Briefing :: Online Safety Under Repressive Regimes: What is the Responsibility of Technology Companies?


Commission on Security & Cooperation in Europe:  U.S. Helsinki Commission

Online Safety Under Repressive Regimes:
What is the Responsibility of Technology Companies?

Committee Member Present:
Shelly Han, Policy Advisor for Economics, 
Environment, Technology and Trade

Amol Mehra,
International Corporate Accountability Roundtable

Susan Morgan,
Executive Director,
Global Network Initiative

Meg Roggensack,
Senior Adviser,
Global Network Initiative

The Hearing Was Held At 10:00 a.m. EDT in Room 2203 Rayburn Office, Washington, 
D.C., Shelly Han Moderating 

Friday, October 19, 2012

SHELLY HAN:  All right, good morning.  On behalf of Chairman Smith, the 
chairman of the Commission on Security and Cooperation in Europe, I’d like to 
welcome you to today’s briefing. I know it’s somewhat trite, but it’s still 
true to say that the Internet has opened tremendous communication and advocacy 
avenues in a truly revolutionary way, but it’s also true that the Internet has 
also revolutionized the way governments can monitor and know even more intimate 
details about their citizens with very little cost or effort.  If you haven’t 
seen it, I want to recommend you to see a movie called “The Lives of Others,” – 
and most of you I see in the room are probably too young to remember the Cold 
War, but the movie portrays really accurately the old-fashioned way of 
surveillance, where you had teams of people that were dispatched to listen in 
on phone conversations and follow people around – and now with the Internet and 
GPS, it’s so much easier for governments to get that information with much less 
manpower and expense.  

And when you pair that with a government that does not respect human rights or 
where citizens don’t have the ability to assert their own human rights, then 
it’s truly a dire situation.  The chairman of the Helsinki Commission, 
Congressman Chris Smith, introduced the Global Online Freedom Act in order to 
give more power to those who are living in just such a dire situation.  The Act 
really isn’t aimed at protecting users in countries where we have the freedom 
and abundant opportunity to lobby our governments and where we have an 
independent judicial system in which we can wage legal battles to – for our own 
rights, but it is aimed at giving a voice to those who don’t have a voice in 
their own country.  The Global Online Freedom Act envisions a reporting 
requirement for listed U.S. companies.  

The issue of corporate responsibility and accountability is critical since the 
Internet that we use every day is run by private companies.  The business model 
of most consumer-facing websites means that they collect whatever data they can 
from your online activity and then use that data usually to sell advertising.  
But because this data is stored for often unspecific lengths of time, this 
potentially puts consumers at risk to either hackers or government agencies who 
want to access that specific information.  The question of how companies treat 
user data painfully came to light when it was disclosed that Yahoo had given 
the Chinese government information that confirmed the identity of Shi Tao, a 
journalist who was subsequently imprisoned under the charge of revealing state 
secrets.  Shi Tao is still in jail in China.

In many ways, that incident several years ago sparked some of the first debates 
on the responsibility of companies to their users, particularly when those 
companies are working in repressive countries, and that’s what we’re going to 
be focusing on today.  And what we’re going to do is look at where we have come 
since the early days of the Internet and where we’re going in terms of 
corporate responsibility.  The panelists here are all experts in the field, and 
I look forward to hearing their views.  I’d also like to invite the audience to 
think about questions that you may have, because during the question and answer 
period, we will open it up to the audience for questions since this is a 
briefing and a little bit less formal than a hearing, so I’d welcome your input 
and questions at that time.

So first I’ll turn to our panelists; we’re going to go in alphabetical order, 
so we’re going to start with Amol Mehra, who is the coordinator of the 
International Accountability Roundtable.  I have – we’ve distributed the bios 
for each of the speakers over on the table, so I won’t go into those, but I’ll 
let Amol get started.  Thanks.

AMOL MEHRA:  Well, thank you, Shelly, and thank you to Chairman Smith and the 
members of the Helsinki Commission for conducting this briefing.  The 
International Corporate Accountability Roundtable is a coalition of leading 
human rights environmental development groups and unions.  We work to build 
robust frameworks for corporate accountability, to strengthen current measures 
and to defend existing laws, policies and legal precedents.  So as Shelly 
mentioned, the Internet and communication technology companies are increasingly 
acting as mediators both for access to and content of information, placing them 
at the forefront of discussions on corporate accountability.  This is most 
evident in the context of oppressive regimes, where controls or restrictions 
over the Internet are commonplace, and effectively turn a tool for advancing 
democracy and freedom into a means of censorship and surveillance.

Businesses should not be complicit in such human rights abuses.  We believe 
that any effort to tackle the responsibility of the ICT companies vis-à-vis 
human rights must include a clear requirement for these companies to conduct 
human rights due diligence.  This is consistent with recent regulatory 
approaches in addressing corporate responsibility for human rights, including 
the transparency provisions of section 1502 of the Dodd-Frank Act pertaining to 
conflict minerals and the due diligence policies and procedures contained in 
the reporting requirements on responsible investment in Burma issued by the 
U.S. State Department in 2012.  Governments, as primary duty-bearers of human 
rights, must therefore take regulatory action to ensure that companies respect 
human rights, including by imposing binding requirements on companies to 
conduct human rights due diligence.  Strong, effective human rights due 
diligence procedures are fundamental to ensure that human rights are respected 
and company actions both inside and outside the territory where they are based, 
and governments should mandate independent monitoring in appropriate cases and 
public reporting of companies’ human rights impacts to verify their compliance.

These requirements should cover all business relationships, including 
suppliers, including contractors, security forces, business partners and 
recipients of finance.  For this reason, ICAR has supported the Global Online 
Freedom Act, or GOFA and the disclosure requirements regarding human rights due 
diligence policies contained therein in Title II of the bill.  We believe this 
legislation provides critical corporate transparency and strengthens 
accountability of both U.S. and foreign Internet communication service 
companies.  With other processes under way that will shape the regulatory 
context of this industry, such as the development of sector-specific human 
rights due diligence guidance for the European Commission, GOFA should 
establish a floor rather than a ceiling for the human rights responsibilities 
of ICT corporations. 

Essentially, GOFA requires ICT companies, both U.S. and foreign that operate in 
Internet-restricting and are required to file an annual report with the SEC – 
the Securities and Exchange Commission – to disclose their human rights due 
diligence policies.  This disclosure must specify if policies are consistent 
with applicable provisions of the OECD guidelines for multinational 
enterprises, including an independent assessment of compliance to the policies 
in practice.  Noncompliance with these requirements requires the company to 
issue an explanation, and companies must also disclose their policies regarding 
responses to Internet-restricting country requests to disclose personally 
identifiable information and communications, and secondly, a provision of 
notice where the content – when the content of an Internet search engine or 
Internet content hosting service is removed or blocked by – at the request of 
an Internet-restricting country.  

While we do support fully the disclosure requirements contained in GOFA, we do 
believe that there’s room to improve the legislation.  Our suggestions include 
the following: on reporting requirements, GOFA requires only ICT companies 
operating in Internet-restricting countries that are required to file with the 
SEC to disclose their due diligence policies.  We believe this requirement 
should be universal to all public ICT companies regardless of where they 
operate.  On Internet restricting countries: GOFA requires the State Department 
to conduct country assessments of freedom of expression with respect to 
electronic information, including government attempts to censor, to block and 
to monitor expressions and government efforts to prosecute, persecute or 
punishment individuals for their expressions.  The State Department is then 
required to publish an annual list of Internet-restricting countries that 
exhibit a systematic pattern of substantial restrictions on Internet freedom.  
We believe that country assessments of freedom of expression and the compiling 
of this list of Internet-restricting countries should be an open and 
consultative process drawing together civil society groups and other sectoral 
experts in making these assessments.

