Cybersecurity Should Protect Us - Not Control Us
'State of Surveillance' with Edward Snowden and Shane Smith (VICE)
What does the election in Mexico, a hospital in California, baby monitors around the world and tinned fruit in Thailand have in common? They were all were involved in the great ‘cybersecurity’ failures of 2016. They also highlight the spectrum of cybersecurity issues that potentially impact us all: Governments, public services, companies, you and I.
The dizzying scale, technical complexity and downright panic accompanying ‘cyberattacks’ and data breaches often overshadow the fact that human rights are at the heart of cybersecurity, and that attacks mostly impact individuals. The personal information of over 93 million voters in Mexico, including home addresses, were openly published on the internet after being taken from a poorly secured government database. Up to 100,000 people are reportedly kidnapped in Mexico each year. A hospital in California had to cancel surgeries and move patients after attackers took down their network with ransomware. Internet connected devices such as baby monitors were reportedly co-opted by malware and utilized as part of a DDOS attack, which brought down popular websites including Twitter and The New York Times.
Governments are under pressure to combat these kinds of threats and more to create a secure and stable online environment. Many inter-governmental forums focus on building state capacity to develop effective cybersecurity strategies which identifies critical infrastructure to protect and prevent instances such as those in Mexico, California and the global DDOS attack.
But in the race to secure against threats, human rights such as privacy, free expression, freedom of assembly and other rights are often undermined rather than protected, leaving individuals vulnerable. In Thailand for example, a journalist was convicted of violating cybercrime laws after publishing a report on labor rights violations in the country’s fruit canning sector.
British NGO Privacy International recently published a series of State of Privacy reports, which aim to summarize privacy and surveillance laws and practices in a variety of countries. The reports identify cybersecurity as a government priority in various countries around the world, but also identify repressive cybercrime laws drafted alongside cybersecurity strategies. Cybercrime laws can be complex and problematic; they can be far-reaching, vague and national legal frameworks often lack the basic protections that should underpin them, such as data protection laws and explicit privacy protections which help curtail state power.
The result is that, in some parts of the world, the cybersecurity debate can undermine human rights and the international obligation on governments to protect them. Too quickly the debate turns to increasing state surveillance capacity, closing down transparency, criminalizing legitimate behavior and speech and undermining encryption rather than promoting it. For example, using encrypted messaging services is illegal in Pakistan, and using them in Morocco will land you in prison and a $10,000 fine. What constitutes certain crimes is unclear in the cybercrime laws of Jordan, Kenya and Tunisia. The Computer Misuse Act in Uganda has been used to criminally charge a journalist. These examples demonstrate the range of issues that appear in cybercrime laws presented as cybersecurity.
In addition, there is currently little transparency on how decisions regarding cybersecurity strategies and cybercrime laws are made and by whom. Civil society and technologists rarely have a seat at the decision-making table. Truly effective security must be done as a collaboration and no one actor can claim to have the solution. This requires trust and efforts to understand different stakeholder perspectives. When Donald Trump announced a review of US “cyber capabilities and vulnerabilities”, the Cyber Review Team consists of “military, law enforcement and industry representatives”. No mention of civil society organizations or the technology community, which is a typical omission around the world. This inevitably leads to an adversarial relationship between governments and civil society, resulting in many initiatives being sent back to the drawing board. In 2015, a draft encryption policy in India was withdrawn after 24 hours due to public outcry over the requirement for end users to store plaintexts of communications for 90 days. In South Africa, civil society successfully prevented a draft cybercrime law from being passed due to the lack of a public interest defense and perceived criminalization of journalists and whistleblowers.
So what is the ‘right’ approach to cybersecurity? The guiding principle is that good cybersecurity policies and techniques uphold the right to privacy and other human rights, not undermine them. Good cybersecurity puts the individual in the centre, ensures that secure devices and infrastructure is the priority of the nation state, and that vulnerabilities that are found and risks that are identified are communicated as quickly as possible so that protection and prevention can occur. Everyone plays a role: cybersecurity is as much about response teams taking down bots, as about your installing the latest operating system updates on your phone. But most of all, we must ensure that cybercrime laws enacted alongside cybersecurity strategies reflect the need to protect people, rather than increase state power and control over people they are bound to protect.
See the original at Open Democracy
We invite you to add your charity or supporting organizations' news stories and coming events to PVAngels so we can share them with the world. Do it now!
How You Can Help
Partners for Change
FAIR USE NOTICE: This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance a more in-depth understanding of critical issues facing the world. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 USC Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information click here. If you wish to use copyrighted material from this site for purposes that go beyond 'fair use', you must obtain permission from the copyright owner.