surveillance
-
CIVICUS expresses concern over detention of Uzbekistan activist
13 May 2009 – CIVICUS: World Alliance for Citizen Participation has expressed concern over the detention of well-known civil society activists in Tashkent, Uzbekistan for commemorating the anniversary of the 2005 “Andijan Massacre”. Civil society activists Oleg Sarapulov and Tatyana Dolblatova from the Committee for the Freedom of the Prisoners of Conscience in Uzbekistan, and Elena Urlaeva, Salomatoy Boymatova, and Anatoly Volkov and Victoria Banjenova from the Human Rights Alliance of Uzbekistan were detained for most of today at the Tashkent Police Department for peacefully paying tribute to the memory of those killed in Andijan on 12-13 May 2005.
Further, Bahadir Namazov from the Committee for the Freedom of the Prisoners of Conscience in Uzbekistan remains under house arrest to prevent them from attending the peaceful memorial services at Tashkent’s Monument to Courage.
“Commemorating the deaths of fellow citizens is not a crime. Their detention even further tarnishes Uzbekistan’s democratic credentials as a member of the Organization of Security and Cooperation in Europe (OSCE),” said Ingrid Srinath, Secretary General of CIVICUS.
According to reports, surveillance and pressure on independent human rights defenders began yesterday, on the 12th of May, and has continued throughout today. All the mentioned human rights activists were followed by several law enforcement agents.
On 13 May 2005, gunmen attacked government buildings and broke into the Andijan city prison, taking hostages. In reaction, thousands of demonstrators later gathered, airing grievances about the government. While official estimates state that 173 people were killed, it was widely reported that over 500 lost their lives. Although, no official investigation has been made into these events, it is clear officers from the Ministry of the Interior and National Security Service used violent and disproportionate force against protesting citizens, resulting in these deaths. The government of Uzbekistan has not held any of the forces accountable for the violence.
CIVICUS believes these civil society activists were arbitrary detained, in breach of national constitutional guarantees and Uzbekistan’s commitments under the International Covenant on Civil and Political Rights assuring the freedom to assemble peacefully.
-
EUROPEAN MEDIA FREEDOM ACT: ‘National security cannot justify the use of spyware on journalists’
CIVICUS speaks about the role of civil society in the drafting process of the European Media Freedom Act with Jordan Higgins, Press and Policy Officer at the European Centre for Press and Media Freedom (ECPMF).Founded in 2015, ECPMF is a civil society organisation that seeks to promote, preserve and defend media freedom by monitoring violations,providing practical support and engaging diverse stakeholders across Europe.
Why was the European Media Freedom Act (EMFA) needed?
The EMFA aims to support media freedom and promote media pluralism in the European Union (EU). While media-related matters have traditionally fallen under the competence of member states, EU-wide action has become necessary due to the severity of the threats media freedom faces across Europe.
The EMFA was introduced in September 2022 and underwent successive rounds of negotiations, culminating in a political agreement reached on 15 December 2023. It is comprehensive and seeks to address critical threats to media freedom, including the independence of public service broadcasters, concentration of media ownership and the capture of media through the allocation of state advertising, among other issues.
It safeguards the right of audiences to access pluralistic media sources and establishes a European Board for Media Services, composed of national media authorities that will advise the European Commission on the consistent application of key provisions of the Act in all member states. It also focuses on ensuring the safety of journalists, protecting them and their sources from surveillance and the use of spyware.
In sum, the EMFA is a crucial tool to address some of the major threats faced by journalists and protect the editorial and market independence of media.
What did civil society bring to negotiations?
This initiative aimed to strengthen press freedom in Europe and was widely welcomed by civil society, including us at ECPMF.
From the early stages, media freedom organisations proposed critical amendments to specific aspects of the EMFA that did not comply with the highest media freedom standards. In particular, we pushed for greater transparency in media ownership, comprehensive rules regulating financial relations between the state and media, including the allocation of state advertising, and full protection of journalists from all forms of surveillance, including spyware. We also advocated for the independence of national media regulators and the European Board for Media Services.
The process incorporated the perspectives of media freedom experts and journalists and culminated in the final trilogue negotiations between the European Parliament, Council and Commission. One of the key areas of interest for media freedom advocates during these negotiations was EMFA Article 4 on the protection of journalistic sources. In particular, we hoped to see the removal of provisions – promoted by Cyprus, Finland, France, Greece, Italy, Malta and Sweden – that included ‘threats to national security’ as justification for the use of spyware on journalists.
To what extent did the final text address civil society concerns?
Civil society, particularly media freedom organisations, advocated for a robust version of the EMFA that considered the needs of those most affected by it. Throughout the negotiation process, we voiced our objections to concerns from publishers’ groups and regarding proposed amendments to Article 4, which could have removed legal safeguards that shield journalists from the deployment of spyware under the pretext of national security. Fortunately, the final version no longer cites ‘national security’ as a justification for using spyware on journalists.
Now our work will shift towards ensuring the effective implementation of the EMFA through active monitoring, particularly in EU member states where press freedom is under the greatest threat.
Get in touch with ECPMF through itswebsite orFacebook page, and follow@ECPMF on Twitter.
-
INTELLIGENCE ARTIFICIELLE : « Il doit y avoir un équilibre entre la promotion de l’innovation et la protection des droits »
CIVICUS parle avec Nadia Benaissa, conseillère en politique juridique chez Bits of Freedom, sur les risques que l’intelligence artificielle (IA) fait peser sur les droits humains et sur le rôle que joue la société civile dans l’élaboration d’un cadre juridique pour la gouvernance de l’IA.Fondée en 2000, Bits of Freedom est une organisation de la société civile (OSC) néerlandaise qui vise à protéger les droits à la vie privée et à la liberté de communication en influençant la législation et la politique en matière de technologies, en donnant des conseils politiques, en sensibilisant et en entreprenant des actions en justice. Bits of Freedom a également participé aux négociations de la loi de l’Union européenne sur l’IA.
Quels risques l’IA fait-elle peser sur les droits humains ?
L’IA présente des risques importants car elle peut exacerber des inégalités sociales préexistantes et profondément ancrées. Les droits à l’égalité, à la liberté religieuse, à la liberté d’expression et à la présomption d’innocence figurent parmi les droits touchés.
Aux Pays-Bas, nous avons recensé plusieurs cas de systèmes algorithmiques violant les droits humains. L’un de ces cas est le scandale des allocations familiales, dans lequel les parents recevant des allocations pour la garde de leurs enfants ont été injustement ciblés et profilés. Le profilage a surtout touché les personnes racisées, les personnes à faible revenu et les musulmans, que l’administration fiscale a faussement accusés de fraude. Cette situation a entraîné la suspension des allocations pour certains parents et prestataires de soins, ainsi que des enquêtes hostiles sur leurs cas, ce qui a eu de graves répercussions financières.
Un autre exemple est le programme de prévention de la criminalité ‘Top400' mis en œuvre dans la municipalité d’Amsterdam, qui profile des mineurs et des jeunes afin d’identifier les 400 personnes les plus susceptibles de commettre des délits. Cette pratique affecte de manière disproportionnée les enfants des classes populaires et les enfants non-blancs, car le système se concentre géographiquement sur les quartiers à faibles revenus et les quartiers de migrants.
Dans ces cas, le manque d’éthique dans l’utilisation d’outils d’intelligence artificielle a entraîné une immense détresse pour les personnes concernées. Le manque de transparence dans la manière dont les décisions automatisées ont été prises n’a fait qu’accroître les difficultés dans la quête de justice et de redevabilité. De nombreuses victimes ont eu du mal à prouver les préjugés et les erreurs du système.
Existe-t-il des tentatives en cours pour réglementer l’IA ?
Un processus est en cours au niveau européen. En 2021, la Commission européenne (CE) a proposé un cadre législatif, la loi sur l’IA de l’Union européenne (UE), pour répondre aux défis éthiques et juridiques associés aux technologies de l’IA. L’objectif principal de la loi sur l’IA de l’UE est de créer un ensemble complet de règles régissant le développement, le déploiement et l’utilisation de l’IA dans les États membres de l’UE. Elle cherche à maintenir un équilibre entre la promotion de l’innovation et la protection des valeurs et des droits fondamentaux.
