Warsaw is tightening control over the Web in the name of national security — and setting an ominous precedent for other democracies.
- By Jan RydzakJan Rydzak is a Ph. D. student at the University of Arizona and a 2016 Google Policy Fellow with the Global Network Initiative in Washington, D.C.
“Yesterday, you were defending thieves; today, you’re defending terrorists.” With these words, uttered early this morning, the leader of Poland’s ruling conservative party silenced the parliamentary opposition. Not five minutes later, Poland had a new counterterrorism law — the terms of which go beyond what most of the democratic world has thus far seen.
The bill establishes a battery of eyebrow-raising security regulations that limit freedom of assembly in vaguely defined crisis situations and allow for the arbitrary detention and surveillance of foreign citizens. In the digital realm, it gives the country’s powerful intelligence service, the Internal Security Agency (ABW), the mandate to block websites deemed a threat to national security. When a (vaguely defined) state of emergency is declared, the new regulations also enable the police to disable all telecommunications (an equally vague term that could refer to anything from phone lines to internet access) in a given area. The law also grants intelligence operatives unencumbered access to key data on Polish citizens — all this in a country that hasn’t seen a major act of terrorism since 1939.
The law is the brainchild of the conservative Law and Justice Party (often known by its Polish acronym, PiS), which took power last November. Since the party’s stunning electoral triumph, the government — headed formally by Prime Minister Beata Szydlo and informally by party chairman Jaroslaw Kaczynski — has enacted a series of laws that have ignited protests in the streets and ire in Brussels. In quick succession, the party has paralyzed the constitutional court, asserted its control over public broadcasting, and greatly expanded the government’s powers of surveillance. It has defiantly stood by its reforms even as the European Commission launched its first-ever procedure to investigate threats to a member state’s rule of law.
The PiS government has made it a habit to shroud its most controversial laws in mystery, then push them quickly through a parliament where it enjoys an absolute majority. In the case of this law, though, there was a leak. In late April, an unmarked envelope from an anonymous source arrived on the doorstep of Panoptykon, the largest Polish foundation dedicated to protecting digital rights. Inside was a draft text of the counterterrorism law that passed today. Realizing the bill’s troubling implications, Panoptykon promptly made the text available for public scrutiny, hoping to spark public debate. NGO watchdogs, civil rights groups, and opposition politicians arose in a chorus of protest.
Fully aware of the power that comes with an absolute parliamentary majority, however, the government did not back down. Several days after the leak, a revised version of the draft law was quietly released on the website of the Polish parliament. Far from yielding to the public outcry, the architects of the bill doubled down by widening the definition of terrorist activity.
Now passed, the law will affect not only Poland, but will echo far and wide in the parliamentary chambers of other countries who are eager to reinforce their digital arsenal and searching for precedents to justify doing so. The bill holds the dubious honor of being one of the first in the democratic world to sanction the use of telecommunications shutdowns as a security tool — blurring the boundary between the legitimate, democratic enforcement of state security and outright digital repression.
That isn’t the only milestone. The law also grants Poland’s domestic intelligence agency unrestrained access to data on all Polish citizens, from all state institutions, with no prior approval from a court. Tax reports, vehicle information, bank statements, and data from investment funds and insurance providers will all be laid bare to intelligence operatives, with no need to formally request any of it. Meanwhile, the institutions harboring this information will not even know that the data has been harvested. The intelligence service will also have the power to suspend access to websites suspected of illicit activity for up to four months, based on definitions of possible terrorist activity that are hazy at best.
More ominously, blocking websites will not require the consent of a court. Instead, the head of the domestic intelligence agency must secure the approval of the Prosecutor General — a position PiS has recently unified with the Minister of Justice — rendering the process an exercise in rubber-stamp oversight among party colleagues. The law preserves a vestige of judicial authority by giving courts five days to assess the legitimacy of a takedown — but these assessments will only be made once the block is in place. And thanks to PiS’s war against the country’s constitutional court, no meaningful review of the constitutionality of any of these measures is currently possible.
