By: Douwe Korff , Emeritus Professor of International Law
The theory: “The same freedoms online as offline”
The Digital Enlightenment Forum is based on the belief, also expressed numerous times in international instruments and declarations, that “people should enjoy the same autonomy and rights and freedoms online that they do offline”. We also generally subscribe to the ideas that individuals should first and foremost be subject to the laws and mores of the country where they live, provided that those laws and mores accord with international human rights standards – that states should refrain from interfering in other states and should generally not apply their laws extraterritorially; but that, conversely, violations of public international law or international human rights law are a legitimate concern of the whole international community.
However, these mantras are not reflected in the responses of many states – including states that often portray themselves as the main advocates of human rights and international law – to “bad” actions in cyberspace. Worse, the excessive and unlawful online behaviour of certain state agencies increasingly also informs their behaviour offline.
This blog simply tries to list the issues involved, to help the debate.
What exactly is “cybersecurity” and “cybercrime?
The term “cybersecurity” is used to cover a great many – indeed, in my opinion, far too many – different issues, ranging from purely technical security issues (like protection against non-criminal threats to IT/Internet infrastructure), to “cybercrime” (which itself covers very different things, from interception of communications, online IP “piracy” and “hacking” to child pornography and hate speech), and is sometimes even applied to civil law and –procedure relating to e-contracts, ISP Terms & Conditions, intellectual property, etc., etc.. And in all these regards, it is at times applied to substantive law, procedure, oversight and remedies, national institutions, international instruments, and intergovernmental arrangements and –institutions; at the national and international/transnational level; and also including national and international policy-making in these regards.
At the same time, the very word “cybersecurity” is used to conjure up existential threats relating to “national security” and “international security”.
Cybersecurity and human rights
Cybersecurity issues are often highly human rights sensitive, in particular when they involve monitoring of the activities of individuals in cyber space; pulling of data on individuals (or that may also relate to individuals) from cyberspace; or the storing, sharing, analysing and further using of such data, including profiling.
Any such monitoring or collecting, etc., constitutes ipso facto an interference with at least the privacy rights and the right to data protection of such individuals, and possibly with their rights to freedom of expression, freedom of association and freedom of religion. Moreover, if such measures are taken as part of criminal investigations (or may lead to such investigations), they raise fair trial – and fair investigation – issues.
These cybersecurity human right issues are complicated and aggravated, in particular:
- if the measures involve cooperation – and data exchanges – between state and private entities (companies, including in particular companies active in cyber space, such as Internet Service Providers (ISPs) and mobile network operators (MNOs) and social network service providers (SNSs);
- if the measures involve cooperation – and data exchanges – between law enforcement agencies and national security agencies; and/or
- if there are transnational/international aspects to the measures, i.e., if they either involve actions of entities in one country that directly affect individuals (the data of individuals and the rights of individuals) in other countries (such as the pulling of data from a server in one country for analysis in another country), or if they involve cooperation between entities in different countries (which could be cooperation between private entities in different countries, or cooperation between public entities in different countries [such as international law enforcement- or national security cooperation], or cooperations between private entities in one country and public entities in another country).
Of course, if several of these factors are present, that multiplies the complications.
Cybersecurity and national security
One of the most serious threats to the rule of law is the increasing attempts to define cybersecurity as inherently being part of national security. There are two important aspects to this. It means that:
- Individuals suspected of involvement of “threats to [ill-defined] cybersecurity” and/or of being involved in “[any kind of] cybercrime”, are increasingly treated as “threats to national security” – i.e., in effect, as terrorists; and
- The issues concerned are increasingly placed within the competence of the national security agencies rather than the ordinary law enforcement agencies and/or that there is an ever-greater blurring of the lines between the work of the LEAs and the NSAs.
In the course of these processes, two serious threats to the rule of law emerge:
- Individuals suspected of a wide range of crimes – including crimes not in any way involving violence – are increasingly treated as, or on a par with, “terrorists” and others “threatening the fundamental [constitutional[ order of the State”; and
- The law enforcement agencies in states supposedly strongly committed to the rule of law increasingly not only work with, but are beginning to adopt the methods and practices and ethos of the security agencies – who have too often been shown to have little regard to the rule of law.
If we want to preserve the State Under the Rule of Law (der Rechtsstaat, l’État du Droit), we must fight these trends. They may not be new – the author fought against them in the 1970s, 80s and 90s – but they have reared their heads again in mutated forms in the current century. We must re-affirm our commitment to the rule of law and to Enlightenment values – now!
* This blog expands on a powerpoint presentation by the author at the 2015 Computers, Privacy & Data Protection (CPDP) Conference in Brussels, January 2015, on “Cybersecurity & Human Rights”. It also draws on the Council of Europe Commissioner for Human Rights Issue Paper on “The Rule of Law on the Internet and in the wider digital world”, released in December 2014, which was drafted by the author of this blog.
For further reading, see:
The rule of law on the Internet and in the wider digital world, Issue Paper of the Council of Europe Commissioner for Human Rights, prepared by Douwe Korff, December 2014, available at: https://wcd.coe.int/ViewDoc.jsp?Ref=CommDH/IssuePaper(2014)1&Language=lanAll (Full paper in English; Exec. Summary & Recommendations also available in French, Russian and Turkish)