Deborah Brown and Anriette Esterhuysen
Publisher: APCNews 28 November 2019
In his first address at the high level opening of the UN General Assembly in 2017, Secretary-General António Guterres highlighted escalating cybersecurity threats as a leading threat to international security. In addition to the threat of cyberwar, cyberattacks have resulted in the closure of hospitals, have taken electrical grids offline, brought major cities to a standstill, and even affected the integrity of democratic processes. A recent report commissioned by IBM puts the global average cost of a data breach to a company in 2019 at USD 3.92 million.
As threats to cybersecurity are becoming more commonplace, sophisticated and severe, it is no wonder there is increased focus on strengthening cybersecurity by governments, industry and the technical community alike. However, efforts to bolster cybersecurity often ignore the human rights dimension, or worse, view human rights as an impediment to cybersecurity. This is a dangerous and misguided assumption. Cybersecurity is a human rights issue, and it is time to start treating it like one.
There is no universal definition of cybersecurity; however, the definition developed by the “Internet Free and Secure” working group of the Freedom Online Coalition (FOC), which was composed of technologists, human rights experts and government, is instructive. Inspired by the International Organization for Standardization 27000 standard, the FOC working group defines cybersecurity as “the preservation – through policy, technology, and education – of the availability, confidentiality and integrity of information and its underlying infrastructure so as to enhance the security of persons both online and offline.”
Why cybersecurity is a human rights issue
Using the FOC definition of cybersecurity as a basis, it is easy to see how threats to cybersecurity – or cyber insecurity – can be human rights violations. The denial of availability of information and its underlying infrastructure, in the form of network shutdowns, for example, violates a wide range of rights, including by unduly restricting access to information and the ability of people to express themselves, peacefully assemble and associate, as well as enjoy a range of economic, social and cultural rights. In 2018, 196 internet shutdowns were documented in 68 countries.
There are countless examples of the confidentiality of information being compromised, whether through data breaches for financial gain, mass government surveillance or targeted attacks on human rights defenders or journalists, in violation of the right to privacy, among other rights. Breaches of the confidentiality of communications through surveillance is linked to severe human rights violations, like detention, torture and extrajudicial killings. An example of a particularly egregious case is the surveillance of Saudi dissident Omar Abdulaziz, which contributed to the extrajudicial execution of Saudi journalist Jamal Khashoggi. According to a lawsuit, Abdulaziz’s cell phone was targeted by the Saudi Arabian government with spyware, compromising the confidentiality of his communications with Khashoggi about opposition projects in the months leading up to Khashoggi’s killing.
While most people are likely to experience some form of cyber insecurity in their lifetime, even people for whom meaningful access to the internet is a challenge, cyber insecurity is not experienced evenly by everyone. Human rights defenders, journalists, and people in positions of marginalisation or vulnerability, because of their religion, ethnicity, sexual orientation or gender identity, for example, can experience particular risk. For example, they are more likely to be targeted by government or lateral surveillance, and the consequences of broader threats like data breaches or network shutdowns are often more severe for them because of their location within society.
As more people and devices are connected, the risks that come with cyber insecurity will only increase. Unfortunately, governments are either not centring cybersecurity discussions on human rights, or worse, they are using cybersecurity as an excuse to exercise more control over the internet.
The securitisation of “cyber”
The development of laws, policy and norms on cybersecurity tends to take place in highly opaque, securitised settings without the benefit of civil society input or human rights expertise. This runs counter to the multistakeholder approach to internet governance, which relies on the full involvement of governments, the private sector, civil society and international organisations. Critically, this approach excludes the expertise and monitoring required to protect human rights. Often, cybersecurity discussions happen in the confines of intelligence services, or other government or military agencies that are not subject to public scrutiny or oversight. Cybersecurity is also sometimes equated with national security, which is characterised as a sacred sphere in which governments can do whatever they want and without public scrutiny, much less oversight. As a result, cybersecurity law, practices and policies are often divorced from a human rights framework, and susceptible to abuse of power.
International cybersecurity debates miss the mark
It is well established that international human rights law applies to digital technologies. However, when it comes to cybersecurity, international human rights law is not central to discussions, if a factor at all. This is partially due to the fact that international discussions on cybersecurity predominantly respond to the issue of state-on-state attacks and fall under the rubric of international security and disarmament. Nonetheless, the tenor of these discussions, and the norms that stem from them, have implications for how states approach cybersecurity at the national level. Of particular concern are efforts by the Shanghai Cooperation Organization (SCO), which for years has been working to advance the concept of extending national sovereignty and information control in cyberspace.
The UN has held since 2013 that international law, which includes international humanitarian law and international human rights law, applies in cyberspace. In 2015, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security further elaborated that respect for human rights and fundamental freedoms is seen as being “of central importance” and recommended that states should respect the UN resolutions that are linked to human rights on the internet and to the right to privacy in the digital age.
While the international community has gotten stuck on how international law applies in cyberspace, the focus has primarily been on international humanitarian law. This approach is flawed for several reasons. First, international humanitarian law applies only in times of armed conflict, whereas international human rights law applies at all times (in peace and war). Given that most of the types of cyber insecurity are experienced during peacetime (or at least in the absence of a declared cyberwar), international human rights law is more frequently the applicable framework. Second, and relatedly, centring debates on international humanitarian law may somehow advance the belief that states are in a perpetual cyber conflict, leading to an escalation in cyberattacks. Third, international humanitarian law is a legal framework more permissive of harm to the general public than is ordinarily allowed.