Finally, on safe harbor provisions: GOFA’s safe harbor provisions specifies 
that companies certified as members in good standing of either the Global 
Network Initiative – GNI –
or similar multistakeholder initiatives are not subject to the full disclosure 
requirement.  However, as GNI is still developing as a multistakeholder 
initiative, we believe it is premature to specify GNI as a carve-out for due 
diligence reporting.  The provision should therefore be edited to, A, either 
remove GNI as a preferred multistakeholder initiative or to, B, amend the 
provision’s definition of a multistakeholder initiative.  At a minimum, the 
provision should be edited to strengthen and clarify which MSI’s qualify for 
the safe harbor.

Criteria should include an annual, independent assessment of members, due 
diligence policies consistent with the OECD MNE guidelines, public disclosure 
of independent assessment reports, public disclosure of member policies both 
regarding responses to Internet-restricting country requests and provisions of 
notice when content is removed or blocked at the request of an 
Internet-restricting country.  We thank Shelly for her leadership on this 
important issue and the commission as a whole.  We appreciate this opportunity 
to share our perspectives on the responsibilities of ICT companies in human 
rights; I thank you for that.  Water?  (Laughter.)  For further information, 
contact us at ICAR, and happy to answer questions or take comments. 

Thanks, Shelly.

MS. HAN:  Thanks, Amol.  I appreciate that.  Next we’re going to have Susan 
Morgan; I’ll let her get a drink of water first, go ahead – (laughter) –

SUSAN MORGAN:  The water was perfectly timed.

MS. HAN:  Yeah.  Well – and Amol mentioned a number of things specific to GNI 
and I don’t – I’m not sure if Susan’s going to address those specifically in 
her statement, but I’m sure during the Q-and-A question we’ll have a – session 
we’ll have a time to maybe (sort ?) some of those out.  So I’ll turn it over 
now to Susan Morgan, who is the executive director of the Global Network 

MS. MORGAN:  Great.  Thanks, Shelly, and I’d like to start by thanking you and 
the members of the Helsinki Commission for conducting this briefing, and also 
for giving the opportunity to address the work of GNI in protecting and 
advancing freedom of expression and privacy rights in the ICT sector.  So, GNI 
is a multisector, multistakeholder group of companies, human rights groups, 
investors in academics, and we came together, really, to chart an ethical path 
forward for companies when they’re facing requests from governments that could 
impact on the freedom of expression and privacy rights of their users.  Over 
time, we aim to create a corporate responsibility standard for companies in the 
tech sector.

Over a two-year period, we – taking in all the different stakeholders, we had a 
period of really designing and working on creating a set of principles and 
implementation guidelines.  They’re based on international human rights 
standards consistent with the U.N. guiding principles, and they really set out 
a way for companies to operationalize thinking about freedom of expression and 
privacy rights in their organizations.  For example, that’s – things like 
conducting human rights impact assessments for new markets, new products, new 
services and also looking at some very, very specific considerations for 
companies when they receive a request from the government to do a particular 
thing and how they should respond.

I wanted to say a little bit about the accomplishments that we’ve made so far, 
starting off with accountability – and corporate accountability is really at 
the heart of GNI.  Earlier in – earlier this year, in 2012, we completed the 
first independent assessments of our three founding companies: Google, 
Microsoft and Yahoo.  These assessments were looking at whether the companies 
were putting in place the policies, procedures and processes to be compliant 
with GNI’s principles.  We made public some of the findings in our annual 
report; there are copies of that on the table.  Some examples of the findings 
are things that the companies were already doing.  For example, that the 
companies have processes in place to review requests from governments that 
their senior-level oversight of that process and that the companies is putting 
in place training and communications.

There were, of course, some recommendations for other things that the companies 
could improve on.  Examples of that were more direct engagement with 
stakeholders when conducting human rights impact assessments and documenting 
processes around human rights around impact assessments and not dating them as 
kind of legislation changes within particular countries.  The next phase of the 
assessments, which we’re currently working on, will look not only at the 
policies and procedures that the companies have in place, but whether they’re 
being implemented in practice with regard to specific cases.  Secondly, in 
terms of our accomplishments, the clear intent behind GNI is that the 
collective voice of our members – so not only companies, but human rights 
groups, investors and academic, will bring weight to our growing policy 

So, for example, we worked to raise – early on this year we worked to raise 
awareness of the human rights implications of a request for proposals in 
Pakistan earlier on in the year to build a new system for Internet filtering 
and blocking.  We’ve also issued statements on proposed legislation in Vietnam 
and Russia that could damage the freedom of expression and privacy rights of 
users of communication services.  Third, in terms of accomplishments, we 
continue to expand our reach internationally with companies and other 
stakeholders.  In the last 12 months, nine new organizations from six countries 
have joined GNI.  This includes the first new company member since the 
initiative was launched.  We’ve also created a new category for observers – for 
companies who are giving serious consideration about joining GNI the chance to 
work with us for a nonrenewable 12-month period.  Facebook and affiliates have 
now become observers.

And then finally, on accomplishments – I think, given the speed at which the 
issues evolve in this sector, GNI provides a safe space for different 
stakeholders to come together to learn and develop best practice.  We held our 
first multistakeholder learning event in June in D.C. this year; we launched a 
GNI-commissioned report which was  looking at the challenges facing governments 
and technology companies as they navigate their way through – way through 
freedom expression issues, privacy, law enforcement and national security.  
We’re currently working on best practice guidance on human rights impact 

I wanted to finish just with a few thoughts on both challenges and 
opportunities for the technology sector.  Technology’s undoubtedly played a 
role in supporting democratic aspirations around the world, but it’s also 
clearly been used by governments to aid in the surveillance and suppression of 
rights.  While most commonly identified with China’s sophisticated censorship 
architecture or the shutdown of the Internet under Mubarak’s regime during the 
revolution, issues relating to freedom of expression and privacy are not 
confined to repressive regimes.  For example, draft legislation in the U.K. at 
the moment on communications data while pursuing legitimate law enforcement 
goals has some worrying aspects to it, which could give repressive regimes 
justification for their own approach.  It’s critically important as democratic 
countries address legitimate concerns that they consider the international 
precedent that they could be setting.

Companies are facing new threats from governments in many markets, which are 
taking increasingly complex and diverse forms.  GNI was created to help 
companies address the ethical questions that arise from these issues and to 
create a network in which companies could work with other stakeholders both to 
identify best practice and to develop their commitment to freedom of expression 
and privacy rights.

A few final thoughts:  The challenging of – the challenge of addressing the 
issues of technology and human rights are too complex for companies to go in 
alone.  GNI has shown it is possible for commercial competitors in the ICT 
sector to work together on issues relating to human rights.  The value of this 
is magnified when bringing in other stakeholders with different and specific 
expertise.  GNI continues to pursue conversations with companies across the ICT 
sector including telecommunications companies, many of whom have seen an 
increased focus on their responsibilities in recent years.  

And finally, by working together, we think there’s an opportunity for 
rights-respecting companies to both set a global standard for how companies can 
responsibly manage government requests in matters of freedom of expression and 
privacy rights, but also collectively to engage with governments to promote the 
rule of law and the adoption of laws, policies and practices that will promote 
respect and fulfill the rights to freedom of expression and privacy.  Thanks.

MS. HAN:  Thanks, Susan.  I appreciate that.  Next we’ll have – finally have 
Meg Roggensack from the Human Rights First.  If you could take the floor.

MEG ROGGENSACK:  Thank you, Shelly.  I’d like to thank you and the members of 
the Helsinki Commission, both for conducting this briefing and for your 
leadership on these issues.  It’s really a great opportunity for all of us to 
consider the challenges that we face, and really the role that the Helsinki 
Commission and the Congress can play in helping to drive awareness and promote 
changed behavior.

