Cybersecurity policies and human rights perspectives at the Internet Freedom Festival
The Internet Freedom Festival, which takes place in Valencia, Spain on a yearly basis, has become one of the main events for civil society to gather around issues of surveillance, censorship and circumvention worldwide. Hundreds of activists, journalists and members of the technical community get together to explore trends, challenges and strategies.
At this 2017 edition, APC is fully supporting the IFF as a partner, along with organisations like Hivos and CPJ. Join our sessions on topics that range from cybersecurity to the importance of the internet for economic, social and cultural rights, or how to move forward in the process of building a feminist internet.
APC’s Mallory Knodel started by introducing a working group of the Freedom Online Coalition (FOC), a partnership of 30 governments that was born in 2011 to support internet freedom and protect fundamental human rights online worldwide, including the rights to freedom of expression, association and assembly and privacy. It was established at the inaugural Freedom Online Conference in The Hague, the Netherlands, and has members spanning from Africa to Asia, Europe, the Americas, and the Middle East. Coalition members work closely together to coordinate their diplomatic efforts and engage with civil society and the private sector to support internet freedom and rights worldwide.
The FOC working group, “An Internet Free and Secure”, has a mandate through May 2017 to establish norms on cybersecurity and human rights. Defining cybersecurity as key to privacy and freedom of expression has been at the core of the working group’s efforts, in the context of increasing securitisation of the internet, with the aim to put people at the centre and avoid national security serving as an umbrella to curtail rights.
The session continued by going through the recommendations made by the FOC working group to achieve “an internet free and secure”, on which participants were asked to comment:
- Cybersecurity policies and decision-making processes should protect and respect human rights.
- The development of cybersecurity-related laws, policies and practices should from their inception be human rights-respecting by design.
- Cybersecurity-related laws, policies and practices should enhance the security of persons online and offline, taking into consideration the disproportionate threats faced by individuals and groups at risk.
- The development and implementation of cybersecurity-related laws, policies and practices should be consistent with international law, including international rights law and international humanitarian law.
- Cybersecurity-related laws, policies and practices should not be used as a pretext to violate human rights, especially free expression, association, assembly and privacy.
- Responses to cyber incidents should not violate human rights.
- Cybersecurity-related laws, policies and practices should uphold and protect the stability and security of the internet, and should not undermine the integrity of infrastructure, hardware, software and services.
- Cybersecurity-related laws, policies and practices should reflect the key role of encryption and anonymity in enabling the exercise of human rights, especially free expression, association, assembly and privacy.
- Cybersecurity-related laws, policies and practices should not impede technological developments that contribute to the protection of human rights.
- Cybersecurity-related laws, policies and practices at national, regional and international levels should be developed through open, inclusive and transparent approaches that involve all stakeholders.
- Stakeholders should promote education, digital literacy, and technical and legal training as a means to improve cybersecurity and the realisation of human rights.
- Human rights-respecting cybersecurity best practices should be shared and promoted among all stakeholders.
- Cybersecurity capacity building has an important role in enhancing the security of persons both online and offline: such efforts should promote human rights-respecting approaches to cybersecurity.
Regarding how these recommendations are taken into account in policy making, several participants offered feedback on the notice of intention to develop a South African national cybersecurity policy, which does not make reference to human rights. How will rights be protected if there is no mention of them in the notice? Mention of multistakeholderism was noted as a positive development, but its vagueness leaves room for human rights breaches. It was also stressed that South Africa is one of only two African countries, along with Egypt, to join the Budapest Convention, so it should take a leading role in the continent and ask for more feedback within the African Union.
Participants were asked what else they would add to the list of recommendations.
Comments centred on the observation that cybersecurity and cyberpolicies treat people as threats instead of targets, and also that rights and security are necessarily two sides of the same coin.
More specifically, it was stressed that the recommendations as a norm-setting document that guides advocacy work must be put into a more actionable context with specific examples, best practices, and guides such as a glossary of keywords. Advocates and legislators would want to reference provisions, soft laws and other norms in evaluations of cybersecurity policies. Context is important for a localised approach that responds to threats and challenges, which vary across regions and sectors. Highlighting the human aspects, impact and consequences of cybersecurity is key to policy advocacy as is the inclusion of examples of successful policies that implement these recommendations well.
More information on the recommendations can be found here .