20. Manufacturers of ICT hardware and software shall be liable for negligent security failures that cause harm.

Rapporteur: Metta Spencer

Unless you live in a cave, you probably depend on a refrigerator, online bank account, airline traffic control system, oil pipeline, water treatment plant, car, subway, electric power plant, WiFi router, and maybe your pacemaker(1) and insulin pump.(2) Nowadays all of those things can be controlled by computers that can be hacked.(3) When that happens, whose fault is it, and what can you do about it?

If you ask a court who’s to blame, the judge will probably pin it all on a hacker criminal, who probably cannot be found. Yes, the hacker is the main culprit, but the programmers enabled him by writing buggy software that their company’s executives hurriedly sold without having it tested properly. The negligent vendors of such inferior products should be held accountable.

If you buy a TV set that explodes (and that has actually happened!) the manufacturer is liable for damages, but if you buy software, you probably don’t actually own it; you’ve just paid for a license to use it. (Remember that “terms of service” agreement you signed without reading it? That’s when you signed away your claims against the manufacturer, who now cannot be held liable for the software’s shoddy performance or its vulnerability to hacking. But you didn’t have much choice. You could take or leave it, so you signed, as we all do.)

The relevant laws are unlikely to be changed until internet insecurity becomes lethal. So far, the harm that hackers inflict is mostly inconvenience or financial loss—and the financial losses are far greater than the public knows. Banks and corporations avoid publicity about such events.


Yet the potential also exists for massive attacks on infrastructure that cost lives. Airliners are now acknowledged to be vulnerable to hacking,(4) though none of them have been crashed by it yet. Russian teams have hacked more than 20 US power stations, but without causing damage; apparently they were only testing their capability.(5) We don’t know how many Russian power stations the American teams have penetrated, but NSA is the acknowledged “gold standard” organization for such activity.

Now imagine that thousands of airliners, banks, electric grids, gas pipelines, and electric cars are seized all at the same time. Finally, as the cyber security expert Benoit Morel writes, “there is a realization that through the process of unlimited reliance on computer and ICT technology, the United States is increasingly exposed to potential devastating cyberattacks on its critical infrastructure, a kind of cyber Pearl Harbor.”(6) And not only the United States but all other nations too. But finally, there are people looking for ways to prevent the disastrous consequences of faulty software.

With the swift emergence of the Internet of Things (IoT) everything around us is turning into computers that can do things they were not originally invented for. Already your refrigerator, your printer,(7) and your camera have turned into computers with astonishing new capacities. (One fellow even programmed a Canon printer, a Honeywell thermostat, and a Kodak digital camera to play the computer game Doom.)(8) By next year (2020) about 75 billion devices are predicted to be connected to the Internet of Things(9) that can be hacked.

The cyber world has developed with astounding rapidity, partly by allowing for fast-and-loose standards of quality. Facebook’s old motto reflected this: “Move fast and break things.” Instead of perfecting a product through rigorous monitoring and in-house testing, software and even hardware producers rush their products to market full of coding errors, knowing that somewhere malevolent hackers are watching to detect and exploit them.

Software vendors expect to correct the problems afterward when the end users begin to complain. You probably receive notifications almost every day to “update” an app or two. These updates are actually “patches”—repairs to coding errors that have been discovered in the software.

Many of us are slow about applying these patches, but that is dangerous. When such a notice is sent out, it informs a criminal somewhere as to where in the software the new bug had been found. He will then search for an easy victim — you — who has not installed the update. And a survey commissioned by Skype in 2012 showed that 40 percent of adults do not update their software when prompted to do so, and about a quarter do not do so because they do not understand the benefits. But the benefits are great: About 90 percent of successful exploits are against unpatched systems.(10)

Even patches won’t solve everything, and not all coding errors can be spotted and fixed before being released. Programmers, being human, will err. But their errors will depend largely on the effectiveness of their monitoring and testing procedures. The industry averages about 15-50 errors per 1000 lines of delivered code. But Microsoft has brought its applications down to an average of about 10-20 defects per 1000 lines during in-house testing. One other testing system has achieved rates as low as 3 defects per 1000 lines of code during in-house testing and 0.1 defects per 1000 lines of code in released product.(11)

Thus, although some mistakes will inevitably happen, the number can be greatly reduced by rigorous use of quality control measures. As the risks to the public continue to increase, it is time to begin demanding improved quality of software and hardware. Instead of selling buggy software and expecting to fix it later with patches, vendors should be required by law to ensure that any product they sell meets reasonable standards of security, safety, and reliability.

