Last week, Microsoft and 33 other leading tech companies unveiled their Cybersecurity Tech Accord – an agreement on a broad set of principles committing the signatories to “protecting users and customers everywhere”.
The introduction to the Accord makes its intention clear: it is a corrective to a troubled cyberspace, characterised by a growing proliferation of malicious actors “from criminal to geopolitical” and the deterioration in trust, stability and security that this has brought about. While human rights are not explicitly mentioned, this broad diagnosis of the challenge is one that many human rights defenders will likely share. Exercising privacy and free expression online, after all, depends on a free, open and secure cyberspace. “Protecting our online environment”, as the Accord correctly notes, “is in everyone’s interest”.
There is indeed much to welcome in the text from a human rights perspective, not least the commitment in Principle 1 that the parties to the Accord will strive to protect their users and customers from cyberattacks, whether they are by individuals or governments, and no matter their location. This principle also commits the parties to “design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities”. The commitment in Principles 3 and 4 – to fostering partnerships with other groups on cybersecurity, and assisting in cyber capacity building in the global South – is also a useful reinforcement of the multistakeholder approach in the context of cybersecurity. Given the growing complexity and urgency of cybersecurity challenges, it should be enacted as soon as possible.
Other aspects are more problematic. Most notably, Principle 2 introduces a commitment to “oppose cyberattacks on innocent civilians and enterprises”. Who will decide whether citizens or enterprises are “innocent” – or, for that matter, “guilty” – and according to what criteria? The inclusion of this undefined and potentially subjective and arbitrary requirement of innocence stands in stark contrast to the universal nature of international human rights and the need for any restrictions to be limited, necessary and proportionate. Without this qualifier – reported as a last minute addition – the principle would have been a powerful and unequivocal defence of user rights.
Lastly, the Accord leaves open the question of how these commitments will be implemented. What will happen if a government comes to a signatory of the Accord, seeking access to private communications or data citing secret intelligence of an urgent threat to national security? How will courses of action be decided, in practice – and how will these be communicated? There is a single reference, towards the end of the text, to “public reporting” on progress against goals which are as yet undefined.
In some ways, the most interesting aspect of this (for now) slender manifesto is what it says about the current state of play in cyberspace, and where we are heading. Why are Microsoft and other tech companies doing this – and why now?
The Accord has to be read in the context of a fractured and fracturing geopolitical system. Last year, efforts to establish consensus on international norms for responsible behaviour in cyberspace at the UN Group of Governmental Experts stalled dramatically; while the 2017 Global Conference on CyberSpace proved a showcase for the growing polarisation between several divergent visions of cyberspace. Though the Accord principally concerns itself with the behaviour of companies, it is a component of Microsoft’s broader proposal for a Digital Geneva Convention, which also calls for a new international treaty “to protect civilians, infrastructure and private companies from state-sponsored cyberattacks”. Regardless of whether Microsoft is the right player to call for or broker such an arrangement, the fact that companies are stepping up to take this role is hardly surprising, given the current state of debate.
Another important item of context is the growing regulatory pressure on tech companies. When the EU’s General Data Protection Regulation (GDPR) comes into force in May, companies will face substantial new obligations to protect the data of their users. Although its remit is not cybersecurity-specific, the GDPR reflects a changing regulatory tide. US tech giants are already having to adapt to the legislation in their European outposts (or, in at least one case, hurriedly move their operations out of its reach), and even in the US – where a light regulatory environment has long prevailed – there are augurs of change, exemplified by the image of a chastened Mark Zuckerberg testifying before Congress. The Cybersecurity Tech Accord which, without explicitly saying it, gestures towards a form of self-regulation for the tech industry, might therefore be seen as an attempt to demonstrate that companies can behave responsibly without additional legal obligations.
Before we can judge the Accord’s likely impact in addressing the issues it identifies, we will need more to go on. But in the current geopolitical climate, it may at least provide an impetus to move us beyond this cyber impasse.