Section 3- Discussion & Conclusions

This section examines the legal, regulatory, corporate social responsibility, and other public policy issues raised by our report’s findings. We focus on the responsibilities of Netsweeper, Inc. and the obligations of the Canadian government under international human rights law. We then suggest measures each could take to mitigate negative human rights impacts associated with Internet filtering technology.

3.1 Summary

This report has documented Netsweeper installations on public IP networks in ten countries presenting systemic human rights concerns. Netsweeper is a Canada-based company. Our findings raise issues of public importance regarding both Canada’s and Netsweeper’s compliance with international human rights law and commitment to corporate social responsibility (CSR). This section discusses these issues.

The purpose of this section is not to allege definitive violations of Canadian or international law, but to set out responsibilities and obligations both Netsweeper and Canada have under international human rights law, how they may be falling short, and how they may do better. In fact, there are no Canadian domestic laws that apply extraterritorially to the international uses of the Netsweeper products and services discussed in this report. Nevertheless, Netsweeper has responsibilities under international law to respect human rights such as the right to freedom of opinion and expression, a right that is clearly implicated by the filtering practices discussed in Sections 1 and 2.

The corporate responsibility to respect human rights encompasses, among other things, the establishment of human rights due diligence processes to identify, prevent, and mitigate how business operations impact human rights abroad. This onus is heightened in states with conflict-affected areas– like Afghanistan, Yemen, Pakistan, and Somalia– and with track records of human rights abuses, like those discussed in the country case studies in Section 2.

Canada has an obligation to protect human rights as well, which includes enacting and enforcing laws requiring businesses to respect human rights, providing effective remedies for victims, and setting clear expectations and standards for Canadian businesses operating abroad. There are ways both Netsweeper and Canada could do better in fulfilling international human rights law, discussed in this section.

This section proceeds as follows. First, it sets out the rights framework that is applicable to filtering technologies and the issues these technologies raise under international human rights law, including protections for the freedom of opinion and expression. Second, it sets out general corporate social responsibility principles for filtering companies and the ways in which Netsweeper is falling short. And third, it sets out Canada’s obligations and responsibilities for the human rights impact of Canadian businesses, including those operating abroad. We conclude this section by identifying concrete recommendations for how Canada can better meet the requirements of international human rights law.

3.2 The international human rights framework applicable to filtering technologies

The routine use of filtering technologies to mediate publicly-available Internet access by states poses a significant threat to human rights when that filtering is applied covertly, arbitrarily, without due process, or without regard for legitimate forms of expression. Companies operating within the market for filtering technologies must be aware of the risk that their products can be used to threaten and undermine human rights.

The practice of Internet filtering most directly threatens the right to freedom of opinion and expression (UDHR Art. 19, ICCPR Art. 19). This right includes the absolute right “to hold opinions without interference” (ICCPR Art. 19(1)) as well as the “freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers,” whether online or otherwise (ICCPR Art. 19(2)). Any state restriction on the right to freedom of expression must be provided by law and must be necessary “for respect of the rights or reputations of others” or to protect national security, public order, public health, or morals (ICCPR Art. 19(3)). The restriction must be the least intrusive measure available to achieve the intended function and proportionate when weighed against the consequences of limiting the right (ICCPR Art. 19(3), Kaye, A/HRC/32/38 at para 7). The implementation and effects of filtering technology may also impact a host of other protected human rights including, among others, the rights to liberty and security of the person (UDHR Art. 3, ICCPR Art. 9); the right to privacy (UDHR Art. 12, ICCPR Art. 17); protections against discrimination (UDHR Art. 7, ICCPR Art. 26); and minority rights (ICCPR Art. 27).

Human rights obligations are not relinquished in situations where a state contracts with a private company—such as an ISP or other digital intermediary—to provide public services or to enforce government policy (see Guiding Principles, 5). States’ duty to respect these international human rights obligations will often also be reflected in domestic laws and policies, which may impose specific legal requirements on the private sector to respect human rights.

Private companies maintain an independent responsibility to respect human rights. The United Nations Human Rights Council adopted this position in endorsing the Guiding Principles on Business and Human Rights (A/HRC/17/31). While domestic law in a given jurisdiction may provide a framework for Internet censorship, private filtering technology vendors cannot rely on the contracting state’s legal framework alone without also considering that state’s compliance with binding international law. The corporate responsibility to respect human rights “exists over and above compliance with national laws and regulations protecting human rights” (Guiding Principles, 11 [commentary). In some countries, human rights laws and policies may not be adequately implemented in practice and domestic legal frameworks may not provide meaningful recourse to victims. For this reason, private companies have independent responsibilities, including to avoid causing or contributing to adverse human rights impacts, and to prevent or mitigate adverse impacts “directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts” (Guiding Principles, 13). Depending on the context, this responsibility means business enterprises should, among other things, put in place due diligence processes to identify, prevent, and mitigate how their business operations impact on human rights (Guiding Principles, 17); provide a measure of transparency reporting on human rights policies and practices (Guiding Principles, 21); and ensure remediation for any adverse human rights impacts caused (Guiding Principles,22).

