off from the rest of the world.¹¹¹

Proponents of an authoritarian digital sovereignty framework are actively pursuing digital fragmentation as a political goal, including through advocacy on the global stage. They are doing so, in large part, not only in furtherance of their goal of accruing new powers over their own domestic internets, but to fundamentally restructure the global internet, rebalancing it in favor of sovereign governments and normalizing the idea that such sovereign powers are both necessary and acceptable.

Under the current, long-standing, model of internet governance, key internet protocols are managed not by the United Nations or by individual states, but by non-governmental and multi-stakeholder groups of experts. This includes groups like the Internet Corporation for Assigned Names and Numbers and its affiliated Internet Assigned Numbers Authority (IANA), which manage the Internet Protocol (IP) address protocols and the Domain Name System of the internet.¹¹² DNS and IP are two foundational elements of the infrastructure of the internet, essentially providing the series of digital addresses that situate each website or digital device within the world wide web. Non-governmental stewards of the internet also include groups like the Internet Engineering Task Force (IETF) and its affiliated Internet Society, the Internet Architecture Board, and the World Wide Web Consortium, which each play a major role in both creating and promoting global standards for how these and other foundational underpinnings of the internet should be managed.

Governments pushing for greater control over the internet have proposed new foundational structures for the internet that would cut out these non-governmental groups, replacing them with governmental actors.¹¹³ In November 2017, public reporting revealed that Russia’s Security Council had instructed the country’s Ministry of Communications and the Ministry of Foreign Affairs to develop a proposal for a new DNS root server system for the BRICS countries—Brazil, Russia, India, China, and South Africa.¹¹⁴ This plan appears to have gone nowhere in the years since, and many digital experts say that such an ambitious technological idea is far easier proposed than executed. Still, had it been implemented, such a proposal would have put approximately half of the world’s population under a new internet infrastructure, with government officials acquiring broad new powers over which websites people could access or even locate. It is particularly worth noting that four out of the five BRICS governments, all but South Africa, are ranked as ‘not free’ or ‘partly free’ on the 2020 Freedom House measurement index for Digital Freedom. The most powerful BRICS country—China—ranks dead last.¹¹⁵

In 2018, delegates from Huawei, the Chinese telecommunication giant, introduced a similar splintering proposal to radically reorient the foundational structures of the internet. At a meeting of the International Telecommunications Union (ITU), the UN body that plays—alongside the aforementioned multi-stakeholder groups—a major role in setting intergovernmental standards for internet protocols, Huawei proposed the creation of a New Internet Protocol (New IP) to replace the current privately-regulated model with a “top-down,” centralized internet infrastructure. Huawei representatives, along with representatives of China Mobile, China Unicom, and China’s Ministry of Industry and Information Technology, continued to push the idea of a New IP in 2019, submitting a proposal that September to the Telecommunication Sector Advisory Group—a working group within the ITU—reiterating their call for an overhaul of the IP system.¹¹⁶

This new protocol would have laid the technical foundation for governments to enjoy broad, comprehensive powers over the internet in their own countries—giving them the ability to block apps, silence activists online, impose online censorship, and surveil internet users.¹¹⁷ The Financial Times, the only major English-language media outlet to report in depth on the proposal, cited ITU representatives sharing their fears that “if New IP was legitimised by the ITU, state operators would be able to choose to implement a western internet or a Chinese one . . . The latter could mean that everyone in those countries would need permission from their internet provider to do anything via the internet — whether downloading an app or accessing a site — and administrators could have the power to deny access on a whim.”¹¹⁸

Like the Russian proposal, Huawei’s proposal has so far failed to gain traction. But Beijing’s efforts to advance the idea of a New IP on the global stage is representative of its larger, deliberate efforts toward digital fragmentation. “Beijing,” as one analysis from the European Council on Foreign Relations puts it, “wants to see a series of interconnected national internets rather than a global infrastructure, with each national internet governed by the laws and values of its home state.”¹¹⁹

Mehwish Ansari, head of the Digital Team at the free expression organization ARTICLE 19, has monitored internet regulatory development at the ITU and elsewhere for the past several years. Ansari believes that resistance from expert communities, opposed governments, and other stakeholders who recognize the dangers of such fragmentation make it unlikely that proposals like the New IP will succeed any time soon. But, she cautions, “What I am more concerned about is the normative impact of these types of proposals, even if they aren’t going to be standardized and implemented at this time. I’ve heard the same concern from government delegates to the ITU and from academics, for years. It’s not that these proposals are necessarily going to change the internet today or tomorrow. By introducing these proposals in spaces like the ITU, the architectural principles and values that are embedded in them can and will be normalized, so that if these same ideas are reintroduced by the same or different actors as part of the next wave of innovation, whether it’s an evolution of the internet or even the emergence of a new communication medium after the internet, they may not be so staunchly opposed. That’s what I’m concerned about.”¹²⁰

A future internet that is fragmented and siloed across political lines would represent a step backward for human rights, freedom of expression, and intercultural connection on a global scale. The concept of the nationalized internet, in particular, threatens to dramatically expand governmental control over the online information that people within a given country can access and the activities they can participate in. Such control would enable systematic censorship, preventing residents from publishing, seeking out or stumbling upon online information that their government has declared off-limits. And it would dramatically expand opportunities for government surveillance. Rights advocates and policy makers alike must recognize the destructive potential of this vision, so they can both resist its encroachment on the global stage and ensure that their own regulatory approach does not contribute to internet fragmentation.