But at present, the purchaser is at a severe disadvantage vis-à-vis the vendor, for generally purchasers who allege defects and security breaches get their cases thrown out of court (Jane Chong, “We need strict laws if we want more secure software,” The New Republic, Oct. 30, 2013.) Bruce Schneier maintains that the purchaser will not get secure software until the producers have a strong incentive to provide it—and now they do not. What would create such incentives? Knowing that the vendor can be sued for supplying a shoddy product that causes harm to the buyer. It will require government action to bring about that legal change.(12)

While some legal liability is being imposed on software vendors in a few places — Australia, for example(13) — there are few prospects for making significant changes in most countries. We should consider some of the main reasons for this lag.

First, much software is free. The courts will not hold software providers liable for harms for which the users did not pay in some form. However, the lawyer Jane Chong suggests that a different kind of payment occurs when the providers of free software do not take money from the users but rather data that they are able to monetize. If there were a legal obligation created to secure this data or restrict its use (and certainly there is a current public demand for such obligations) the users might be able to sue for breach of security under tort theories of negligence or misrepresentation.(14)

Second, Jane Chong notes that courts tend to assume that coding errors are inevitable and that, therefore, it is impossible to hold the vendors liable for any of them. Her own argument is that, while some errors are indeed inevitable, one product can be safer than another, and vendors should be liable if they produce unsafe ones. In fact, “just ten percent of vulnerabilities are responsible for 90 percent of all cybersecurity exposures.”(15) Chong uses the analogy of a car manufacturer. All cars are vulnerable to accidents. There is no such thing as a crash-proof car. But the courts have established that it was possible for General Motors to have produced a car that would minimize the effect of accidents and that their cars should be so designed.

Third, Chong states that the courts tend to hold only hackers, not providers, responsible for security breaches. Her own argument is that negligence is grounds for a civil lawsuit if the defendant failed to carry out a duty and caused harm as a result. He should pay damages “to make Humpty Dumpty whole again.” And when it comes to software, a negligent creator is also a source of injury.

But most security breaches do not lead to physical injury but instead to losses of data or money. This fact causes another legal problem for those who would hold the vendors liable. Oddly, tort liability does not apply to financial losses, so Chong argues that it would be better to invoke contract law when seeking damages that are purely financial from software vendors. Nevertheless, for all the reasons listed above, she is not optimistic about the likely outcome of most such court cases.

Bruce Schneier shares Chong’s bleak prognosis. While he shows what legal changes would benefit us, he admits that no such changes can be foreseen.(16)

Actually, not everyone wants greater software security. Obviously, criminal hackers want all opportunities to be left open for them to ply their trade. However, for a plethora of reasons, many states and law enforcement agencies also want to retain means of surveillance or even sabotage through bugs deliberately left in software.

One such bug is the “backdoor” — a piece of code that is secretly placed in software before it is released. Anyone with access to that code can spy on its user, seize control of the computer to change or destroy data, or even lock it up and hold it for ransom.

Presumably no software producers would intentionally leave a backdoor or other bug open for criminals to exploit, but when a security flaw is discovered, they do not always appreciate being told about it. The most important discoveries are made by public-spirited hackers who enjoy revealing their discoveries in hacker conferences. Often when they have announced their plan to give a speech revealing an important new bug, they have to suddenly cancel the talk, since the software manufacturer urgently intervenes to prevent the disclosure.

On the other hand, some corporations offer rewards to any hackers who can tell them in private about the bugs in their software, which they can patch quietly and quickly.