In conflict-affected areas, the risk of human rights abuses is heightened. Businesses have special responsibilities to ensure that they are not involved in facilitating such harms and states have similar responsibilities to ensure that this is the case (see Guiding Principles, 7). More fundamentally, states have responsibilities to ensure that their support for domestic business does not compromise their own international legal commitments and policies. The Guiding Principles on Business and Human Rights clarify that in addition to providing assistance to businesses navigating the challenge of operating in conflict-affected areas, states should deny “access to public support and services for a business enterprise that is involved with gross human rights abuses and refuses to cooperate in addressing the situation,” and should pay special attention to the possibility of gender-based and sexual violence (see Guiding Principles, 7). Notably, censorship and surveillance technology tends to have unique and disproportionate impacts on the rights of women and girls (see Citizen Lab, 2017).

3.3 Corporate social responsibility issues for Internet filtering companies

After two decades of academic studies and regular media reporting on the use of filtering technologies for public online censorship, companies providing Internet filtering technology are or should be aware of the rights-related impacts of their products. Some companies have taken principled stands on the issues. For example, security company F5, which offers products that include web filtering capabilities, has a detailed statement and full report on the company’s “Corporate and Social Responsibilities.” Juniper Networks, which also includes web filtering technology among its products, likewise has a statement. OpenDNS has an anti-censorship policy concerning its security and web filtering products, as does Forcepoint.

Groups of companies have also taken part in multi-stakeholder initiatives (MSI) on this point. One example of an MSI focused on corporate social responsibility is the Global Network Initiative (GNI), which was founded by NGOs, investors, academics, and key industry participants Google, Yahoo, and Microsoft to formulate a “code of conduct” for technology companies with an aim to promote transparency, privacy, and freedom of expression (Brown & Korf, 2012). Today, GNI-participating companies have expanded to include many key technology and telecommunications companies like Facebook, LinkedIn, Vodafone, and Nokia, among others. GNI issues guidance to participants and requires self-reporting and independent assessment of participant compliance with GNI principles and codes (GNI Accountability Framework).

Another framework for corporate social responsibility is the UN’s Global Compact, which now involves over 6,000 participants, including over 5,000 businesses in 130 countries. Participants agree to a set of 10 principles concerning human rights, labour standards, environmental rules, and corporate corruption. In particular:

“Principle 1: Businesses should support and respect the protection of internationally proclaimed human rights; and

Principle 2: Make sure that they are not complicit in human rights abuses.”

The prospects for enhanced accountability through the Global Compact are questionable, however, for although a mechanism to “exclude” members for non-compliance with the principles exists, no country has ever been so removed.

Despite the aforementioned examples of companies taking steps towards better CSR, many companies have yet to acknowledge any responsibility for equipping autocratic regimes, or governments presiding over widespread violence and humanitarian crises, with the means to control their population’s access to information.

In his 2017 report to the Human Rights Council, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, noted that filtering companies play a direct role in emerging human rights challenges:

“What governments demand of private actors, and how those actors respond, can cripple the exchange of information; limit journalists’ capacity to investigate securely; deter whistle-blowers and human rights defenders. Private actors may also restrict freedom of expression on their own initiative. They may assign priority to Internet content or applications in exchange for payment or other commercial benefits, altering how users engage with information online. Companies that offer filtering services may influence the scope of content accessible to their subscribers…” (A/HRC/35/22 at para 1).

“The private actors that make digital access possible mediate and enable the exercise of freedom of expression. To be sure, States drive most censorship and surveillance. But just as States often, but not always, rely upon providers to take the actions that make censorship possible, we as users — beneficiaries of the remarkable advances of the digital age — deserve to understand how those actors interact with one another, how these interactions and their independent actions affect us and what responsibilities providers have to respect fundamental rights…” (A/HRC/35/22 at para 3)

Technology companies in particular tend to operate as platforms, intervenors, and mediators in the exercise of human rights in the digital age. The business decisions of Internet filtering companies like Netsweeper can have a direct, measurable, and significant impact on the ability of individuals at home and abroad to meaningfully and safely exercise their human rights. And with that impact comes important human rights responsibilities.

3.3.1 Applying human rights and corporate social responsibility considerations in the case of Netsweeper

Our findings suggest Netsweeper products and services may be contributing to adverse human rights impacts abroad, as such products and services have been used to block political discourse, political opposition websites, religious content, local and media websites, and online privacy tools. For example, Netsweeper’s pre-defined “alternative lifestyle” filtering category effectively reduces for its government clients the cost, time, and complexity associated wtih censoring websites related to LGBTQ communities, gender identity, sexuality, and sexual orientation. Providing such filtering categorization, however, appears inconsistent with core corporate responsibilities to respect human rights such as freedom of opinion and expression and non-discrimination (see Guiding Principles, 11; 12).

