Human Rights Defenders in Cyberspace: A Litmus Test for Cybersecurity
Compromised accounts, device confiscation, censorship, surveillance, excessive monitoring – these are some of the threats in cyberspace with the potential to violate human rights. But not everyone is affected equally with their consequences. Human rights defenders have been pre-eminently targeted by their adversaries and opponents. They have witnessed human rights concerns being translated into threats to psychological and even physical security. Reflecting on their security needs and experiences can act as the litmus test when building digital societies that are democratic, secure, and resilient.
Shortly after the word ‘cyberspace’ had been coined by sci-fi novelist William Gibson in the early ’80s, the prefix ‘cyber’ extended into multiple areas, denoting their relationship with information technology. The term ‘cybersecurity’ has by itself over 400 unique definitions recorded to date. This seeming plurality of definitions, however, does not translate into diverse views, and the field remains driven by a dominant national security-centric approach.
While cybersecurity is a matter of national security, the narrow focus on potential threats has led to the conflation of cybersecurity with national security without full consideration of what cybersecurity means for individual users and communities. The danger is that when the narrative is overly focused on restrictive policies and practices as the way to greater security, it creates downward pressure on human rights and freedoms and can lead to one-sided or inadequate measures.
Under the pretext of deterring crimes or countering terrorism, states can also weaponize cybersecurity-related laws and practices to exercise greater control over those they govern – to justify surveillance, censor the opposition and dissident, monitor private communications, and criminalize online users for expressing their views. Such practices can violate human rights, with the right to privacy, the right to freedom of expression and the right to free assembly and association among the most contested rights in cyberspace.
These violations and related threats do not affect everyone equally. Human rights defenders (HRDs) are a particularly exposed group. They have been targeted by their adversaries and opponents on a massive scale with far-reaching consequences not only for their digital but also physical and psychological security. For this reason, HRDs can act as a litmus test for what cybersecurity means for individual users. Witnessing violations to their rights and consequently often also security should alert us about possible implications for the security of the society at large.
Some HRDs are trained or adapted to reading security indicators by recognising and flagging abnormalities in their physical, social and political environment. Yet, most remain unaware or unskilled to read the indicators in the digital environment. Evident threats relate to the content and information HRDs produce and disseminate. This is partly due to the inherent portable nature of the data, but also because of greater governmental control that takes advantage of the fluidity and exposure of data to target HRDs’ activities online. The risks include data loss, compromised accounts, device confiscation, theft or inspection, information handover, surveillance, and monitoring that can result in the exposure of HRDs’ networks and related sensitive information.
Confiscation or theft of devices or information represented near ten per cent of all reported digital security issues in 2020, according to the Front Line Defenders Global Analysis. Additional risks stem from metadata. For instance, sending and receiving server names and Internet Protocol addresses (IPs), geolocation, filenames, date and time of files or emails, and other data that can be used to track movements, monitor connections, or reveal sensitive information and compromise data security.
Phishing and targeted malware are the most popular methods of digital attack due to their inexpensive and low-tech means, and the possibility of being customised on individuals (spear phishing) or efficiently deployed on a large scale. Phishing tricks users into sharing critical, highly sensitive personal information such as their usernames and passwords or sharing other private and confidential information; while malware is malicious software that enters the computers of website visitors to capture and transmit users' private data.
An Amnesty International investigation revealed similar methods being used in Uzbekistan, describing “(…) a campaign of malicious emails using fake websites along with Windows and Android spyware embedded in legitimate software.” According to the report, phishing campaigns fit into a larger pattern of digital attacks against Uzbekistani HRDs, among others. An earlier investigation documented targeted phishing attacks against HRDs in the Middle East and North Africa. The investigation described phishing campaigns that attackers had specifically developed to target those who had taken advanced steps to secure their online accounts with multi-factor authentication. Spyware attacks against HRDs have been identified in Mexico in 2017, Vietnam from February 2018 to November 2020 and India in 2019.