Software producers sometimes experience enormous pressure from governments and other organizations to build backdoors into their products. As Edward Snowden revealed, the NSA has long spied on Internet communications worldwide, and several other countries have highly sophisticated systems to do likewise. Russia, China, Israel, and Iran are the main examples. Law enforcement organizations often demand that they be admitted to backdoors for surveilling suspected criminals—especially when it comes to backdoors on encrypted messaging apps such as WhatsApp.

These disputes can become major areas of tension between nations. For example, China does not allow Silicon Valley’s social media platforms access to the country unless it can monitor the online conversations. And lately there is a new international conflict between China and the United States over the sale of fifth generation Internet devices. The Trump administration has refused to allow the Chinese firm Huawei to sell its products in the US because they presumably contain backdoors that could let the Chinese follow American secrets.

And of course it is not only secret information that states may want to collect about each other; computers also control physical things—including weapons. Only two cases are publicly known of the use of computer hacking to interfere with military preparations in another country. One was the US effort to sabotage North Korea’s nuclear weapons manufacture. Little is known publicly about that, and presumably the effort failed. The other case was the use of a computer worm, Stuxnet, to interrupt Iran’s enrichment of uranium at its plant in Natanz. The bug was allegedly created by US and Israeli cyber experts, then smuggled into the plant, where it caused the centrifuges to speed up and slow down repeatedly until they were ruined.

In addition to the sophisticated worm, the Stuxnet bug included four “zero days,” just for good measure. A zero day is a computer vulnerability that is unknown to the people who should have eliminated it, and which they will find out about with a shock on the day when it is exploited – the “zero day.” There is a lively trade in the buying and selling of zero days on the “dark web,” a portion of the Internet that is invisible because it is inaccessible to ordinary browsers. Many illegal activities, such as the sale of drugs and weapons, involve communications on the dark web.

The only way of reducing these threats is by legislating new rules to incentivize the producers of software to be scrupulous in designing and testing their software before releasing it. This will require government action. Computer professionals generally agree as to how the law needs to be changed, but few politicians know enough to propose better legislation. Thus it is the responsibility of well-informed citizens to tell their parliamentarians what is needed. You are invited to take that task upon yourself.

References for this article can be seen at the Footnotes 3 page on this website.

19. The UN shall declare cyberspace a peaceful commons and create a binding treaty for international cyber norms.

Rapporteur: Allison Pytlak

Introduction

Since the first instances of malicious cyber operations between states, there has been a growing acceptance of cyberspace as a militarized domain. This is a dangerous path to continue down, given the civilian and dual-use nature of cyberspace and digital networks. Such militarization is evidenced in the increasingly formalized role of digital operations in military doctrine and strategy, as well as in the language used to depict activity in this arena, such as through terminologies like “cyber weapon,” “cyber war,” or “cyber bomb”. By treating this primarily as a military and security issue, states and other actors risk institutionalizing and taking for granted the broad idea of cyber conflict. In the ongoing discussions at the United Nations (UN), and elsewhere, about norms of responsible behaviour in cyberspace, it’s essential that such norms are viewed as obligatory commitments and that space is also given to articulating a vision of cyber peace.

A) Existing multilateral fora

UN Groups of Governmental Experts

The United Nations has been considering “developments in the field of information and telecommunications in the context of international security” since 1998. The centre of discussion has largely been within Groups of Governmental Experts (GGEs) on information and communications technologies (ICTs) established by the UN General Assembly (UNGA) as of 2004. GGEs are entities created within the UN system to enable thematic and expert discussion and exploration of a given topic, sometimes as a precursor to a political process. Their rules of participation and access will vary depending on the fora in which a GGE is created.

Russia introduced the first draft resolution on the subject of ICTs in the context of international security in 1998 at the UNGA First Committee.(1) It had four operative paragraphs, including a call to member states to inform the United Nations Secretary-General (UNSG) of their views and assessments on four key questions relating to information security. These formed the basis of the annual reports that UN Secretaries-General have published since 1999.

