Access Now and several other international, regional, and local organizations express our concern over the continuous persecution of digital security researchers and trainers in a letter released yesterday. This initiative stems from a meeting held at IGF Berlin 2019 where many activists, academics, and technologists exchanged information regarding legal cases happening in their countries and regions.
The work of digital rights defenders is key in protecting and maintaining an open and safe online civic space. Through their research we learn about the existence of vulnerabilities in systems which allows governments and companies to find solutions that improve infrastructure and online security for the benefit of the public. Despite the relevance of responsible disclosure, many governments across the world are persecuting researchers through legal cases or criminalizing their activity through laws meant to silence and dissuade them.
“We have to understand that no computer system or digital infrastructure is invulnerable. Knowing about these flaws is an essential component of keeping us safe. If, as a rule, governments punish the people with the expertise to disclose this information, then we are all at a security risk,” said Gaspar Pisanu, Latin America Policy Associate at Access Now.
An intervention is necessary in order to stop this worrying trend of demonizing and punishing security research. Governments have to come together with industry and civil society to devise solutions befitting the scale of our connected world and economies. This must include transparent processes for the responsible disclosure of vulnerabilities independent security researchers discover — both to private companies as well as public entities — and it is high time we do away with laws that conflate research activity with criminal acts. The entire internet ecosystem stands to benefit if we create incentives for, rather than punish, security research.
“Technology is moving forward, and our legal processes have to adapt to the new realities this poses,” added Lucie Krahulcova, Policy Analyst at Access Now. “Security research will continue, and governments have to step up and give digital rights defenders transparent processes so they can do their work with certainty and without fear or repercussion. We can’t keep demanding innovation while standing in the past.”
We would also like to take this opportunity to reiterate our call on governments, who are often sprinting toward a more connected global economy, to consider the importance of handling vulnerabilities responsibly. Governments should encourage private and public entities to adopt coordinated disclosure policies (and similar best practices) and consider updating legal frameworks to reflect the nuances of intention and scope against the powers given to prosecutors when dealing with security researchers. Governments should also introduce a transparent process for how they handle and disclose vulnerabilities encountered and/or used by their law enforcement and intelligence agencies.
The full text of the letter and its signatories can be found here.