Other findings likewise raise important human rights concerns. These include the use of Netsweeper for:

• Blocking sites across a range of political content, including websites affiliated with local political groups, opposition groups critical of government, local and foreign news portals, and regional human rights issues in countries like Bahrain, Kuwait, Yemen, and UAE
• Blocking Google searches for keywords related to LGBTQ identities such as “gay” and “lesbian” in the UAE, Bahrain, and Yemen
• Blocking a variety of non-pornographic websites in various countries on the basis of an apparent miscategorization of these sites as ‘Pornography’, including the websites of the World Health Organization, the Christian Science Monitor, the World Union for Progress Judaism, the Center for Health and Gender Equity, and Change Illinois
• Blocking access to news reporting on the Rohingya refugee issue, as well as violence against Muslims, from Al Jazeera, the Telegraph, ABC News Australia, and the Express Tribune for users in India
• Blocking a variety of Blogspot-hosted websites in Kuwait after categorizing them as ‘Viruses’, as well as a range of political content including foreign and domestic news portals, a website on the Kuwait Progressive Movement, and a website that monitors regional human rights issues
• Blocking a variety of websites that are not web proxies in various countries on the basis of an apparent miscategorization of these sites as ‘Web Proxy’, including the websites of Date.com, B’nai B’rith International, Gay.com (the Los Angeles LGBT Center), the World Jewish Congress, Feminist.org, Former Catholic, the Jewish Defense League, and TMZ

These and other uses of Netsweeper filtering products documented in this report implicate the right to freedom of opinion and expression (UDHR Art. 19, ICCPR Art. 19) including the freedom to seek, receive and impart information and ideas of all kinds (ICCPR Art. 19(2)). Such filtering, especially concerning content relating to national minorities and marginalized groups, may also impact rights to liberty and security of the person (UDHR Art. 3, ICCPR Art. 9); protections against discrimination (UDHR Art. 7, ICCPR Art. 26); and minority rights (ICCPR Art. 27).

It may be that some of the uses of Netsweeper installations with adverse human rights impacts result from errors or oversights, or constitute restrictions on the right to freedom of expression that are “provided for by law,” necessary “for respect of the rights or reputations of others,” or to protect national security, public order, public health, or morals (ICCPR Art. 19(3)), and are both “proportionate” and the “least intrusive measure available” to achieve the intended justifiable purpose (ICCPR Art. 19(3), Kaye, A/HRC/32/38 at para 7).

However, the UN Human Rights Committee, in General Comment No. 34, stated that “any restrictions” on blogs, websites, or any other “Internet-based, electronic, or other dissemination system,” including systems supporting such communication like Internet service providers, are generally only permissible under Article 19(3) if they are content-specific, that is, target content on sites, not sites themselves. Generic bans on the operation of certain sites thus would not be permissible. It also stated it is impermissible under Article 19(3) to block or prohibit a site solely on the basis that the site contains content critical of the government or political and social views promoted by the government. And any restrictions, on any of the grounds in Article 19(3), must conform with the ICCPR’s non-discrimination provisions.

Thus, any of the findings involving entirely blocked sites– including those of political groups and critical opposition groups, news portals, and regional human rights sites– would not be permissible restrictions on freedom of expression under Article 19(3). Blocking entire sites through miscategorization would similarly not qualify as a permissible restriction. In fact, the blocking of many of the sites noted here through miscategorization– including sites affiliated with health organizations and various social, religious, and political groups– is likely impermissible on other grounds as well, as the blocking is of content critical of the political or social views of the government, or the blocking is inconsistent with the non-discrimination requirements of the ICCPR. The more content-specific filtering of Google searches on “gay”, “lesbian,” and “LGBT” issues, as well as of news concerning Rohingya refugees and violence against national minority populations (e.g., muslims), and various religious sites, also appears to violate the ICCPR’s express non-discrimination requirements, rendering these restrictions on freedom of expression also impermissible under Article 19(3).

In short, none of these restrictions on freedom of expression appear to be permissible under Article 19(3). Indeed, there are strong international legal norms against Internet and web content filtering. As stated in the 2011 Joint Declaration on Freedom of Expression and the Internet, issued jointly by four special international mandates for protecting freedom of expression, mandatory blocking of entire websites through Internet content filtering is an “extreme” measure and content filtering systems imposed by governments or commercial service providers, which are not end-user controlled, constitute “prior censorship” and are “not justifiable as a restriction on freedom of expression.”

Moreover, if these and other uses of Netsweeper filtering products documented in this report are merely errors or oversights or are legally permissible under Article 19(3), then Netsweeper should indicate as such. Netsweeper should provide information as to any errors and oversights, specify any justifications for restrictions that are authorized by law, including information as to necessity and proportionality, and detail any remedial action taken on present or past adverse human rights impacts of its products. The public reporting of such information would be facilitated if Netsweeper were to fulfill its responsibilities under international human rights law to: establish due diligence processes to identify, prevent, and mitigate how its business operations impact on human rights (Guiding Principles, 17); ensure public transparency on its human rights measures, policies, and practices, particularly in relation to groups affected (Guiding Principles, 21); ensure remediation for any adverse human rights impacts (Guiding Principles, 22); undertake special measures or attention for minority groups within national populations, to account for unique challenges these groups face such as vulnerability and marginalization, as suggested by commentary accompanying the Guiding Principles; and take into account the fact that many states with which it does business have records for human rights abuses (as discussed in the country case studies in Section 2) or conflict-affected areas, which heightens risks and thus due diligence responsibilities ((Guiding Principles, 7 & 23).