I wanted to just start by asking everybody here, how many of you – raise your 
hand if you’ve actually been in a fire drill – raise your hand.  So pretty much 
everybody.  Now, keep your hand up if you’ve actually been in a fire.  Has 
anybody actually been in a fire?  I bring this up because why do we do fire 
drills?  We could say, you know, nobody’s been in a fire.  This is a lot of – 
you know, takes a lot of time, it’s a big disruption in our business day.  And 
you know, we’re not fire safety experts.  Why are we – why are we doing this?

Well, we do it because the risk of not doing it is one that we deem 
unacceptable.  And it’s indicative also, this drill, of a broader awareness of 
health and safety issues.  In a nonprofit – a little nonprofit, a big law firm 
or the bureaucracy of the U.S. government – whether big, small, whatever, we 
all know how to get out of the building in the case of a fire whether we ever 
encounter a fire or not.  

I bring this up because it really is, I think, a crude but applicable example 
to the challenge we’re facing today, which is that you can say at a global 
level most users of Internet services are never going to face, you know, dire 
consequences.  But for those that do, the consequences of censorship, 
surveillance or tracking could be, and are, life-threatening.  And so, like 
fire safety, it’s unacceptable for companies to wing it.  And so the 
conversation today really is about not only are what the consequences of 
winging it, but what are the alternatives to winging it and what are the 
broader implications that we’re facing.  

Secretary Clinton, about two years ago, gave a landmark speech on Internet 
freedom, in which she really related the core freedoms of the universal bill to 
rights in cyberspace and declared the freedom to connect.  And she warned of 
the consequence if we failed to protect this freedom, which would be whether we 
live on a planet that had one Internet and a common body of knowledge that 
benefits and unites us all or a fragmented planet in which access to 
information and opportunities in dependent on where you live and the whims of 

So companies in this sector are on the front lines in this battle.  And they’re 
getting demands from governments to surveil, censor, limit service or otherwise 
provide users’ information.  And the decisions that they make have a wider 
impact, not only on the sector but on all of us, whether we have an open access 
to information and a safe way to use the Internet.  

We know that the human rights challenges are significant and that they’re 
evolving nearly as rapidly as ICT products and services and that they affect a 
whole range of companies, not just Internet providers but telecoms companies, 
credit card providers, manufacturers of mainframes and switching technology.  
We also know in the past year alone that the governments have taken down both 
entire services as well as specific content in Egypt, Pakistan, Vietnam, Iran, 
Afghanistan, Libya, Indonesia and India.  

Iran has launched its own censored and controlled country-specific intranet and 
China has imposed a warning system to chill Twitter users’ speech.  Secretary 
Clinton, recognizing the pivotal role that companies can play, declared that 
“American companies need to make a principled stand.  This needs to become part 
of our national brand.”  A key part of that national brand, she noted, is a 
trust between companies and users so that users know that what they put online 
won’t be used against them.

As we’ve heard today, the U.N. Framework and Guiding Principles are an 
important global standard in evaluating what are the responsibilities of both 
governments and companies.  And it’s certainly true that states are principally 
responsible for protecting human rights, but companies also have a 
responsibility to respect human rights.  And the Guiding Principles articulate 
that as a requirement of due diligence.  Simply put, knowing and showing – 
knowing what the risks are to the global business operations and showing that 
you have a plan to address those risks and to follow-through and communicate 
how you are addressing those risks.  

The GNI is, at present, the only initiative that affords companies in the ICT  
sector a platform for addressing human rights due diligence in a comprehensive, 
credible and transparent way.  And I won’t repeat what Susan has said about the 
aspects of the Global Network Initiative that make it unique from a trade 
association or from other types of initiatives.  We helped to launch the GNI 
because we think that volunteering multistakeholder initiatives can play a very 
valuable role in helping companies address human rights risks of their global 
operations.  But whether or not these succeed depends in major part on whether 
they can demonstrate a positive impact on the human rights issue.

So in GNI’s case, its effectiveness is going to depend on the extent to which 
company assertions about what they have done to implement GNI’s principles can 
be verified through independent assessments and then transparent reporting on 
those assessments.  GNI has make important progress, as Susan has noted, and I 
hope in our question and answer session we’ll be able to talk a little bit more 
about that.  But unfortunately, most companies aren’t even at the table.  
They’re not even part of the conversation.  

We know, for example, that most of these companies have limited, if any, human 
rights expertise, and most of it is residing at the headquarters level, not at 
the – in the countries where these issues frequently are playing out.  They 
also don’t adequately engage stakeholders, so they have difficulty 
understanding what exactly is happening in these countries and why and then how 
to respond to it.  And they do, at best, an extremely limited job of reporting 
on their efforts to address these threats.  They don’t even consider the 
possible impacts that their partners, for which they are also responsible.  

So these are all major challenges to implementing human rights due diligence.  
And we would – we would submit that statements about what these companies are 
doing regarding due diligence can’t and shouldn’t be taken at face value 
because there’s no way to independently verify whether they have adequate 
policies in place, whether those policies are being effectively implement, and 
how, if at all, the company is addressing government demands. 

So GOFA is a really exciting development because it has a potential to help 
ensure wider corporate engagement on this – on this issue.  GOFA really zeros 
in on the challenge of engaging the ICT sector more comprehensively by 
requiring that companies due diligence policies or explain why they’re not 
doing it.  And this requirement should help raise awareness, not only within 
the sector, about what due diligence is and what companies need to do but also 
spark what is a really needed debate about best practices.  And so we, at Human 
Rights First, look forward to working with you, Shelly, and others to develop 
the best possible bill and see that it gets passed. 

The threats to Internet freedom are pervasive and proliferating.  We know that 
we can’t realize the vision of one Internet without the full engagement of the 
ICT sector.  That vision is vitally important for the millions of people who 
live under repressive regimes.  For them, the Internet is virtual town square.  
It’s essential to them, but also to us, in preserving and promoting democracy 
and human rights in this century.  

MS. HAN:  Thanks, Meg.  I wanted to – I appreciate all of the testimony that 
y’all gave today.  And I wanted to dive a little bit deeper into the question 
of – that we ask in the – in the briefing title, which is Online Safety under 
Repressive Regimes.  And what’s the responsibility of technology companies?  
And think about the issue of particularly differing legal regimes and how 
companies are having to operate in China or Vietnam or – and some – you know, 
some companies are operating in Iran or however. 

And if maybe, Amol and Meg, if you could address this more from a philosophical 
standpoint or a legal standpoint and, Susan, you could talk about it from how 
GNI approaches it.  But what really – I mean, our companies should they – is 
disclosing enough how they work or should they be doing more?  And what should 
we be asking of companies?

MR. MEHRA:  Sure.  I’ll take the first crack at this.  You know, I think, as 
Meg mentioned, at the international the U.N. Guiding Principles on Business and 
Human Rights articulate the companies have a responsibility to respect human 
rights.  What this means essentially is that the standard is that companies 
should do no harm.  

So when they’re operating in repressive regimes, I think we would – we would 
argue that companies should think critically about whether their operations 
pose significant risks to human rights.  And if so, the companies should do no 
harm.  If that means that the company removes themselves from that situation, 
that’s one option.  Another situation is that the company could exert its 
leverage to try to change the situation in the country using its market power 
to address the potential human rights implications in that way.

But again, Shelly, I’d submit that the real issue here is that companies have a 
responsibility to respect human rights.  That’s agreed upon at the 
international level.  This was universally endorsed at the council.  And so 
now, you know, what that means in practice that companies should do no harm.  
We believe due diligence is a tool for companies to assess whether or not their 
operations pose significant human rights risks, and therefore, you know, we’re 
very supportive of the measure being included in this bill.

