A policy maker’s guide to the Global Conference on Cyberspace 2017

On November 23-24 an estimated 2,000 delegates from more than 100 countries will gather in Delhi, India for the fifth iteration of the Global Conference on Cyberspace (GCCS). Will the conference — finally — fulfill its promise to strengthen global cybersecurity while protecting human rights?

Much will depend on how the conference chair and the delegates shape the agenda, mapping out the territory for shared agreements and collective action. Our new guide, A Policy Maker’s Guide to the Global Conference on Cyberspace 2017, is aimed at helping them do just that.

In 2011, the chair of the first GCCS proclaimed, “it is my passionate conviction that all human rights should carry full force online: not just the right to privacy, but the right to freedom of expression. Human rights are universal.” Yet the centrality of human rights to the conference has wavered over the course of successive gatherings in Hungary, South Korea, and the Netherlands. Even when human rights have been formally recognized at GCCS, there has been no satisfactory implementation of the commitments that are made. It’s time to turn the tide.

Our guide provides delegates with the background, history, and context necessary for fully engaged, fruitful participation in the GCCS, including Access Now’s recommendations for protecting human rights in cybersecurity policy. We cover critical issues the conference has so far failed to address, which have systemic impacts. These include state attacks on strong encryption, government hacking, vulnerable Internet of Things (IoT) networks, and flaws in the systems for cross-border access to data.

Below is an overview of our recommendations, which we explore in detail in the guide. We encourage governments at GCCS 2017 to:

  • Put users at the center of cybersecurity policy
  • Apply systemic solutions to systemic problems such as digital security threats
  • Use open and pluralistic processes to develop cybersecurity policy
Put users at the center of cybersecurity policy

User-centric cybersecurity policies protect users’ rights. Policies that focus narrowly on state operations can undermine a government’s international human rights obligations, threaten the peaceful use of the internet, inhibit access to information, and endanger the free flow of information. Governments must respect and protect the rights both to privacy and freedom of expression.

Recommendation 1: Maintain human rights as the focus of conference statements and avoid embracing the false dichotomy of “balancing” human rights and other interests or using sovereignty to justify or protect policies that fragment the internet.

To demonstrate a commitment to human rights, conference statements should draw from the language of human rights instruments, including the Universal Declaration of Human Rights, International Covenant on Civil and Political Rights (ICCPR), and relevant United Nations resolutions, such as the Human Rights Council resolution on the promotion, protection, and enjoyment of human rights on the Internet, and standards like those developed by the Special Rapporteur on the freedom of expression on encryption, anonymity, and human rights.

Recommendation 2:  Acknowledge that, regardless of justification, limits on the right to freedom of expression must be provided by law, address a legitimate aim, and be necessary to achieve that aim, building on international standards in General Comment 34 on Article 19 of the ICCPR. Governments are increasingly censoring online content and restricting internet access. Intentional disruptions of internet access or other communications that render networks and services inaccessible for a specific population, or within a location, violate human rights, including freedom of expression. In addition, governments are exerting increased control over online content, such as by requiring platforms to remove certain categories of content. Such restrictions, often justified under the banner of combating extremism, harassment, hate speech, or “fake news,” carry significant danger for interference with online expression.

Recommendation 3: Clearly acknowledge the fundamental right to privacy and recognize necessary protections against overbroad surveillance authorities, as articulated in the International Principles on the Application of Human Rights to Communications Surveillance.

Apply systemic solutions to systemic problems such as digital security threats

Today’s digital security threats are systemic problems that require systemic solutions. It is vitally important to protect our networks, data, and the end users who are the victims of a wide range of attacks. Holistic digital security approaches should address the risks of malware and vulnerabilities; social engineering attacks; restrictions on the functionality of a network; efforts to weaken the security and integrity of communications systems; and other threats to anonymity, privacy, and the full range of human rights exercised online.

Recommendation 4: Address the human rights and cybersecurity implications of issues that GCCS has heretofore neglected, which have system-wide impacts: state attacks on strong encryption, government hacking, vulnerable Internet of Things (IoT) networks, and flaws in the systems for cross-border access to data.

  • Encryption and other digital security tools are necessary for ensuring the right to privacy and the exercise of freedom of opinion and expression in the digital age. It is critically important that the chair acknowledge the necessity of strong encryption for ensuring the security of our communications and enabling the exercise of human rights online.
  • Government hacking poses a great risk to human rights. These risks are compounded when hacking is conducted in the dark and without sufficient human rights protections for users. It is for this reason that there should be presumptive prohibition on all government hacking, which can only be overcome in limited and exceptional circumstances (and only for information gathering purposes) when human rights safeguards are met. It is imperative that the chair promote transparency into current hacking tools and authorities and initiate processes to ensure these tools are used in compliance with rights-respecting legal mechanisms.
  • Internet of Things. There are insufficient safeguards, either in law or in practice, to address the impact of the Internet of Things on human rights. The increase in the number of connected devices, without adequate attention to security, not only threatens privacy but also enables significant systemic cybersecurity attacks. The chair must address the threat of insecure devices through protections to promote the security of data and ensure continued security updates.
  • Cross-border data transfer. The systems for law enforcement access to data across borders in the context of criminal investigations is inefficient, and this has created incentives for policy that would harm human rights and limit the freedom and openness of the internet. It’s urgent that the chair promote means for lawful access across borders that improve efficiency for lawful government requests; reduce incentives for government interference with private sector platforms and networks; provide clarity for users, governments, and companies on the treatment of user data; and ensure the system for cross-border data requests protects users’ rights.

Recommendation 5: Address the threat of government hoarding and exploitation of vulnerabilities in software, devices, systems, and infrastructure. Hackers have used government-held digital security exploits and tactics for widescale attacks to gain access to personal and sensitive data, and these attacks have harmed human rights and caused widespread interruption of services. Governments undermine cybersecurity when they keep vulnerabilities secret and systematically prioritize offensive cyber operations and surveillance over cybersecurity defense. It is imperative that the chair advance solutions to prevent damage to cybersecurity and human rights caused by states withholding information about critical vulnerabilities.

Use open and pluralistic processes to develop cybersecurity policy

Recommendation 6: Ensure inclusivity and equal access for all stakeholders. At previous iterations of the GCCS, many substantive conversations took place in private rooms. Civil society has had limited or no involvement in these discussions, and there has been little transparency or public reporting on the proceedings. The chair should foster an open and transparent decision-making process throughout the duration of the conference, with clear lines of communication and feedback with all parties, including a mechanism for appeal and challenge. This would help to ensure that this conference, unlike its predecessors, is truly multi-stakeholder. To lead by example, the chair should further commit to this level of open and pluralistic process domestically, in the Asia Pacific region, and internationally. That means ensuring GCCS promotes inclusive and representative conversations. To achieve its goals, the Global Forum on Cyber Expertise (GFCE) must also become more inclusive, since civil society actors play a central role in ensuring rights-respecting cybersecurity.

Recommendation 7: Continue to pursue establishing necessary cybersecurity norms, as complementary to human rights law, including limits on state actions that threaten the human rights and security of users. Earlier this year, the UN Group of Governmental Experts failed to reach consensus on non-binding norms of state behavior, but the GCCS chair can continue that work.

We invite questions and responses from the chair, conference administration, and delegates on any of the recommendations and issues we address here. Please feel free to reach out, and we look forward to engaging with you at the conference next week.