Ten Years After Snowden Revelations — We Are Still Looking for Privacy and Security Balance

Agenda

14:00-14:05  Introduction
14:05-15:45  Panel Discussion

  • Moderator:
    – Sung-Mei Hsiung, Attorney, Deloitte Legal
  • Panelists:
    – Singing Li, CEO, Open Culture Foundation
    – Hsin-Hsuan Lin, Assistant Professor, The Department of Political Science of National Cheng Kung University
    – Po-Wen Chi, Associate Professor, Department of Computer Science and Information Engineering, National Taiwan Normal University
    – Chen-Ching Huang, Sub-Division Chief, Technology Crime Prevention Center, Criminal Investigation Bureau

15:45-16:00  Q&A

Meeting Minutes
Singing Li, CEO of the Open Culture Foundation

Ms. Singing Li first stated that there is indeed a tension between national security and individual privacy, and neither can be neglected. Nonetheless, the government cannot infringe upon privacy rights under the pretext of national security.

Ms. Li further emphasized that global digital platforms, including streaming media and large social media platforms, possess a significant amount of user data and private information. According to a survey conducted by the Taiwan Association for Human Rights, there is a lack of transparency when the government requests data from digital platforms. The government only complies with the regulations of the Communication Security and Surveillance Act when requesting data from telecommunications operators. The Ministry of Justice currently refuses to disclose the data it retrieved from the platforms, citing reasons such as “obstructing criminal investigations” and “hindering investigative efficiency.”

On the international front, the “Ranking Digital Rights” (RDR) project assesses the human rights performance of major global digital platforms and telecommunications companies based on open data. The evaluation covers three main aspects: corporate governance, privacy, and freedom of speech and information. In Taiwan, the assessment conducted by RDR primarily focuses on digital privacy. In general, the assessed companies in Taiwan provide privacy policies in compliance with the law. However, there is still room for improvement in terms of user protection, including aspects such as how user information is stored, mechanisms for responding to government requests for user data, providing relevant information to the government when requested, and informing users when their information is being accessed. Scores in these areas are relatively low.

Ms. Li concluded that there are three essential characteristics in privacy: transparency, openness, and non-compromise. Transparency fosters trust between users and platforms, while openness provides flexibility, allowing users to decide what data the platform can access. Although national security is crucial, privacy is also a fundamental civil right that must be protected. Ultimately, privacy protection also impacts the digital economy. For example, due to the lack of respect for user privacy by large tech platforms like Meta and X (formerly known as Twitter), many users have chosen to abandon these platforms.

Hsin-Hsuan Lin, Assistant Professor, The Department of Political Science of National Cheng Kung University

Professor Hsin-Hsuan Lin began with a briefing on the Edward Snowden case. In 2013, Snowden, a former employee of the United States National Security Agency (NSA), disclosed to media outlets that the NSA had been systematically and massively collecting intelligence on both American and foreign citizens for national security purposes. This revelation caused a significant uproar at the time. Subsequently, Snowden became a permanent resident in Russia and received asylum there. To this day, he remains wanted by British and American authorities.

After the Snowden incident, media outlets began to expose how the United States National Security Agency (NSA) engaged in large-scale internet surveillance for collecting intelligence. The NSA served as the hub for surveillance programs and, because it is part of the Five Eyes alliance, it facilitated cooperation with intelligence agencies in the United Kingdom, Canada, Australia, and New Zealand. The NSA, operating as a national agency, also required large tech companies like Facebook, Amazon, and Apple to provide people’s personal data.

The United States Foreign Intelligence Surveillance Act (FISA) explicitly defines electronic surveillance and authorizes national security agencies and intelligence units to conduct large-scale surveillance under certain authorized circumstances. In general, government surveillance typically requires obtaining a court order. However, under Section 702 of FISA, the U.S. government can conduct surveillance on non-U.S. citizens located overseas without the need for a court order.

In terms of the national security surveillance review process, U.S. intelligence agencies submit communication records that meet the surveillance threshold for review by the Department of Justice. After the review, the Foreign Intelligence Surveillance Court issues surveillance warrants if warranted.

After the Snowden revelations, human rights advocacy organizations such as Amnesty International filed lawsuits against the U.S. surveillance framework, arguing that the NSA’s surveillance programs had violated citizens’ privacy. However, these lawsuits were rejected by the Supreme Court, and subsequent related cases have seen similar outcomes with very few successful results. Judges often held that the plaintiffs’ fear of being “highly suspected of being monitored,” based on their own speculation, was insufficient to establish a clear and substantive infringement of their rights. Additionally, the argument was made that when people voluntarily share their data with third parties like telecommunications companies or businesses, they lose a reasonable expectation of privacy. This is known as the “third-party doctrine.”

Professor Lin summarized that to regulate large-scale surveillance, key considerations include legal basis, scope of regulation, targets of regulation, strict oversight of data’s subsequent use, democratic accountability and oversight mechanisms, and public-private cooperation models, among other aspects.

