Today, Access Now will be endorsing the Paris Call for Trust and Stability in Cyberspace (Paris Call) in support of a more peaceful internet with stronger protections for users and human rights. The Paris Call will be a landmark deal launched during the Paris Digital Week, including the Paris Peace Forum (PPF) and Internet Governance Forum (IGF), in which those endorsing will reaffirm their commitment to the applicability of human rights online and support for a more secure cyberspace. While the deal is far from perfect, its commitments largely benefit users, including users at risk, and will reinforce valuable norms of behavior online.
The Paris Call is a multi-stakeholder effort of government, companies, and civil society, though primarily led by government and company stakeholders. President Emmanuel Macron of France will launch the call at IGF on November 12. As we wrote last week, the IGF and PPF are a part of the broader Paris Digital Week where user protections should be high on the agenda. Access Now participated in drafting the Call, including in support of language encouraging coordinated vulnerability disclosure. We recognize, however, that the process was not adequately inclusive for civil society and that civil society must also be involved in the implementation. When those endorsing the Call reexamine it in a year, we hope to see structured outreach to more civil society organizations, and at an earlier stage.
Why we signed
Protecting peace in the digital era must mean strengthening user protections against governments that undermine the security of the internet. There is a growing risk that “online sovereignty” will become the prevailing theme in international cybersecurity policy. A coalition of countries that includes Russia and China has introduced resolutions at the United Nations that emphasize state sovereignty online over human rights. Sovereignty can justify overbroad data collection and government hacking, internet shutdowns, restrictions on expression based on poorly defined standards of hate speech or terrorist content, and limits on the security of platforms, all in the name of the needs of the state.
Meanwhile, the current insecurity of internet platforms and connected technology leaves users at high risk of data breaches and direct attacks. Companies must take responsibility for poor security decisions. That is why we support efforts like the Paris Call that recognize the responsibility of all actors, including the private sector, in strengthening the security of platforms and services.
Ultimately, the Paris Call will reinforce other efforts to improve protections for users and their rights. Just yesterday, the Global Commission on the Stability of Cyberspace, a body that works “to promote mutual awareness and understanding among the various cyberspace communities working on issues related to international cybersecurity,” released a new package of norms that aim for a more peaceful cyberspace. Those norms overlap with the commitments of the Paris Call, including the need to address vulnerabilities, the harm of private-sector offensive hacking operations, and the recognition of the value of cyber hygiene.
What the Paris Call includes
Near the top of the Paris Call will be reaffirmations of the applicability of international law, in particular humanitarian law and human rights law, to cyberspace. Putting human rights near the top of the Paris Call is an indication of importance. The rest of the Paris Call will help when answering questions about how human rights apply online.
In our last blog post on Paris Digital Week, we addressed a number of commitments that should come out of Paris. Many of those protections will be included in the Paris Call. For example, the Paris Call commits those endorsing to strengthening cyber hygiene. To us, that means promoting tools like multi-factor authentication and virtual private networks (VPNs). While the Call does not make reference to encryption, it does urge the strengthening of products and services, which often involves encryption.
The Call also recognizes the range of ways in which all actors must work, often together, to improve cybersecurity. Both state and non-state actors play a role in helping victims of cybersecurity attacks. We play our own role in assisting victims through our Digital Security Helpline. We work collaboratively with other non-governmental organizations that also help prevent attacks and recover from those that take place.
How the Paris Call should be improved
As we noted, the Paris Call is not perfect. We hope to see a reevaluation of certain commitments when the parties reconvene next year. Two warrant particular discussion, and Access Now accordingly places a reservation on endorsing them.
First, the Paris Call promotes cooperation between stakeholders to address the threat of “cyber criminality.” Judicial orders should be the basis for any assistance between providers and law enforcement. Cooperation, on the other hand, can be interpreted to mean informal exchange of data or the intentional weakening of platforms to enable law enforcement access. As such, “cooperation” is not the proper framework for the relationship between law enforcement and companies.
The Paris Call also refers to the Budapest Convention, a global cybercrime treaty that attempts to harmonize national laws, as a “key tool.” Civil society has critiqued the Convention’s broad definitions of criminal actions, which can hamper security research. The Council of Europe is developing an additional protocol to the Convention that would extend law enforcement’s ability to reach data stored across borders. It is yet to be seen whether the additional protocol will be crafted with adequate human rights protection given the risks.
Second, the Paris Call includes a commitment from stakeholders to prevent theft of intellectual property, including trade secrets, using information and communication technologies. Calling for “prevention” suggests a heavy-handed approach that could limit the flow of information online and risk freedom of expression and the right to privacy. We were concerned that references to intellectual property would be contained in the document, which is why we reserve support for this provision.
We also hope to see additions to the Paris Call next year. First, while the Paris Call urges limits on private sector actors “hacking back,” it does not adequately address the risks of government hacking. The UN Human Rights Council singled out hacking as a threat to the safety of journalists. Jamal Khashoggi may have been spied on through invasive malware before his murder. Government hacking is not only a threat to user privacy, it can also undermine the security of platforms.
Finally, the Paris Call does not make explicit that protecting security often means protecting personal data. The next Paris Call should recognize the need for robust data protection and security measures, breach notification schemes, and privacy-by-design principles. Similarly, the Paris Call should address the widespread use of surveillance by governments which impacts users’ rights.
User-centric cybersecurity
The Paris Peace Forum and the Paris Call mark 100 years since the end of World War I. The actors that meet there will help set the security agenda for the next 100 years. At Access Now, we believe that the next 100 years must be about reinforcing and extending existing protections. To achieve that, cybersecurity should be user-centric, systemic, and anchored in open and pluralistic processes. Despite the need for improvements, the Paris Call can help achieve those goals.