Section III: When ‘Accountability’ Goes Wrong: Governmental Tactics to Coerce Corporations into Aiding Repression

Globally, there is a rising call for corporate accountability online, prompting proposals for greater state controls over the behavior of corporations, including social media companies, whose platforms represent a de facto digital public square for billions of people in nearly every country; internet providers, which connect users to the internet at large; website hosts; and other major corporations in the digital space such as Google, Amazon, and Alibaba. Social media and digital advertising companies have driven a global wave of concern over how such corporations scrape and utilize user data, how they monetize their services, how they wield their power, how they can impact democratic discourse or even societal perceptions of truth, and, most fundamentally, to whom they are accountable. In response to these concerns, states are weighing new regulatory approaches designed to address some of these real, substantive issues. But, as with other calls to increase their sovereign power over the internet, states can exploit these issues to advance ‘solutions’ that not only fail to protect their citizens, but may actively undermine their human rights—with freedom of expression and privacy rights potentially the first casualties.

Repressive Governments are Increasing their Leverage over Corporations

Internet service providers, social media companies, and other online service providers frequently have a major say in how governments exercise control over the internet, because the parameters of this control are often settled through negotiation between the state and the company or in multilateral fora that include state and corporate representatives.¹²¹ Yet international law places comparatively few obligations on such corporations to refuse compliance with a domestic law that will foreseeably lead to human rights abuses. The most authoritative declaration of these obligations, the UN Guiding Principles for Business and Human Rights, lacks the status of binding international law, and merely calls upon businesses to respect human rights principles “to the greatest extent possible in the circumstances” when in conflict with domestic laws enabling abuse.¹²²

As a result, corporations are largely self-governed in this area, relying on their own internal policies as well as agreed-upon but non-binding norms such as those created by multi-stakeholder organizations. The multi-stakeholder Global Network Initiative (of which PEN America is a member), for example, has laid out a set of Principles on Free Expression and Privacy as well as implementation guidelines to which participating companies commit themselves, and last year, it released additional guidance on how companies should apply these principles when local law conflicts with human rights.¹²³ Such guidance similarly lacks the status of law, and moreover apply only to companies that commit to them.¹²⁴ Often the greatest moment of agency for an online service provider is when they decide whether or not to do business within a given state in the first place.

Recognizing this leeway, autocratic and illiberal governments are quickly adopting a new set of laws to increase their leverage over social media platforms and other online service providers operating in their countries, in an effort to corral or coerce them into aiding governmental repression. These laws may include strict data or personnel localization mandates as well as content-removal obligations. While such laws may appear neutral and technocratic, when adopted by repressive governments, such requirements put pressure on companies to hand over a bargaining chip: an employee who could be arrested, data that could be seized, or corporate infrastructure that could be appropriated. They also reduce the companies’ options for how to respond in cases of either abusive government orders or the passage of new laws that further downgrade the atmosphere for digital rights within the country. Some digital rights advocates have even begun referring to personnel localization requirements from rights repressive authoritarian or illiberal states as a new “hostage model” tactic for digital control.¹²⁵

Vietnam and China’s similar Cybersecurity Laws are two useful examples of regulations which strengthen the government’s ability to compel compliance from social media and other technology companies in contexts where broad categories of speech and peaceful dissent are routinely criminalized,¹²⁶ political censorship is systemic,¹²⁷ government surveillance is largely unchecked,¹²⁸ and meaningful domestic constraints on security services’ ability to seize private data do not exist.¹²⁹

China’s Cybersecurity Law, which took effect in 2017, makes data localization mandatory for any company wishing to operate within the country—and companies like Apple, LinkedIn, and Airbnb have already complied, placing millions of Chinese users’ data within reach of the government.¹³⁰ Contrast this acquiescence with the reaction to Beijing’s imposition of the Hong Kong Security Act on the semi-autonomous region of Hong Kong in June 2020. The Act created several new categories of national security crimes and gave the government broad new powers, essentially imposing mainland China’s system of criminalization of political dissent onto a city whose “one country, two systems” framework had previously prohibited such draconian restrictions. Companies including Facebook, Google, and Twitter all suspended their compliance with the Hong Kong government’s requests for user data, recognizing that such data could be used for the newly-legalized repression of HongKongers.¹³¹

This was easily the right decision from the perspective of safeguarding the human rights of HongKongers whose data could have been used by authorities to monitor protesters, punish pro-democracy supporters’ free speech, surveil its critics, and commit a host of other abuses. Such a principled stance, however, is only possible for corporations that store user data outside of Hong Kong, and thus outside of Hong Kong law enforcement’s immediate jurisdiction and control. It is far harder for a corporation to refuse law enforcement requests to access its user data if the data is already stored within the territory—as China’s Cybersecurity Law now requires for companies offering their services within the mainland.

In a telling example of how quickly repressive digital governance strategies can spread, Vietnam’s Cybersecurity Law, implemented in 2019, is largely modeled off China’s Law.¹³² Both laws include mandatory data localization requirements, along with requirements that social media companies comply with governmental takedown requests and that service providers disclose user data to authorities even absent a court order.¹³³ Even before the Cybersecurity Law, Vietnam’s government had demonstrated its willingness to use domestic regulations as a tool to force Western tech companies like Facebook, Google and Apple to comply with its censorship strictures, successfully pressuring them to cut off Vietnamese users’ access to prohibited content—such as thousands of “malicious” videos, hundreds of websites with “anti-governmental content,” and even video games that contained “distortions of Vietnamese history.”¹³⁴