Apart from the means for collecting sensitive data, online attacks increase the insecurity mindset among HRDs. An Egyptian HRD living abroad expressed his limited security options: “All the time when we talk in our online meetings we don’t know if we can speak freely or not. We have no alternatives; we are between two options: to be practical or to be secure. Every discussion is a test for us, to mention a name, to say something or not, dates, passwords, etc.”. This statement illustrates a common dilemma for HRDs and their organisations – the lack of a technical and financial capacity for keeping their work secure on the one hand while risking leaking information and experiencing targeted intimidation on the other
State interference into the HRDs’ activities can be also carried out through internet shutdowns, censorship, blocking and filtering of online activities. According to the UN special rapporteur, “threats to digital expression and Internet freedom are more pronounced than ever […] and internet shutdowns have emerged as a popular means of information control.” The 2020 presidential elections and subsequent protests in Belarus were accompanied by internet blackouts coupled with targeted content blocking enabled through to deep packet inspection (DPI) method to prevent protesters from organizing via online communications platforms. By localising, identifying, filtering, and blocking packets with specific data, their use violates the right to privacy, freedom of expression and access to information, and in their consequences limit the rights to freedom of peaceful assembly and association, among others. The violations to the freedom of information, in particular, can have dire consequences in a high-risk environment, making HRDs unable to assess the security of the situation correctly and leaving the protesters in the dark.
Apart from technical means, censorship measures can be introduced or expanded through legislation, often under the pretext of strengthening national security, and in cooperation with tech companies. Such has been the situation in Vietnam, where the cybersecurity law protects the regime’s monopoly on power rather than ensuring network security. It has been also reported that Facebook and Google “geo-block” content critical of the authorities, which becomes invisible to anyone accessing the platform in the country. In November 2019, Facebook revealed a 983 per cent increase in content restrictions based on Vietnamese legislation, as compared with the previous reporting period, while YouTube has been praised by Vietnamese censors for its relatively high rate of compliance with censorship demands. These practices target HRDs, but also journalists, activists, dissent, and other non-conformist groups. In its consequences, securitised legislation violates the right to freedom of expression and universal access to information and introduces a state of insecurity instead.
With the advent of more intrusive use of technologies, we must protect values, principles and interests related to the safeguarding of human rights. Fundamental rights should not be a part of a trade-off for increased security. States have obligations to respect, fulfil and protect human rights. International human rights norms provide for a basis that can be translated into the realm of cyberspace, but they face a serious implementation gap. To tackle these challenges, there is a need for a multi-stakeholder environment that allows for accessible, inclusive and transparent involvement in the shaping of the normative and legal framework.
An attempt toward a more open format has been the Open-Ended Working Group (OEWG), running in parallel to the UN Group of Governmental Experts (GGE) on advancing responsible state behaviour in cyberspace in the context of international security. However, while non-state actors including civil society representatives have been participating in the process, the influence over shaping policies has been limited. There is a further need for regular institutional dialogue with standardized formats and mechanisms for implementation oversight that includes HRDs’ perspectives. A step in the right direction could be the proposed cyber Programme of Action (PoA) which would end the dual-track and establish a permanent UN forum that will be decided on this fall.
Beyond creating an environment that can facilitate progress towards introducing adequate legal and regulatory protection, stakeholders need to contribute to the existing efforts towards building technological awareness, with an emphasis on individuals and communities at risk. The prevailing lack of knowledge about digital security among HRDs creates an environment of insecurity and limited engagement. Information control practices must be countered both from top-down and bottom-up perspectives. This can be done in several ways, including training HRDs on how to proactively mitigate digital security risks. Some steps have been taken by civil society and international organizations alike, such as the example of Front Line Defenders and the Organization for Security and Co-operation in Europe (OSCE). These models can be scaled up to provide regular, tangible support for digital security awareness at various levels.
As HRDs continue to experience excessive repression in cyberspace, reflecting on their security needs and experiences, is an important part of addressing the needs of individuals- and communities-at-risk. By including their perspectives, we can move towards creating better-informed laws and practices, in which individual rights and security are understood as mutually reinforcing concepts. Employing human rights-based approaches will allow governments to strengthen their legislative and regulatory efforts while preventing human rights violations and lead to greater accountability of both state agencies and private actors. Cyberspace must be guided by rules, norms and laws that create an environment of transparency, trust, inclusiveness, equitability, and predictability while levelling the playing field for state and non-state actors alike. Only by respecting the rights that people enjoy offline into their protection online can we build digital societies that are democratic, secure, and resilient.
Pavlina Pavlova is a former official and currently a consultant at the Organisation for Security and Cooperation in Europe (OSCE) working on capacity building programmes and training sessions for Human rights defenders. She has coordinated human rights monitoring projects and trained digital safety and security for monitors, with emphasis on secure information management. Pavlina has previously published on the topic of securitisation of cybersecurity and its implications for individuals- and communities-at-risk. She has been participating in the civil society feedback to the UN Open-ended working group on developments in the field of information and telecommunications in the context of international security.