A common thread runs through both the Polish bill and some recent legislation in other countries: ambiguity. In a newly published report on freedom of expression in the digital age, David Kaye, the U.N. Special Rapporteur on freedom of opinion and expression, decries vague laws on digital issues as gateways to abuse. Poland’s new bill is a case in point. It extends the definition of “terrorist acts” to any real or planned criminal activity, punishable by more than three years in prison, that is devised with the intention of spreading fear, disrupting the activity of the Polish government, or compelling it to act on a given issue. (This definition already existed in the Polish penal code, but until now, the lower limit had been five years). The change not only lowers the boundary for declaring a state of emergency; it also brings common crimes into the line of sight of the intelligence agencies. Branding someone a terrorist in Poland has never been easier.
The new counter-terrorism bill is the latest in a string of changes that are tightening the noose on the Polish Internet. The laws that embody these changes share four basic qualities: vague phrasing, lack of public consultation, ineffective mechanisms of control, and (thanks to the parliamentary dominance of PiS) hasty adoption.
The country’s revised surveillance law, passed in February, allowed police to acquire physical and electronic data — packages, emails, portable thumb drives, browsing history — without needing to justify it by reference to an ongoing investigation. This opened a vast landscape of information to arbitrary data collection. A new amendment to the country’s gambling act aims to create a blacklist of banned websites — ostensibly to curb illegal gambling — and imposes severe fines on telecom operators and Internet service providers that fail to block the sites. The previous government had also wanted to pass this bill six years ago — but its attempt collapsed thanks to a firewall of protest at its own public consultation hearings. But a government with an absolute majority has no need to take counsel with the public. When calls for a government-led consultation on the counterterrorism bill fell on deaf ears, Poland’s civil society scrambled to organize their own independent hearing. They wound up preaching to the choir: not one government representative was in attendance.
Poland’s digital fortification is not an isolated incident. One after another, and under varying pretexts mostly involving terrorism, democratic countries have been tightening their powers of surveillance and restriction online. The Polish counter-terrorism law is inspired by a sweeping measure passed in Hungary in 2011 that gave Viktor Orban’s government massive powers of covert surveillance with minimal judicial oversight, drawing firm condemnation from the European Court of Human Rights. France has put into effect a counter-terrorism law similar in scope, expanding its array of digital tracking tools while largely freeing those who use them from accountability. The danger inherent in all three cases is that what qualifies as a “threat” is exceedingly vague, rendering the threat of overreach very real.
Wholesale blocking of websites is nothing new (several countries bar access to web sites that traffic in child pornography, for example). But allowing security services to shut down telecommunications entirely is a radical innovation in the developed world, having appeared, so far, only in the law books of some developing nations like India, Brazil, and Turkey. Advocacy groups and multinational bodies are launching campaign after campaign to signal the proliferation of this “kill switch.” The #KeepItOn initiative, which aims to magnify the visibility of shutdown events and combat their growing presence, has documented more shutdowns in the first six months of 2016 alone than throughout all of last year, ranging from India’s flurry of regional bans to Brazil’s WhatsApp blackout. The threat of shutdowns is alarming enough in countries with flourishing digital ecosystems, but it is even more troubling in those that are falling behind in their region — and Poland is one of the latter.
New research reveals that most people want Internet freedom, but few trust governments to provide it. This mistrust will only deepen if governments continue to sanction frivolous restrictions on access to digital communication while failing to justify them by law — or conjure new laws to fit their intentions. The digital weapons previously wielded exclusively by autocracies are streaming into the democratic world. Rather than standing by as governments pull the plug, citizens should fight to ensure that the Internet remain free.
In the photo, Jaroslaw Kaczynski, leader of Law and Justice party (PiS), speaks during an evening ceremony in front of the presidential palace in Warsaw marking the sixth anniversary of the presidential plane crash in Smolensk, on April 10.
Photo credit: WOJTEK RADWANSKI/AFP/Getty Images