Facebook and YouTube especially play an outsized role in Vietnam’s online civic space, and digital rights and democracy activists commonly stress that these platforms offer Vietnamese users a way to share their views without going through a government-controlled publishing outlet. As Vietnamese artist/activist Mai Khoi told The Washington Post, “The cybersecurity law is an attempt by the government to control the only space where people can talk freely.”¹³⁵ The Law’s data localization and data-disclosure demands are particularly frightening when considering the government’s relentless targeting of dissident bloggers, with courts commonly handing down years-long prison sentences for online speech that it deems traverses vaguely defined and arbitrarily enforced national security crimes such as “anti-state propaganda.”¹³⁶

Reviewing the Law in 2019, journalist Timothy McLaughlin concluded that the legislation “could serve as a model for other repressive governments of how to control information and suppress dissent online while at the same time continuing to grow a vibrant tech sector.”¹³⁷ Sure enough, on February 9, 2021, Myanmar’s military junta, days after overthrowing the country’s elected government and in the midst of a brutal crackdown meant to consolidate power, proposed a draft cybersecurity law aiming to secure powers similar to those outlined in the Vietnamese and Chinese laws.¹³⁸

Turkey provides another example of how rights-repressive governments can ratchet up the pressure on international corporations, including through the “hostage model” of regulation. On October 1, 2020, the government implemented a set of amendments to its social media law, implementing new data localization measures as well as creating new levels of domestic accountability for social media companies.¹³⁹ Under the newly amended Internet Law No. 5651, major social media companies are forced to appoint Turkish citizens to serve as their legal representatives within the country—something which increases the government’s leverage over their employers.¹⁴⁰ These representatives would be charged with resolving the Turkish government’s content removal demands within 48 hours, or the company would face heavy fines.¹⁴¹ To put teeth to its legislation, the Turkish government began fining platforms that failed to appoint such representatives, including Facebook, Instagram, TikTok, Twitter, and Youtube—once, in November 2020, to the tune of 10 million Turkish lira (approx. $1.3 million), and again in December 2020, for 30 million Turkish lira (approx. $3.8 million).¹⁴²

The new rules closely followed a speech by President Tayyip Recep Erdoğan that called for a “cleaning up” of social media platforms after users insulted his daughter and son-in-law on social media.¹⁴³ Some of those who allegedly posted these insults were detained by police.¹⁴⁴ Erdoğan has previously been vocal about his desire to control social media platforms’ presence in the country, seeing their potential for mobilizing protests as a threat to his power.¹⁴⁵

“Turkey already had in place expansive criminalizations of online speech,” Deniz Yüksel, a Turkey advocacy specialist at Amnesty International USA, wrote in one review of the new mandate. “It’s a country where judicial independence has been steadily undermined, and censoring the web has traditionally been a domestic and legalistic affair . . . Moreover, the blocking of online content critical of the government and the prosecution of individuals expressing dissenting opinions on social media has increased in recent years under the ruling Justice and Development Party (AKP).” Yüksel added that this aggressive intrusion on digital dissent has only increased during the COVID-19 pandemic, and that the new law will foreseeably “further squeeze Turkey’s battered civil society.”¹⁴⁶

Several of the world’s largest corporations have already accepted Turkey’s new demand. In December, Google indicated that it would comply with the order to appoint local representatives, while insisting that the law would not change its response to content removal requests, nor its management of Turkish users’ data.¹⁴⁷ TikTok and Facebook both quickly followed suit, publicly acknowledging that they would consent to the order in January 2021.¹⁴⁸ These decisions will presumably set a dangerous precedent: not only for social media operations but also for other digital service providers; and not only in Turkey but also in other countries that hope to exert pressure on foreign tech companies and limit their citizens’ ability to express dissent.¹⁴⁹

Another example of newly-adopted “hostage model” tactics comes from India, the world’s largest “digital decider” state, which has seen a democratic backslide under Prime Minister Narendra Modi, and which has increasingly imposed political censorship on social media companies under the guise of imposing democratic accountability.¹⁵⁰ In February, the government implemented a set of new rules for online content that grant the government substantial additional leverage over social media and other online companies.¹⁵¹ Under the rules, online platforms must appoint a local “grievance officer” to quickly address content takedown requests from complainants, with a government-appointed body having final authority on whether the platform must delete or change content. These local grievance officers must also share their names and contact details with government officials.¹⁵² These new requirements are particularly dangerous when paired with India’s Information Technology Act, which enables the government to impose a sentence of up to seven years imprisonment on company officials who fail to comply with government takedown orders issued on the grounds of subversion or threat to public order or national security.¹⁵³

Officials have claimed the new rules will help prevent “internet imperialism” by major social media platforms.¹⁵⁴ Yet, the government itself has acted more and more imperiously in wielding content takedown orders to silence political criticism. In February, before the new rules were implemented, officials compelled Twitter to remove from view within India dozens of accounts criticizing New Delhi’s heavy-handed response to farmer protests that have swept the country. Twitter had originally attempted to largely resist the order, citing its commitments to free speech, but reversed course after receiving a no-compliance order threatening potential jail time for its employees.¹⁵⁵ In April, the government ordered Twitter, Facebook, and Instagram to remove from view hundreds of social media posts criticizing its response to the COVID-19 pandemic.¹⁵⁶ “In India,” one journalist reporting on the orders summarized, “companies face a stark choice: follow laws and risk suppressing political debate, or ignore them and face harsh punishments, including prison time for local employees, in a potentially huge growth market.”¹⁵⁷

Social media companies are not the only targets of new laws meant to make corporations tow the government line. In Russia, almost simultaneous with the passage of its Sovereign Internet Law in 2019, Russian legislators passed a ban on the sale of smartphones, computers, and TVs that did not have certain Russian apps pre-installed.¹⁵⁸ Backed by the Putin administration, the ban has been informally dubbed “the law against Apple,” given its apparent aim to compel Apple specifically to shed its rules against pre-installing applications.¹⁵⁹ In March 2021, Apple partially conceded, adding a setup screen to its iPhones sold in Russia that prompts users to download apps from Russian developers.¹⁶⁰ While not a complete concession to the law, Apple’s move still may serve as a greenlight to other repressive regimes wishing to force technology companies to serve as vectors for government-approved digital apps that they can better surveil or censor.¹⁶¹

These government efforts to force technology giants into doing their bidding serve to demonstrate how the re-balancing of power between states and corporations can go terribly wrong. As countries across the globe determine how to impose accountability on the corporations that mediate our digital speech, there is substantial potential for this “accountability” to instead take the form of coercive measures designed to enlist these same corporations in political repression.