Il s’agit d’une occasion unique pour l’Europe de se distinguer en donnant la priorité à la protection des droits humains dans la gouvernance de l’IA. Cependant, la loi n’a pas encore été approuvée. Une version a été adoptée par le Parlement européen en juin, mais il reste encore un débat final - un « trilogue » - à mener entre la Commission européenne, le Conseil européen et le Parlement européen. La Commission européenne s’efforce d’achever le processus d’ici la fin de l’année afin qu’il puisse être soumis à un vote avant les élections européennes de 2024.
Ce trilogue a des défis considérables à relever pour parvenir à une loi sur l’IA complète et efficace. Les questions controversées abondent, y compris les définitions de l’IA et les catégories à haut risque, ainsi que les mécanismes de mise en œuvre et d’application.
Qu’est-ce que la société civile, y compris Bits of Freedom, apporte à la table des négociations ?
Alors que les négociations sur la loi se poursuivent, une coalition de 150 OSC, dont Bits of Freedom, demande instamment à la CE, au Conseil et au Parlement d’accorder la priorité aux personnes et à leurs droits fondamentaux.
Aux côtés d’autres groupes de la société civile, nous avons activement collaboré à la rédaction d’amendements et participé à de nombreuses discussions avec des membres des parlements européen et néerlandais, des décideurs politiques et diverses parties prenantes. Nous avons fermement insisté sur des interdictions concrètes et solides, telles que celles concernant l’identification biométrique et la police prédictive. En outre, nous avons souligné l’importance de la transparence, de la redevabilité et d’un mécanisme de réparation efficace dans le contexte de l’utilisation des systèmes d’IA.
Nous avons obtenu des résultats significatifs en matière de plaidoyer, notamment l’interdiction de l’identification biométrique en temps réel et a posteriori, une meilleure formulation des interdictions, des évaluations obligatoires de l’impact sur les droits fondamentaux, la reconnaissance de droits supplémentaires en matière de transparence, de redevabilité et de réparation, et la création d’une base de données obligatoire sur l’IA.
Mais nous reconnaissons qu’il y a encore du travail à faire. Nous continuerons à faire pression pour obtenir la meilleure protection possible des droits humains et à nous concentrer sur les demandes formulées dans notre déclaration au trilogue de l’UE. Celles-ci tendent vers l’établissement d’un cadre de redevabilité, de transparence, d’accessibilité et de réparation pour les personnes touchées par ces enjeux, et à la fixation des limites à la surveillance préjudiciable et discriminatoire exercée par les autorités nationales chargées de la sécurité, de l’application de la loi et de l’immigration. Elles s’opposent ainsi au lobbying des grandes entreprises technologiques en supprimant les lacunes qui sapent la réglementation.
Le chemin vers une réglementation complète et efficace de l’IA est en cours, et nous restons déterminés à poursuivre nos efforts pour faire en sorte que le cadre législatif final englobe nos demandes essentielles. Ensemble, nous visons à créer un environnement réglementaire en matière d’IA qui donne la priorité aux droits humains et protège les personnes.
Contactez Bits of Freedom sur sonsite web ou sa pageFacebook, et suivez@bitsoffreedom sur Twitter.
-
Mexico: Illegal digital surveillance against journalists and activists
Joint statement with members of the Open Government Partnership
The undersigned members of the Open Government Partnership (OGP) Steering Committee express their deep concern over the reports of alleged illegal digital surveillance against Mexican journalists, activists, and other human rights defenders, as highlighted in a letter signed by the core group of civil society organizations that lead the OGP process in Mexico, and validated by Citizen Lab. We reiterate the invitation to the Mexican government to provide a formal response, should it choose to, in line with the guidelines of the Rapid Response Protocol.
These allegations are highly relevant to the values of OGP outlined in the Open Government Declaration, which include “protecting the ability of not-for-profit and civil society organizations to operate in ways consistent with our commitment to freedom of expression, association, and opinion.” Civic participation requires an enabling environment that is conducive to freedom of expression and freedom of association and upholding the right of everyone to hold opinions without interference, and the right to privacy. Illegal digital surveillance activities are therefore incompatible with open government principles, diminish citizens’ trust in their governments, and undermine the safety of these groups and the critical role they play.
We recognize the Mexican government’s OGP commitment to establish “Democratic controls on interventions of private communications”, and we encourage government stakeholders, including the Secretariat of National Defense, the National Guard, the National Intelligence Center, and other relevant security agencies, to use the OGP process to prioritize its implementation. We appreciate the efforts made so far by Secretary Salcedo, Secretary of Public Administration, to advance dialogue between civil society and state actors to achieve the reforms envisioned in the commitment. We further encourage the government to strengthen the democratic controls to prevent unwarranted digital surveillance of journalists, activists, and human rights defenders.
The OGP Steering Committee stands ready to provide any support necessary, including identifying needs and opportunities for collaboration and facilitating dialogue. Should it be deemed fruitful by Mexican stakeholders, we respectfully offer two of our members -one from civil society and one from government- to engage with the filers of this concern and the Mexican government, including relevant security agencies, to continue to advance dialogue and co-create a specific timeline for the successful implementation of Mexico's OGP commitment "Democratic controls on interventions of private communications".
Endorsed by the following members of the OGP Steering Committee:
The Government of Canada
The Government of Estonia
The Government of Italy
The Government of Kenya
The Government of Nigeria
The Government of the United Kingdom
Natalia Carfi, Open Data Charter
Anabel Cruz, ICD Uruguay
Aidan Eyakuze, Twaweza
Eka Gigauri, Transparency International Georgia
Blair Glencorse, Accountability Lab
Lysa John, CIVICUS
Lucy McTernan, Scottish Open Government Partnership
Stephanie Muchai, International Lawyers Project
Luben Panov, European Center for Not-for-Profit Law
Doug Rutzen, International Center for Not-for-Profit Law
Barbara Schreiner, Water Integrity Network
Civic space in Mexico is rated as Repressed by the CIVICUS Monitor
-
NEPAL: ‘The TikTok ban signals efforts to control the digital space in the name of national sovereignty’
CIVICUS speaks about the recentTikTok ban in Nepal with Anisha, provincial coordinator for Gandaki Pradesh at Body and Data.Founded in 2017,Body and Data is a civil society organisation promoting an accessible, safe and just digital space for all people in Nepal. Anisha, known by her digital name Aneekarma, oversees a project focused on online expression by women and LGBTQI+ people and leads Body and Data’s digital rights initiative in Nepal’s Gandaki province.
Why did the Nepali government ban TikTok?
The government has cited multiple reasons for banning TikTok. It cited concerns about a rise in cybercrime, the disruption of social harmony – mainly due to the circulation of ‘vulgar’ content that ‘damages societal values’ – and TikTok’s perceived promotion of a ‘begging culture’, as content creators use it to seek money or gifts from their audience during live sessions. They also invoked the fact that the platform is being banned in some global north countries, although those bans normally apply only to government phones.
Ultimately, it all boils down to an attempt to restrict freedom of expression. TikTok has grown to be a significant platform. It serves a diverse audience including housewives, older people, small business owners and entrepreneurs. Recently, people began using TikTok to voice opinions and exercise free speech against the authorities, provoking anger and fear among political leaders who have stepped up surveillance.
How will this ban impact on digital rights?
Nepal is a democratic country where freedom of speech and expression are fundamental, and the ban on TikTok has raised concerns about these rights being compromised. These concerns have been exacerbated by the government’s plans to introduce a separate bill aimed at tightening control over social media.
The enforcement of the TikTok ban infringes on the basic rights of freedom of expression and access to information. The platform was used not just for entertainment and for small enterprises to promote their products and services but also as a channel to share diverse opinions, engage in creative expression and amplify the voices of excluded communities, particularly women.
