Cybersecurity should protect us – not control us
In the race to secure against threats, human rights such as privacy, free expression, freedom of assembly are undermined rather than protected.
by Lucy Purdon, Privacy International | Posted March 14, 2017
What do the election in Mexico, a hospital in California, baby monitors around the world and tinned fruit in Thailand have in common? They were all were involved in the great ‘cybersecurity’ failures of 2016. They also highlight the spectrum of cybersecurity issues that potentially impact us all: Governments, public services, companies, you and I.
The dizzying scale, technical complexity and downright panic accompanying ‘cyberattacks’ and data breaches often overshadow the fact that human rights are at the heart of cybersecurity, and that attacks mostly impact individuals. The personal information of over 93 million voters in Mexico, including home addresses, were openly published on the internet after being taken from a poorly secured government database. Up to 100,000 people are reportedly kidnapped in Mexico each year. A hospital in California had to cancel surgeries and move patients after attackers took down their network with ransomware. Internet connected devices such as baby monitors were reportedly co-opted by malware and utilised as part of a DDOS attack, which brought down popular websites including Twitter and The New York Times.
Governments are under pressure to combat these kinds of threats and more to create a secure and stable online environment. Many inter-governmental forums focus on building state capacity to develop effective cybersecurity strategies which identifies critical infrastructure to protect and prevent instances such as those in Mexico, California and the global DDOS attack.
But in the race to secure against threats, human rights such as privacy, free expression, freedom of assembly and other rights are often undermined rather than protected, leaving individuals vulnerable. In Thailand for example, a journalist was convicted of violating cybercrime laws after publishing a report on labour rights violations in the country’s fruit canning sector.
British NGO Privacy International recently published a series of State of Privacy reports, which aim to summarise privacy and surveillance laws and practices in a variety of countries. The reports identify cybersecurity as a government priority in various countries around the world, but also identify repressive cybercrime laws drafted alongside cybersecurity strategies. Cybercrime laws can be complex and problematic; they can be far-reaching, vague and national legal frameworks often lack the basic protections that should underpin them, such as data protection laws and explicit privacy protections which help curtail state power.
The result is that, in some parts of the world, the cybersecurity debate can undermine human rights and the international obligation on governments to protect them. Too quickly the debate turns to increasing state surveillance capacity, closing down transparency, criminalising legitimate behaviour and speech and undermining encryption rather than promoting it. For example, using encrypted messaging services is illegal in Pakistan, and using them in Morocco will land you in prison and a $10,000 fine. What constitutes certain crimes is unclear in the cybercrime laws of Jordan, Kenya and Tunisia. The Computer Misuse Act in Uganda has been used to criminally charge a journalist. These examples demonstrate the range of issues that appear in cybercrime laws presented as cybersecurity.
In addition, there is currently little transparency on how decisions regarding cybersecurity strategies and cybercrime laws are made and by whom. Civil society and technologists rarely have a seat at the decision-making table. Truly effective security must be done as a collaboration and no one actor can claim to have the solution. This requires trust and efforts to understand different stakeholder perspectives. When Donald Trump announced a review of US “cyber capabilities and vulnerabilities”, the Cyber Review Team consists of “military, law enforcement and industry representatives”. No mention of civil society organisations or the technology community, which is a typical omission around the world. This inevitably leads to an adversarial relationship between governments and civil society, resulting in many initiatives being sent back to the drawing board. In 2015, a draft encryption policy in India was withdrawn after 24 hours due to public outcry over the requirement for end users to store plaintexts of communications for 90 days. In South Africa, civil society successfully prevented a draft cybercrime law from being passed due to the lack of a public interest defence and perceived criminalisation of journalists and whistleblowers.
So what is the ‘right’ approach to cybersecurity? The guiding principle is that good cybersecurity policies and techniques uphold the right to privacy and other human rights, not undermine them. Good cybersecurity puts the individual in the centre, ensures that secure devices and infrastructure is the priority of the nation state, and that vulnerabilities that are found and risks that are identified are communicated as quickly as possible so that protection and prevention can occur. Everyone plays a role: cybersecurity is as much about response teams taking down bots, as about your installing the latest operating system updates on your phone. But most of all, we must ensure that cybercrime laws enacted alongside cybersecurity strategies reflect the need to protect people, rather than increase state power and control over people they are bound to protect.
Lucy Purdon is a Policy Officer at Privacy International.