Netsweeper has not to our knowledge publicly reported information as to filtering categorization errors, oversights, or applicable justifications for human rights restrictions. Nor are we aware of any human rights due diligence measures, policies, or practices that Netsweeper has in place to address these issues and heightened risks. We are also not aware of any remedial action it has taken in relation to these issues nor any special measures or attention given to the potential adverse impact on various minority groups implicated by these issues, including sexual minorities (LGBTQ content), ethnic and religious groups (Rohingya content; Jewish content), and groups focused on gender issues (feminist content), for example.

If Netsweeper was to put in place human rights due diligence processes with “clear and specific criteria” in relation to freedom of expression and other human rights; enact open CSR, anti-censorship, and human rights policies; establish measures for adverse human rights impact remediation; join MSI initiatives like the GNI or UN Compact; and, consistent with Guiding Principle 21, offer formal transparency reporting to the general public, and especially groups affected, about these and related policies and practices in relation to its business, it would be far better placed in relation to its responsibility to respect human rights. And if Netsweeper was unaware of the uses of its products outlined in this report, and any attendant adverse impacts on freedom of expression and other human rights, they should now take remedial action to mitigate these impacts and prevent them in the future (Guiding Principles, 17).

As Amnesty International noted in a report in 2017, it is often difficult to establish human rights claims against businesses because much of the relevant information is internal to the company. Reflecting that reality, the Guiding Principles, and the international legal standards they express, require businesses to set up human rights processes and policies and offer transparency about them. In short, businesses have “to know and show” that they respect human rights (Guiding Principles, 15). Netsweeper has failed to do so.

3.4 Netsweeper’s relationship with the Canadian government

Netsweeper has benefitted from substantial support from the Canadian government. This support has taken the form of financial support as well as trade promotion. Specifically, the company has been a direct recipient of financial support from the National Research Council. In 2009, Netsweeper was awarded $280,615 for support “with a research and development project.” In 2012, the company was awarded an additional $46,430 for a different project.

The government of Ontario has described Netsweeper as a “success story” of its Export Market Access program, which is designed to “assist small and medium size organizations (SME) to access and expand their growth in foreign markets.” Export Market Access program support included grants covering “up to 50% of eligible costs incurred to develop export sales,” up to $150,000. Netsweeper is an approved business under the program since at least January 2013 and is quoted by the program as having generated a “five-fold (500%+) return on our investment within nine months of our participation of EMA.”

Netsweeper has been included in international trade promotion through various levels and agencies of the Canadian government, including events and trips arranged by these agencies. For example, in December 2013 a trade mission to India was organized by the Department of Foreign Affairs, Trade and Development (now Global Affairs Canada) and Export Development Canada. The mission included ‘11 top Canadian ICT companies’, one of which was Netsweeper. The Ontario Government has also included Netsweeper in its promotional materials for a number of events, including a November 2015 “ICT Trade Mission” to Thailand, the August 2016 Technology in Government event in Australia, the October 2016 Gulf Information Technology Exhibition (GITEX 2016) in the UAE, the September 2016 IBC exhibition in the Netherlands, the September 2016 CTIA Super Mobility event in Las Vegas, and the 2017 Mobile World Congress in Barcelona.

In June 2017 Export Development Canada, in partnership with Wavefront Wireless Commercialization Society, announced that Netsweeper was included on a trade tour of telecommunications companies in Europe. The Trade Commissioner Service of the Government of Canada also included Netsweeper in its promotional materials for the 2013 Mobile World Congress in Barcelona. Dubai-based telecom du, a UAE sovereign-wealth-controlled enterprise that has used Netsweeper products and services to filter political and religious content, was awarded the International Business Green IT award by the Ontario Centers of Excellence. In receiving the award, a du representative noted their collaboration with “international partners like Netsweeper.”

In July 2016, Export Development Canada (EDC) provided a guarantee for the Royal Bank of Canada’s financing of Netsweeper’s sale to Bahrain. The transaction was described as “Sale of various Canadian goods and/or services” and was valued at less than $1,000,000. In testimony to the Standing Senate Committee on Human Rights, EDC representative Christopher Pullen was asked if EDC considered the human rights implications of guaranteeing a loan to facilitate the sale of censorship technology to a rights-restricting authoritarian government. Pullen stated that in any transaction, EDC evaluates “the nature of the product, the performance of the company and the countries in which they operate.” Noting previous Senate testimony from the non-governmental organization Above Ground, which criticized EDC’s guarantee of this transaction, Pullen noted that “the guarantee that is the subject of the complaint is no longer in place, nor is the company a customer of EDC.”