Bans on popular social media platforms add complexity to the ongoing international debate regarding digital rights. There are growing concerns surrounding the intersection of technology, free expression and governance in the digital age. The TikTok ban sparks discussions on the delicate balance between government regulation and individual liberties.
What potential privacy or security concerns arise from users shifting to other platforms?
Because of TikTok being banned, users have started to migrate to alternative platforms, which raises further privacy and security concerns. It is paramount that digital rights are safeguarded during this transition.
User education and awareness campaigns on privacy and security best practices are needed to enhance digital literacy. Users must be confident that their personal information is well protected. Transparent data practices, including clear information on data collection and usage, are vital for building user trust and enabling informed decision-making.
The influx of new users to alternative platforms may also introduce potential cybersecurity threats. Platforms should continuously invest in security measures such as encryption protocols, regular audits and prompt vulnerability fixes. It is also essential to implement user authentication and verification mechanisms to mitigate risks such as fake accounts and identity theft.
The situation in Nepal raises additional concerns due to the government’s limited understanding of cybersecurity. The absence of consultation with experts before this type of decision is made poses severe risks, as evidenced by instances of people’s personal data being exposed and government websites being hacked.
The TikTok ban only made the gap in the oversight of data privacy clearer. A comprehensive approach is required to address these issues, integrating technological measures, transparent policies, education initiatives and regulatory frameworks to ensure robust safeguards for user privacy and digital rights.
What are the global implications of the growing trend of TikTok bans?
The growing trend of countries considering or implementing bans on TikTok due to security concerns reflects a global unease surrounding potential risks associated with the platform. Often intertwined with geopolitical tensions, the TikTok ban signals broader government efforts to control the digital space in the name of national sovereignty. These bans underscore an intensified scrutiny of data privacy and security practices on digital platforms, with governments expressing reservations about the potential misuse of user data.
This trend is reshaping the global tech landscape, prompting questions about the dominance of specific platforms and the role of international tech companies. Governments face a significant challenge in striking a delicate balance between encouraging innovation and implementing regulations to address security and privacy concerns.
As users encounter bans on TikTok, they may migrate to alternative platforms, fostering increased competition and influencing user demographics and content trends. This trend emphasises the need for international collaboration on digital standards and regulations to address security concerns and establish a framework for responsible behaviour in the global digital arena.
Ultimately, bans on TikTok carry broader implications for the future of digital platforms, shaping discussions on user awareness, advocacy and the delicate interplay between innovation and regulation in the evolving digital landscape.
How can governments regulate platforms without compromising people’s rights to free expression and privacy?
Governments face the complex challenge of regulating social media platforms to combat misinformation and disinformation while also safeguarding their citizens’ rights to free expression and privacy. Sophisticated strategies are required to achieve a balance between national security imperatives and global digital rights.
Just as TikTok has established its own guidelines regarding harmful content, governments can collaborate with technology companies to define clear and transparent standards for social media conduct that do not compromise people’s right to express their opinions, but rather that counteract misinformation. It is crucial to implement robust fact-checking mechanisms and foster media literacy to empower users to distinguish between reliable and deceptive information.
International collaboration to standardise regulations is key to preventing the infringement of digital rights across borders. The adoption of privacy-enhancing technologies, such as end-to-end encryption, preserves individual privacy while facilitating uninhibited self-expression. It is paramount to recognise that state-controlled surveillance and censorship directly threaten our freedom of expression. Rather than resorting to outright bans, governments should prioritise measures that address concerns about misinformation and privacy to strike a nuanced balance that safeguards fundamental rights.
Civic space in Nepal is rated ‘narrowed’ by theCIVICUS Monitor.
Get in touch with Body and Data through itswebsite orInstagram page,and follow@bodyanddata and@aneekarma on Twitter.
-
TAIWAN: ‘China will do to us what it did to Hong Kong, and what it has long done to Tibetans and Uighurs’
CIVICUS speaks about the situation in Taiwan withMin-Hsuan Wu, known as ttcat,a social movement activist and campaigner and co-founder and CEO of a Doublethink Lab.Founded in 2019, Doublethink Lab is a civil society organisation (CSO) focused on researching malign Chinese influence operations and disinformation campaigns and their impacts, bridging the gap between the democracy movement, tech communities and China experts, and facilitating a global civil society network to strengthen democratic resilience against digital authoritarianism.
What is the story behind Doublethink Lab?
Doublethink Lab was founded three years ago, in September 2019. Four years ago, we experienced a tremendous amount of disinformation influencing our 2018 local elections. After these elections, there were lots of signals and leads of information-related, mostly disinformation campaigns – all affiliated with or supported by China.
We realised that to tackle the challenge of strengthening and safeguarding our democracy we needed people to combine their talents and diverse professional backgrounds into a project focused on digital defence.
Our main mandate is to produce a better understanding of how Chinese external propaganda functions and effectively influences political processes and public opinion elsewhere, including in Taiwan.
Our strategy to combat disinformation differs from the usual fact-checking initiatives. Our work isn’t published in fact-checking reports. Instead, we follow the disinformation to try to understand who is spreading it and whether it is being spread by our citizens dynamically or by other kinds of actors funded by the Chinese state. Often, when analysing social media posts, it is possible to see the huge structure made up of Chinese bots liking, sharing and retweeting disinformation.
What is the likely outcome of rising Chinese aggression toward Taiwan?
It’s not news that tensions between Taiwan and China are increasing. China is increasingly using ‘grey zone’ tactics to push boundaries, increasing pressure and influencing people. Through various means, China is threatening Taiwanese people. This clearly increases the chance of the whole situation leading to China invading Taiwan.
Most military experts would agree that this won’t happen right now, with Xi Jinping having just secured his third term as chairman of the Chinese Communist Party and awaiting confirmation of a third term as president of China. Some say an invasion could occur in 2025 or 2027, but I think it will depend on how strongly the Taiwanese people can defend themselves from now on: if our resistance increases, the costs of an invasion for China increase accordingly. Our resistance might therefore postpone the crystallisation of China’s wishes for a bit longer.
On the other hand, China’s tactics may be backfiring: as China escalates militarily against us, the Chinese narrative is becoming less and less popular in Taiwan. More and more people have realised China is not a good neighbour. It is no longer thought of as a business opportunity for us but as a potent threat to our ways of life, our livelihoods and our lives. China’s aggressive attitude is pushing Taiwanese people towards embracing defence tactics to protect our country, which is a positive thing for us. We are much more aware of the need to build strong national and civil defence now.
Did the recent visit by US House Speaker Nancy Pelosi make any difference, for better or worse?
Pelosi’s visit didn’t complicate the situation, but whether we see it as helpful or not depends on the perspective we look at it from. Her visit in August 2022 was meant as a show of support to Taiwan, and happened despite China’s threats of retaliation. It was the first visit by a US House Speaker in a quarter of a century. From a democracy or human rights perspective, it was quite beneficial. Pelosi spoke up against China’s human rights violations and the challenges posed by totalitarian regimes. Her presence brought visibility to our country’s situation regarding China. It put a spotlight on it, and now people see how China treats us and what a destabilising factor it is for the region. It clearly bothered China, judging by the way it reacted to it on the international stage.
From a geopolitical and military perspective, Pelosi’s visit didn’t produce any benefit. It didn’t – couldn’t – bring any kind of peaceful dialogue. China’s vision and military exercises won’t change. But Pelosi’s visit didn’t complicate the situation; it just brought it under the spotlight so more Western media are paying attention to Taiwan. This kind of attention is somehow opening up many windows of opportunity for Taiwan to collaborate with other countries and agencies. No one knows what will come out of this, but from what I’ve seen so far, increased opportunities of international collaboration may improve our chances of safety.
What would it take to bring peace and stability to the region?
That’s a huge question. For me, the ultimate solution would be the opening up of civic space and the democratisation of China, Russia and other totalitarian regimes in Southeast Asia. However, we know this is too big a hope and it’s not really up to us.