Po-Wen Chi, Associate Professor, Department of Computer Science and Information Engineering, National Taiwan Normal University

Professor Po-Wen Chi began by introducing the different perspectives of Edward Snowden and the U.S. NSA regarding surveillance. Snowden believed that the U.S. government’s data collection efforts, while technically legal due to secret court proceedings, had never been challenged in court. He argued that people should use their online influence and transparency to oversee the government rather than being monitored by it. In contrast, the NSA countered that the agency had intercepted a significant number of suspicious events through surveillance measures, thereby safeguarding national and individual security. The NSA also emphasized that the relevant surveillance activities were subject to oversight and regulation.

Professor Chi then quoted the perspective from the Japanese novel “Legend of the Galactic Heroes” to emphasize that people’s views on privacy and national security are not fixed but continuously change due to different contexts and experiences. For example, people may perceive the United States as being highly sensitive or even hysterical about the threat of terrorism. Still, terrorism is a real experience in the United States, so it’s not surprising that the U.S. government places a high emphasis on national security.

The dilemma between privacy and national security does not have a one-size-fits-all balance point; the related systems and laws reflect underlying values and can change over time. Professor Chi suggested that we should emphasize the freedom of choice for technology users. When users prioritize privacy, they may forfeit their rights to certain services, and this choice should be respected. Furthermore, users’ choices should not lead to discrimination, as those who choose not to use digital technology for privacy reasons should not face discrimination.

It’s also important to enhance users’ digital literacy so that they can protect themselves. At the same time, strengthening users’ online resilience is crucial. When people place a higher value on privacy, it often means reduced government intervention, but it may also lead to harm among individuals, such as online bullying or harassment. Therefore, improving users’ online resilience is essential in this context.

Professor Chi pointed out that when Google provides online services, it needs to collect, view, and sometimes modify user data, which is a common practice for service providers. However, users often want to protect their privacy while enjoying online services. To meet these expectations, the field of cryptography has developed “homomorphic encryption technology,” where all “services” are provided in an encrypted state. Although this technology appears to be a win-win solution, it is not yet mature and cannot be practically applied in real-life situations.

Chen-Ching Huang, Sub-Division Chief, Technology Crime Prevention Center, Criminal Investigation Bureau

From a crime prevention perspective, Mr. Chen-Ching Huang analyzed how technological advancements have led to changes in the patterns of criminal activities. For example, fraud crimes have evolved into new forms like app-based scams, online gambling, and investment fraud. These new types of fraud often involve cross-border operations and cybercrime methods, making it challenging for law enforcement agencies to combat them effectively. Fraud groups are difficult to prevent, and because their IP addresses are frequently located overseas, jurisdictional issues have arisen. The Cambodian fraud case highlighted the increasing internationalization of fraud activities.

Criminals can exploit cryptocurrencies for money laundering and rapid transfer of illicit funds, and the decentralized nature of these currencies makes it more difficult to trace the flow of funds. In the case of personal data breaches, fraud groups can obtain individuals’ personal information through various channels and use it for sending phishing messages. They may also employ tactics like setting up rogue cell towers for network phishing. Mr. Huang emphasized that personal data breaches are a significant issue, and in addition to Western intelligence agencies, hacker groups may gather even more personal data and sell it on the dark web.

Mr. Huang noted that after the Snowden incident, public awareness of privacy increased, and companies like Apple even refused to cooperate with the FBI in unlocking the iPhone of a Saudi Arabian military officer involved in a shooting of American soldiers. In Taiwan, the draft Technology Investigation Act, which contains relatively lenient regulations regarding GPS and aerial surveillance, has sparked privacy controversies. Mr. Huang believes that the specific provisions of the evidence collection process in the Technology Investigation Act may be overly clear, making investigative intentions too obvious.

The European Union’s strong emphasis on privacy has had an impact on cybercrime prevention. Before 2018, law enforcement authorities could use WHOIS domain lookup services for investigations, simply by entering a website’s URL to access relevant registration information. This information was crucial in tracking down fraudulent websites. However, after the European Union’s General Data Protection Regulation (GDPR) came into effect, the public WHOIS data, which included personal information such as the names, phone and fax numbers, email addresses, and personal addresses of registrants and technical administrators, was considered non-compliant with GDPR.

Presentation Download (provided with the consent of the speaker)
  • Singing Li, CEO, Open Culture Foundation – Presentation Download
  • Hsin-Hsuan Lin, Assistant Professor, The Department of Political Science of National Cheng Kung University – Presentation Download
  • Po-Wen Chi, Associate Professor, Department of Computer Science and Information Engineering, National Taiwan Normal University – Presentation Download
  • Chen-Ching Huang, Sub-Division Chief, Technology Crime Prevention Center, Criminal Investigation Bureau – Presentation Download