3.5 What are Canada’s obligations?

Canada has international human rights obligations under the United Nations’ Universal Declaration of Human Rights (UDHR); as a state party to the International Covenant on Civil and Political Rights (ICCPR); and as a member of the United Nations (UN Charter) and the international community of states, it is bound by applicable rules of customary international law. Many rules of international law are binding domestic law within Canada. For example, a large number of international human rights treaty commitments have been implemented through binding domestic Canadian legislation (see Canada’s Approach to the Treaty-Making Process), with the Rome Statute of the International Criminal Court being among the most well known. Customary international law also automatically forms part of domestic common law in Canada unless inconsistent legislation is enacted, as the Supreme Court of Canada held in R v Hape. Canadian courts have also held international law should inform statutory interpretation, judicial review, as well as the application of the Canadian Charter of Rights and Freedoms.

In fact, the Canadian Charter of Rights and Freedoms, with its protections for fundamental freedoms of expression, religion, thought, and peaceful assembly among others (section 2), voting and democratic rights (section 3), mobility rights (section 5), life, liberty, and security of the person (section 7), and equality (section 15) has long informed Canadian foreign policy values. Consistent with that influence, Canada claims a longstanding history of supporting the protection and promotion of human rights and democratic values abroad, including support for freedom of expression, association, and democratic participation; respect for the privacy, dignity, and security of individuals; the principle of non-discrimination on the basis of political, religious, or cultural grounds; LGBTQ rights; and support for the rights of women and girls. All of these rights are potentially at stake when Canadian companies sell products and services to governments with track records of abuse of Internet filtering technologies.

Even where the Charter of Rights and Freedoms does not apply directly, Canadian government decision-makers must take relevant Charter values and related international human rights principles into account when exercising discretionary powers. When the Canadian government provides major financial support to a private entity, that entity’s conduct abroad is more readily attributable to the Canadian government directly. Canada could ensure that businesses that are domiciled in Canada and subject to its jurisdiction respect and protect human rights in the course of their operations, including those operations that take place abroad (see Guiding Principles, 2). The activities of these businesses also have an impact on both Canada’s international reputation and its foreign policy objectives, making it vital to strive for policy coherence (see Guiding Principles, 8).

3.5.1. Canada’s responsibility for the human rights impact of domestic companies operating abroad

International human rights law has historically focused on protecting individuals from abuses committed by states, but these laws and norms can also apply to businesses. The UDHR, for example, speaks to responsibilities of individuals and “every organ of society,” which would include non-state actors like private businesses. And the ICCPR requires every state to “ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant…” Rights impacts of Canadian businesses fall within that scope. While these obligations do not require enacting specific measures to police the extraterritorial activities of businesses internationally, there is no prohibition on such measures, and it remains open for states to do so (Guiding Principles, 2). Moreover, states nevertheless also have a duty to provide an effective remedy for victims of human rights violations (UDHR Art. 8; ICCPR Art. 9; see Guiding Principles, 25). An “effective remedy” includes access to justice, compensation, and fair and respectful treatment (OHCHR, UN Doc A/RES/60/147).

Canada has a responsibility to set clear expectations and standards for Canadian businesses operating abroad (Guiding Principles, 2), including Netsweeper. The Government of Canada previously recognized this responsibility in the context of extractive companies and expressly linked it to Canadian policies on CSR:

“The Government of Canada expects Canadian companies operating abroad to respect human rights and all applicable laws, and to meet or exceed widely-recognized international standards for responsible business conduct. For those companies working or exploring opportunities in jurisdictions where local laws are not aligned with Canadian values, the Government of Canada encourages them to find ways to reflect Canadian values that also respect local laws. If this is not possible, companies may wish to reconsider their investment.”

In this report, we have documented uses of Netsweeper filtering products that have serious implications for a range of human rights, most notably, the right to freedom of opinion and expression (UDHR Art. 19, ICCPR Art. 19), including the freedom to seek, receive, and impart information and ideas of all kinds (ICCPR Art. 19(2)). Other rights implicated are rights to liberty and security of the person (UDHR Art. 3, ICCPR Art. 9); protections against discrimination (UDHR Art. 7, ICCPR Art. 26); and minority rights (ICCPR Art. 27). And as discussed earlier, these restrictions on freedom of opinion and expression represented by these uses are unlikely to be permissible under Article 19(3).

Moreover, we see little evidence that Netsweeper is carrying out its responsibility to respect human rights. This responsibility, as has been noted, includes putting in place human rights due diligence processes to identify, prevent, and mitigate how their business operations impact on human rights (Guiding Principles, 17); ensuring public transparency about any such measures, policies, and practices, particularly in relation to groups affected (Guiding Principles, 21); taking action to remediate any adverse human rights impacts (Guiding Principles, 22); taking special measures to account for minorities and marginalized groups impacted by these filtering uses; and taking into account through due diligence the fact that many of the states implicated in the filtering uses documented in this report have records for human rights abuses (Guiding Principles, 7 & 23).