The 2002 resolution called for the establishment of the first GGE on ICTs, prompted in part by reluctance from some countries to fully engage in this subject in First Committee.(2) Five GGEs have since been convened, each meeting either in Geneva or New York four times over a two-year cycle.(3) Their sizes have ranged from 15-25 states.(4)

Each Group sought to agree by consensus a report of its proceedings, which may include conclusions and recommendations, and which is returned to the wider UN membership for adoption. This has had varying levels of success, since from their inception the GGEs have suffered from an inherent sense of mistrust among their memberships and divergent views on definitions and basic approaches to information security.

Over time, the outputs of the GGE have generally improved and expanded, in line with their mandates and progress in discussions.

The report of the 2012-2013 Group was welcomed for its breakthrough statement that international law is applicable to cyberspace, although it was simultaneously tempered by a reaffirmation of state sovereignty in the conduct of ICT-related activities, and protection of infrastructure.(5)

The 2015 report was lauded for setting out eleven recommendations for voluntary and non-binding norms, rules, or principles for state behaviour, confidence-building measures, international cooperation and capacity building, and positive recommendations.(6)

Progress broke down in the 2016-2017 Group, reportedly over the issue of the applicability of international law, including international humanitarian law (IHL) and international human rights law (IHRL).

In 2017, it was not possible for states to agree to establishing a new GGE. Instead, debate at the UNGA First Committee explored other possible entities and forums that could better take forward the subject, as well as providing views on the validity of past outputs from the Groups.

In 2018, Russia—traditional sponsor of the UNGA First Committee resolution on ICTs—introduced new and controversial elements into the annual resolution. The first draft included various points from the Shanghai Cooperation Organization’s International Code of Conduct on Information Security as among a list of norms for discussion in a new GGE. The Code is seen by other states as a way to undermine human rights protections to online activity and so was immediately problematic for many countries. The Russian Federation recanted and redrafted its resolution without that language but with variously selected references from former GGE reports, and a new proposal to create an open-ended working group (OEWG), in place of a GGE, using the argument that such a forum would be more conducive to democratic participation and inclusivity.(7) The United States, frustrated with Russian actions, tabled for the first time its own competing resolution, written in the style of traditional First Committee ICT resolutions and calling for a new GGE but with a limited possibility of input from non-GGE members, through regional consultations. The United States and its allies heavily criticized the Russian proposal, arguing that it mischaracterized and cherry-picked language from previous GGE reports without consistency or logic, and accused Russia of being divisive.

In connection with wider politicization that complicated multiple disarmament topics at the UNGA First Committee in 2018, it was not possible for a compromise to be reached and the end result is that there will be both a GGE and an OEWG meeting throughout 2019 and 2020.(8)

The two entities have similar, yet not identical, mandates and varying modalities to receive inputs from either non-governmental stakeholders or, in the case of the GGE, non-Group members. For example, the GGE is likely to have a series of regional consultations throughout 2019 and 2020, and the OEWG will have a session in December for input from non-governmental actors. The chairpersonship of either entity and the composition of the GGE have not been made publicly available as of late May 2019.

UN Secretary-General reports and Agenda

The UN Secretary-General has issued multiple annual reports on the subject of ICTs since 1998. These consist of a compilation of national reports submitted voluntarily by member states.

The current UNSG António Guterres has made the promotion of a peaceful ICT-environment a key priority. In his Agenda for Disarmament, launched in May 2018, Guterres has included two action points on cyber security as part of the Agenda’s implementation plan. The UNSG notes in his report that “global interconnectivity means that the frequency and impact of cyberattacks could be increasingly widespread, affecting an exponential number of systems or networks at the same time.” He further states that “in this context, malicious acts in cyberspace are contributing to diminishing trust among States.”