Governments are Increasingly Compelling Internet Shutdowns

These new tactics fit within a larger sphere of digitally-repressive actions, taken in the name of a government’s sovereign interests, for which these governments may require corporate compliance. Of these actions, none are more aggressive than a state shutting down users’ access to the internet within the country. Government-ordered internet shutdowns are commonly used to provide cover for acts of state violence, such as crackdowns on peaceful protests, or to quash public mobilization.¹⁶²

The tactic is not new, but it is increasingly a go-to tool for governments, including many of the digital deciders that are in the process of determining the future framework of their internet governance. #KeepItOn, an international coalition of civil society organizations (including PEN America) that monitor and protest internet shutdowns, has annually documented the number of shutdowns since 2016, noting a three-year upswing: from 75 shutdowns in 2016, to 106 shutdowns in 2017, to 196 shutdowns by 25 countries in 2018, to 213 shutdowns by 33 countries in 2019.¹⁶³ Of those 33 countries, eight fall within the “digital decider” camp.¹⁶⁴ India, the world’s largest democracy and perhaps the most significant digital decider, has emerged as the world’s leader in imposing shutdowns, blocking some portion of its population 121 times in 2019 alone.¹⁶⁵ In 2020, the most recent year studied, there was a downturn in these numbers—155 shutdowns from 29 countries, including seven digital deciders.¹⁶⁶ But #KeepItOn researchers warn that this reduction does not appear to be connected to any overall expansion of global digital rights.¹⁶⁷

As Section II of this report examines, authoritarian leaders have pushed to either fragment the internet into more nationalized spheres or to build their own regulatory and technological infrastructure for a national internet, both of which risk lowering the costs and technological barriers of triggering such a shutdown. Some states, like Ethiopia, rely entirely on state-owned providers, making it far easier to order these providers to shut down their services.¹⁶⁸ Yet in most cases, a government that wishes to trigger a shutdown requires the assent or assistance not only of purely domestic (state-owned or private) corporations but also of international corporations that may be major internet providers within the country.

A recent example comes from Belarus, which since August 2020 has experienced the largest anti-government protests in its history, protesting the political repression and evident electoral fraud of President Alexander Lukashenko and his administration.¹⁶⁹ The government has responded not only with systematic and repressive violence, but also with waves of internet shutdowns designed to undermine the organizing and the visibility of the protests. Belarusian authorities ordered service provider A1 Belarus—a subsidiary of the Austrian company A1 Telekom Austria Group—to comply with their shutdown orders, and A1 Belarus dutifully acquiesced.¹⁷⁰ An executive of A1 Belarus, justifying the decision, said that the Austrian parent company was “deeply concerned” about the shutdowns but argued that its communication services were largely reliant on state-controlled infrastructure, and cited its need to comply with “local and regulatory requirements.”¹⁷¹

The invocation of “local requirements” as a rationale for compliance, however, offers little consolation to protesters facing the brunt of their government’s cruelty under cover of digital darkness. Franak Viačorka, a Belarusian journalist and opposition activist, is one of the many Belarusians who reacted with anger at A1’s decision, saying at a December 2020 event that A1 specifically is “the biggest telecommunication provider in Belarus. And the authorities of Belarus, when they needed to block the internet, they didn’t do it with their own hands, but they ordered the foreign Austrian company to do it . . . We have been trying to put pressure on the company in Vienna, saying, ‘You shouldn’t do this. You shouldn’t help a dictator.’ But they say, ‘We cannot say no, since we are limited by law, and when the government forces us, we have to limit the internet.’”¹⁷²

Another recent, and ongoing, example involves Myanmar, where hours after seizing power the leaders of the February 2021 military coup ordered a country-wide internet shutdown.¹⁷³ Companies complying with the order included not only state-owned internet service providers, but also international companies such as Telenor Myanmar, a subsidiary of the Norwegian Telenor Group, and Ooredoo Myanmar, a subsidiary of the Qatari Ooredoo Group.¹⁷⁴ This shutdown remained in place even as military forces gunned down hundreds of demonstrators demanding the return of their democracy.¹⁷⁵ In an open letter to mobile operators and internet service providers operating in Myanmar, a group of Myanmar civil society organizations pointed out that, by complying with the military junta’s directives, these companies were “essentially legitimizing” the military’s stolen authority, and called on these companies to take “every action possible” to appeal these illegitimate orders.¹⁷⁶

When responding to internet shutdown demands, internet service providers and mobile operators have opportunities to respond in ways that mitigate the human rights impacts of compliance. David Sullivan, Program Director at the Global Network Initiative, has laid out five actions corporations can take, either before or in response to an internet shutdown order:¹⁷⁷

Clarify their legal obligations, including by seeking legal advice from outside counsel, rather than passively accepting the government’s interpretation of its own legal authority to compel a shutdown
Document everything, in order to ensure full corporate visibility on the scope and severity of the shutdown
Narrow disruptions as much as possible in order to reduce their impact;
Provide transparency, including by notifying users about government-imposed disruption; and
Collaborate with allies, including civil society organizations, to better resist and respond to such shutdowns.