The Government of Canada thus has a responsibility to address Netsweeper’s role in global Internet filtering practices. In fact, this is not the first time the Government of Canada has been called upon to respond officially to uses of Netsweeper filtering products raising human rights concerns. In September 2013, Canada’s Director General for the United Nations, Human Rights, and Democracy Bureau of Foreign Affairs, Trade, and Development Canada, in response to a letter about Netsweeper’s international business activities, stated that, while the government did not have the legal authority to act on specific extraterritorial human rights violations, Canada “expects Canadian companies working overseas” to abide by “applicable Canadian laws, ethical standards, and corporate social responsibility (CSR) practices.” She also acknowledged Canada promotes OECD guidelines for CSR that include provisions directing companies to “respect human rights” and for Canada to “assist them in doing so.”

Clearly, Canada could do more to ensure Canadian “dual-use” technology companies like Netsweeper are abiding by CSR practices and respecting human rights internationally. In contexts beyond ICT-related businesses and products, the UN Human Rights Committee has in fact expressed concern in Concluding Observations on Canada’s compliance with the ICCPR in July 2015, noting “allegations of human rights abuses by Canadian companies operating abroad,” and the “inaccessibility to remedies by victims of such violations.” In 2014, the Inter-American Commission on Human Rights (IACHR) released a statement urging the Organization of American States to “adopt measures to prevent the multiple human rights violations that can result from the implementation of development projects, both in countries in which the projects are located as well as in the corporations’ home countries, such as Canada.” And in June 2017, the United Nations Working Group on Business and Human Rights noted that “cases of alleged human rights abuse by Canadian companies abroad … continue to be a cause for serious concern.” While none of these statements concerned Netsweeper, they highlight how Canada could take greater action to ensure CSR and human rights are respected by Canadian companies abroad.

3.6 Recommendations for the Canadian government

Below, we set out several suggestions for how Canada can better meet and exceed its international human rights law duties and responsibilities.

3.6.1 Greater due diligence: financial incentives and transparency

Canada has an international legal duty to protect against human rights abuses within their jurisdiction by companies (Guiding Principles, 1), which includes enforcing laws aimed at, or which have the effect of, requiring business enterprises to respect human rights (Guiding Principles, 3). Moreover, with respect to those companies “that receive substantial support and services from State agencies,” the UN Guiding Principles note that Canada should encourage or require such companies to carry out human rights due diligence (Guiding Principles, 4). According to our research, however, Canada is falling short in the case of Netsweeper. Despite Netsweeper technology being used for state censorship internationally, it has received substantial trade and financial support from the governments of Canada and Ontario (notably through National Research Council grants and the Government of Ontario’s Export Market Access program).

The support provided to Netsweeper by the Canadian government, and the trade-related ties established between the company and government agencies, are powerful reasons to require that the company implement rights-respecting policies and business practices (see Guiding Principle 4). Importantly, commentary within the Guiding Principles notes:

“[T]he closer a business enterprise is to the State, or the more it relies on statutory authority or taxpayer support, the stronger the State’s policy rationale becomes for ensuring that the enterprise respects human rights.

Where States own or control business enterprises, they have greatest means within their powers to ensure that relevant policies, legislation and regulations regarding respect for human rights are implemented. Senior management typically reports to State agencies, and associated government departments have greater scope for scrutiny and oversight, including ensuring that effective human rights due diligence is implemented. (These enterprises are also subject to the corporate responsibility to respect human rights, addressed in Chapter II.)

A range of agencies linked formally or informally to the State may provide support and services to business activities. These include export credit agencies, official investment insurance or guarantee agencies, development agencies and development finance institutions. Where these agencies do not explicitly consider the actual and potential adverse impacts on human rights of beneficiary enterprises, they put themselves at risk – in reputational, financial, political and potentially legal terms – for supporting any such harm, and they may add to the human rights challenges faced by the recipient State.

Given these risks, States should encourage and, where appropriate, require human rights due diligence by the agencies themselves and by those business enterprises or projects receiving their support. A requirement for human rights due diligence is most likely to be appropriate where the nature of business operations or operating contexts pose significant risk to human rights.”

Human rights due diligence can be encouraged through financial incentives, government procurement standards, as well as transparency requirements. There is a great deal of secrecy surrounding “dual-use” technology companies operating abroad, particularly concerning the products and services they provide and their end users. A lack of transparency can facilitate rights abuses and undermine accountability. This lack of transparency is especially concerning as research has shown that “dual use” products and services like Internet filtering software or digital surveillance technology are easily misused, repurposed, and abused.

As an interesting example of what is possible, Canada presently uses its Trade Commissioner Service (TCS) as a resource for Canadian extractive companies operating abroad. As part of Canada’s “enhanced” CSR Strategy, Trade Commissioners are tasked to provide international contacts beyond business services to help extractive companies forge partnerships to conduct “social risk analyses” or “conflict analyses.” TCS missions also provide contacts to assist companies in forming partnerships with development organizations, to better understand the communities and regions in which they are operating.

Recommendation 1:

Where Canada or Provincial Governments provide direct financial support to businesses operating abroad, that funding could be tied to clear prohibitions against unlawful and unethical activities, and effective and ongoing due diligence, public transparency reporting, and other accountability measures to ensure compliance with these prohibitions. Such requirements could be backed by effective penalties for non-compliance, including mechanisms to freeze and, where appropriate, revoke financial support and services.

