Practical implementations of human rights respecting cybersecurity policy

From IFF Wiki
Revision as of 13:04, 11 March 2017 by Mallory (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Practical implementations of human rights respecting cybersecurity policy
Presenter(s) Vidushi Marda, Mallory Knodel
Organization(s) Centre for Internet and Society, Association for Progressive Communications
Project(s) Freedom Online Coalition working group "An Internet Free and Secure"
Country(ies) India, United States
Social media
2017 theme Policy & Advocacy

The Freedom Online Coalition Working Group 1, "An Internet Free and Secure" is a multistakeholder body that has put forward a list of 13 recommendations for policy makers engaged in cybersecurity. These recommendations aim to ensure that cybersecurity policies and practices are human rights respecting by design. As part of the workshop, participants will assess existing policies against these recommendations in order to understand the ways in which the norm-setting recommendations can actually be implemented. The recommendations have the support of 30 governments and dozens of civil society and private sector members. Those interested in cybersecurity policy, multistakeholder processes and the Freedom Online Coalition should attend. More information is available here: Participants in the workshop will be divided into groups to work through existing or proposed cybersecurity policies in place around the world. The policy recommendations will be provided as the primary resource for assessing the policies. The session will end with feedback to capture lessons learned.

Format Workshop
Target Groups Journos, software developers, advocacy and policy professionals, communications professionals, academia
Length 1 hour
Skill Level Novice
Language English

Session Outputs

Next Steps

Additional Notes

Relevant Resources


Session started by introducing working group of the Freedom Online Coalition (FOC), a partnership of 30 governments that was born in 2011 to support internet freedom and protect fundamental human rights online worldwide, including the rights to freedom of expression, association and assembly and privacy. It was established at the inaugural Freedom Online Conference in The Hague, the Netherlands, and has members spanning from Africa to Asia, Europe, the Americas, and the Middle East. Coalition members work closely together to coordinate their diplomatic efforts and engage with civil society and the private sector to support internet freedom and rights worldwide.

The FOC working group, “An Internet Free and Secure”, has a mandate through May 2017 to establish norms on cybersecurity and human rights. Defining cybersecurity as key to privacy and freedom of expression has been at the core of the working group’s efforts, in the context of increasing securitisation of the internet, with the aim to put people at the centre and avoid national security serving as an umbrella to curtail rights.

The session continued by going through the recommendations made by the FOC working group to achieve “an internet free and secure”, on which participants were asked to comment:

  • Cybersecurity policies and decision-making processes should protect and

respect human rights.

  • The development of cybersecurity-related laws, policies and practices

should from their inception be human rights-respecting by design.

  • Cybersecurity-related laws, policies and practices should enhance the

security of persons online and offline, taking into consideration the disproportionate threats faced by individuals and groups at risk.

  • The development and implementation of cybersecurity-related laws,

policies and practices should be consistent with international law, including international rights law and international humanitarian law.

  • Cybersecurity-related laws, policies and practices should not be used as

a pretext to violate human rights, especially free expression, association, assembly and privacy.

  • Responses to cyber incidents should not violate human rights.
  • Cybersecurity-related laws, policies and practices should uphold and

protect the stability and security of the internet, and should not undermine the integrity of infrastructure, hardware, software and services.

  • Cybersecurity-related laws, policies and practices should reflect the

key role of encryption and anonymity in enabling the exercise of human rights, especially free expression, association, assembly and privacy.

  • Cybersecurity-related laws, policies and practices should not impede

technological developments that contribute to the protection of human rights.

  • Cybersecurity-related laws, policies and practices at national, regional

and international levels should be developed through open, inclusive and transparent approaches that involve all stakeholders.

  • Stakeholders should promote education, digital literacy, and technical

and legal training as a means to improve cybersecurity and the realisation of human rights.

  • Human rights-respecting cybersecurity best practices should be shared

and promoted among all stakeholders.

  • Cybersecurity capacity building has an important role in enhancing the

security of persons both online and offline: such efforts should promote human rights-respecting approaches to cybersecurity.

Regarding how these recommendations are taken into account in policy making, several participants offered feedback on the notice of intention to develop a South African national cybersecurity policy, which does not make reference to human rights. How will rights be protected if there is no mention of them in the notice? Mention of multistakeholderism was noted as a positive development, but its vagueness leaves room for human rights breaches. It was also stressed that South Africa is one of only two African countries, along with Egypt, to join the Budapest Convention, so it should take a leading role in the continent and ask for more feedback within the African Union.

Participants were asked what else they would add to the list of recommendations. Comments centred on the observation that cybersecurity and cyberpolicies treat people as threats instead of targets, and also that rights and security are necessarily two sides of the same coin.

More specifically, it was stressed that the recommendations as a norm-setting document that guides advocacy work must be put into a more actionable context with specific examples, best practices, and guides such as a glossary of keywords. Advocates and legislators would want to reference provisions, soft laws and other norms in evaluations of cybersecurity policies. Context is important for a localised approach that responds to threats and challenges, which vary across regions and sectors. Highlighting the human aspects, impact and consequences of cybersecurity is key to policy advocacy as is the inclusion of examples of successful policies that implement these recommendations well.