International human rights mechanisms provide specific guidance that is relevant for cybersecurity, and should be drawn on in the development of norms for responsible state behaviour in cyberspace. For example, reports of UN Special Procedures explain why strong encryption is necessary for the confidentiality of information and how network shutdowns are in violation of human rights law and unduly interfere with the availability of information. There is a well established body of norms under international human rights law, namely the UN Guiding Principles on Business and Human Rights, which spell out the responsibility of the private sector to respect human rights, mitigate adverse effects, and remedy harm. This is a critical point, given that the private sector owns and/or operates most of the infrastructure, hardware and software upon which the internet relies.
Security for whom?
Perhaps the most pernicious threat is that states exploit the serious nature of cybersecurity threats to take liberties that enable them to exert their power in cyberspace in ways that directly undermine human rights. When assessing a cybersecurity framework, it is essential to ask: Security for whom? Security from what? And security by what means? Too often the answers to these questions reveal that the state defines security as protecting itself from political instability, applies disproportionate measures to ensure its own preservation, and itself becomes the source of insecurity.
To give just a few examples, in Vietnam a cybersecurity law was passed last year that allows the government to force technology companies to hand over potentially vast amounts of data, including personal information, and to censor users’ posts. The previous year in China, a cybersecurity law was adopted that requires companies to censor “prohibited” information, restricts online anonymity, including by requiring real name registration, and mandates the storage of Chinese users’ data within the country. In Israel, the proposed Cyber Security and National Cyber Directorate Bill would give the government sweeping new powers to hack the computers or phones of any person or entity that is defined as a threat to cybersecurity and to access the device and extract data without a court order. Earlier this year, the Venezuelan government proposed the Constitutional Law of Cyberspace, which declares Venezuelan sovereignty over cyberspace and would require messaging service providers to censor content without a prior judicial order or respect for minimum guarantees for due process among other measures to extend state control of the internet.
Each of these examples demonstrates a government instrumentalising security at the expense of human rights, in particular the rights to privacy, freedom of expression, association and assembly, and incidentally, at the expense of cybersecurity, i.e. the availability, confidentiality and integrity of information and its underlying infrastructure.
Putting cybersecurity on the rights track
In order to safeguard human rights in this digital age, it is time to start treating cybersecurity as a human rights issue.
First, there is the need to challenge the prevailing view that human rights are an impediment to security. Perhaps the most widely cited example of human rights standing in the way of security is the assertion that encryption, which is critical for exercising the right to privacy, impedes law enforcement in conducting its work. Time and again, governments make the case for building in backdoors and weakening encryption in order to provide access to encrypted communications for law enforcement. However, experts are in agreement that it is not possible to provide access to encrypted communications for one government without doing so for all governments and for malicious non-state actors. To put it another way, weakening cybersecurity for law enforcement purposes cannot be done without weakening security for all, and putting everyone’s human rights at risk. This is because cybersecurity is inextricably linked to human security, which is a fundamental human right. Cybersecurity and human rights are complementary, mutually reinforcing and interdependent. Both need to be pursued together to effectively promote freedom and security.
Second, it is critical to apply human rights-based approaches to cybersecurity laws, policies and practices. The danger of cyber insecurity should never be used as a pretext to violate human rights. Instead, recognising that individual and collective security is at the core of cybersecurity means that protection for human rights should be at the centre of cybersecurity policy development. At the international level, it is imperative to root deliberations on cybersecurity in international human rights law. The Freedom Online Coalition “Internet Free and Secure” working group developed a set of cybersecurity and human rights-focused policy recommendations towards ensuring that cybersecurity policies and practices are based upon and fully consistent with human rights – effectively, that cybersecurity policies and practices are rights-respecting by design. These recommendations, which have been endorsed by 30 FOC governments and over two dozen NGOs, are a useful starting point for rooting cybersecurity policies and practices in human rights.
Third, companies must respect human rights, and governments must hold them to account. The UN Guiding Principles on Business and Human Rights provide the necessary framework; however, there is a need for more scrutiny and oversight of technology companies – both of those that provide the hardware and software used for launching cyberattacks and those that serve as the first line of defence in cyberattacks. In addition to conducting human rights impact assessments to identify, understand, assess and address the adverse effects of their policies and practices on the enjoyment of human rights, they should be conducting cybersecurity due diligence to review the governance, processes and controls that are used to secure the information they process. Companies have advanced self-regulatory initiatives like Microsoft’s Cybersecurity Tech Accord, which aims to respond to cybersecurity threats that put people’s rights at risk, but does not take an explicit human rights framing, and therefore has some gaps.
Governments can also do more to regulate the technology industry to prevent and mitigate human rights violations as a result of cyber insecurity. For example, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression recently called for a moratorium on surveillance technology. Such bold moves are needed not just for the surveillance technology industry, but for the technology sector writ large, to ensure that companies are not profiting off of human rights violations or treating people’s data recklessly.
Fourth, cybersecurity processes need to be multistakeholder and inclusive, as well as multidisciplinary, infused with human rights and technical expertise. This means taking cybersecurity outside the confines of national security and intelligence agencies and challenging assumptions that cybersecurity is first and foremost a national security issue. Given that citizens are so often asked to make sacrifices in the name of national security, it is crucial that the bases for those sacrifices are scrutinised for their necessity and proportionality; that there is independent oversight of responses to national security threats to ensure that they are justified; and that there is more transparency as well as public debate to ensure that national security is not being equated with regime security.
Digital technologies present new and unforeseen challenges to human rights and security, which will require more documentation, research and analysis. Until cybersecurity and human rights are understood and treated as mutually reinforcing and complementary, both will suffer.
See Human Rights Council Resolutions on “The promotion, protection and enjoyment of human rights on the Internet” 20/8 (2012), 26/13 (2014), 32/13 (2016), and 38/7 (2018).