There used to be a civil society in China, but under Xi’s rule civic space has been continuously shrinking for 10 years. More and more activists are getting arrested. We all saw what happened recently in Hong Kong: China cracked down hard on civic movements and arrested people for even having a podcast –regular citizens were sent to jail just in case. China shut down all forms of civic expression, including news agencies. China will do to Taiwan what it did to Hong Kong, and what it has long done to Tibetans and Uighurs within China.
If you ask me, I would say peace would require the demise of the Chinese Communist Party, but people think I am crazy when I put it this way. But from our perspective, this is the only forever solution. If you have an aggressive, expansionist neighbour trying to invade you, attaining peace is quite hard because it is not up to you. There can’t be peace unless your neighbour changes.
Without justice there won’t be any peace. I’m not sure which kind of peace people wish to see: I think they are wrong if they define peace as just the absence of war. It that’s what they want, they can move to Hong Kong. Hong Kong is peaceful now – there are no mobilisations, no protests, no disorder. But is this really peace? It’s just an illusion: people are quiet because they lost their rights and freedoms. This is not the kind of peace we want for Taiwan.
We need to find a way to open up civic space and bring democracy to the region – that is the only way forward.
How is Taiwanese civil society working to make this happen?
Lots of Taiwanese CSOs are working to limit China’s influence in the region, especially in Taiwan. There is an organisation called Economic Democracy Union that conducts serious research about Chinese influence on our economy; their work show how Chinese collaborators pretend to be Taiwanese companies and penetrate very sensitive industries such as electronics or e-commerce – industries that capture lots of personal data. Economy Democracy Union brings these issues to the surface with the aim of promoting new regulations to protect us from these influence-seeking tactics.
There are also many CSOs working to strengthen civic defence, which isn’t just war-related, but rather focused on preparedness for disaster or any kind of military operation; their goal is to teach citizens how to react in these cases.
Right now, Doublethink Lab is doing an investigation on China’s information operations. We do election monitoring and try to disclose disinformation campaigns or far-fetched narratives flooding into Taiwanese media. We are building a global network to bridge the gap between academia and civil society on a global scale. We want people to know what Chinese influence looks like in different countries, the channels it travels through, its tactics and its final goals.
Doublethink Lab isn’t the only organisation advocating for digital defence. There are several others focusing on Chinese media influence, disinformation campaigns, fact-checking processes and civic education to identify fake news, among other related issues.
What support does Taiwanese civil society need from the international community?
We need resources. Most Taiwanese CSOs are small grassroots organisations. People tend to view Taiwan as a rich country with a very prosperous economy, but the truth is that civil society movements struggle a lot. Human rights CSOs and those working to counter Chinese influence usually have fewer resources than a regular charity. CSOs need more resources to be able to recruit new talent.
Right now is the perfect time to ask ourselves what we really need. I always ask my fellow activists what they need, and answers resemble a lot those of activists in Hong Kong or Ukraine. Something the international community can also help with is by exposing Taiwan’s struggle. We don’t want people to think our issues are disconnected from those of the rest of the world – we want to become closer and we want to be understood. We need more connections with CSOs in the rest of the world. We need all forms of help to prepare and get ready for what’s coming.
Civic space in Taiwan is rated ‘open’ by theCIVICUS Monitor.
Get in touch with Doublethink Lab through itswebsite and follow @doublethinklab and@TTCATz on Twitter.
-
THAILAND: ‘Spyware was used to monitor protesters’ online activity’
CIVICUS speaks about the use of surveillance technology against civil society activists in Thailand with Sutawan Chanprasert, founder and executive director of DigitalReach, a civil society organisation (CSO) that promotes digital rights, human rights and democracy in Southeast Asia.What is DigitalReach working on?
DigitalReach is a digital rights organisation working in southeast Asia. We are looking at the impact of technology on human rights and democracy in the region. We initiated this project with a focus on the use of Pegasus spyware in Thailand and reached out to The Citizen Lab and iLaw for collaboration. This is because iLaw is a well-known organisation based in Thailand with a great connection with local activists, and The Citizen Lab is well-known for its expertise in spyware investigation.
What were the main findings of this research?
Pegasus spyware, which is produced by NSO group and sold only to state agencies, can infect devices (both iOS and Android) through a technology called ‘zero click’, which means that it needs no action on the part of the targeted user. Once the spyware is installed, it can gain access to everything on the device, including photos and text messages, and can turn the camera and microphone on and off.
In Thailand, this spyware has been used against at least 35 iPhone users: 24 activists, three CSO workers, three academics and five opposition politicians. These infections happened between October 2020 and November 2021, which was peak time for the democracy movement.
There were three reasons why the spyware was used against dissidents: to monitor protesters’ online activity, to monitor the protests and to find out more about the movement’s funding. On the basis of forensic evidence, The Citizen Lab confirmed that zero-click technology was used, exploiting vulnerabilities in the system to gain access to the devices.
This was likely not the first time spyware was used against activists in Thailand, but we have no evidence to confirm this suspicion. Other digital surveillance tools have also been used: as detailed in our report, GPS devices were found attached to some dissidents’ vehicles during democracy mobilisations.
How did the government react to your findings?
On 22 July the Prime Minister said in parliament that he does not know anything about this spyware, and he added that such spyware would be unnecessary as we all knew what was going on from social media. The Deputy Minister of Defence also declared in parliament that it is not the government’s policy to use spyware against people or ‘generally’ violate their rights. Meanwhile, the Minister of Digital Economy and Society stated in parliament that spyware technology had been purchased but not by a department or agency under his authority. However, he referred to it generically as ‘spyware technology’, without ever confirming that he was referring to Pegasus.
Is there anything CSOs and activists can do to counter spyware?
Spyware is considered a dual-use item, which means it can also be useful in criminal investigations. However, we all know this is not always the case. In Thailand and many other countries, spyware has been used against dissidents and members of the opposition, which means that the technology needs to be strictly regulated so it’s not abused. However, it’s hard to see that happening under the current administration, as the government itself is the likely perpetrator. Only policymakers who care about human rights will be able to make progress on this.
As for individual activists, there is no total solution to prevent a device from being infected by this kind of spyware. However, exposure to this threat can be reduced in several ways, such as by using two-factor authentication, using a security key or an authenticator app rather than an SMS, using a messaging platform with the disappearing message feature and by enrolling in Google’s Advanced Protection Program.
What can the international community do to support Thai activists facing surveillance?
This is a tricky question. Thailand doesn’t currently have an active local digital rights organisation, so working on this would be a good first step to increase digital security protection. The global community that works on digital security can play an important role. However, training activities offered in Thailand must be conducted in the local language and customised to fit the Thai context.
There’s also a need for digital security work in Thailand that goes beyond training, including monitoring to watch for emerging digital threats against dissidents, more research and work with local activists and organisations to ensure their long-term digital safety with a sustainable approach. Funding is also needed because local activists and organisations must buy tools to support their digital security.
Civic space in Thailand is rated ‘repressed’ by theCIVICUS Monitor.
Follow DigitalReach via itswebsite and follow@DigitalReachSEA on Twitter. -
TRAITÉ DES NATIONS UNIES SUR LA CYBERCRIMINALITÉ : « Il ne s’agit pas de protéger les États, mais les personnes »
CIVICUS s’entretient avecStéphane Duguin ausujet dela militarisation de la technologie et des progrès réalisés envue d’un traité des Nations Unies sur la cybercriminalité.Stéphaneest un expert de l’utilisation des technologies perturbatrices, ce qui inclut les cyberattaques, les campagnes de désinformation et le terrorisme en ligne. Il est aussi le directeur général del’Institut CyberPeace,une organisation de la société civile (OSC) fondée en 2019 pour aider les OSC humanitaires et les communautés vulnérables àlimiter les dommages causés par les cyberattaques et àpromouvoir un comportement responsable dans le cyberespace. Elle mène des activités de recherche et de plaidoyer et fournit une expertise juridique et politique dans le cadre de négociations diplomatiques, notamment au sein duComité ad hoc des Nations Unies chargé d’élaborer la Convention sur la cybercriminalité.
