Beware of Tech Companies Playing Government

Op-ed in Bloomberg, 17 January 2019

Last April, when 34 technology companies announced their membership of a Cybersecurity Tech Accord, it was portrayed as proof that the private sector was, at long last, taking responsibility for protecting civilians online — something governments had conspicuously failed to do. Since then, the ranks of signatories to the self-imposed cybersecurity standards has more than doubled.

Alibaba Group Holding Ltd., the Chinese tech giant, is not among them, but its co-founder and executive chairman, Jack Ma, certainly agrees that companies should rush in where governments have so far feared to tread. To wit, his plan to create an Electronic World Trade Platform (eWTP), which will facilitate online trade across borders. “Innovation always develops much faster and I think future laws should not be driven only by governments; they should be driven by private sector and all stakeholders together,” Ma said. Another example of this is the Paris Call for Trust and Security in Cyberspace, backed by Microsoft Corp., Alphabet Inc.’s Google and Samsung Electronics Co. — and announced by President Macron last year — which underlines the companies’ ambitions to draft standards in the fight against election tampering, compromised electronic components and software hacks.

I am entirely in favor of companies acting responsibly: For too long, they have been negligent about protecting the data of their users and customers. But when the most powerful tech companies take on the responsibility of global rule-making and cross-border governance, to set and enforce standards, that is deeply problematic for democracy and the rule of law.

There’s no question that governments have been laggards in setting norms and rules online — take that from a politician who has been involved in some of these cumbersome efforts. While Microsoft has been pushing for a Digital Geneva Convention, intergovernmental discussions on norms of behavior in cyberspace during peacetime are stalled at the United Nations. Even as Ma’s eWTP initiative takes off, negotiations between states on e-commerce at the World Trade Organization are going nowhere fast.

Indeed, governments and courts have offloaded some of their responsibilities to tech companies. For instance, the European Court of Justice ruled for companies to remove websites from search results in respecting ‘the right to be forgotten.’ Similarly, in the NetzDG law in Germany, tech companies must take hate speech, fake news and illegal content offline within 24 hours. Both cases underline how much impact tech companies already have on the content people see, or don’t see online. But by leaving the policing to the companies, rather than to regulators and governments, there’s a great risk that the public interest will be captured by the private sector, and that norms will be made without transparency, accountability or the mandate of the people.

There are plenty of reasons to worry about the privatization of governance. If we’ve learned anything from the scandal after scandal over Facebook Inc’s handling of user data, it is that the private sector’s noble intentions to regulate the internet should be met with skepticism. Without adequate public oversight of algorithms, and with recurring bad practices, tech platforms cannot — should not — be trusted.

What are we going to do about it? In an era when all forms of multilateralism are being challenged, it is harder than ever to forge a consensus among governments on issues pertaining to cyberspace. It is fiendishly complicated to reach across jurisdictions, from where citizens live to where tech companies are run. That’s why it took years for the European Union to adopt the General Data Protection Regulation, or GDPR, which governs how data collectors gather and use information.

There’s no wishing away of the complications, no realistic way to accelerate the process of multilateral rule-making in the short term. We can hope that governments will become more ambitious as they witness companies stepping into the breach. In the meantime, we must not let private initiatives go unquestioned, or evolve from de facto norms to de jure laws. At best, these should be regarded as temporary constructs while we keep working to build powerful, enforceable rules.

We must assess each private-sector initiative closely, and on its merits, rather than take it at face value as well-intended. As with every governance initiative, the values at its core, and mechanisms of consent, oversight and accountability, determine the practical working. We must insist that developing norms includes multiple stakeholders — such as civil society representatives, technology experts and government representatives from different parts of the world. This will be equally important for monitoring their implementation. And we must ensure that the norms are anchored in principles such as respect for universal human rights and fair competition. If companies want to play government, even temporarily, they must expect to be held to account as governments are.

International Director of Policy, Stanford’s Cyber Policy Center, International Policy Fellow, Institute for Human-Centered AI. President, CyberPeace Institute