Job alert: There’s an exciting new opportunity at GPD for a Project Assistant, supporting our work on artificial intelligence, other emerging technologies, and their impact on human rights. Applications close on 7 March 2021. Applicants must have the right to live and work in the United Kingdom. Apply here.
the digest  February 2021

A new assault on encryption?

This month the EU launched a consultation on its new plan to tackle child sexual abuse material (CSAM).

The text of the consultation outlines that this will include measures to compel online service providers “to detect known child sexual abuse material” and “require them to report that material to public authorities”. But we also know, from an EU Commission leak last year, that measures to restrict encryption—so called “backdoors”—are also potentially on the table. As several expert members of the Global Encryption Coalition have noted, these proposals could have serious implications for digital security and human rights. 

This is all concerning, but at least the consultation (which ends on 15 April) provides a structured opportunity for civil society and other stakeholders to provide their perspectives on the proposed approach.

Unfortunately, in India—where a similar set of proposals are about to be announced—no consultation is being promised. The Indian Ministry of Electronics and Information Technology (MeiTy) is imminently expected to propose sweeping amendments to intermediary liability rules that could weaken security and limit the use of strong encryption on the internet. A leaked version of these guidelines reveals plans to require intermediaries (like social media platforms, or internet service providers) to be able to trace the origin of communications, with penalties for non-compliance—creating an obligation on the intermediary to have access to encrypted traffic. In an open letter to the Indian government, a group of nearly 30 security advisors highlighted the risks of such an approach: “by tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures.”

An Internet Society report from last year similarly concluded that the use of digital signatures and the use of metadata (which have both been proposed as methods to achieve traceability) would require the breaking of end-to-end encryption. 

As we noted in a recent blog on GPD’s newly launched encryption policy hub, these attacks on encryption—as well as the new focus on intermediary liability—is part of a wider set of trends which human rights defenders and others who support the availability of strong encryption need to be aware of. The Global Encryption Coalition will be coordinating members to respond to developments at both the EU and in India: watch out for more here.

The new wave of online content laws: risks and opportunities

At GPD, a core part of our work is monitoring state efforts to regulate online content, and exploring their potential impacts on human rights. 

Right now, our main focus is on three initiatives: the UK’s forthcoming Online Safety Bill, the European Union’s proposed Digital Services Act (DSA), and Australia’s Online Safety Bill. These legislative proposals vary in terms of their territorial application, obligations on platforms, scope of content addressed, and intermediary liability provisions. But each of them—and those in other parts of the world (see Listening Post below)—present a shared set of risks for human rights online. 

As the contours of these proposed frameworks become clearer, commentators are voicing more specific concerns about the impacts they may have on freedom of expression, privacy and the right to effective remedy under international human rights law. Gabrielle Guillemin of Article 19 recently shared thoughts about the DSA’s notice-and-action mechanism, which—despite including a number of safeguards—may pose risks to freedom of expression for individuals and incentivise takedowns by companies. Heather Burns of Open Rights Group has also raised concerns about the UK’s proposed framework, noting that any service requirement that would weaken or compromise encryption (in order to meet compliance obligations under the proposed duty of care) would be an affront to individuals’ right to privacy. 

In our response to a consultation last month on Australia’s draft Online Safety Bill, we stressed that appeals mechanisms should be established for users and companies to challenge take-down decisions by the country’s independent regulator for online safety. This would ensure users are provided with an effective remedy without resorting to civil proceedings, which are often cumbersome, time-intensive and expensive. 

While the approaches taken in these three proposals are largely reasonable, it has become increasingly clear that modifications or additional safeguards would further mitigate risks to human rights online. It is imperative that new frameworks are also consistent with international human rights standards, since any new models will shape and influence other regulatory approaches taken across the globe. On this point, we have a cautionary tale in the example of Germany’s Network Enforcement Act (NetzDG), which many say has become a prototype for online censorship in dozens of countries since its introduction in 2017. 

If appropriately modified, GPD believes that current proposals in the UK, EU and Australia could avoid this fate—and instead serve as useful models of rights-respecting solutions to tackle online harms without resorting to censorship of legitimate speech or internet shutdowns, as recently seen in Myanmar and Uganda.

The OEWG’s final draft: roadblocks to the finish line

The UN First Committee’s Open ended Working Group (OEWG) has just published the final draft of its upcoming report on responsible state behaviour. 