Pourquoi un nouveau traité des Nations Unies sur la cybercriminalité est-il nécessaire ?
Plusieurs instruments juridiques portant sur la cybercriminalité existent déjà. Notamment, la Convention de Budapest sur la cybercriminalité duConseil de l’Europe de 2001 est le premier traité international visant à lutter contre la cybercriminalité et à harmoniser les législations pour renforcer la coopération dans le domaine de la cybersécurité. En avril 2023, il a été ratifié par 68 États dans le monde. Cette convention a été suivie par des outils régionaux tels que la Convention de l‘Union africaine sur la cybersécurité et la protection des données à caractère personnel de 2014, entre autres.
Mais le problème de ces instruments réside dans leur application. La Convention de Budapest n’a même pas été ratifiée par la plupart des États, alors qu’elle est ouverte à tous. Et même lorsqu’ils ont été signés et ratifiés, ces instruments ne sont pas mis en œuvre. Cela signifie que les données ne sont pas accessibles au-delà des frontières, que la coopération internationale est compliquée à mettre en place et que les demandes d’extradition ne sont pas suivies d’effet.
Il est urgent de remodeler la coopération transfrontalière pour prévenir et contrer les crimes, surtout d’un point de vue pratique. Les États qui ont plus d’expérience dans la lutte contre la cybercriminalité pourraient aider ceux qui ont moins de ressources en leur fournissant une assistance technique et en les aidant à renforcer leurs capacités.
C’est cela qui rend si importantes les négociations actuelles de l’ONU tendant à une convention mondiale sur la cybercriminalité. En 2019, l’Assemblée générale des Nations Unies a créé le Comité spécial chargé d’élaborer une « Convention internationale globale sur la lutte contre l’utilisation des technologies d’information et de communication à des fins criminelles », en d’autres termes une Convention sur la cybercriminalité. Cela s’est fait dans un objectif de coordination des efforts entre des États membres, des OSC, dont l’Institut CyberPeace, des établissements universitaires et d’autres parties prenantes. Il s’agira du premier cadre international juridiquement contraignant pour le cyberespace.
Les objectifs du nouveau traité sont de réduire la probabilité d’attaques et, lorsqu’elles se produisent, de limiter les dommages et de veiller à ce que les victimes aient accès à la justice et à des réparations. Il ne s’agit pas de protéger les États, mais les personnes.
Quelles ont été les premières étapes de la négociation du traité ?
La première étape a consisté à faire le point sur ce qui existait déjà et, surtout, sur ce qui manquait dans les instruments existants afin de comprendre ce qu’il restait à faire. Il était également important de mesurer l’efficacité des outils existants et de déterminer s’ils ne fonctionnaient pas en raison de leur conception ou parce qu’ils n’étaient pas correctement mis en œuvre. De plus, il était primordial de mesurer les dommages humains causés par la cybercriminalité afin de définir une base du problème que nous essayons d’aborder avec le nouveau traité.
Il faudrait aussi un accord entre tous les États parties pour qu’ils cessent de se livrer eux-mêmes à la cybercriminalité. Curieusement, cela n’a pas été intégré dans les discussions. Il est pour le moins étrange d’être assis à la table des discussions sur les définitions des crimes cybernétiques et cyberdépendants avec des États qui mènent ou facilitent des cyberattaques. Les logiciels espions et la surveillance ciblée, par exemple, sont principalement financés et déployés par les États, qui financent également le secteur privé en achetant ces technologies avec l’argent des contribuables.
Quels sont les principaux défis ?
Le principal défi a été la définition du champ d’application du nouveau traité, c’est-à-dire de la liste des infractions à incriminer. Les infractions commises à l’aide des technologies de l’information et de la communication (TIC) appartiennent généralement à deux catégories distinctes : les infractions cyberdépendantes et les infractions facilitées par la technologie. Les États s’accordent globalement sur le fait que le traité devrait inclure les infractions cyberdépendantes, c’est-à-dire les infractions qui ne peuvent être commises qu’à l’aide d’ordinateurs et de TIC, telles que l’accès illégal à des systèmes informatiques, les attaques par déni de service et la création et diffusion de logiciels malveillants. Si ces infractions ne faisaient pas partie du traité, il n’y aurait pas de traité à proprement parler.
L’inclusion des crimes facilités par la technologie est toutefois plus controversée. Il s’agit d’infractions commises en ligne, mais qui pourraient être commises sans les TIC, comme la fraude bancaire et le vol de données. Il n’existe pas de définition internationalement reconnue des crimes facilités par la technologie. Certains États considèrent les infractions liées au contenu en ligne, telles que la désinformation ou l’incitation à l’extrémisme et au terrorisme, comme des crimes cybernétiques. Ces infractions sont fondées sur la parole et leur incrimination peut conduire à la criminalisation de discours ou de l’expression en ligne, ce qui aurait des conséquences négatives sur les droits humains et les libertés fondamentales.
De nombreux États susceptibles d’être futurs signataires du traité utilisent ce type de langage pour faire taire les dissidents. Toutefois, il y a un soutien général pour l’inclusion d’un nombre limité d’exceptions concernant les crimes facilités par la technologie, tels que l’exploitation sexuelle des enfants et les abus sexuels en ligne, ainsi que la fraude informatique.
Il est impossible de parvenir à une délimitation large des crimes cybernétiques si elle n’est pas accompagnée de garanties très strictes en matière de droits humains. En l’absence de garanties, le traité ne devrait porter que sur un nombre limité de crimes. Mais il n’y a pas d’accord sur les garanties et leur mise en place, en particulier en ce qui concerne la protection des données personnelles.
Or tant pour les victimes comme pour les auteurs de crimes, il n’y a aucune différence entre les crimes cybernétiques et les crimes cyberdépendants. Une victime de l’un est victime des deux. De nombreux groupes criminels – tout comme des acteurs étatiques - utilisent les mêmes outils, infrastructures et processus pour mener les deux types d’attaques.
Même s’il est nécessaire d’inclure davantage de crimes cybernétiques, la manière dont cela est fait n’est pas la bonne, car il n’y a pas de garde-fous ou de définitions claires. La plupart des États qui font pression en ce sens ont abondamment démontré qu’ils ne respectent ni ne protègent les droits humains, et certains - dont la Chine, l’Égypte, l’Inde, l’Iran, la Russie et la Syrie - ont même proposé de supprimer toute référence aux obligations internationales en matière de droits humains.
Un autre défi est l’absence d’accord sur la manière dont les mécanismes de coopération internationale devraient assurer le suivi pour garantir la mise en œuvre pratique du traité. Les modalités de coopération entre les États et les types d’activités qu’ils mèneront ensemble pour lutter contre ces crimes restent floues.
Pour éviter que les régimes répressifs n’abusent du traité, nous devrions nous concentrer à la fois sur la portée des infractions passibles d’être poursuivies et sur les conditions de la coopération internationale. Par exemple, les dispositions relatives à l’extradition devraient inclure le principe de la double incrimination, ce qui signifie qu’un acte ne peut donner lieu à extradition que s’il constitue un crime à la fois dans le pays qui fait la demande et dans celui qui la reçoit. Ce principe est essentiel pour empêcher les États autoritaires d’utiliser l’extradition pour poursuivre les dissidents et commettre d’autres violations des droits humains.
Qu’apporte la société civile aux négociations ?
L’élaboration du traité devrait être un effort collectif visant à prévenir et à réduire le nombre de cyberattaques. En tant qu’organes indépendants, les OSC y contribuent en fournissant des informations sur les incidences sur les droits humains et les menaces potentielles, et en plaidant en faveur de garanties pour les droits fondamentaux.
Par exemple, l’Institut CyberPeace analyse depuis deux ans les cyberattaques perturbatrices contre les établissements de santé dans le cadre de la COVID-19. Nous avons découvert au moins 500 cyberattaques ayant entraîné le vol des données de plus de 20 millions de patients. Et ce n’est que la partie émergée de l’iceberg.
