Freedom Online Coalition publishes Recommendations on Cybersecurity Policy and Human Rights

Working Group 1 of the Freedom Online Coalition (“FOC”) has published a list of recommendations which it hopes will lead to cybersecurity policies which are inherently more rights respecting. These Recommendations were produced at the sixth iteration of the FOC’s annual conference in Costa Rica.

The FOC, according to its website, is “…a group of governments who have committed to work together to support Internet freedom and protect fundamental human rights – free expression, association, assembly, and privacy online – worldwide.” The FOC’s noticeably diverse membership currently stands at 30 nations and includes, among others: Agentina, Kenya, Mongolia, The United States and Canada.

The recommendations are:

  1. Cybersecurity policies and decision-making processes should protect and respect human rights.
  2. The development of cybersecurity-related laws, policies, and practices should from their inception be human rights respecting by design.
  3. Cybersecurity-related laws, policies and practices should enhance the security of persons online and offline, taking into consideration the disproportionate threats faced by individuals and groups at risk.
  4. The development and implementation of cybersecurity-related laws, policies and practices should be consistent with international law, including international human rights law and international humanitarian law.
  5. Cybersecurity-related laws, policies and practices should not be used as a pretext to violate human rights, especially free expression, association, assembly, and privacy.
  6. Responses to cyber incidents should not violate human rights.
  7. Cybersecurity-related laws, policies and practices should uphold and protect the stability and security of the Internet, and should not undermine the integrity of infrastructure, hardware, software and services.
  8. Cybersecurity-related laws, policies and practices should reflect the key role of encryption and anonymity in enabling the exercise of human rights, especially free expression, association, assembly, and privacy.
  9. Cybersecurity-related laws, policies and practices should not impede technological developments that contribute to the protection of human rights.
  10. Cybersecurity-related laws, policies, and practices at national, regional and international levels should be developed through open, inclusive, and transparent approaches that involve all stakeholders.
  11. Stakeholders should promote education, digital literacy, and technical and legal training as a means to improving cybersecurity and the realization of human rights.
  12. Human rights respecting cybersecurity best practices should be shared and promoted among all stakeholders.
  13. Cybersecurity capacity building has an important role in enhancing the security of persons both online and offline; such efforts should promote human rights respecting approaches to cybersecurity.

The recommendations are, at first blush, hard to disagree with. Of course, the proof of the pudding will be in the eating. Naturally, therefore, eyes will be trained on the FOC member states to see the degree to which they actually observe these recommendations in their future law and policy making efforts.

You may ask what the utility of any of this is If you are from a country that is not party to the FOC. The answer: in practical terms, regardless of the membership status of a country with the FOC, the recommendations represent a, somewhat, normative reference point for any nation’s policy makers. Cybersecurity-related policies which are grounded in these recommendations will, accordingly, carry an inherently greater degree of credibility when held up to the light.

The Saint Vincent Cybercrime Act which was recently passed has come in for widespread criticism based on its perceived lack of appreciation for the basic rights of Vincentians to express themselves freely in online spaces. It is not hard to imagine that the resulting legislation could have been different had its framers had the benefit of and, importantly, took on board some of the principles in, the FOC Recommendations.

Those of us in the Caribbean who are (or wish to be) involved in the law and policy development process surrounding cybersecurity issues, may therefore want to include the FOC Recommendations in our armoury going forward. This includes not just the policy crafters themselves but also other vested stakeholders, including the business community and civil society.