Beyond the UN

The work within the UN is supplemented by an external patchwork of global and regional meetings for various stakeholders. Some of these fora have come to play an increasingly important role given stalemate and politicization within the UN system.(9)

France initiated its ‘Paris Call for Trust and Security in Cyberspace’ in November 2018.(10) (France Diplomatie, 2018) Also in 2018 the Global Commission on the Stability of Cyberspace (GCSC) outlined six new global norms to help promote the peaceful use of cyberspace.(11) (Global Commission on the Stability of Cyberspace, 2018) Proposals have also come from the private sector, notably Microsoft’s suggestion for a digital Geneva Convention (Microsoft, 2017) and leadership in the development of the Tech Accords, now supported by dozens of technology firms.(12)

Regional and other cooperation

Regional agreements have enabled information-sharing and support between states on a practical and tactical level, including between Computer Emergency Response (or Readiness) Teams, also known as CERTs. Some agreements, like NATO’s Enhanced Cyber Defence, also incorporate legal considerations. The NATO Cooperative Cyber Defence Centre of Excellence (technically not a NATO organization) commissioned the development of what is known as the Tallinn Manual. The Manual outlines how international law applies to cyber conflicts and cyber warfare and was developed by an international group of approximately twenty experts.

Other regional cooperation agreements have a focus on other aspects of cybersecurity such as cybercrime (the Budapest Convention), data protection and cyber security (African Union Convention on Cyber Security and Personal Data Protection) or information security (Shanghai Cooperation Organization’s agreement on “Cooperation in the Field of Information Security”).

B) Existing norms and confidence building measures

The 2015 UN GGE set out eleven recommendations for consideration by states for voluntary, non-binding norms, rules, or principles of responsible state behaviour with the aim of “promoting an open, secure, stable, accessible and peaceful ICT environment”. They include:

  1. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
  2. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
  3. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
  4. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
  5. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
  6. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
  7. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
  8. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
  9. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
  10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
  11. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

In addition, the 2015 Group recommended several voluntary confidence-building measures:

  1. The identification of appropriate points of contact at the policy and technical levels to address serious ICT incidents and the creation of a directory of such contacts;
  2. The development of and support for mechanisms and processes for bilateral, regional, subregional and multilateral consultations, as appropriate, to enhance inter-State confidence-building and to reduce the risk of misperception, escalation and conflict that may stem from ICT incidents;
  3. Encouraging, on a voluntary basis, transparency at the bilateral, subregional, regional and multilateral levels, as appropriate, to increase confidence and inform future work. This could include the voluntary sharing of national views and information on various aspects of national and transnational threats to and in the use of ICTs; vulnerabilities and identified harmful hidden functions in ICT products; best practices for ICT security; confidence-building measures developed in regional and multilateral forums; and national organizations, strategies, policies and programmes relevant to ICT security;
  4. The voluntary provision by States of their national views of categories of infrastructure that they consider critical and national efforts to protect them, including information on national laws and policies for the protection of data and ICT-enabled infrastructure. States should seek to facilitate cross-border cooperation to address critical infrastructure vulnerabilities that transcend national borders. These measures could include:
    1. A repository of national laws and policies for the protection of data and ICT-enabled infrastructure and the publication of materials deemed appropriate for distribution on these national laws and policies;
    2. The development of mechanisms and processes for bilateral, subregional, regional and multilateral consultations on the protection of ICT-enabled critical infrastructure;
    3. The development on a bilateral, subregional, regional and multilateral basis of technical, legal and diplomatic mechanisms to address ICT-related requests;
    4. The adoption of voluntary national arrangements to classify ICT incidents in terms of the scale and seriousness of the incident, for the purpose of facilitating the exchange of information on incidents.

As these norms were adopted by the UN General Assembly, they are considered by many member states as reflecting the current standard for behaviour in cyberspace, albeit non-binding and voluntary. These states are now advocating for their implementation, while some countries are calling for further elaboration and discussion about the content of the norms and measures themselves.

C) Major areas of disagreement

Since their establishment, the UN GGEs have suffered mistrust among some of their key members and divergent views about definitions and basic approaches to “information security”. Other areas of contention have included GGE mandates as well as the broader role of the UN and the First Committee with respect to international information security challenges.(13) These different approaches and perspectives have had a ripple effect in other multilateral fora, and colour the scope and objectives of several regional agreements. Outlined below are three of the most visible areas of disagreement.