Recommendation 2:

Government entities within Canada, at the federal, provincial, or local levels, could establish human rights-oriented government procurement standards for “dual-use” technology companies. These could restrict the award of government contracts to those businesses that have human rights policies and due diligence processes in place, and strong records of respect for human rights overseas.

Recommendation 3:

Canada could mandate transparency. Mandated transparency can make an important difference, for example, by requiring the regular issuance of company transparency reports. Such reports could indicate the jurisdictions in which products and services are provided, the nature and scale of such products and services, and applicable legal and regulatory requirements in the jurisdiction of operation that may negatively impact human rights. This would also be consistent with the Government of Canada’s commitment to transparency and open government.

Recommendation 4:

Canada could expand the mandate of the TCS’s enhanced CSR strategy beyond the extractive sector to include “dual-use” technology companies. This approach could assist companies like Netsweeper to better understand the contexts in which they are operating, including the impact of their business activities on local populations and human rights more generally.

3.6.2 Empower the new Canadian Ombudsperson for Responsible Enterprise

The Canadian Ombudsperson for Responsible Enterprise (CORE) was announced in 2018 and represents a promising means for the Government of Canada to proactively investigate corporate rights abuses abroad. The Government of Canada announcement indicated that the CORE will be “mandated to investigate allegations of human rights abuses linked to Canadian corporate activity abroad” and “empowered to independently investigate, report, recommend remedy and monitor its implementation.” The Government also indicated that its focus will be “multi-sectoral,” first on “mining, oil and gas, and garment sectors,” and expanding after the first year to “other business sectors.” The intention to make the CORE’s focus multi-sectoral means that it could eventually reach “dual-use” technology companies like Netsweeper. A Government Q & A on the CORE indicates the Government is “committed” to ensuring the CORE has sufficient investigatory powers and budgetary allotment for independent fact finding. But it will only have the power to “recommend” sanctions, changes in corporate policy, or compensation for victims. There is room for improvements here, too.

Recommendation 1:

Canada could empower the CORE to ensure it can effectively carry out its mandate. This would involve giving the CORE sufficient powers to compel both witness and document disclosure, an adequate budget, as well as the power to order effective remedies for complainants. Canada could empower the CORE to make legally binding and mandatory remedial orders, including the capacity to impose sanctions, direct businesses to cease certain activities, and compensate victims of rights abuses. These powers to issue legally binding and mandatory orders and impose fines are similar to those enjoyed by British Columbia’s Information and Privacy Commissioner, as well as those the present Government of Canada has promised to confer on Canada’s Information Commissioner,

Recommendation 2:

CORE could also have express authority to take proactive measures to prevent human rights violations and not simply investigate complaints and harms after the fact. This authority might include setting rules and guidelines for Canadian companies operating internationally, and recommendations to the Government and Parliament, as well as how federal institutions– like embassies and consulates abroad– deal with Canadian companies found to be engaged in improper or abusive practices. Such an approach would be consistent with, and arguably beyond, the recommendations of the United Nations Working Group on Business and Human Rights, which urged Canada in June 2017 to “set out clear expectations for Canadian companies operating overseas.”

3.6.3 Make it easier for human rights victims to seek redress in Canada

Canada could do better in providing effective remedies for victims of corporate human rights violations, a central international human rights obligation. Essential to this obligation is ensuring that victims of human rights abuses committed by Canadian companies abroad can more easily seek legal redress in Canadian courts.¹ The UN Human Rights Committee expressed “concern” in its July 2015 Concluding Observations on its Sixth Periodic Report on Canada about the “inaccessibility to remedies” for victims of Canadian corporate human rights abuses “operating abroad.” The Committee also expressed “regret” about the “absence of an effective independent mechanism with powers to investigate” such complaints. Two years on, the UN Working Group on Business and Human Rights observed that international victims of Canadian corporate human rights violations were “continuing to struggle in seeking adequate and timely remedies against Canadian businesses.” Similarly, Canadian human rights experts and groups like Amnesty International contend that “individuals and communities” that have “suffered human rights harms” associated with Canadian businesses operating abroad “lack of an effective remedy.” Part of the challenge, as Amnesty International has noted, is that Canadian courts have historically declined to exercise jurisdiction to hear such cases, finding that the better forums to hear such claims are in the country where the alleged abuses occurred.

However, more recently, Canadian courts have shown more willingness to exercise jurisdiction and hear these claims. In Araya v. Nevsun Resources Ltd., for example, the British Columbia Supreme Court allowed a lawsuit brought by plaintiff workers from Eritrea, for violations of international norms against slavery and torture, to proceed against Canadian mining company NevSun. The Court held, and the B.C. Court of Appeal would later agree, there was a “real risk” that the plaintiffs would not receive a fair trial in Eritrea. Similar claims against other Canadian companies like Tahoe Resources and Hudbay Minerals are likewise proceeding. However, the Araya decision is being appealed and there remains a great deal of uncertainty in this area of law, with the balance of judicial precedents weighing against victims succeeding in their claims.