These steps, and in particular the step of narrowing disruptions as much as possible, are not merely options for these companies, but actions that—under the UN Guiding Principles for Business and Human Rights—they are expected to take in keeping with their human rights responsibilities.

In the case of Belarus, on October 1, #KeepItOn issued an open letter—to which PEN America was a signatory—to leaders of A1 Belarus and its Austrian parent company, laying out a similar series of steps that the corporation could take to resist the government shutdown demand while still remaining in compliance with national law. Specifically, the signatories exhorted A1 to:

Publicly denounce the internet shutdown;
Preserve evidence and reveal any demands from the Belarusian government;
Publicly disclose details about the extent, scope, and status of the shutdown;
Contest the legality of the internet shutdown order; and
Consult civil society groups and rally peer companies to jointly push back against the shutdown¹⁷⁸

Internet service providers have power, and under international law they are expected to use it to uphold human rights to the greatest possible extent. But so much more is needed, particularly given that internet shutdowns are on the rise. All internet service providers and mobile operators must develop policies and procedures to ensure that, upon receiving such a demand, they have a more meaningful response than meek compliance. Meanwhile, corporations, civil society, and rights-respecting governments must act affirmatively to stop the normalization of internet shutdowns, and must push back forcefully against any invocation of sovereignty that seeks to legitimize shutdowns as a legitimate tool for governmental regulation.

Section IV: Envisioning a New Digital Democratic Multilateralism

In grappling with how governments committed to an open and human rights-anchored internet can act to safeguard it, some commentators have begun calling for a new model of democratic multilateralism for internet governance, driven by a coalition of established democracies. The British government reportedly approached Washington last year to propose the creation of a “D10,” a group of 10 democracies that would collaborate on supplying 5G equipment and other digital technologies.¹⁷⁹ Over the past year alone, experts at institutions such as Stanford’s Cyber Policy Center, the Brookings Institution, the German Marshall Fund’s Alliance for Securing Democracy, and the Council on Foreign Relations have all proposed some variant of this idea—a digital democratic club, one that would help set democratic norms for the development of new technologies and digital governance, and to serve as a counterpoint to the Digital Silk Road and other efforts to export a repressive approach.¹⁸⁰

This idea is gaining particular traction within U.S. policy circles, particularly as Washington policymakers respond to the rise in tensions between the United States and China. Global internet and telecommunication infrastructure is quickly becoming a new front for competition between the two powers, with the United States taking increasingly aggressive action to excise telecommunications equipment and infrastructure produced by the Chinese telecommunications giant Huawei—as well as similar Chinese companies such as the partially-state-owned ZTE¹⁸¹—from the global supply chain.

Huawei is the world’s largest producer of telecommunications equipment and 5G infrastructure, as well as the world’s second-largest producer of smartphones.¹⁸² Although Huawei is privately owned, it is widely viewed by experts as closely aligned with the Chinese government.¹⁸³ Huawei infrastructure has underlaid much of the world’s internet connectivity, including the majority of Africa’s 4G infrastructure,¹⁸⁴ as well as that of some rural U.S. communities drawn to the technology by its low price point.¹⁸⁵ Yet U.S. national security experts have warned that Huawei 5G technology could be used to give the Chinese government access to Americans’ data, and caution that in case of a conflict between the two countries, the company could shut down its telecommunications infrastructure within the country on orders from Beijing, or serve as a vector for malicious software that could compromise the United States’s digital connectivity both within and beyond U.S. borders.¹⁸⁶

The Trump Administration had made increasingly-aggressive action against Huawei and other Chinese telecommunications companies a cornerstone of both its tech policy and its trade war with China. Under Trump, in August 2020 the State Department unveiled its Clean Network Program, designed to commit both governments and companies to excising these telecoms from their supply chains in order to be treated as trusted partners.¹⁸⁷ Efforts to limit Huawei’s reach within the United States and to excise it from American infrastructure first began under the Obama administration,¹⁸⁸ and have emerged as an area of rare bipartisan consensus: Congress passed the Secure and Trusted Communications Act in 2020 to stop telecoms from using government funds to buy Huawei or ZTE equipment, and to mandate the removal of equipment already in place within the United States.¹⁸⁹

The Biden Administration has continued these efforts, putting new limits on Huawei suppliers in March 2021.¹⁹⁰ U.S. allies, including India, Australia, the United Kingdom, and Japan have also taken action to limit Huawei technology or excise it from their national infrastructure.¹⁹¹ There is a hot debate amongst digital policy experts and digital rights advocates as to whether such measures are a justifiable response to fears of Chinese government surveillance and shutdown capabilities,¹⁹² or an unnecessary maneuver that will only exacerbate internet fragmentation.¹⁹³

This climate of suspicion and uncertainty creates a strange dilemma for U.S. policymakers who espouse a commitment to a free and open internet. On the one hand, the Chinese government has worked aggressively to influence global norms for digital technology, to proselytize an authoritarian framework of digital sovereignty, and to develop and export digital technologies that facilitate repression.¹⁹⁴ These are all clear threats to the future of the internet as a space for the free and uninterrupted flow of ideas and information, and they necessitate a response. On the other hand, U.S. efforts to counterbalance these pressures by excising Huawei and pushing other countries to do the same, particularly if mishandled, risk reinforcing this digital partition and transforming the issue of digital privacy into merely another political football between the two powers.