Existing international law

The applicability of international law to cyberspace has been a primary point of disagreement among states in recent years, particularly with respect to articulating how it applies. The third and fourth GGEs declared that “international law, and in particular the Charter of the United Nations,” were applicable to cyberspace. At the time, it did not appear to be the position of any state that the right to self-defense would not apply in response to cyber operations that meet the threshold of an armed attack under Article 51 of the UN Charter.

Yet, the fifth GGE (2015-2016) failed because of disagreement on this point. Some states (including Russia, China, and Cuba, among others) maintained that to affirm the application of UN Charter principles of use of force and international humanitarian law would result in the “militarization” of cyberspace, whereas others (including the United States and western European states) insisted on acknowledging the right to apply “countermeasures” in scenarios that fell below the threshold of the “use of force” in cyberspace. There was debate around linking the malicious use of ICTs with an “armed attack” and what the legal implications of that would be, which largely reflected the asymmetry within the Group with respect to the cyber and conventional weapons capabilities of the different countries comprising it, as well as whether a cyber operation could ever cross the high legal threshold of an “armed attack”.

The applicability of international humanitarian law (IHL) to cyber operations has been similarly contentious, as some states have argued that applying IHL to cyberspace would legitimize taking military activities in it—which they claim to oppose—while others affirm its applicability. The International Committee of the Red Cross (ICRC) has highlighted the prohibition of weapons which are indiscriminate by nature as particularly relevant, but notes that the key principles of distinction, proportionality and precautions must also be observed. Adherence to IHL means that attacks cannot be directed at civilians or civilian objects, and as the ICRC points out, critical civilian infrastructure—including the cyber infrastructure on which it operates or relies, such as networks or equipment—is a civilian object and therefore protected against attack, unless it has become a military objective.(14)

Information security

While the term “information security” has been used widely and for two decades within the UN system, it has always suffered from a fundamental difference of approach and understanding among states, which has ramifications for efforts to reach agreement on norms. Countries that are more technologically developed often prioritize the importance of the free flow of information, while those less developed make equal access to information and information technologies a priority in discussions on cyber security and cyberspace. At the same time, certain others view information technology and the free flow of information as a threat to be contained.

For example, China views the problem of information security as including not only the risks relating to vulnerabilities of structures and systems, but also the political, economic, military, social and cultural problems that arise from technology use within its own borders. China and Russia have preferred to focus on international information security in the context of multilateral discussion fora as a safer formula than addressing it in a way that would draw attention to domestic actions. The United States has regularly reaffirmed that implementing information security measures cannot infringe on basic individual freedoms. The United Kingdom avoids using the term “information security” because it can be misused or misinterpreted as a way to justify limitations on personal freedoms.(15)

The need for new international law

Since introducing its first resolution on the subject of ICTs, Russia has been advocating codifying the applicable norms and principles governing uses of ICTs through a binding universal agreement on international information security. It has made multiple proposals in this regard, both in the UN context and unilaterally within Central Asia, and jointly with China.

Other states, largely Western ones, have not been supportive of the call for a cyber space treaty. Some have argued that to do so would be premature, or that existing international law is sufficient. Some states have also highlighted that given the divergent views on key aspects of the international cyber security issue, as well as around basic definitions and terminology, it would not be feasible to come to an agreement that would have enough substance to be effective.(16)

D) Human rights considerations

The human rights impact of digital technologies is being addressed in different UN fora from those where the national security impact is discussed, and usually by different actors within the international community. There has been very little intersection between security-based and human rights-based approaches or discourses.