L’Institut CyberPeace soumet également au Comité des recommandations dont l’approche est centrée sur les victimes. Elles comprennent des mesures préventives, la redevabilité des auteurs sur la base de preuves, l’accès à la justice et à la réparation pour les victimes, et tendent à prévenir la revictimisation.
Nous plaidons également en faveur d’une approche intrinsèquement fondée sur les droits humains, qui garantirait le plein respect des droits humains et des libertés fondamentales par le biais de protections et de garanties solides. Le langage de la Convention devrait faire référence à des cadres spécifiques de droits humains tels que la Déclaration universelle des droits de l’homme et le Pacte international relatif aux droits civils et politiques. Il est important que la lutte contre la cybercriminalité n’oppose pas la sécurité nationale aux droits humains.
Ce cadre est d’autant plus important que les gouvernements exploitent depuis longtemps les mesures de lutte contre la cybercriminalité pour étendre le contrôle de l’État, élargir les pouvoirs de surveillance, restreindre ou criminaliser les libertés d’expression et de réunion et cibler les défenseurs des droits humains, les journalistes et l’opposition politique au nom de la sécurité nationale ou de la lutte contre le terrorisme.
Pour résumer, l’objectif de la société civile est de démontrer l’impact humain des cybercrimes et de s’assurer que les États en tiennent compte lors de la négociation du régime et des réglementations - qui doivent être créés pour protéger les citoyens. Nous faisons entendre la voix des victimes, les plus vulnérables, dont la cybersécurité quotidienne n’est pas correctement protégée par le cadre international actuel. En ce qui concerne l’Institut CyberPeace, nous plaidons pour l’inclusion d’un champ limité de cybercrimes avec des définitions claires et étroites afin d’empêcher la criminalisation de comportements qui constituent l’exercice des libertés fondamentales et des droits humains.
Où en sommes-nous dans le processus de négociation du traité ?
Un document de négociation consolidé a servi de base à la deuxième lecture effectuée lors des quatrième et cinquième sessions tenues en janvier et avril 2023. La prochaine étape consistera à publier un avant-projet à la fin du mois de juin, qui sera négocié lors de la sixième session qui se tiendra à New York entre août et septembre 2023.
Le processus aboutit normalement à une consolidation par les États, ce qui va être difficile car il y a beaucoup de divergences et un délai serré : le traité devrait être soumis au vote lors de la 78ème session de l’Assemblée générale des Nations Unies en septembre 2024.
Il y a un bloc d’États qui souhaitent un traité au champ d’application le plus large possible, et un autre bloc qui penche pour une convention au champ d’application très limité et aux garanties solides. Mais même au sein de ce bloc, des désaccords subsistent en ce qui concerne la protection des données, l’approche en termes de sécurité, et des questions éthiques portant sur des technologies spécifiques telles que l’intelligence artificielle.
Quelles sont les chances que la version finale du traité respecte les normes internationales en matière de droits humains tout en remplissant son objectif ?
Compte tenu de la manière dont le processus s’est déroulé jusqu’à présent, je ne suis pas très optimiste, en particulier sur la question du respect des normes en matière de droits humains. Il manque encore les définitions cruciales des garanties en matière de droits humains. Nous ne devons pas oublier que les négociations se déroulent dans un contexte de confrontation géopolitique tendue. L’Institut CyberPeace a retracé les attaques déployées depuis le début de l’invasion de l’Ukraine par la Russie. Nous avons témoigné de plus de 1 500 campagnes d’attaques avec près de 100 acteurs impliqués, dont de nombreux États, et des impacts sur plus de 45 pays. Cette réalité géopolitique complique encore les négociations.
Le texte qui est actuellement sur la table ne permet pas d’améliorer la vie des victimes dans le cyberespace. C’est pour cette raison que l’Institut CyberPeace reste engagé dans le processus de rédaction, afin d’informer et de sensibiliser les discussions en vue d’un résultat plus positif.
Contactez l’Institut CyberPeace sur sonsite web ou sa pageFacebook, et suivez@CyberpeaceInst et@DuguinStephane sur Twitter.
-
TRAITÉ DES NATIONS UNIES SUR LA CYBERCRIMINALITÉ : « La société civile vérifie la véracité des arguments avancés par les États »
CIVICUS s’entretient avec Ian Tennant sur l’importance de la sauvegarde des droits humains dans le processus en cours d’élaboration d’un traité des Nations Unies sur la cybercriminalité.Ian estle président de l’Alliance des ONG pour la prévention du crime et la justice pénale, un vaste réseau d’organisations de la société civile (OSC) qui fait progresser les questions de prévention du crime et de justice pénale en s’engageant dans les programmes et processus pertinents de l’ONU. Il dirige la représentation multilatérale de Vienne et le Fonds de résilience de l’Initiative mondiale contre la criminalité transnationale organisée, une OSC mondiale dont le siège se trouve à Genève et qui se consacre à la recherche, à l’analyse et à l’engagement sur toutes les formes de criminalité organisée et de marchés illicites. Les deux organisations participent en tant qu’observateurs aux négociations du traité des Nations Unies sur la cybercriminalité.
Pourquoi un traité des Nations Unies sur la cybercriminalité est-il nécessaire ?
Il n’y a pas de consensus sur la nécessité d’un traité des Nations Unies sur la cybercriminalité. Depuis que la question a été soulevée officiellement pour la première fois lors du Congrès des Nations Unies sur la criminalité en 2010, les organes de l’ONU qui prennent par consensus des décisions liées à la cybercriminalité, notamment la Commission des Nations Unies pour la prévention du crime et la justice pénale (CCPCJ), n’ont pas pu s’accorder sur la nécessité de ce traité. En 2019, cette question a fait l’objet d’un vote à l’Assemblée générale de l’ONU. La résolution lançant le processus vers un traité a été adoptée avec un soutien minoritaire, en raison d’un grand nombre d’abstentions. Néanmoins, le processus progresse maintenant et des États membres de tous bords participent au débat.
La polarisation des positions sur la nécessité du traité s’est traduite par une polarisation des points de vue sur l’étendue du traité : les pays favorables au traité demandent l’inclusion d’un large éventail de crimes cybernétiques, tandis que les pays opposés au traité demandent un traité étroitement ciblé sur les crimes cyberdépendants.
Comment faire pour que le traité ne soit pas utilisé par des régimes répressifs pour réprimer la dissidence ?
L’équilibre entre les mesures efficaces contre la cybercriminalité et les garanties en matière de droits humains est la question fondamentale qui doit être résolue dans le cadre du processus de négociation de ce traité et, pour l’instant, on ne sait pas très bien comment on y parviendra. Le moyen le plus efficace de s’assurer que le traité ne soit pas utilisé pour réprimer la dissidence et d’autres activités légitimes est de veiller à ce qu’il porte sur un ensemble clair de crimes cyberdépendants avec des garanties adéquates et claires en matière de droits humains présentes dans l’ensemble du traité.
En l’absence d’un traité sur les droits numériques, ce traité doit fournir ces garanties et sauvegardes. Sinon, il existe un risque réel qu’en établissant un vaste régime de coopération sans garanties adéquates, le traité soit utilisé par certains États comme un outil d’oppression et de suppression de l’activisme, du journalisme et d’autres activités de la société civile. Or, celles-ci sont essentielles dans toute stratégie efficace de réponse et de prévention de la criminalité.
Dans quelle mesure la société civile peut-elle contribuer au processus de négociation ?
Les négociations du traité ont été ouvertes aux OSC pour qu’elles puissent contribuer au processus par le biais d’une approche qui ne permet pas aux États d’opposer leur veto à des OSC individuelles. Les OSC ont la possibilité d’apporter leur contribution à chaque point de l’ordre du jour, ainsi qu’aux réunions intersessions lors desquelles elles peuvent présenter et mener des discussions avec les États membres. Ce processus est, d’une certaine manière, un modèle que d’autres négociations de l’ONU pourraient suivre comme meilleure pratique.