These risks were particularly apparent during the Trump Administration, which conflated a diverse set of concerns when justifying its actions against Huawei—citing data privacy and national security issues broadly while simultaneously playing up its efforts to counter China specifically. As Graham Webster, a scholar at the Stanford Cyber Policy Center, described it, the Clean Network Program has suffered from a fundamental framing issue wherein “the only things deemed unclean are Chinese things, tying some legitimate questions about tech security and governance to a maximalist frame and familiar racist trope against Chinese people.”¹⁹⁵

This disjointed approach was also evident in the Trump Administration’s attempts to block Chinese social media apps TikTok and WeChat, with President Trump in August 2020 issuing executive orders threatening to expel both platforms unless they separated from their Chinese parent companies.¹⁹⁶ While Trump cited national security concerns over access to Americans’ data, the move was largely derided as “security theater” by experts,¹⁹⁷ and subsequently blocked by the courts.¹⁹⁸ These threats represented both a disturbing willingness by a U.S. president to unilaterally shut down an entire platform for speech and a troubling adoption of a techno-nationalist viewpoint by a U.S. administration—threatening to validate China’s authoritarian and isolationist framework towards internet regulation even while claiming to combat it.¹⁹⁹

For its part, Beijing responded to the Clean Network Program by doubling down on its vision of digital sovereignty on the global stage. In September of 2020, in a move widely interpreted as a direct response to the Program, Foreign Minister Wang Yi, proposed a new set of global standards on data security. Dubbed the “Global Initiative on Data Security,” these standards would “Strengthen the notion of digital sovereignty and data isolation across all States, [and] encourage States to respect and abide by the internet regulations of other States.”²⁰⁰

Already, observers have begun warning of a “digital iron curtain” falling between Washington and Beijing,²⁰¹ with the battle over internet infrastructure increasingly forcing digital deciders to choose a side. Those who ascribe to this view include influential voices in Washington who are urging policymakers to accept this division as the new normal. In the fall of 2020, an informal “China Strategy Group” of DC policy experts and U.S. tech industry leaders issued a report that, while stressing “multilateralism” and global cooperation, came to the bleak conclusion that “some degree of [technical] disentangling [with China] is both inevitable and preferable . . . Trends in both countries—and many of the tools at our disposal—inherently and necessarily push toward some degree of bifurcation.”²⁰² The Strategy Group report has reportedly been well received within the Biden Administration.²⁰³

It is against this backdrop that U.S. congressional leaders have begun seriously exploring the creation of a digital alliance of democracies, or at least a more formal and substantial U.S. commitment to a digital democratic multilateralism. In the first half of 2021, lawmakers proposed several bills that would take steps towards this goal, each of which were framed as partially or primarily in response to China’s growing influence over the internet.

The bill that has most comprehensively envisioned a new digital alliance is the Democracy Technology Partnership Act (DTPA), backed by a bipartisan group of senators, which would create a State Department office to “lead in the creation of a new partnership among the world’s tech-leading democracies.”²⁰⁴ This new partnership organization would, among other things, coordinate on technology policies and standards; adopt shared data privacy, data sharing, and data archiving standards; create shared policies around export controls and technology transfer; and coordinate on operation of supply chains in critical technology areas.²⁰⁵ In the bill’s introductory language, the senators make clear that they have proposed such a partnership primarily in response to Chinese efforts in this arena.²⁰⁶

Other recent bills have not gone as far as proposing a new international partnership, but have included provisions aimed at strengthening U.S. multilateral engagement on these same issues.²⁰⁷ These bills include:

The Strategic Competition Act of 2021,²⁰⁸ which would direct the Secretary of State to form a Digital Connectivity and Cybersecurity Partnership to engage with other countries on the issues of internet access and digital infrastructure; promote internet regulations that foster an open, interoperable, and secure internet; and encourage the exportation of US technologies, as well as adopt some of the major components of the DTPA
The Cyber Diplomacy Act of 2021,²⁰⁹ which would create a State Department Bureau of International Cyberspace Policy to promote democratic ideals in the global digital realm
The STRATEGIC Act (Strengthening Trade, Regional Alliances, Technology, and Economic and Geopolitical Initiatives concerning China),²¹⁰ which would create a State Department program to facilitate regulatory dialogue between the United States and partner countries as well as a presidential working group to strengthen U.S. leadership in international standards-setting bodies

On June 8, shortly before this report went to press, the Senate passed the United States Innovation and Competition Act of 2021, an omnibus bill aimed at positioning the U.S. to counter China’s economic and military growth.²¹¹ The bill, numbering over 1400 pages, incorporates the Strategic Competition Act, including its mandate that the Secretary of State create a Digital Connectivity and Cybersecurity Partnership.²¹² As of the publication of this report, it remains to be seen how the House of Representatives will respond to the bill.

Regardless, the active legislative landscape on this issue makes it clear that U.S. lawmakers are seriously evaluating the creation of such a digital democratic alliance—or, at the very least a much more assertive approach toward building a democratic multilateralism around digital policy.

Forming this alliance would not necessarily require a new multilateral body. Marietje Schaake, a former member of the European Parliament and international policy director at Stanford’s Cyber Policy Center who has proposed a new “U.S.-E.U. Tech Alliance,” has pointed to the Biden Administration’s intended Summit for Democracies as a potential forum to develop new shared guidelines and standards on issues such as data protection and accountability in automated decision-making. The Global Network Initiative’s Jason Pielemeier has argued that U.S. policymakers should instead re-commit to and expand the scope of operations of the Freedom Online Coalition, an intergovernmental grouping of 32 democratic states—including the United States—established in 2011 to collaborate on supporting internet freedom and protecting digital rights.²¹³

PEN America sees this rise in interest from U.S. policymakers toward a new—or reinvigorated—model of democratic digital multilateralism as encouraging, with important caveats. There is an obvious and urgent need for new digital norms and standards that safeguard the promise of an open and free internet predicated on respect for human rights, and we welcome any possibility for greater coordination among democracies to develop these standards. Further, the prospect of joining a digital democratic group, if handled correctly, could incentivize digital deciders to adopt more rights-friendly approaches to digital governance.