Recommendation 1:

Canada could take a bold step as an international human rights leader and enact a statute that provides clear legal standing and right of action for international victims of human rights abuses committed by Canadian companies abroad to proceed in Canadian courts. There is prior precedent for this in Canadian law. The Justice for Victims of Terrorism Act, for example, creates a cause of action in Canada for damage, injury, or loss, suffered anywhere in relation to an act of terrorism (with some conditions imposed). A similar statute tailored to harms and human rights violations caused by Canadian corporate practices could provide a significant incentive for companies to proactively take steps to ensure their products and services are not being used for rights abuses abroad, or face liability concerns.

3.6.4 Export transparency and controls

Narrowly tailored export controls are another policy lever that the Government of Canada can employ to prevent Canadian technology companies from exporting products, tools, and services to states with track records of human rights abuse. In Europe, export controls have been used to regulate the sale of spyware sold to foreign states that used the spyware to violate the rights of their citizens. More recently, the EU has moved to impose additional export controls on cyber-surveillance products and 11 EU countries have expressed support as of February 2018 for draft rules that would impose export restrictions on surveillance technologies. As a participating state of the Wassenaar Arrangement, the Government of Canada has put in place export controls and regulations that cover the sale of certain dual-use technologies to foreign jurisdictions, including “IP network communications surveillance systems or equipment” and items related to “intrusion software,” and requires licensing to export such dual-use technology. With sufficient precision, export controls could be extended to certain other “dual-use” technologies and products.

Moreover, transparency remains a problem in export licensing. The 2016 Annual Report issued by the Government indicates, for example, that 5,978 permits were issued for exported goods defined as military and strategic technologies, while only seven were denied. Little information beyond these basics is available. No insights are provided as to how human rights impacts are considered in licensing decisions, for example.

Recommendation 1:

Canada could follow Europe’s lead and clarify or amend its export controls to require licensing for Internet filtering software like Netsweeper that is provided to designated end users and/or for designated end uses that present significant human rights risks.

Recommendation 2:

Canada could provide greater transparency in how export licensing decisions are made. Very few license applications are denied. More transparency about this process, the basis for licensing decisions, and how human rights impacts are taken into account in the process would be helpful, and consistent both with Canada’s international human rights duties as well as its commitment to transparency and open government.

3.7 Conclusion

Research for this report demonstrates that a combination of methods could be used to identify and then analyze Netsweeper deployments around the world. First, we gathered a list of possible Netsweeper IP addresses from Internet scanning and Internet measurement databases. We found deployments in 30 countries. We performed additional testing to determine which of these installations were deployed on consumer-facing ISPs in countries of interest, which we defined as countries ranked as “Authoritarian” by the 2017 Economist Democracy Index, as well as India, Pakistan, and Somalia, which all have a history of Internet censorship. We then measured to see what sorts of websites installations in these countries were blocking. We found widespread blocking of freedom of expression sites, as well as some problems with Netsweeper’s categorization system, which allows operators of Netsweeper installations to block any of dozens of categories including “Pornography,” “Alternative Lifestyles,” and “Abortions.” We identified miscategorizations, such as the website of the World Health Organization categorized as “Pornography,” as well as problematic categories like “Alternative Lifestyles,” which appears to include nonpornographic LGBTQ content. While most of our measurements involved a vantage point in a censored country, we discovered it is also possible, in some cases, to remotely measure censorship (e.g., our Host Header test).

The use of Netsweeper technology by governments known to conduct censorship in breach of internationally-recognized human rights raises serious issues of corporate social responsibility and international human rights law. As set out in the UN Guiding Principles on Business and Human Rights (A/HRC/17/31), business enterprises operating abroad have a foundational responsibility to respect human rights under international law. This responsibility includes, among other things, putting in place due diligence processes to identify, prevent, and mitigate how their business operations impact on human rights, being transparent about these measures, and ensuring remediation for any adverse impacts. Other security, filtering, and technology companies have dealt with such issues by issuing corporate social responsibility statements and enacting anti-censorship policies, or have worked with other companies and civil society groups to promote human rights and provide transparency about their own human rights and corporate social responsibility practices. Netsweeper does not appear to have taken even these steps.

The Government of Canada has international obligations to protect human rights and the responsibility to set clear human rights expectations and standards for Canadian businesses operating abroad. The Government also has a duty to provide effective remedies in Canada for international victims of corporate abuses. Canada has recently taken important steps– like the move to establish the Canadian Ombudsperson for Responsible Enterprise (CORE)– which will be tasked with, among other things, investigating complaints concerning Canadian companies operating internationally, including their human rights impacts. The CORE could be given more powers and support to carry out this important mandate. But Canada could still do more, including encouraging stronger human rights due diligence practices for businesses through financial incentives, mandated transparency, funding for relevant research, statutory measures for easier victim redress, and export controls. While these would only be first steps, we argue they would be steps in the right direction.