It follows the publication in February of a Zero Draft, which GPD responded to here. Our feedback on that draft—drawing closely on insights from a recent informal multistakeholder dialogue we co-organised—recommended that the report do more to:

  1. Centre the impacts on human rights from state activities in cyberspace;
  2. Affirm the importance of including all stakeholders in discussions around cyber norms.
At a civil society briefing held just after the release of the Zero Draft, we were told that ongoing disagreements within the OEWG meant that—for the final draft—the Chair was thinking of moving the “discussion-related sections” (which in fact constituted the bulk of the report) into a separate annex or report, or even cutting them altogether. We were concerned by this possible outcome, since these sections include most of the report’s references to stakeholder engagement, and are most reflective of the input and framing shared by non-governmental organisations over the course of the discussions. 

Now the final draft is here (it was released on 1 March), it seems that a compromise has been struck. This new version maintains some of the discussion-related sections, refashioned as “introductory remarks”, as well as the recommendations sections. Text that has been removed has been pasted at the end of the report for discussion at the third meeting (8-12 March), and will either be incorporated then or completely removed.

GPD is still reviewing the final draft, and will provide a fuller response soon. It’s clear that much will depend on what happens at the upcoming March meeting. Whether civil society will even be able to attend is currently unconfirmed, but we’re hopeful: previous substantive meetings have made at least partial provision for non-governmental input, and not doing so would be a huge step backward for the process. Regardless, we should have plenty of intel and updates to share in next month’s Digest—stay posted...

Other news
  • Across the OEWG discussions, one (uncharacteristic) area of agreement has been that states need greater guidance on implementing existing agreed cyber norms—with a dedicated “non-paper” developed to discuss this. A while back, GPD, along with other civil society organisations, submitted joint feedback and recommendations on this non-paper, and in February were pleased to see much of it reflected and incorporated in the latest version—which now includes stronger reference to engaging non-governmental stakeholders in implementation, and to the importance of considering human rights in the implementation of cyber norms. 
  • Despite the enforced leave of the recently appointed Tech Envoy pending a sexual harassment investigation, the Envoy’s Office is continuing its work. According to a briefing held with some civil society actors this month, it plans to focus on supporting implementation of the Secretary General’s Roadmap on digital cooperation, and will be relying on stakeholders to continue to implement the Roadmap via the existing Roundtables.
  • One of the outcomes of the Roadmap so far has been its recommendation to set up a new higher level multistakeholder advisory body (MHLB), as a bridge between discussions at deliberative bodies like the IGF and decision-making bodies at the UN and elsewhere. A questionnaire on the proposed MHLB has just launched: input here.

Listening post

Your monthly global update, tracking relevant new laws and policies relating to the digital environment.

On the trust and security side, a lot to report from February:

  • Zambia’s Cybersecurity and Cybercrime Bill 2021 reached committee stage in parliament (a consortium of civil society organisations released a statement); Fiji passed its Cybercrime Bill 2020; and, in Tuvalu, a draft Cybercrime Bill is apparently due to be tabled in parliament.
  • Following criticism of the draft cybersecurity bill, on 15 Feb, Myanmar issued surprise amendments to the Electronic Transactions Law. 
  • Nigeria launched its National Cybersecurity Policy and Strategy
  • New Zealand announced it will join the Budapest Convention on Cybercrime, while Ghana joined the Global Forum on Cyber Expertise.  
On online content
  • Cambodia introduced a new decree allowing the government to monitor and control all online traffic.
  • India’s leaked Information Technology Rules (covered above in Encryption) also have significant implications for the regulation of online content.
  • Indonesia proposed a new Regulation on intermediary liability. On initial analysis, it seems to be one of the most repressive proposals of its kind since the wave of like proposals following Germany’s 2017 NetzDG.
  • In Myanmar, sweeping new “fake news” provisions in the Penal Code may criminalise a vast range of free expression.  
  • In Russia, a new law, №530-FZ, requires platforms of a certain size to be added to a state registry, and obliges them to remove illegal content on their sites or face steep fines. 
On the emerging tech side, the Irish government has announced that a National AI Strategy will be published soon. And some updates on the progress of data protection laws globally: 
Copyright © 2019 Global Partners Digital.
All rights reserved

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

This email was sent to <<Email Address>>
why did I get this?    unsubscribe from this list    update subscription preferences
Global Partners Digital · Second Home · 68 Hanbury St · London, E1 5JL · United Kingdom

Email Marketing Powered by Mailchimp