Les OSC, ainsi que le secteur privé, apportent des perspectives essentielles sur les impacts potentiels des propositions faites dans le cadre des négociations du traité, sur les questions pratiques, sur la protection des données et sur les droits humains. Fondamentalement, les OSC vérifient les faits et fournissent des preuves pour étayer ou contester les arguments avancés par les États membres lorsque des propositions sont faites et que des compromis potentiels sont discutés.
Quels sont les progrès réalisés jusqu’à présent et quels ont été les principaux obstacles aux négociations ?
Officiellement, le comité ad hoc n’a plus que deux réunions à tenir avant l’adoption du traité : une réunion aura lieu en août et l’autre au début de 2024. Le Comité a déjà tenu cinq réunions, au cours desquelles l’ensemble des questions et des projets de dispositions à inclure dans le traité ont été discutés. La prochaine étape consistera en l’élaboration d’un projet de traité par le président, qui sera ensuite débattu et négocié lors des deux prochaines réunions.
Le principal obstacle a été l’existence de différences assez fondamentales dans les visions du traité, qui vont d’un traité large permettant l’incrimination et la coopération pour une gamme variée d’infractions à un traité étroit axé sur les crimes cyberdépendants. À cause de ces différences d’objectifs, le Comité a jusqu’à présent manqué d’une vision commune. Dans les mois à venir, c’est à cette vision que les négociations devront parvenir.
Quelles sont les chances que la version finale du traité respecte les normes internationales en matière de droits humains tout en remplissant son objectif ?
Cela dépend des négociateurs de toutes les parties et de la distance qu’ils sont prêts à parcourir pour parvenir à un accord : c’est cela qui déterminera si le traité a un impact significatif sur la cybercriminalité tout en restant fidèle aux normes internationales en matière de droits humains et à l’éthique générale des Nations Unies en matière de droits humains. Ce serait le résultat optimal, mais compte tenu de l’atmosphère et des défis politiques actuels, il sera difficile à atteindre.
Il est possible que le traité soit adopté sans garanties adéquates et que, par conséquent, seul un petit nombre de pays le ratifie. Cela non seulement diminuerait son utilité, mais également ferait porter les risques en matière de droits sur les seuls pays signataires. Il est également possible que le traité contienne des normes très élevées en matière de droits humains, mais que, là encore, peu de pays le ratifient, ce qui limiterait son utilité pour la coopération mais neutraliserait les risques qu’il présente pour les droits humains.
Contactez l’Alliance des ONG pour la prévention du crime et la justice pénale sur sonsite web et suivez@GI_TOC et@IanTennant9 sur Twitter.
-
UN CYBERCRIME TREATY: ‘Civil society is fact-checking the arguments made by states’
CIVICUS speaks with Ian Tennant about the importance of safeguarding human rights in the ongoing process to draft a United Nations (UN) Cybercrime Treaty.Ian isthe Chair of theAlliance of NGOs on Crime Prevention and Criminal Justice, a broad network of civil society organisations (CSOs) advancing the crime prevention and criminal justice agenda through engagement with relevant UN programmes and processes. He’s the Head of the Vienna Multilateral Representation and Resilience Fund at theGlobal Initiative Against Transnational Organized Crime, a global CSO headquartered in Geneva, focused on research, analysis and engagement on all forms of organised crime and illicit markets. Both organisations participate as observers in negotiations for the UN Cybercrime Treaty.
Why is there need for a UN treaty dealing with cybercrime?
There is no consensus on the need for a UN treaty dealing with cybercrime. The consensus-based bodies dealing with cybercrime at the UN, primarily the UN Commission on Crime Prevention and Criminal Justice (CCPCJ), could not agree on whether there was a need for the treaty since the issue was first raised officially at the UN Crime Congress in 2010, and in 2019 it was taken to a vote at the UN General Assembly. The resolution starting the process towards a treaty was passed with minority support, due to a high number of abstentions. Nevertheless, the process is now progressing and member states on all sides of the debate are participating.
The polarisation of positions on the need for the treaty has translated into a polarisation of views of how broad the treaty should be – with those countries that were in favour of the treaty calling for a broad range of cyber-enabled crimes to be included, and those that were against the treaty calling for a narrowly focussed treaty on cyber-dependent crimes.
What should be done to ensure the treaty isn’t used by repressive regimes to crack down on dissent?
Balancing effective measures against cybercrime and human rights guarantees is the fundamental issue that needs to be resolved by this treaty negotiation process, and at the moment it is unclear how this will be accomplished. The most effective way to ensure the treaty is not used to crack down on dissent and other legitimate activities is to ensure a treaty focused on a clear set of cyber-dependent crimes with adequate and clear human rights safeguards present throughout the treaty.
In the absence of a digital rights treaty, this treaty has to provide those guarantees and safeguards. If a broad cooperation regime without adequate safeguards is established, there is a real risk that the treaty could be used by some states as a tool of oppression and suppression of activism, journalism and other civil society activities that are vital in any effective crime response and prevention strategy.
How much space is there for civil society to contribute to the negotiations process?
The negotiations for the treaty have been opened for CSOs to contribute to the process through an approach that does not allow states to veto individual CSOs. There is space for CSOs to bring in their contributions under each agenda item, and through intersessional meetings where they can present and lead discussions with member states. This process is in some ways a model that other UN negotiations could follow as a best practice.
CSOs, as well as the private sector, are bringing vital perspectives to the table on the potential impacts of proposals made in the treaty negotiations, on practical issues, on data protection and on human rights. Fundamentally, CSOs are providing fact-checking and evidence to back up or challenge the arguments made by member states as proposals are made and potential compromises are discussed.
What progress has been made so far, and what have been the main obstacles in the negotiations?
On paper, the Ad Hoc Committee has only two meetings left until the treaty is supposed to be adopted – one meeting will take place in August and the other in early 2024. The Committee has already held five meetings, during which the full range of issues and draft provisions to be included in the treaty have been discussed. The next stage will be for a draft treaty to be produced by the Chair, and then for that draft to be debated and negotiated in the next two meetings.
The main obstacle has been the existence of quite fundamental differences in visions for the treaty – from a broad treaty allowing for criminalisation of and cooperation on a diverse range of offences to a narrow treaty focussed on cyber-dependent crimes. Those different objectives mean that the Committee has so far lacked a common vision, which is what negotiations need to discover in the coming months.
What are the chances that the final version of the treaty will meet international human rights standards while fulfilling its purpose?
It is up to the negotiators from all sides, and how far they are willing to move in order to achieve agreement, whether the treaty will have a meaningful impact on cybercrime while also staying true to international human rights standards and the general human rights ethos of the UN. This is the optimal outcome, but given the current political atmosphere and challenges, it will be hard to achieve.
There is a chance the treaty could be adopted without adequate safeguards, and that consequently only a small number of countries ratify it, thereby diminishing its usefulness, but also directing the rights risks to only those countries who sign up. There is also a chance the treaty could have very high human rights standards, but again not many countries ratify it – limiting its usefulness for cooperation but neutering its human rights risks.
Get in touch with the Alliance of NGOs on Crime Prevention and Criminal Justice through itswebsite and follow@GI_TOC and@IanTennant9 on Twitter.
-
UN CYBERCRIME TREATY: ‘This is not about protecting states but about protecting people’
CIVICUS speaks withStéphane Duguin aboutthe weaponisation of technology and progress being madetowards a United Nations (UN) Cybercrime Treaty.Stéphaneis an expert onthe use of disruptive technologies such as cyberattacks, disinformation campaigns and online terrorism and theChief Executive Officer of the CyberPeace Institute,a civil society organisation (CSO) founded in 2019 to help humanitarian CSOs and vulnerable communitieslimit the harm of cyberattacks andpromote responsible behaviour in cyberspace. It conducts research and advocacy and provides legal and policy expertise in diplomatic negotiations, including theUN Ad Hoc Committee elaborating the Cybercrime Convention.
Why is there need for a new UN treaty dealing with cybercrime?