Some human rights-based approaches have necessarily focused on specific human rights such as the right to freedom of expression, as protected by Article 19 of the Universal Declaration of Human Rights and of the International Covenant on Civil and Political Rights (1966). The human rights to privacy and assembly are also frequently at risk in a digital context. The right to privacy is guaranteed by Article 17 of the International Covenant on Civil and Political Rights (1966). Article 15 of the International Covenant on Economic, Social and Cultural Rights (1966) protects the right of everyone to “enjoy the benefits of scientific progress and its applications”, which can be interpreted to include the right to use the Internet. There has also been reaffirmation of women’s human rights that are threatened by targeted online activities like revenge porn and cyberstalking.(17)

The UN Human Rights Council (HRC), a UN body comprising 47 UN member states with foremost authority over human rights issues, has now passed multiple resolutions relevant to the Internet or to digital contexts more broadly. The first, adopted in 2012, was considered a landmark not only for being the first on the subject but also for its affirmation that “the human rights people enjoy offline, also apply online”.(18) The resolution built on a 2011 report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression.(19)

The right to privacy in the digital age has also been taken up by the UNGA Third Committee. In December 2013, the UNGA adopted resolution 68/167 “The Right to Privacy in the Digital Age” which called on all states to review their procedures, practices, and legislation related to communications surveillance, interception, and collection of personal data. It further emphasized the need for states to ensure the full and effective implementation of their obligations under international human rights law. The resolution was the foundation for a 2014 report of the Office of the United Nations High Commissioner for Human Rights on the same subject, for which the views of multiple stakeholders were solicited(20) and for a follow-up resolution in 2015.

The UN Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression recently issued a report focused on the obligations of states and companies, aiming to find user-centric and human rights law-aligned approaches to content policy-making, transparency, due process, and governance.(21)

Beyond the United Nations are the day-to-day advocacy and other initiatives of non-governmental organisations and individual human rights defenders. Technologists have added to this work by developing applications and software to prevent intrusions, detect censorship, or enable anonymity online.(22) It is also worth noting that ICTs are increasingly being used in the pursuit and defense of human rights, to capture violations and facilitate sharing.(23)

References for this article can be seen at the Footnotes 3 page on this website (link will open in a new page).

Overview: Cyber Risks

Author: Paul Meyer

Chair, Canadian Pugwash Group | Senior Advisor, ICT4Peace

Cyberspace, the broad term for the system of networked computer systems for which the Internet is the chief embodiment, is a unique, human-created environment. The potential of information and communication technology to benefit humanity is vast and the growth in its use world-wide has been exponential. Today close to four billion people are connected to the Internet and a community of “netizens” has emerged.

Unfortunately, the growth of cyberspace has not been matched by a similar development of global governance for it. Even more worrisome is the degree to which cyberspace has become “militarized”, with states developing capabilities not only for the defence of their own systems, but also offensive capabilities that threaten damage and destruction to entities beyond their borders. These trends within the national security establishments of leading cyber powers have accelerated, and the detrimental impact of cyber operations on civilian interests has grown. A narrative of “cyber war” has been espoused by major states, depicting this remarkable product of human ingenuity as just another “war-fighting domain”.

Fortunately, amid these disturbing developments there has also emerged a constituency advocating for maintaining cyberspace for peaceful purposes. Embracing stakeholders from government, civil society and the private sector, various initiatives have begun to take shape to promote the goal of a peaceful cyberspace and to insist on norms of responsible state behaviour in cyberspace. In parallel, “netizens” are requiring the information technology industry to take full responsibility for ensuring the security of the products it sells to consumers.

Two key demands, or planks of a platform for remedial action that reflects both the external and internal concerns over cyber security, are for states to commit to cooperative security arrangements and for the industry to accept responsibility for what it puts on the market. The first idea is for the United Nations and similar organisations to insist on a peaceful cyberspace and to hold states to account via binding arrangements specifying norms of responsible state conduct.

The second idea is to require manufacturers of cyber hardware and software to assume liability for negligent security failures in these products that cause significant harm.

As the overwhelming majority of owners and users of the Internet, it is incumbent on civil society and the private sector to press governments to take appropriate action to ensure that cyberspace is preserved for peaceful purposes in the interests of all.

Video interview with Paul Meyer

Video credit: ICT4Peace Foundation. A longer interview is available on YouTube at https://youtu.be/BveJ3V1ADUo.