MS. ROGGENSACK:  So to just add to that, as Amol said, a first starting point 
is to do a risk assessment – which is one element of due diligence as outlined 
in the Guiding Principles – and based on that risk assessment to determine 
whether a company wants to enter that market given those risks and if it’s 
equipped to manage those risks.  As Amol said, one consequence of that might 
be:  No, we aren’t.  We aren’t equipped to manage those risks.  We can’t 
operate responsibly in this market.

But another alternative might be to think about who in that market one could 
partner with responsibly and work with that partner to develop both principles 
for operating and then a system for monitoring against those benchmarks going 
forward to gauge over time how that’s playing out and then report and review on 
how that is working and if not, then to make a difficult decision about whether 
continuing in that market in on balance harmful or hurtful.

I think, you know, obviously another really important aspect of this, we know 
without saying a number of markets that are extremely challenging and that 
require often collaborative approaches.  As Susan said, companies can’t go it 
alone.  So another strategy, apart from risk assessment, is to work 
collaboratively with other companies facing the same challenges and also with 
home governments to try to use that collective leverage to fight against market 
restrictions more proactively, and of course engaging with stakeholders to do 
so.  As we’ve said, GNI’s really the only place right now for this sector to 
engage and to have a safe space for those conversations and strategies to 
address these types of market challenges. 

MS. MORGAN:  So I just want to add a couple of things to that.  I think – so 
GNI was really founded on the basis of how can you help companies operate in as 
broad a range of markets as possible in a responsible way?  And I think, you 
know, as both Amol and Meg have said, the importance of human rights impact 
assessments and due diligence, both prior to going into markets and I think 
also acknowledging that the situation doesn’t necessarily stay the same in 
markets.  You know, I think we’ve seen lots of examples in many countries 
around the world in the last few years of sort of drastically changing 
situations in particular markets.  So I think that this sort of analysis and 
due diligence needs to be an ongoing process, not a kind of you do it once and 
that’s it, it’s done.  

Certainly within GNI, I mean, Meg’s mentioned a safe space sort of aspect of 
GNI.  We’ve started increasingly to come together as a group of participants to 
look at particular issues in markets as they’re changing and to really develop 
a strategy and approach and a collective response to particular issues, and you 
see that in some of the public statements that we’ve made.  So I think those 
are really the key points that I’d highlight.