Yet there are risks to such an approach, particularly if not managed well. Firstly, there is the likelihood that any such multilateral grouping would further entrench the digital divide between the United States and China, further politicizing the issue of digital governance and adding to the fragmentation of the internet. This likelihood may be particularly severe with a formal alliance, prompting a similar effort by authoritarian nations to counterbalance such efforts. To a certain extent, such politicization may be inevitable—but it is also highly dependent on the attitudes and aspirations that policymakers bring with them when coming to the table. It is also dependent on the approach that such a multilateral grouping takes towards the “digital deciders”—how forcefully it pushes such countries to ‘choose a side’ on the issue of digital infrastructure, for example. These are complex considerations which must be weighed carefully.

U.S. policymakers in particular must commit to a multilateral framework that is more proactive and principled than simply countering China’s efforts in this space. Beijing’s policies are indeed aimed at tilting the overall development and operations of the internet and other digital technologies toward an authoritarian path, which demands a unified response. Yet, issues of global governance over our digital space cannot be neatly boiled down into a U.S.-China binary. Instead, any new model for democratic digital multilateralism must focus itself on adopting and prioritizing global standards for digital governance that can be widely adopted by countries, offering a proactive vision that will encourage digital deciders to move towards a more open internet. This would include robust standards for data protection, both domestically and when such data crosses borders. It would also include rights-protective standards for newly developing digital technologies—such as facial recognition, biometrics, and algorithmic analysis tools—as well as the creation of new, binding standards to strictly regulate the development of digital technologies that can be employed for the purpose of repression. These standards should be clear and actionable, offering any “digital decider” country or technology corporation a clear path towards adopting and implementing them. Similarly, such standards should be more than mere ‘best practices,’ with a system of incentives for countries and companies to not only adopt such standards, but to commit to keeping them.

US policymakers must also move forward with humility and a commitment not just to resisting digital authoritarianism abroad, but to responsibly reducing U.S. hegemony over the internet and to correcting digital governance deficiencies at home. A first step toward accomplishing this would involve the domestic development and implementation of more robust data privacy protections—in the face of both government and corporate access—which would raise the confidence not only of other governments but of everyday people both domestically and abroad.

Secondly, there is the risk that any new governmental alliance would, by design or in practice, degrade the central role of non-governmental stewards of the internet—groups like ICANN and the IETF. As this report notes, authoritarian governments looking to deliberately advance internet fragmentation have worked to cut these stewards out of the conversation and diminish their role. It would be a grave mistake if a new democratic alliance, in the name of safeguarding the internet, did the same. Any new democratic digital multilateral initiative must commit to working in tandem with, not usurping the role of, these non-governmental groups. Without a clear framework for collaboration and an explicit commitment to respecting these non-governmental foundations of the internet, such an initiative may pose more risk than reward.

To this end, any democratic digital grouping must ensure substantial space and agency for non-governmental actors, such as issue experts and civil society, to participate in the process of developing digital norms and standards. This multi-stakeholder engagement could potentially include corporations, but the framework for private sector engagement will require substantial thought, potentially including limits—for example, limiting companies to technical consultation as opposed to policy consultation.

Finally, U.S. policymakers should pursue a multilateral digital alliance in service of, not in lieu of, a broader U.S. commitment to a global internet. If the U.S. government simply accepts the contention that bifurcation is inevitable, it risks a self-fulfilling prophecy. The way we define the internet matters, and any sign of giving up on the internet as a global project will cede crucial rhetorical ground to authoritarian and illiberal actors who are pushing for ever more control over their populations. It is the ideal of the global internet, for example, that undergirds the expectation that technology companies will resist complicity in censorship and human rights abuses. Any new multilateral commitments should come in addition to, not in place of, a re-investment in global decision-making spaces for the internet—such as the United Nations and its affiliated forums and bodies. That is where authoritarian nations have forcefully pushed to undermine the global internet, and this ground should not be ceded.

Advocates of an open and free internet should support the idea that democratic countries can proactively promote a global framework in which the internet remains open and free, and where digital technologies and standards maintain human rights protection and promotion at their core. Such a framework must, however, be predicated on principles and not on politics. Only from there can a responsible and rights-respecting vision for a future internet emerge.

Recommendations

As governments re-negotiate the bounds of their power over the internet—in relation to international corporations, other states, and even their own citizens—the frameworks they develop will deeply impact and potentially transform the realization of our digital rights: our rights to freely and safely express ourselves online, our right to be free from intrusive surveillance, our right to access and share information and opinion, and our right to communicate across national borders. As such, considerations of human rights must be fundamental for all actors—governments, corporations, experts, and advocates—who play a role in determining our digital future. To this end, PEN America offers the following recommendations.

Governments Must Re-Center Human Rights in Digital Regulation, and Reject Authoritarian Notions of Sovereignty

Governments must develop their digital regulatory policies within a framework that acknowledges the limits of governmental control, centers human rights, shares power with non-governmental actors, and accepts and values the global and interconnected nature of the internet.

