Trust and Security digest (February 2021)

3 Mar 2021

This extract is taken from the February 2021 issue of The digest, GPD’s newsletter. Sign up here.


A new assault on encryption?

This month the EU launched a consultation on its new plan to tackle child sexual abuse material (CSAM).

The text of the consultation outlines that this will include measures to compel online service providers “to detect known child sexual abuse material” and “require them to report that material to public authorities”. But we also know, from an EU Commission leak last year, that measures to restrict encryption—so called “backdoors”—are also potentially on the table. As several expert members of the Global Encryption Coalition have noted, these proposals could have serious implications for digital security and human rights.

This is all concerning, but at least the consultation (which ends on 15 April) provides a structured opportunity for civil society and other stakeholders to provide their perspectives on the proposed approach.

Unfortunately, in India—where a similar set of proposals are about to be announced—no consultation is being promised. The Indian Ministry of Electronics and Information Technology (MeiTy) is imminently expected to propose sweeping amendments to intermediary liability rules that could weaken security and limit the use of strong encryption on the internet. A leaked version of these guidelines reveals plans to require intermediaries (like social media platforms, or internet service providers) to be able to trace the origin of communications, with penalties for non-compliance—creating an obligation on the intermediary to have access to encrypted traffic. In an open letter to the Indian government, a group of nearly 30 security advisors highlighted the risks of such an approach: “by tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures.”

An Internet Society report from last year similarly concluded that the use of digital signatures and the use of metadata (which have both been proposed as methods to achieve traceability) would require the breaking of end-to-end encryption.

As we noted in a recent blog on GPD’s newly launched encryption policy hub, these attacks on encryption—as well as the new focus on intermediary liability—is part of a wider set of trends which human rights defenders and others who support the availability of strong encryption need to be aware of. The Global Encryption Coalition will be coordinating members to respond to developments at both the EU and in India: watch out for more here.


The OEWG’s final draft: roadblocks to the finish line

The UN First Committee’s Open ended Working Group (OEWG) has just published the final draft of its upcoming report on responsible state behaviour. 

It follows the publication in February of a Zero Draft, which GPD responded to here. Our feedback on that draft—drawing closely on insights from a recent informal multistakeholder dialogue we co-organised—recommended that the report do more to:

  1. Centre the impacts on human rights from state activities in cyberspace;
  2. Affirm the importance of including all stakeholders in discussions around cyber norms.

At a civil society briefing held just after the release of the Zero Draft, we were told that ongoing disagreements within the OEWG meant that—for the final draft—the Chair was thinking of moving the “discussion-related sections” (which in fact constituted the bulk of the report) into a separate annex or report, or even cutting them altogether. We were concerned by this possible outcome, since these sections include most of the report’s references to stakeholder engagement, and are most reflective of the input and framing shared by non-governmental organisations over the course of the discussions.

Now the final draft is here (it was released on 1 March), it seems that a compromise has been struck. This new version maintains some of the discussion-related sections, refashioned as “introductory remarks”, as well as the recommendations sections. Text that has been removed has been pasted at the end of the report for discussion at the third meeting (8-12 March), and will either be incorporated then or completely removed.

GPD is still reviewing the final draft, and will provide a fuller response soon. It’s clear that much will depend on what happens at the upcoming March meeting. Whether civil society will even be able to attend is currently unconfirmed, but we’re hopeful: previous substantive meetings have made at least partial provision for non-governmental input, and not doing so would be a huge step backward for the process. Regardless, we should have plenty of intel and updates to share in next month’s Digest—stay posted…

Other news

  • Across the OEWG discussions, one (uncharacteristic) area of agreement has been that states need greater guidance on implementing existing agreed cyber norms—with a dedicated “non-paper” developed to discuss this. A while back, GPD, along with other civil society organisations, submitted joint feedback and recommendations on this non-paper, and in February were pleased to see much of it reflected and incorporated in the latest version—which now includes stronger reference to engaging non-governmental stakeholders in implementation, and to the importance of considering human rights in the implementation of cyber norms.
  • Despite the enforced leave of the recently appointed Tech Envoy pending a sexual harassment investigation, the Envoy’s Office is continuing its work. According to a briefing held with some civil society actors this month, it plans to focus on supporting implementation of the Secretary General’s Roadmap on digital cooperation, and will be relying on stakeholders to continue to implement the Roadmap via the existing Roundtables.
  • One of the outcomes of the Roadmap so far has been its recommendation to set up a new higher level multistakeholder advisory body (MHLB), as a bridge between discussions at deliberative bodies like the IGF and decision-making bodies at the UN and elsewhere. A questionnaire on the proposed MHLB has just launched: input here.

Listening post

Your monthly global update, tracking relevant new laws and policies relating to the digital environment.

On the trust and security side, a lot to report from February:

  • Zambia’s Cybersecurity and Cybercrime Bill 2021 reached committee stage in parliament (a consortium of civil society organisations released a statement); Fiji passed its Cybercrime Bill 2020; and, in Tuvalu, a draft Cybercrime Bill is apparently due to be tabled in parliament.
  • Following criticism of the draft cybersecurity bill, on 15 Feb, Myanmar issued surprise amendments to the Electronic Transactions Law.
  • Nigeria launched its National Cybersecurity Policy and Strategy.
  • New Zealand announced it will join the Budapest Convention on Cybercrime, while Ghana joined the Global Forum on Cyber Expertise.