MS. HAN:  Great.  Could you – Susan, I was wondering if you could – you gave 
one example of the issue of the Pakistan request for procurement about the 
censorship software and your – GNI’s membership response to that.  I mean, have 
you seen, over the course of the life of GNI, some other examples of specific 
changes, maybe, perhaps, that companies have made to their business practices, 
or seen a change in the market because of what the principles that GNI is 
working on?
MS. MORGAN:  So I think there’s probably two things to this.  The first is the 
policies and practices that the companies are putting in place.  And I think, 
you know, clearly some of the companies that are members of GNI already had 
some policies and practices in place before they joined GNI.  But obviously in 
GNI’s principles and implementation guidelines, we set out very clearly the 
expectations of the sort of processes and systems that companies will have in 
place to be compliant with our – with our principles, and I think the outcome 
of the first independent assessments earlier on this year showed that, you 
know, the companies were clearly making progress, but that there was – there 
was some aspects where there was – where there was more to do.  
I think on the “is it making any difference in the kind of wider context,” 
sometimes it hard to say that.  Sometimes it’s the things that didn’t happen.  
And you can never – you know, you can never quantify that, but I think, you 
know, certainly we’ve definitely had feedback that – from a number of sources 
that the – you know, the variety of policy engagement that we’re beginning to 
do, whether that’s public statements, whether it’s responses to consultations 
on legislation in particular countries, whether it’s private meetings with 
ministers in particular countries on particular aspects of legislation, that 
that’s starting to make a difference.  But I think, you know, we’re kind of at 
the beginning of that journey.
MS. HAN:  And also, I’ll keep you in the spotlight for a second.  On 
membership, GNI membership, you’ve steadily added companies over – and how – 
what’s your sort of long-term projection?  Do you see this growing as basically 
more U.S. companies as participants, or is the idea to have more of a global 
engagement?  And what are you hearing in terms of what the large companies in 
Europe are doing, particularly the telecom companies?
MS. MORGAN:  So the – the sort of aspiration and vision for GNI over time has 
always been that we would create a global standard of corporate responsibility 
in the ICT sector.  That’s very much the aspiration and continues to be the 
case.  As you say, we’ve had a steady sort of number of organizations joining 
us, and I think it’s important, you know, not only from a company perspective 
but also the fact that we’re attracting investors, human rights groups and 
academics from quite a few different countries around the world now.  From a 
company perspective, we’ve had two new member companies join us in the last 
year.  We’ve also created an observer status.  So some of the feedback that 
we’ve had from companies was that they were thinking about GNI, they were 
interested to learn more about us but weren’t quite ready to make that leap 
yet.  So we created a category for observer status specifically so that 
companies could kind of get to know us and see how we worked together and sort 
of see that value before they made the decision.  
In terms of the telecommunications companies in Europe, there’s a number of 
companies who have kind of been working together for about a year now called 
the industry dialogue.  They’re looking to house their work somewhere in the 
near future.  Earlier on in the summer, they went out to five different 
organizations that they were considering as a home for their work.  GNI is one 
of those.  And we’re continuing to have conversations with them, and obviously 
we hope that that will come to a good result.
MS. HAN:  Great.  Thank you.
I wanted – we mentioned before that in the Global Online Freedom Act, there’s a 
provision that specifically requires ICT companies to – that are listed in the 
U.S. to report to the Securities and Exchange Commission their human rights due 
diligence.  There’s been some discussion about, you know, whether the SEC is 
the most efficient or most effective place for that reporting to be done.  And 
you know, as Amol mentioned, it does sort of piggyback on a couple of 
provisions that were in Dodd-Frank, 1502 and 1504, which are somewhat similar 
in that they’re provisions that aren’t considered the typical investor or 
accounting-related provisions for SEC reporting.  But they’re – recently the 
State Department created a reporting requirement for Burma that is somewhat of 
an interesting model for companies to report their human rights due diligence 
and the work that they’re doing in Burma, given that we are lifting certain 
sanctions on that country.  And – so it’s been suggested that perhaps we might 
look at that for a model.  And I wondered if Meg and Amol would like to comment 
on that and – or have any other ideas along those lines.
MS. ROGGENSACK:  Sure.  Thanks, Shelly.  I’ll also defer to Amol a bit on 
Dodd-Frank.  But I think that’s right.  I think usually with the SEC, it may be 
more a matter of making the business case.  Investors still don’t have the 
information that they need to make the case that reporting is material in an 
SEC context.  I think we know from our reporting from the field that there is a 
case to be made, but it’s still one that we have to start to elaborate.  What 
are the dollars-and-cents implications of these policies?  The OECD put a 
number on the cost of the takedown of the Internet by Hosni Mubarak.  There are 
other statistics out there about the interruptions of service and what that 
might mean for commerce.  We need to get that information in the hands of 
investors, because I think it would satisfy a materiality threshold that the 
SEC would require.  But to date, I think, you know, more effort needs to be 
done, and my sense is, that’s the major concern.  You’re certainly right.  
Dodd-Frank does provide an avenue.  We just need to evidence it for this 
sector.  But it’s also true that the Burma reporting requirements, which could 
stand to be strengthened and improved – and many of us have weighed in on that 
– but it does provide another important model so that the State Department 
might be an alternative place to receive those reports.  I know there are 
staffing issues associated with that, capacities issues associated with that, 
but the Burma model does suggest that that could be another additional avenue 
for due diligence reporting.
I just wanted to point out that when California enacted the Transparency and 
Supply Chains Act, it was really an interesting idea, because at that time they 
did set a reporting threshold, but it didn’t really question the need for 
companies to look at whether or not they were aware of potential labor abuses 
in their supply chain.  They accepted that that would probably be more likely 
than not, but that it was up to companies to make that determination.  So it 
didn‘t stop an effort to impose a requirement.  And I know that the mere fact 
of passage of that law has driven broad awareness among companies that are 
covered in California, and outreach and capacity building to develop policies.  
It’s certainly possible for a company to comply with a law by saying publicly, 
we don’t have a policy.  (Chuckles.)  But no company wants to be in that 
position, so all companies are really obliged to think about their supply 
chains differently, and I submit that a requirement like this could drive a 
very important and helpful conversation, whether lodged at the SEC or in the 
State Department, but it is overdue.
MR. MEHRA:  I’m going to agree with everything that Meg said.  I think what we 
– what we believe at ICAR is that nonfinancial disclosure, disclosure about 
companies impacts on – social impacts, environmental impacts and governance 
issues, is critically important not only for consumers and citizens but also 
for investors.  We have seen investors come out very strongly on the provisions 
that Shelly mentioned, Section 1504 of the Dodd-Frank Act, which pertains to 
extractive industries transparency, the publish what you pay law, and Section 
1502, which pertains to conflict minerals disclosures.  Investors said in 
submissions to the SEC that having information about a company’s due diligence 
practices pertaining to assessing risk in their supply chains was material 
information that affects their investment decisions.  So as Meg accurately 
notes, I think what we need to do is make a better case for how nonfinancial 
disclosure is material to investors, expanding beyond the traditional socially 
responsible investors and linking in with a larger community.  This is why the 
GOFA bill is very important, because it articulates another set of issues that 
could materially infect – affect investors.  If you think of a technology 
company that is complicit with human rights abuse occurring abroad and the news 
gets out, what tends to – I mean, the public reaction to that poses significant 
costs to that company, not only potential litigation risks and the cost 
associated with litigation, but also for consumer-facing companies a drop in 
sort of consumer value of that company.  So these things are all important.  
And a bill like GOFA helps companies build internal systems to make sure that 
they’re assessing those risks accurately.
I’ll quickly mention the Burma reporting requirements, which essentially 
require that companies who are seeking contracts with Burma submit to the State 
Department a set of – answers to a set of questions.  Question five in the 
reporting pertains to the due diligence policies and procedures that the 
company undertakes.  What’s interesting about the Burma requirement is that the 
State Department will then take in the information and then publicly post it on 
a website, so it doesn’t have the sanction that a disclosure regime will have 
whereby either the SEC or aggrieved investors can bring claims against a 
company for false filings, but it does have that public reporting component.  
So again, to answer Shelly’s specific question, the SEC and disclosure, because 
of the enforcement mechanisms and because of the substantial risks that these 
issues pose to investors, is really where we see this disclosure line.  
MS. HAN:  Great, thanks for that.  Also, Amol, I just wanted to follow up on 
one thing that you had mentioned in your statement regarding the safe harbor 
provision that’s currently in GOFA.  And this provision, as was mentioned, 
there is a safe harbor for companies.  They don’t need to report to the SEC if 
they’re a member of – we don’t – the law – or the draft law doesn’t say exactly 
GNI but it just describes GNI-type organizations, and so that if they’re 
participating in that, then they don’t need to make the reports to the SEC.  
And one of the things that you mentioned – and I just wanted to see if we could 
flesh it out a little bit more – was the – you were saying to amend the 
provisions definition of a multistakeholder initiative and then that – it 
should include that there’s an annual independent assessment of members and the 
due diligence policy’s consistent.  Did you have any thoughts on who would 
actually be making the assessment of those multistakeholder initiatives?  
Because that’s one thing that we’ve grappled with a little bit, is how we could 
instill some responsibility into those parts of the bill, but exactly who might 
be the body that could do that is still an open question, in my mind.  So I’d 
be interested in your ideas.
MR. MEHRA:  And Shelly, that’s a very good point.  We fought this similar 
battle on 1502, on the conflict minerals disclosure.  As you know, the conflict 
minerals disclosure had a general due-diligence requirement built into the 
statute.  So what happened at the regulatory phase with the SEC was a ton of 
comments were brought into the discussion about which model would be the best 
model to point to for what the due diligence disclosure should look like.  In 
the end, the OECD, who had a system moving at the same time, had developed a 
very robust five-step due-diligence process.  So I would reluctantly submit 
that perhaps the agency that’s tasked with monitoring the disclosure should, 
through a notice and comment period, consider the very many multistakeholder 
initiatives or initiatives in this space in pointing to what standards are sort 
of the – now the best and most protected standards.  
And again, I want to clarify, you know, we’re not – we’re not criticizing the 
GNI at all.  In fact, we think it’s a wonderful initiative, and we’re hopeful 
that it will sort of lead to the sea change that it could, but the initiative 
is on – it getting its legs, as I think we’re all kind of agreeing about.  And 
so we’re reluctant to see it introduced into a legislative text without sort of 
proof of its veracity.
MS. HAN:  Great.  I’d like to open it up to the floor.  So if there’s any 
questions that you have, I think the room is small enough that we don’t need a 
mic, if you could just speak loudly.  And if you could identify yourself, that 
would be great.  Do we have any questions from the audience?
Yes, please.
Q:  Hi, there.  My name is Billy Ohn (ph).  And this might be a stupid question 
because I don’t have a background in this, but I had a question about the due 
no harm principle for corporate responsibility.  And isn’t there an idea that 
it might be better for a company, let’s say Google for example, to comply with 
the laws in an (oppressive ?) market while exerting pressure for change, rather 
than leaving the market and leaving it to local providers that might be more 
vulnerable to state pressure and/or might be less engaged with the corporate 
human rights principles that we’ve been talking about? 
MS. ROGGENSACK:  So this is a question that Google actually faced – (chuckles) 
– in China, as you know.  And ultimately I thought Google’s solution was deft.  
Instead of being the agent of censorship, it moved its services to Hong Kong 
and let the Chinese government take responsibility for censoring content coming 
back into the country.  And they’ve had additional challenges in operating in 
China that have been well-documented and that have affected those services.  
But at least in that case they were able to get themselves out of the middle, 
which is where companies often find themselves, and it’s an unhappy place to be.

You’re absolutely right that there is always a weighing in terms of what does 
this service provide vis-à-vis the risks to society of being unable to provide 
it either in a safe and secure manner or in a consistent and reliable way.  And 
so every company needs to make that judgment, engage with stakeholders on the 
ground to try to get a good sense of that, which can also help them try to 
design around or anticipate some of those risks.  So if they know that there 
will be, for example, potential government surveillance, go in with a safe 
platform, an encrypted platform and/or tools for users to – and education for 
users as to how to use the platform safely.

Be transparent about government requests and how they’re – how the company is 
responding, what the policy is about responding to those requests.  And 
benchmark that over time to decide, on balance, are we better off here or not – 
because over time we could end up with a set of services that is very less 
ideal than where we started.  So every company needs to be mindful of that, and 
it’s an ongoing process.

As Susan said, the reverse is true, that the market could open.  We also do 
think that companies obviously have leverage in these markets.  And right now, 
most of the companies with these services are U.S.-based – not all, but quite a 
few.  And so there is an element of leverage there that could be applied, 
should be applied, can be applied creatively, both directly and through 
collaborative efforts like the GNI and in working with home governments.  And 
we’d like to see companies, frankly, do more of that than they’re currently 

MS. MORGAN:  Yeah, I was just going to echo that.  I think it’s – often it will 
be the case that it isn’t the black-and-white “Are you in the market or out?”  
It’s how you operate in the market.  And I think that’s where the kind of – the 
due diligence, the engaging with other stakeholders and the trying to apply 
leverage is absolutely critical.