Several legal instruments dealing with cybercrime already exist, including the 2001 Council of Europe Budapest Convention on Cybercrime, the first international treaty aimed at addressing cybercrimes and harmonising legislations to enhance cooperation in the area of cybersecurity, ratified by 68 states around the world as of April 2023. This was followed by regional tools such as the 2014 African Union Convention on Cyber Security and Personal Data Protection, among others.
But the problem behind these instruments is that they aren’t enforced properly. The Budapest Convention has not even been ratified by most states, although it is open to all. And even when they’ve been signed and ratified, these instruments aren’t operationalised. This means that data is not accessible across borders, international cooperation is complicated to achieve and requests for extradition are not followed up on.
There is urgent need to reshape cross-border cooperation to prevent and counter crimes, especially from a practical point of view. States with more experience fighting cybercrimes could help less resourced ones by providing technical assistance and helping build capacity.
This is why the fact that the UN is currently negotiating a major global Cybercrime Convention is so important. In 2019, to coordinate the efforts of member states, CSOs, including CyberPeace Institute, academic institutions and other stakeholders, the UN General Assembly established the Ad Hoc Committee to elaborate a ‘Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purpose’ – a Cybercrime Convention in short. This will be the first international legally binding framework for cyberspace.
The aims of the new treaty are to reduce the likelihood of attacks, and when these happen, to limit the harm and ensure victims have access to justice and redress. This is not about protecting states but about protecting people.
What were the initial steps in negotiating the treaty?
The first step was to take stock of what already existed and, most importantly, what was missing in the existing instruments in order to understand what needed to be done. It was also important to measure the efficacy of existing tools and determine whether they weren’t working due to their design or because they weren’t being properly implemented. Measuring the human harm of cybercrime was also key to define a baseline for the problem we’re trying to address with the new treaty.
Another step, which interestingly has not been part of the discussion, would be an agreement among all state parties to stop engaging in cybercrimes themselves. It’s strange, to say the least, to be sitting at the table discussing definitions of cyber-enabled and cyber-dependent crimes with states that are conducting or facilitating cyberattacks. Spyware and targeted surveillance, for instance, are being mostly financed and deployed by states, which are also financing the private sector by buying these technologies with taxpayers’ money.
What are the main challenges?
The main challenge has been to define the scope of the new treaty, that is, the list of offences to be criminalised. Crimes committed with the use of information and communication technologies (ICTs) generally belong to two distinct categories: cyber-dependent crimes and cyber-enabled crimes. States generally agree that the treaty should include cyber-dependent crimes: offences that can only be committed using computers and ICTs, such as illegally accessing computers, performing denial-of-service attacks and creating and spreading malware. If these crimes weren’t part of the treaty, there wouldn’t be a treaty to speak of.
The inclusion of cyber-enabled crimes, however, is more controversial. These are offences that are carried out online but could be committed without ICTs, such as banking fraud and data theft. There’s no internationally agreed definition of cyber-enabled crimes. Some states consider offences related to online content, such as disinformation, incitement to extremism and terrorism, as cyber-enabled crimes. These are speech-based offences, the criminalisation of which can lead to the criminalisation of online speech or expression, with negative impacts on human rights and fundamental freedoms.
Many states that are likely to be future signatories to the treaty use this kind of language to strike down dissent. However, there is general support for the inclusion of limited exceptions on cyber-enabled crimes, such as online child sexual exploitation and abuse, and computer-related fraud.
There is no way we can reach a wide definition of cyber-enabled crimes unless it’s accompanied with very strict human rights safeguards. In the absence of safeguards, the treaty should encompass a limited scope of crimes. But there’s no agreement on a definition of safeguards and how to put them in place, particularly when it comes to personal data protection.
For victims as well as perpetrators, there’s absolutely no difference between cyber-enabled and cyber-dependent crimes. If you are a victim, you are a victim of both. A lot of criminal groups – and state actors – are using the same tools, infrastructure and processes to perform both types of attacks.
Even though there’s a need to include more cyber-enabled crimes, the way it’s being done is wrong, as there are no safeguards or clear definitions. Most states that are pushing for this have abundantly demonstrated that they don’t respect or protect human rights, and some – including China, Egypt, India, Iran, Russia and Syria – have even proposed to delete all references to international human rights obligations.
Another challenge is the lack of agreement on how international cooperation mechanisms should follow up to guarantee the practical implementation of the treaty. The ways in which states are going to cooperate and the types of activities they will perform together to combat these crimes remain unclear.
To prevent misuse of the treaty by repressive regimes we should focus both on the scope of criminalisation and the conditions for international cooperation. For instance, provisions on extradition should include the principle of dual criminality, which means an act should not be extraditable unless it constitutes a crime in both the countries making and receiving the request. This is crucial to prevent its use by authoritarian states to persecute dissent and commit other human rights violations.
What is civil society bringing to the negotiations?
The drafting of the treaty should be a collective effort aimed at preventing and decreasing the amount of cyberattacks. As independent bodies, CSOs are contributing to it by providing knowledge on the human rights impacts and potential threats and advocating for guarantees for fundamental rights.
For example, the CyberPeace Institute has been analysing disruptive cyberattacks against healthcare institutions amid COVID-19 for two years. We found at least 500 cyberattacks leading to the theft of data of more than 20 million patients. And this is just the tip of the iceberg.
The CyberPeace Institute also submits recommendations to the Committee based on a victim-centric approach, involving preventive measures, evidence-led accountability for perpetrators, access to justice and redress for victims and prevention of re-victimisation.
We also advocate for a human-rights-by-design approach, which would ensure full respect for human rights and fundamental freedoms through robust protections and safeguards. The language of the Convention should refer to specific human rights frameworks such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. It is important that the fight against cybercrime should not pit national security against human rights.
This framing is especially significant because governments have long exploited anti-cybercrime measures to expand state control, broaden surveillance powers, restrict or criminalise freedoms of expression and assembly and target human rights defenders, journalists and political opposition in the name of national security or fighting terrorism.
In sum, the goal of civil society is to demonstrate the human impact of cybercrimes and make sure states take this into consideration when negotiating the framework and the regulations – which must be created to protect citizens. We bring in the voices of victims, the most vulnerable ones, whose daily cybersecurity is not properly protected by the current international framework. And, as far as the CyberPeace Institute is concerned, we advocate for the inclusion of a limited scope of cybercrimes with clear and narrow definitions to prevent the criminalisation of behaviours that constitute the exercise of fundamental freedoms and human rights.
At what point in the treaty process are we now?
A consolidated negotiating document was the basis for the second reading done in the fourth and fifth sessions held in January and April 2023. The next step is to release a zero draft in late June, which will be negotiated in the sixth session that will take place in New York between August and September 2023.
The process normally culminates with a consolidation by states, which is going to be difficult since there’s a lot of divergence and a tight deadline: the treaty should be taken to a vote at the 78th UN General Assembly session in September 2024.
There’s a bloc of states looking for a treaty with the widest possible scope, and another bloc leaning towards a convention with a very limited scope and strong safeguards. But even within this bloc there is still disagreement when it comes to data protection, the approach to security and the ethics of specific technologies such as artificial intelligence.
What are the chances that the final version of the treaty will meet international human rights standards while fulfilling its purpose?
Considering how the process has been going so far, I’m not very optimistic, especially on the issue of upholding human rights standards, because of the crucial lack of definition of human rights safeguards. We shouldn’t forget negotiations are happening in a context of tense geopolitical confrontation. The CyberPeace Institute has been tracing the attacks deployed since the start of Russia’s full-scale invasion of Ukraine. We’ve witnessed over 1,500 campaigns of attacks with close to 100 actors involved, many of them states, and impacts on more than 45 countries. This geopolitical reality further complicates the negotiations.
By looking at the text that’s on the table right now, it is falling short of its potential to improve the lives of victims in cyberspace. This is why the CyberPeace Institute remains committed to the drafting process – to inform and sensitise the discussions toward a more positive outcome.
Get in touch with the CyberPeace Institute through itswebsite or itsFacebook page, and follow@CyberpeaceInst and@DuguinStephane on Twitter.