The universal right to privacy embodied in international human rights law is increasingly dependent on privileged access to digital security; nowhere is this link demonstrated more clearly than in the experience of civil society organisations (CSOs).
As detailed in a recently released Citizen Lab report, civil society actors on which the public relies to check abuses of power and advance human rights agendas – nongovernmental organisations, independent media and journalists, activists, and others – are regularly subjected to targeted digital attacks that undermine their privacy and compromise sensitive information. Such attacks include malicious emails that may infect the target’s computer when links or attachments are opened, or malicious code delivered through compromised websites.
CSOs are persistently targeted due to the political nature of their work, including by some of the very same attackers targeting corporations and government agencies. Yet CSOs are often the least capable of attaining adequate levels of digital security due to a lack of resources and access to technical expertise. At the same time, public debates surrounding cyber security have largely ignored CSO concerns, focusing instead on digital espionage and attacks conducted against industry and government. A new digital divide – one in which digital security is a matter of “haves” and “have-nots” – is opening up.
In a four-year study of targeted digital threats against CSOs, Citizen Lab sought to explore more deeply the CSO experience of targeted digital attacks. We examined attacks levied against a group of ten non-governmental and media organisations, using both technical and contextual analysis. The organisations in our study were all concerned with human rights issues related to China and/or Tibet, or were human rights organisations focused on multiple issues and regions.
We found that politically motivated actors seeking persistent and undetected access to their networks targeted all ten of these groups. Technical exploits used against them, while generally unsophisticated, permitted surveillance by the attackers and the surreptitious transmission of sensitive information over lengthy periods of time. The methods used to portray malicious emails as legitimate and to dupe targets into opening malware (known as “social engineering”) were well developed, suggesting strong familiarity on the part of the attackers with the work, interests, and contacts of their targets.
Targeted digital threats have not only undermined CSOs’ core communications and missions as a nuisance, resource drain, or risk to individual safety; they have also effectively extended the reach of the state (or other threat actors) beyond borders, to locales where vulnerable groups, such as exile or diaspora communities, may have thought themselves safe. Our research findings and datasets provide a small window into what appears to be a much greater and under-reported problem affecting CSOs.
To address this problem we must expand the terms and scope of the debate, exploring the link between the right to privacy and access to digital security more fully.
The United Nations General Assembly has declared, in a resolution on the right to privacy in the digital age, that “…the same rights that people have offline must also be protected online, including the right to privacy.”
Yet for such a right to privacy to hold any meaning in the digital age, one must address difficult foundational questions regarding the sanctity and security of digital communications. States have looked for and even created ways to compromise data and networks in furtherance of law enforcement or geopolitical interests, handicapping by design the overall security of the online environment. They have driven the growth of a private market for spyware that equips regimes – regardless of their respect for human rights – with powerful digital espionage capabilities. These factors further erode a digital security apparatus already threatened by criminal activity and the ubiquity of insecure software and hardware. While some individuals and entities, including large companies, possess the technical expertise, political clout, and/or financial assets to defend their systems, many of the actors regularly subjected to digital targeting, such as CSOs, do not have such resources at their disposal. Developments thus far suggest that privacy will never truly exist without concerted effort to secure from intrusion both the hardware and software that people rely on to communicate. Both technical and policy measures are needed to curb the opportunity to exploit crucial technologies in the first instance.
So, is privacy the new luxury, attainable only by those with the means to protect their information in a digital environment consumed by competing strategic interests? Now is the time to refute that proposition. A holistic approach to digital security will require action from multiple sectors.
CSOs and funders should consider working together to collect and aggregate data (stripped of identifying information) concerning digital threat incidents within civil society. This will provide insight into the nature and scale of the problem. CSOs should also seek to cultivate a culture of digital security awareness among all staff, which funders can encourage by providing dedicated support for long-term digital security enhancements by CSOs.
Governments should elevate the priority and visibility of targeted digital threats against civil society in their domestic policy and diplomacy, seeking ways to raise the costs of the attackers. They should also rein in the commercial market for spyware, and minimize digital risks within this sector. They should push back against the legitimization of the targeting of non-state public interest entities for strategic or intelligence purposes.
And companies are poised to play a critical role in addressing this problem. ICT companies should incorporate end-to-end encryption in their products and services. They should explore a “pro bono” approach to sharing technical expertise as well as creative licensing solutions with CSOs, helping CSOs to upgrade their technical capacity and reduce the risks associated with the use of insecure, outdated software. Those companies that produce or distribute technology that can be misused by repressive regimes, such as spyware, must adopt mechanisms to prevent their complicity in rights abuses.
Guaranteeing the digital security of civil society will be the proving ground for the right to privacy at large. Privacy has long been recognized as an enabling right, a precondition for the genuine exercise of freedoms of expression, association, and other human rights. We must now ensure that the conditions for privacy itself exist, or we risk a future in which all rights face a digital demise.