MR. MEHRA:  You know, I also want to add that when we mention the Guiding 
Principles on Business and Human Rights, one of the foundational principle is 
the state has a duty to protect human rights.  And companies in the U.S. that 
are registered here or operating here should be exerting their leverage to the 
U.S. government to help engage bilaterally with these – in these situations as 
well.  So companies shouldn’t feel like they have to go it alone.  I think what 
we’re doing is – in the civil society sector is putting as much leverage and 
power on the – and push on the – on the government as we can to push these 
issues along.  And I think we’re seeing companies start to do that as well.  It 
just increases their leverage.  But good question; thank you.

MS. HAN:  Yeah, I think that you – you’ve – you thought that you were asking a 
basic question.  And – but it’s a fundamental question, not a basic question, 
because I think that what we’ve seen, and particularly in the larger repressive 
markets like China – and we’ve also seen it to a certain extent in Russia and 
certainly Iran – is that homegrown companies are taking the place of the 
Facebooks and the Twitters and the Googles.  They don’t need them.  (Chuckles.) 
 And I think certainly you’d see – you could see, over a timeline in China – 
you know, if Facebook – I mean, I’m not privy to any of their business plans, 
but if they wanted to enter the China market, I – I’m sure they’d get a 
percentage but certainly not what they could have five years ago, when there 
was no domestic Facebook.  But they already have several versions of Facebook 
operating in China right now from domestic companies.

So I think it’s a – it’s a really good question, and it’s something that all of 
the companies are grappling with.  And I think they see exactly that conundrum, 
is that if we don’t go in, there are certain – now, there are other examples – 
say, for example, Kazakhstan.  There was – Google had posted a blog post about 
this a year or so ago, where Kazakhstan – the government had asked Google to 
route all of the server – the search traffic just through the dot-kz servers so 
that they could control – and you know, for such a small market – (chuckles) – 
in Kazakhstan, Google was able to say no.  (Chuckles.)  You know, they can’t do 
that in China.  You know, the – so you have to look at the markets.  You have 
to look at the – you know, the situation on the ground, and then who are the 
competitors?  And there’s also a Russian version of Facebook that operates, you 
know, within the bounds of what the Russian government wants it to operate.  So 
it’s something that will – I think will continue to be an issue.

MS. ROGGENSACK:  One thing I just wanted to add to that – well, two things, 
really.  One is that companies that are operating in risky environments also – 
you know, if they’re part of the GNI, the mantra is apply any request as 
narrowly as possible.  Take a look; don’t overcomply – don’t do that.  Analyze 
whether it’s backed by some legal process, duly legal process.  And where 
possible, challenge.  And those are all really good principles to apply in any 
market.  They’re sensible principles.  We know across the world that companies 
tend to overcomply, and that frequently happens where they haven’t done a risk 
analysis, where they don’t have good stakeholder intel on the ground.  
Frequently their own employees don’t understand the risks adequately enough to 
calibrate them.  So that’s a place where companies can do a better job, in 
calibrating the risk and in responding as narrowly as possible.

The other thing that I wanted to mention is there are also a whole slew of 
markets where this is completely up for grabs.  Egypt is one good example of 
that, where there’s a tremendous amount of leverage not only that companies can 
exert but also our government, both our government and the U.K. government.  
And it really is a situation where the question on the table is are we going to 
have a government and an architecture for these systems that’s open or closed?  
And we have an open opportunity to influence that through a whole array of 
policy tools, dialogue, conversation, diplomacy, economic pressures, and we 
should seize it.

And part of, I think, what I’ve tried to convey, and the rest of us today, is 
that that’s also – should be part of this conversation.  There should be 
proactive, robust discussions about those issues and what’s at stake.  And we 
unfortunately don’t see that except in the – in the context of the GNI, where 
we’re very much oriented toward those issues – and through initiatives like the 
GOFA.  So this conversation needs to be a whole lot broader, needs to include a 
lot more stakeholders.  The government is doing what it can, is working with 
other like-minded governments around the world.  But it’s still not nearly 
enough for the urgency of the situation.

MS. HAN:  Any other questions from the audience?

MS.:  Yes, please.

Q:  Hi, I’m B.J. (ph).

MS. HAN:  Oh, I’m sorry.  OK.  I actually –

Q:  Oh, I’m so sorry.  (Off mic.)

MS. HAN:  Yeah, that’s all right.  I’m sorry; I didn’t see your hand raised.  
Could we go with the woman here?  And then we’ll go with B.J. (ph).  Thank you. 

Q:  Kathy Mulvey with the Conflict Risk Network.  And a specific question about 
conflict-affected areas, where I think investors do recognize the materiality 
of the various financial, legal, operational and reputational risks that they 
face.  And the Guiding Principles also have a – you know, acknowledge 
specifically the particular risks in those areas.  Conflict can erupt 
spontaneously; human rights abuses and crimes against humanity can begin in 
places like that.  And I guess how can the legislation and initiatives like GNI 
anticipate and help companies to respond?  And you know, is disclosure enough 
in those situations?  And what other measures – and I think Meg started to 
touch on this with some of what she was talking about, but –

MS.:  (Off mic.)

MS. ROGGENSACK:  So thank you for that question and for the good work that 
you’re doing on this, because CRN is doing some really astounding leadership on 
this, particularly with telecommunications companies.  Our organization has 
worked on elaborating a concept of enablers, which can help companies that may 
be selling what might appear to be bread and butter-type equipment into 
situations where they’re actually enabling possibility of mass atrocities or 

And so again, it comes back a little bit to what we’ve been talking about due 
diligence, about doing a risk assessment.  We talk about this in the context of 
Egypt as well, where companies may have been dealing with the Mubarak regime 
for 20, 30 years; thought, OK, you know, we’re on autopilot.  But a simple risk 
assessment would tell you, if you’re dealing with an autocrat, that’s not a 
good situation to be in.  And whether that autocrat is in for five years, 10 or 
a day, you need to have a plan for when that autocrat’s time ends.  And 
similarly, in situations such as the one Kathy is describing, if they are 
volatile situations, one has to anticipate the possibility of an escalated 
conflict that could lead to mass atrocities or genocide.  Look at the risk 
factors for that, and have a plan in place to begin to address them which 
includes the types of stakeholder engagement that CRN and others are promoting.

MS. MORGAN:  So I think – just to echo again what Meg was saying, I think the – 
you know, clearly the sort of due diligence aspects are critically important.  
I think the other thing that I’d highlight is just the importance of 
relationships and building relationships so that you can reach out at the right 
– at the right time.  And certainly that’s one of the things that I’ve observed 
at GNI over the last couple of years, is the relationships between the 
different constituencies developing so that, you know, if there are particular 
policies or particular sensitivities that companies are facing, they might be 
more likely to reach out and also possibly, you know, have those kind of 
relationships where they can get to people quickly on the ground, to kind of 
have the kind of, you know, discussions and dialogue that’s necessary.

MR. MEHRA:  Yes, I’ll just quickly – I mean, I absolutely agree with what Meg 
and Susan were saying.  I think – there’s an interesting report that came out 
last week from the Businesses for Social Responsibility.  And I’m not trying to 
plug them, but the report is called “Applying the Guiding Principles (sic; UN 
Guiding Principles)” – (chuckles, laughter) – “on Business and Human Rights to 
the ICT Sector (sic; Industry).”

And what’s fascinating, I think, about this report is that it highlights some 
of the critical challenges in the ICT sector – including, as Meg mentioned 
earlier, the lack of human rights expertise within these organizations and 
their sort of – the – since – and their lack of engagement  with affected 
groups on the ground.  So I think that these are two possible solutions that 
feed into the due diligence process, really, is trying to understand better how 
to identify, to address, to mitigate potential human rights risks and their 
operations, which are particularly more acute in conflict risk areas.