Accordingly, PEN America calls upon all governments to:

Develop strong legal, regulatory, and policy frameworks for the protection of personal data, including rights-respecting international frameworks for protecting such data across national jurisdictions;
Promote affirmative standards for the protection of people’s rights against both corporate and state power online;
Affirm a commitment to the global and interoperable nature of the internet and the right of people to communicate and share information across national borders as a fundamental organizing principle for digital regulation;
Refuse the accrual of governmental powers over the internet—through either technological or regulatory policy—that contradict international guarantees of human rights; and
Center regulatory policy around the rights of individuals rather than the prerogatives of governments.

Any government that chooses to invoke digital sovereignty as a rationale for digital regulation, or for its regulatory attitude towards the internet more generally, should accept a special obligation to:

Clearly articulate how their understanding of sovereignty is predicated on acceptance of international law, norms, and standards, and enshrine this rights-respecting foundation in any law, regulation, or policy advanced in the name of such sovereignty; and
Explicitly reject any formulation of digital sovereignty that prioritizes governmental control over individual agency.

Governments Should Require Human Rights Impact Assessments for New Digital Laws and Regulations

Founding director of Ranking Digital Rights Rebecca MacKinnon, among others, have argued that all states should require that all proposed legislation or administrative action to regulate the internet—including but not limited to data localization and personnel localization proposals—be subject to rigorous human rights impact assessments prior to their adoption.²¹⁴ PEN America believes such a step, if adopted, would help ensure that such laws and regulations comport with states’ human rights obligations, and help promote rights-centered decision-making as states develop their internet governance frameworks.

Accordingly, PEN America calls upon all states to adopt legal requirements to conduct human rights impact assessments (HRIAs) on all internet regulatory proposals that pose a potential impact on human rights, including but not limited to: data storage and data privacy proposals, proposals designed to regulate the conduct or activities of internet corporations, and proposals that affect the government’s ability or authority to shut down or impede internet connectivity. Such HRIAs should be

Impartially conducted by qualified experts;
Made publicly available upon their completion;
Meaningfully incorporated into the corporate decision-making process; and
Given substantial weight in the decision-making process. Specifically, an HRIA finding that a given regulatory proposal would foreseeably violate international human rights law, norms, or standards, should be treated as a bar against such proposed regulation, necessitating its amendment or rejection.

Corporations Must Resist Complicity In Digital Repression

Corporations have a crucial role to play in resisting complicity in digital repression and all too often are shirking it. Overall, and at the bare minimum, all internet and telecommunication corporations must commit to—and develop processes for—resisting government requests that are inherently or foreseeably injurious to human rights, including privacy and free expression rights. Such operational principles are reflected in the UN Guiding Principles on Business and Human Rights, as well as in the Global Network Initiatives Principles, but are unevenly adopted or meaningfully adhered to by digital service providers.

PEN America calls upon all corporations in the digital space—including internet service providers, mobile operators, social media platforms, and other major technology corporations—to:

Adopt and publish human rights policies that explicitly commit to respecting human rights standards, including those formalized within the Guiding Principles on Business and Human Rights as well as the Global Network Initiative Principles;²¹⁵ and
Develop and implement comprehensive human rights due diligence processes around all decisions regarding compliance with national regulations governing corporate conduct that may foreseeably impact human rights. This would include, but is not limited to: data storage, providing or facilitating authorities’ access to data, content takedowns or other decisions affecting access to digital content, personnel localization measures, and restrictions on internet access or other internet services.

Such human rights due diligence processes should:

Include the development of actionable steps to prevent—or at minimum, mitigate to the greatest possible extent—human rights impacts that may occur as a result of company compliance with national law, policy, or regulatory mandates;
Involve meaningful consultation with civil society, human rights defenders, and other relevant stakeholders;
Include public transparency around the processes themselves, with documents made publicly available in multiple languages;
Include specific, public commitments regarding companies’ refusal to comply with mandates that violate human rights or are otherwise inconsistent with human rights law, norms, or standards; and
Include baseline human rights standards for the circumstances under which a company would conduct—or refuse to conduct—business within a specific national market, including a commitment to conduct Human Rights Impact Assessments prior to entry.

Internet service providers and mobile operators, specifically, should have pre-existing developed processes for how to respond to an internet shutdown or slowdown order, including processes to:

Evaluate the legality of such an order, including its conformity with international human rights standards and with the corporation’s obligations to respect human rights;
Promote transparency regarding such orders and company compliance with them, including how, when, where, and to what extent such orders will affect internet access; and
Coordinate with other corporations, advocacy groups, civil society, and human rights defenders to resist such orders to the fullest possible extent.

Acknowledgements

This report was written by James Tager, research director at PEN America, with substantial drafting and editing contributions from Matt Bailey, program director for digital freedom. PEN America’s senior director for Free Expression Programs, Summer Lopez, reviewed and edited the report, as did interim Washington, D.C. director Dokhi Fassihian. Veronica Tien, program assistant at Free Expression Programs, provided additional editorial support and assistance. Report layout by Lisa Atenasio, online project manager. PEN America would also like to thank the interns whose research, fact-checking, and proofreading contributed significantly to this report: Sophie Ann Bryant and Sophie Craver.

PEN America extends special thanks to the following experts for providing invaluable input on the draft report: Jason Pielemeier, director for policy and strategy at the Global Network Initiative; Sherwin Siy, lead public policy manager at the Wikimedia Foundation along with Sukhbir Singh, senior site reliability engineer at the Wikimedia Foundation; and Alena Epifanova, research fellow in the international order and democracy program at the German Council on Foreign Relations. Research for this report was generously supported by the Fritt Ord Foundation.