The following is a statement that was submitted to the South School on Internet Governance in Washington DC on 1 April 2016. We call on the OAS and its member organizations to align cybersecurity strategies with human rights. TEDIC and Karisma, along with other leading organizations in the region, have created this list of the 10 most important points that civil society should promote locally. It will serve as a starting point to develop a joint strategy on this issue that is so important in our region.
The undersigned organizations:
Welcome the decision of the Organization of American States (OAS) to conduct an event where cybersecurity is directly linked to freedom of expression and privacy. The recognition and promotion of this linkage by the OAS illustrates that the agenda of the OAS for the Americas region considers the criticism and lessons of recent years. Therefore, we urge the countries of the region to consider this relationship when developing “cybersecurity strategies.”
As the OAS commits to this process, it should draft and adopt definitions that can facilitate future discussions. The effective design of laws and policies on digital security requires all stakeholders —government, private sector, technical community, academia and civil society— to be aware of the issues involved and agree on how these issues are defined. With this in mind, if instead of using the term cybersecurity, which appeals to a highly militarized context, there is a reference to “digital security” as a more comprehensive concept, that has at its center the people and communities and strategies that will best serve the interests of citizens.
While acknowledging the legitimacy of governments to address digital security, fight crime in cyberspace, and protect critical national infrastructure, the strategies adopted have focused on expanding state surveillance without the proper application of the principles of necessity and proportionality. This has been at the expense of individuals' rights, such as the right to freedom of expression and privacy. There is an urgent need to shift the discourse. Digital security policies should be human-centered. Any digital security policy must have the individual at its core and should be implemented in accordance with human rights standards enshrined in regional conventions, international law, and should integrate and implement data protection public policy.
Moving forward, we must take into account the increasing amount of personal data that is generated and processed by companies and governments, and adopt policies of digital security. These policies should include security planning in the design, deployment, and maintenance of systems, which focus on data minimization efforts, and should ensure that these decisions are discussed in open and multidisciplinary processes. They should also include the participation of the various stakeholders —government, private sector, technical community, academia and civil society—.
- To align any strategy on digital security with the human rights legal frameworks of every country, the Inter-American system, and international standards such as those described in the International Principles for the Application of Human Rights to Communications Surveillance, emphasizing the protection and guarantee of the rights to privacy, freedom of expression and freedom of association. This includes improving national legal frameworks to ensure that communications surveillance is conducted in accordance with human rights standards, including the aforementioned principles of necessity and proportionality, and to adopt and implement data protection public policy, particularly with regards to data sharing initiatives and projects between countries. In that sense, it is recommended that the cybersecurity program at OAS consult and collaborate with other units of the organization so that its recommendations are aligned with standards on freedom of expression and right to privacy, developed and established by the Inter-American Commission and Court of Human Rights and the Special Rapporteur for Freedom of Expression of the IACHR.
- To replace the concept of cybersecurity with digital security, which transcends the military field and must have at its core the protection of the individual and their communities. Digital security should also serve to promote economic and social development on the basis of the principles of the rule of law and protection of fundamental rights.
- To adopt instruments and mechanisms for transparency and accountability, including open government plans for the implementation and development of digital security strategies in each country that are measurable and verifiable.
- To recognize the importance of strong encryption as an element of the digital security, which is necessary for the protection of communications and data. It is therefore recommended that States promote and respect its wide use and development by citizens, businesses, and governments.
- To use risk analysis methodologies such as “privacy by design” and impact analysis on human rights to support the formulation and implementation of evidence-based public policies for digital security.
- To recognize that civil society organizations have specific weaknesses and vulnerabilities that are not being addressed by current structures to respond to cyberattacks (CSIRT). It is therefore advisable to develop CSIRT to protect civil society and which does not depend on law enforcement, in addition to having the ability to produce data and responses for all sectors of society within a framework that respects human rights.
- To promote and encourage resilient and updated information systems which promote digital security. In this sense, it is recommended that these systems be publicly and continuously audited, and their source code be made available without legal obstacles.
- To increase collaboration and exchange of experiences amongst countries including across all sectors of the population, in an open and multistakeholder —government, private sector, technical community, academia and civil society— effort to identify the needs and views of all sectors.
- To collect and implement experiences and good practices from other regions on issues of digital security, such as those developed by the OECD, and adapted to local needs.
- To encourage governments to adopt digital security public policies that include a commitment to the use of products that meet recognized digital security standards.
Association for Civil Rights
Access Now, Internacional
Asociación para una Ciudadanía Participativa, Honduras
Coletivo Intervozes, Brasil
Cooperativa Sula Batsu, Costa Rica
Instituto Beta Para Internet e Democracia (BIDEM), Brasil
DATA Uy, Uruguay
Asuntos del Sur, Chile
Acceso Libre, Venezuela
Usuarios Digitales, Ecuador
Datos Protegidos, Chile
Asociación para el Progreso de las Comunicaciones, Internacional
Enjambre Digital, México
Fundación Acceso, Costa Rica
Global Voices Advox
Acceso Libre, Venezuela
Public Knowledge, EE.UU.
Movimiento Mega, Brasil