MS. ROGGENSACK:  So I think one thing that this points up – it’s something that 
GNI and the ICAR and, I know, you were doing – is trying to aggregate good 
sources of information for companies, because I know Patrick would agree that, 
you know, there’s a lot of good stuff out there.  But for companies it’s really 
hard – (chuckles ) – to locate it in a timely way.  And so I do think that it’s 
incumbent on us who are working in this to try to do a better job of 
aggregating what we do have and the thinking that we have so that, for 
companies that are trying to do this, that they don’t have to reinvent the 
wheel and that there are places they can go for reports, expertise and guidance 
on these issues.

MS. HAN:  All right.  V.J. (ph), right?  Is that your name?  (Chuckles, 
laughter).  Yeah, OK.

Q:  Yes.  (Off mic.)  I’m B.J. (ph) from NDI, National Democratic Institute.  I 
had a couple of comments.  The first one kind of echoes on the previous 
question a little bit.  It’s – so with a lot of these technologies, what I’ve 
found is that it’s not quite simple in the sense that it – (inaudible) – can be 
used to – (inaudible) – the exact same – (inaudible) – proxy can be used to 
monitor and surveil as well.  So in terms of either an initial risk assessment 
or the continuous risk assessment, I’m not really sure how that plays in, 
because that can be – (inaudible).  And also, there are a lot of open source 
films, which are the exact same thing.  So it’s not so much about selling 
product; it’s – (inaudible) – services that are being provided.  And I don’t 
know if this law would target anything like that at all, because – (inaudible) 
– or what have you.

And the second kind of related question I had is what – and this is just 
something I know from previous discussions.  What exactly is going to stop 
companies from selling products, whether it’s a device or what have you, and 
then it’s resold, like, twice or thrice and ends up with the bad guys?  And 
they kind of have their hands clean, at least in terms of finance, because – 
(inaudible) – just sold – (inaudible) – and what happens from there does not 
really – (inaudible).  I – (inaudible).

MS. HAN:  Let me just say something really quick – (inaudible) – I think you’ve 
raised a couple of really good issues.  The first one, on how to do an 
effective risk assessment on, you know, items that possibly could have use for 
good and for evil, I’ll let the panel talk about.  But just to give a quick 
snapshot for people in the audience, there is Title III of the Global Online 
Freedom Act, which addresses the export control issue which you’ve raised.  And 
that is for all U.S. companies; it’s a – it doesn’t just impact listed 
companies, but any U.S. company that’s subject to export control laws would be 
subject to those laws.  And what it’s – what it’s trying to do is get at the 
sale of things that can be used for surveillance or monitoring or censorship to 
governments in countries that have been listed by the State Department to be 
Internet-restrictive.  So that’s the – what Title III basically does in GOFA.

But I – I’m glad you brought that up, because it was one of the things that I 
wanted to touch on.  We – hopefully we’ll be doing a separate session just on 
export controls, because you know, it requires a separate session.  (Chuckles.) 
 It’s not something that we can get into in great detail today.  But the – 
there was recently an executive order that was promulgated by the Obama 
administration that specifically looks at the export of certain tools – 
Internet tools such as personal communication tools to Syria and Iran.  And 
it’s – the short-term name of it is the GHRAVITY Executive Order, with the 
H-G-H-R-A-V-I-T-Y.  And I can’t remember how that actually spells out, what 
each of the letters stand for, but it’s really interesting to me, because in my 
mind – and I haven’t found another example, but it’s the first time where we’re 
making the link between human rights – the legitimacy of using human rights as 
a reason to stop things for export controls and on the Internet area; we’ve 
done it before in certain implements of torture – things that can’t be 
exported, but this is in the telecommunications area.  This is the first time 
that the administration is making that link, and so I think it’s important for 
the legislation, and it’s something that we’re looking at to see how we can use 
the precedent that’s been set through the gravity executive order and the 
legislation.  So now I’ll turn it over to the panel to comment on any of those 

MS. ROGGENSACK: Well, I want to commend Shelly, because Shelly has really been 
a driver of a policy conversations – really over almost two years, I think – on 
this issue, and it’s a significant one.  It’s difficult because, as Shelly 
mentioned, we have technology that activists desperately need, but also that, 
in the hands of repressive governments, as we see in Syria and Iran and 
elsewhere, can have, you know, life or death consequences.  And so again – you 
know, it sounds like a broken record, but companies need to do due diligence 
and understand who they’re dealing with and also know their customer.  You 
talked about the reseller issue.  We had examples of two California companies 
who sold through resellers; subsequent investigation revealed that this 
equipment was going into repressive regimes and a minimal level of due 
diligence would probably have helped them to identify that.

So it’s a know your customer type of requirement.  Under the guiding 
principles, companies are required to know who they’re dealing with.  So asking 
questions, doing a little bit of due diligence is hard, because these are 
systems, and some of the things that are sold are kind of off-the-rack.  
Hewlett-Packard sells servers, and they sell them all over the world. So for 
them, the due diligence may be a bit more challenging than for some of the 
smaller companies sold bespoke parts that were an integral piece of the 
surveillance architecture. 

But the other part of it, really, I think, for us, speaks to where the U.S. 
government could play a more proactive role.  As Shelly mentioned, you know, 
there are some difficulties with administering the export control system in 
this way.  It isn’t really designed for that; it’s very challenging to try to 
tailor it to get the result you want.  That isn’t necessarily the best policy 
approach, but we have thought that both through State, DRL and through the 
Commerce and other agencies, there could be a forward-leaning effort with the 
key companies in this space to talk about these risks and proactively discuss 
plans for addressing them, and thinking about how to help educate the 
companies, give them tools so they can implement these policies, but also 
better identify the risks and experiment.  What would be some ways to mitigate 
these risks should they arise, and so we’re encouraged by the work that Shelly 
and others have done along those lines to promote those kinds of discussions.  

MS. MORGAN:  So I was just going to say a little bit about the reseller issue.  
I mean, certainly in GNI’s principles and implementation guidelines, we make a 
distinction between where companies have operational control and where they 
don’t have operational control, but we’re quite clear that, for, sort of, 
partners, suppliers, distributors – you know, member companies in GNI should 
use, kind of, best efforts to, you know, promote awareness and understanding of 
the – of the guidelines.  I would also point you to one of our new member 
companies, which is Websense, who provide filtering technology.  And if you 
look at their anti-censorship policy, they do an awful lot of their sales 
through distributors, and it’s worth taking a look at their policy.

MS. HAN:  Yeah, I just wanted to reiterate.  You know, Mr. Smith, you know, 
considers the export control piece really one of the most important pieces of 
the legislation because of the implications of these tools getting into the 
wrong hands, and so the – you know, we’ve been – we’ve had a number of 
conversations with the Department of Commerce, who has generally the most 
jurisdiction over these types of items, and – and it’s interesting – also, I’ve 
talked to people in the U.K., and the U.K. government has made some public 
statements, and they’re actually working, I think within the Wassenaar 
Arrangement to potentially have all of the members of the Wassenaar 
Arrangement, you know, control these items without having to have legislation 
on our part.  (Chuckles.)  

So the administration could actually do it; they don’t need legislation to do 
it.  And so, you know, we’re watching that closely because I think that would 
be a wonderful step if we could get all of these governments, because when you 
do it on a multilateral basis under the Wassenaar Arrangement, then you’ve – 
you know, you’ve essentially shut down the legitimate trade of those items or 
at least created a framework so that when companies are selling, there’s a 
framework which in the – which – in which they have to know their customer, and 
then they also have to follow the steps of where that item ends up.  They still 
are responsible; you know, they do – if that’s part of knowing your customer, 
is knowing, are they going to sell it on, and if they are, under what terms 
they’re going to do it.  

So all of those things are covered under export control; it doesn’t mean that 
it’s easy to do or easy to investigate when things do go wrong, but I think, 
from the examples that we’ve seen in the media, most of these items – for 
example, the – what was it – Blue Coat – the companies do know when – where the 
items are.  (Laughs.)  They know who’s operating them, because essentially, in 
order to get software updates or to have any sort of support for that – for 
that item, they usually are communicating back with the original software 
provider.  So, you know, there’s challenges, but I think there’s ways to 
address them, and I’m hopeful that either through legislation or through, you 
know, multilateral initiatives, that we’ll be able to get at this issue, and 
we’re seeing more interest – or we’re seeing interest in the – in the EU among 
members of parliament – in the EU parliament, and in Germany, the foreign – I 
think it was the foreign minister who made statements to that effect in terms 
of stopping the sale of these types of items.  So I think the – it’s growing 
acknowledgment of the problem.  

So – all right.  Any other questions from the audience?  OK.  I wanted to see 
if the panelists could just give me, sort of, your crystal ball projections on 
– you know, it seems like every six months, something happens or there’s some 
sort of, either, a new technology that comes along or new ways that things are 
being used, and particularly in these countries – what do you see are some of 
the – you know, either current or upcoming issues in this area that we should 
be focusing on, and then – sort of, somewhat related to that is my question of 
how – you know, we know what governments should be doing; governments 
essentially have the fundamental responsibility to protect the human rights, 
but what should we as Internet users, you know, be doing and be trying to 
advocate for with the companies that we’re doing business with?

MR. MEHRA:  I’ll start, because my crystal ball for the ICT sector is – my 
crystal ball tends to focus on, sort of, global policy on business and human 
rights work, so I’ll tell you what I think about the crystal ball for ICT.  I 
think this is a fast-moving industry, and industry where the rules are 
changing, technology is changing at a pace that – I mean, I can barely 
understand.  So I think what we’re going to see happen, hopefully, is, 
companies are going to start to engage more actively with organizations like 
the GNI and people like – with expertise on this issue, like Meg in HRF and 
groups like CRN to try to understand better how their, sort of, 
responsibilities to respect human rights play out in a global economy with 
technology moving as fast as it does.  

And I think, at the same time – as Meg suggested earlier, I think, within the 
civil society community and the advocacy groups, we need to be pushing for 
stronger requirements on these companies.  Technology really is our gateway to 
communication and privacy, and we need to be holding it very – we need to be 
very vigilant about our – the ways that we police that gateway.  So I’d like to 
suggest that, you know – the work we do at ICAR is looking at policy solutions 
for this exact issue, hence we endorsed the Global Only Freedom Act, but at the 
international level, too, I think these examples are becoming more and more the 
issue de jure in the business and human rights space.  So we need to be 
thinking multilaterally and globally about solutions that can address these to 
ensure that, sort of, this isn’t just a U.S.-centric approach.

MS. MORGAN:  So I think I’m going to put my crystal ball on governments and the 
role of government.  (Laughter.)  And I think one of the things – it’s going to 
be very important to see, over the coming, sort of, months and years, is for 
democratic governments that are wrestling with really difficult issues around 
law enforcement and national security – that, when they’re formulating policies 
and legislative responses, that they do so in a way that creates a, sort of, 
model that would be, sort of, adopted in a – in a good way in other countries.  
I think – I think democratic governments are going to need to become much more 
aware of the international precedent-setting role that they have.  So I think 
that’s on the government side. 

And then, on the user side, I think the difference – in the – in the two and a 
half years that I’ve been at GNI, the difference in, sort of, engagement on 
these issues in the press is just unbelievable.  I think probably the question 
I faced most frequently when I joined GNI was, why does GNI exist?  And nobody 
asks that question anymore.  And, you know, I think events that have happened 
in the last few years have really started to bring it home to users, and I 
think, in terms of users, sort of—companies having users’ trust and gaining 
and, sort of, retaining the trust of their users – being actively engaged on 
freedom of expression and privacy issues is just going to become more important.

MS. ROGGENSACK:  So, picking up on what Susan said – I think the U.S. 
government has done a good job of framing the issue and of reaching out to 
other like-minded governments, but at least here at home, I think we’d all 
agree that there’s still a lot that could be done by way of policy integration. 
 As Susan mentioned, there are a number of cross-currents; national security, 
intellectual property – the list goes on – where there’s a muddled message, and 
I think, to the extent that the freedom to connect Internet freedom – whatever 
we call it – could be more mainstreamed into the broader array of trade, aid, 
investment, procurement policies, the more likely it is that companies will be 
part of this conversation.  I don’t think this can be driven purely from the 
human rights bench over at State.  There’s got to be a wider constituency, and 
kudos to Shelly and to the chairman for providing a legislative vehicle which 
can also have, I think, a really powerful impact on driving this conversation 
forward and accelerating and focusing company awareness.

I think – as I said earlier, we shouldn’t be taking at face value what these 
companies say about what they’re doing.  We should be demanding a greater 
degree of transparency around what they’re doing.  There are only two companies 
right now that issue transparency reports: Google and Twitter.  And as 
important as those are, they are limited – and there are good reasons for that, 
but the biggest thing that we really don’t know is, what exactly are they doing 
with the requests that they’re getting from governments?  And I’m not asking 
about a specific request; I’m even asking just in the aggregate.  Is the 
picture getting cloudier or clearer?  Is the situation getting better or worse, 
and where can the rest of us help that and governments help that?  There’s no 
way to really know that unless we can get a better dialogue going.

One of the things that I think is so challenging for those of us that are not 
in companies is that we don’t have the level of understanding of the business 
that they do.  So we don’t understand the risks that they’re facing, and the 
only way that we can have an informed dialogue is if we can reach a place of 
trust or we can share that information a little more broadly, and that’s going 
to take time.  The GNI has really created a place, but it does – it does take 
time.  We know that from other multistakeholder initiatives, but that is really 
the place that we need to get and as quickly as possible.  We started 20 years 
ago in this dialogue with the footwear and apparel companies, but we don’t have 
20 years.  We don’t maybe even have two years.  The space is either going to 
close or stay relatively open depending on the decisions that we make in the 
next three, six, 12 months.

MR. MEHRA:  I’m just going to add one thing that, sort of, is in the crystal 
ball.  At the European level, the commission has – we all mentioned this – the 
commission has, sort of, chartered a group called SHIFT in New York and the 
Institute for Human Rights and Business to put together sector-specific 
guidance on how companies can evidence their responsibility to respect in the 
ICT sector. This guidance is going to be released, I think, in the new year, so 
this is something that we should all be keeping an eye out for too.  It could 
provide companies a valuable tool for how to interpret complex things like due 
diligence into their specific areas and operations.  It also will identify the 
risks that are particularly relevant for ICT companies.  So something that’s 
ongoing as well.  

MS. MORGAN:  Sorry, I was just going to add quickly to that.  So, I sit on the 
advisory panel for that – for that work, and I think there’s going to be a 
two-month consultation period when the guidelines come out in draft format, so 
there will be an opportunity to comment before they’re finalized.  

MS. HAN:  Great.  I appreciate all of the – all of your input and the 
participation of the audience today. I think Meg really hit it on the – the 
nail on the head when she said that we don’t have time, and I think that, you 
know, Mr. Smith is feeling quite urgent about having this legislation passed, 
but also to have the conversations continue that we need to have because the – 
I mean, even here in the U.S., we’re grappling with questions about, you know, 
shutting off the Internet in the transit system or, you know, questions about 
cybersecurity and the nexus with Internet freedom, and as Susan mentioned, 
these are all questions – what we’re doing here will certainly have an impact 
on what other countries are doing, but I think the fundamental thing that we do 
know is that, pretty much, once the rights are gone, it’s going to be really 
hard to claw them back, and particularly in countries and repressive regimes 
where you’re fighting an uphill battle to begin with, it’s going to be even 
harder.  So we’ve got a lot of work to do, and we hope that you’ll participate 
in the – in the ongoing dialogue that we have, and thanks for coming today.